Package org.keycloak.protocol.oidc.tokenexchange

Class AbstractTokenExchangeProvider

java.lang.Object

org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

All Implemented Interfaces:

TokenExchangeProvider, Provider

Direct Known Subclasses:

FederatedTokenExchangeProvider, StandardTokenExchangeProvider, SubjectImpersonationTokenExchangeProvider, V1TokenExchangeProvider

public abstract class AbstractTokenExchangeProvider
extends Object
implements TokenExchangeProvider

Base token exchange implementation. For now for both V1 and V2 token exchange (may change in the follow-up commits)

Author:

Dmitry Telegin

Field Summary

Fields

Modifier and Type	Field	Description
protected ClientModel	client
protected Map<String,String>	clientAuthAttributes
protected ClientConnection	clientConnection
protected TokenExchangeContext	context
protected Cors	cors
protected EventBuilder	event
protected jakarta.ws.rs.core.MultivaluedMap<String,String>	formParams
protected jakarta.ws.rs.core.HttpHeaders	headers
protected TokenExchangeContext.Params	params
protected RealmModel	realm
protected KeycloakSession	session
protected TokenManager	tokenManager

Constructor Summary

Constructors

Constructor	Description
AbstractTokenExchangeProvider()

Method Summary

Modifier and Type	Method	Description
void	close()
protected AuthenticationSessionModel	createSessionModel(UserSessionModel targetUserSession, RootAuthenticationSessionModel rootAuthSession, UserModel targetUser, ClientModel client, String scope)
jakarta.ws.rs.core.Response	exchange(TokenExchangeContext context)	Exchange the token.
protected jakarta.ws.rs.core.Response	exchangeClientToClient(UserModel targetUser, UserSessionModel targetUserSession, AccessToken token, boolean disallowOnHolderOfTokenMismatch)
protected jakarta.ws.rs.core.Response	exchangeClientToOIDCClient(UserModel targetUser, UserSessionModel targetUserSession, String requestedTokenType, List<ClientModel> targetAudienceClients, String scope)
protected jakarta.ws.rs.core.Response	exchangeClientToSAML2Client(UserModel targetUser, UserSessionModel targetUserSession, String requestedTokenType, List<ClientModel> targetAudienceClients)
protected jakarta.ws.rs.core.Response	exchangeExternalToken(String subjectIssuer, String subjectToken)
protected jakarta.ws.rs.core.Response	exchangeToIdentityProvider(UserModel targetUser, UserSessionModel targetUserSession, String requestedIssuer)
protected void	forbiddenIfClientIsNotTokenHolder(boolean disallowOnHolderOfTokenMismatch, ClientModel tokenHolder)
protected void	forbiddenIfClientIsNotWithinTokenAudience(AccessToken token)
protected String	getRequestedScope(AccessToken token, List<ClientModel> targetAudienceClients)
protected String	getRequestedTokenType()
protected String	getSubjectIssuer(TokenExchangeContext context, String subjectToken, String subjectTokenType)
protected List<String>	getSupportedOAuthResponseTokenTypes()
protected List<ClientModel>	getTargetAudienceClients()
protected ClientModel	getTargetClient(List<ClientModel> targetAudienceClients)
protected UserModel	importUserFromExternalIdentity(BrokeredIdentityContext context)
protected boolean	isExternalInternalTokenExchangeRequest(TokenExchangeContext context)	Is it the request for external-internal token exchange?
protected void	setClientToContext(List<ClientModel> targetAudienceClients)
protected abstract jakarta.ws.rs.core.Response	tokenExchange()
protected void	updateUserSessionFromClientAuth(UserSessionModel userSession)
protected void	validateAudience(AccessToken token, boolean disallowOnHolderOfTokenMismatch, List<ClientModel> targetAudienceClients)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.protocol.oidc.TokenExchangeProvider

supports

Field Details

params

protected TokenExchangeContext.Params params

formParams

protected jakarta.ws.rs.core.MultivaluedMap<String,String> formParams

session

protected KeycloakSession session

cors

protected Cors cors

realm

protected RealmModel realm

client

protected ClientModel client

event

protected EventBuilder event

clientConnection

protected ClientConnection clientConnection

headers

protected jakarta.ws.rs.core.HttpHeaders headers

tokenManager

protected TokenManager tokenManager

clientAuthAttributes

protected Map<String,String> clientAuthAttributes

context

protected TokenExchangeContext context

Constructor Details

AbstractTokenExchangeProvider

public AbstractTokenExchangeProvider()

Method Details

exchange

public jakarta.ws.rs.core.Response exchange(TokenExchangeContext context)

Description copied from interface: TokenExchangeProvider

Exchange the token.

Specified by:

exchange in interface TokenExchangeProvider

Returns:

response with a new token

close

public void close()

Specified by:

close in interface Provider

tokenExchange

protected abstract jakarta.ws.rs.core.Response tokenExchange()

isExternalInternalTokenExchangeRequest

protected boolean isExternalInternalTokenExchangeRequest(TokenExchangeContext context)

Is it the request for external-internal token exchange?

getSubjectIssuer

protected String getSubjectIssuer(TokenExchangeContext context,
 String subjectToken,
 String subjectTokenType)

exchangeToIdentityProvider

protected jakarta.ws.rs.core.Response exchangeToIdentityProvider(UserModel targetUser,
 UserSessionModel targetUserSession,
 String requestedIssuer)

getRequestedTokenType

protected String getRequestedTokenType()

getTargetAudienceClients

protected List<ClientModel> getTargetAudienceClients()

validateAudience

protected void validateAudience(AccessToken token,
 boolean disallowOnHolderOfTokenMismatch,
 List<ClientModel> targetAudienceClients)

exchangeClientToClient

protected jakarta.ws.rs.core.Response exchangeClientToClient(UserModel targetUser,
 UserSessionModel targetUserSession,
 AccessToken token,
 boolean disallowOnHolderOfTokenMismatch)

forbiddenIfClientIsNotWithinTokenAudience

protected void forbiddenIfClientIsNotWithinTokenAudience(AccessToken token)

forbiddenIfClientIsNotTokenHolder

protected void forbiddenIfClientIsNotTokenHolder(boolean disallowOnHolderOfTokenMismatch,
 ClientModel tokenHolder)

getSupportedOAuthResponseTokenTypes

protected List<String> getSupportedOAuthResponseTokenTypes()

createSessionModel

protected AuthenticationSessionModel createSessionModel(UserSessionModel targetUserSession,
 RootAuthenticationSessionModel rootAuthSession,
 UserModel targetUser,
 ClientModel client,
 String scope)

getRequestedScope

protected String getRequestedScope(AccessToken token,
 List<ClientModel> targetAudienceClients)

setClientToContext

protected void setClientToContext(List<ClientModel> targetAudienceClients)

getTargetClient

protected ClientModel getTargetClient(List<ClientModel> targetAudienceClients)

exchangeClientToOIDCClient

protected jakarta.ws.rs.core.Response exchangeClientToOIDCClient(UserModel targetUser,
 UserSessionModel targetUserSession,
 String requestedTokenType,
 List<ClientModel> targetAudienceClients,
 String scope)

exchangeClientToSAML2Client

protected jakarta.ws.rs.core.Response exchangeClientToSAML2Client(UserModel targetUser,
 UserSessionModel targetUserSession,
 String requestedTokenType,
 List<ClientModel> targetAudienceClients)

exchangeExternalToken

protected jakarta.ws.rs.core.Response exchangeExternalToken(String subjectIssuer,
 String subjectToken)

importUserFromExternalIdentity

protected UserModel importUserFromExternalIdentity(BrokeredIdentityContext context)

updateUserSessionFromClientAuth

protected void updateUserSessionFromClientAuth(UserSessionModel userSession)