Package org.keycloak.protocol.oidc.tokenexchange

Class StandardTokenExchangeProvider

java.lang.Object

org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

org.keycloak.protocol.oidc.tokenexchange.StandardTokenExchangeProvider

All Implemented Interfaces:

TokenExchangeProvider, Provider

public class StandardTokenExchangeProvider
extends AbstractTokenExchangeProvider

Provider for internal-internal token exchange, which is compliant with the token exchange specification https://datatracker.ietf.org/doc/html/rfc8693

Author:

Marek Posolda

Field Summary

Fields inherited from class org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

client, clientAuthAttributes, clientConnection, context, cors, event, formParams, headers, params, realm, session, tokenManager

Constructor Summary

Constructors

Constructor	Description
StandardTokenExchangeProvider()

Method Summary

Modifier and Type	Method	Description
protected void	checkRequestedAudiences(TokenManager.AccessTokenResponseBuilder responseBuilder)
protected jakarta.ws.rs.core.Response	exchangeClientToOIDCClient(UserModel targetUser, UserSessionModel targetUserSession, String requestedTokenType, List<ClientModel> targetAudienceClients, String scope)
protected jakarta.ws.rs.core.Response	exchangeClientToSAML2Client(UserModel targetUser, UserSessionModel targetUserSession, String requestedTokenType, List<ClientModel> targetAudienceClients)
protected String	getRequestedScope(AccessToken token, List<ClientModel> targetAudienceClients)
protected String	getRequestedTokenType()
protected List<String>	getSupportedOAuthResponseTokenTypes()
protected void	setClientToContext(List<ClientModel> targetAudienceClients)
boolean	supports(TokenExchangeContext context)	Check if exchange request is supported by this provider
protected jakarta.ws.rs.core.Response	tokenExchange()
protected void	validateAudience(AccessToken token, boolean disallowOnHolderOfTokenMismatch, List<ClientModel> targetAudienceClients)
protected void	validateConsents(UserModel targetUser, ClientSessionContext clientSessionCtx)

Methods inherited from class org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

close, createSessionModel, exchange, exchangeClientToClient, exchangeExternalToken, exchangeToIdentityProvider, forbiddenIfClientIsNotTokenHolder, forbiddenIfClientIsNotWithinTokenAudience, getSubjectIssuer, getTargetAudienceClients, getTargetClient, importUserFromExternalIdentity, isExternalInternalTokenExchangeRequest, updateUserSessionFromClientAuth

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

StandardTokenExchangeProvider

public StandardTokenExchangeProvider()

Method Details

supports

public boolean supports(TokenExchangeContext context)

Description copied from interface: TokenExchangeProvider

Check if exchange request is supported by this provider

Parameters:

context - token exchange context

Returns:

true if the request is supported

tokenExchange

protected jakarta.ws.rs.core.Response tokenExchange()

Specified by:

tokenExchange in class AbstractTokenExchangeProvider

validateAudience

protected void validateAudience(AccessToken token,
 boolean disallowOnHolderOfTokenMismatch,
 List<ClientModel> targetAudienceClients)

Overrides:

validateAudience in class AbstractTokenExchangeProvider

validateConsents

protected void validateConsents(UserModel targetUser,
 ClientSessionContext clientSessionCtx)

getRequestedScope

protected String getRequestedScope(AccessToken token,
 List<ClientModel> targetAudienceClients)

Overrides:

getRequestedScope in class AbstractTokenExchangeProvider

setClientToContext

protected void setClientToContext(List<ClientModel> targetAudienceClients)

Overrides:

setClientToContext in class AbstractTokenExchangeProvider

exchangeClientToOIDCClient

protected jakarta.ws.rs.core.Response exchangeClientToOIDCClient(UserModel targetUser,
 UserSessionModel targetUserSession,
 String requestedTokenType,
 List<ClientModel> targetAudienceClients,
 String scope)

Overrides:

exchangeClientToOIDCClient in class AbstractTokenExchangeProvider

exchangeClientToSAML2Client

protected jakarta.ws.rs.core.Response exchangeClientToSAML2Client(UserModel targetUser,
 UserSessionModel targetUserSession,
 String requestedTokenType,
 List<ClientModel> targetAudienceClients)

Overrides:

exchangeClientToSAML2Client in class AbstractTokenExchangeProvider

checkRequestedAudiences

protected void checkRequestedAudiences(TokenManager.AccessTokenResponseBuilder responseBuilder)

getSupportedOAuthResponseTokenTypes

protected List<String> getSupportedOAuthResponseTokenTypes()

Overrides:

getSupportedOAuthResponseTokenTypes in class AbstractTokenExchangeProvider

getRequestedTokenType

protected String getRequestedTokenType()

Overrides:

getRequestedTokenType in class AbstractTokenExchangeProvider