org.keycloak.broker.oidc

Class OIDCIdentityProvider

java.lang.Object

org.keycloak.broker.provider.AbstractIdentityProvider<C>

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

org.keycloak.broker.oidc.OIDCIdentityProvider

All Implemented Interfaces:

ExchangeExternalToken, ExchangeTokenToIdentityProviderToken, IdentityProvider<OIDCIdentityProviderConfig>, Provider

Direct Known Subclasses:

GitLabIdentityProvider, GoogleIdentityProvider, KeycloakOIDCIdentityProvider

public class OIDCIdentityProvider
extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
implements ExchangeExternalToken

Author:

Pedro Igor

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected class	OIDCIdentityProvider.OIDCEndpoint

Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider

AbstractOAuth2IdentityProvider.Endpoint

Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider

IdentityProvider.AuthenticationCallback

Field Summary

Fields

Modifier and Type	Field and Description
static String	ACCESS_TOKEN_EXPIRATION
static String	EXCHANGE_PROVIDER
static String	FEDERATED_ACCESS_TOKEN_RESPONSE
static String	FEDERATED_ID_TOKEN
protected static org.jboss.logging.Logger	logger
static String	SCOPE_OPENID
static String	USER_INFO
static String	VALIDATED_ID_TOKEN

Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider

ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE

Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

ACCOUNT_LINK_URL, session

Fields inherited from interface org.keycloak.broker.provider.IdentityProvider

EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN

Constructor Summary

Constructors

Constructor and Description
OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config)

Method Summary

Modifier and Type	Method and Description
void	authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
void	backchannelLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
protected void	backchannelLogout(UserSessionModel userSession, String idToken)
Object	callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
protected javax.ws.rs.core.UriBuilder	createAuthorizationUrl(AuthenticationRequest request)
protected BrokeredIdentityContext	exchangeExternalImpl(EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
protected javax.ws.rs.core.Response	exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
protected javax.ws.rs.core.Response	exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
protected BrokeredIdentityContext	extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken)
protected BrokeredIdentityContext	extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
protected String	getDefaultScopes()
BrokeredIdentityContext	getFederatedIdentity(String response)
protected String	getProfileEndpointForValidation(EventBuilder event)
protected SimpleHttp	getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret)
protected String	getUserInfoUrl()
protected String	getusernameClaimNameForIdToken()
protected String	getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
boolean	isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
javax.ws.rs.core.Response	keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm) Called when a Keycloak application initiates a logout through the browser.
void	preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
protected void	processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response)
String	refreshTokenForLogout(KeycloakSession session, UserSessionModel userSession) Returns access token response as a string from a refresh token invocation on the remote OIDC broker
protected boolean	supportsExternalExchange()
protected BrokeredIdentityContext	validateJwt(EventBuilder event, String subjectToken, String subjectTokenType)
protected JsonWebToken	validateToken(String encodedToken)
protected JsonWebToken	validateToken(String encodedToken, boolean ignoreAudience)
protected boolean	verify(JWSInput jws)

Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider

asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfo

Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.ExchangeExternalToken

exchangeExternal, exchangeExternalComplete

Field Detail

logger

protected static final org.jboss.logging.Logger logger

SCOPE_OPENID

public static final String SCOPE_OPENID

See Also:

Constant Field Values

FEDERATED_ID_TOKEN

public static final String FEDERATED_ID_TOKEN

See Also:

Constant Field Values

USER_INFO

public static final String USER_INFO

See Also:

Constant Field Values

FEDERATED_ACCESS_TOKEN_RESPONSE

public static final String FEDERATED_ACCESS_TOKEN_RESPONSE

See Also:

Constant Field Values

VALIDATED_ID_TOKEN

public static final String VALIDATED_ID_TOKEN

See Also:

Constant Field Values

ACCESS_TOKEN_EXPIRATION

public static final String ACCESS_TOKEN_EXPIRATION

See Also:

Constant Field Values

EXCHANGE_PROVIDER

public static final String EXCHANGE_PROVIDER

See Also:

Constant Field Values

Constructor Detail

OIDCIdentityProvider

public OIDCIdentityProvider(KeycloakSession session,
                            OIDCIdentityProviderConfig config)

Method Detail

callback

public Object callback(RealmModel realm,
                       IdentityProvider.AuthenticationCallback callback,
                       EventBuilder event)

Description copied from interface: IdentityProvider

JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.

Specified by:

callback in interface IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

callback in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

Returns:

refreshTokenForLogout

public String refreshTokenForLogout(KeycloakSession session,
                                    UserSessionModel userSession)

Returns access token response as a string from a refresh token invocation on the remote OIDC broker

Parameters:

session -

userSession -

Returns:

backchannelLogout

public void backchannelLogout(KeycloakSession session,
                              UserSessionModel userSession,
                              javax.ws.rs.core.UriInfo uriInfo,
                              RealmModel realm)

Specified by:

backchannelLogout in interface IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

backchannelLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>

backchannelLogout

protected void backchannelLogout(UserSessionModel userSession,
                                 String idToken)

keycloakInitiatedBrowserLogout

public javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session,
                                                                UserSessionModel userSession,
                                                                javax.ws.rs.core.UriInfo uriInfo,
                                                                RealmModel realm)

Description copied from interface: IdentityProvider

Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP

Specified by:

keycloakInitiatedBrowserLogout in interface IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

keycloakInitiatedBrowserLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>

Returns:

null if this is not supported by this provider

exchangeStoredToken

protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo,
                                                        EventBuilder event,
                                                        ClientModel authorizedClient,
                                                        UserSessionModel tokenUserSession,
                                                        UserModel tokenSubject)

Overrides:

exchangeStoredToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

processAccessTokenResponse

protected void processAccessTokenResponse(BrokeredIdentityContext context,
                                          AccessTokenResponse response)

getRefreshTokenRequest

protected SimpleHttp getRefreshTokenRequest(KeycloakSession session,
                                            String refreshToken,
                                            String clientId,
                                            String clientSecret)

exchangeSessionToken

protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo,
                                                         EventBuilder event,
                                                         ClientModel authorizedClient,
                                                         UserSessionModel tokenUserSession,
                                                         UserModel tokenSubject)

Overrides:

exchangeSessionToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getFederatedIdentity

public BrokeredIdentityContext getFederatedIdentity(String response)

Overrides:

getFederatedIdentity in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

extractIdentity

protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse,
                                                  String accessToken,
                                                  JsonWebToken idToken)
                                           throws IOException

Throws:

IOException

getusernameClaimNameForIdToken

protected String getusernameClaimNameForIdToken()

getUserInfoUrl

protected String getUserInfoUrl()

verify

protected boolean verify(JWSInput jws)

validateToken

protected JsonWebToken validateToken(String encodedToken)

validateToken

protected JsonWebToken validateToken(String encodedToken,
                                     boolean ignoreAudience)

authenticationFinished

public void authenticationFinished(AuthenticationSessionModel authSession,
                                   BrokeredIdentityContext context)

Specified by:

authenticationFinished in interface IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

authenticationFinished in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getDefaultScopes

protected String getDefaultScopes()

Specified by:

getDefaultScopes in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isIssuer

public boolean isIssuer(String issuer,
                        javax.ws.rs.core.MultivaluedMap<String,String> params)

Specified by:

isIssuer in interface ExchangeExternalToken

Overrides:

isIssuer in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

supportsExternalExchange

protected boolean supportsExternalExchange()

Overrides:

supportsExternalExchange in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getProfileEndpointForValidation

protected String getProfileEndpointForValidation(EventBuilder event)

Overrides:

getProfileEndpointForValidation in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

extractIdentityFromProfile

protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event,
                                                             com.fasterxml.jackson.databind.JsonNode userInfo)

Overrides:

extractIdentityFromProfile in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getUsernameFromUserInfo

protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)

validateJwt

protected final BrokeredIdentityContext validateJwt(EventBuilder event,
                                                    String subjectToken,
                                                    String subjectTokenType)

exchangeExternalImpl

protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event,
                                                       javax.ws.rs.core.MultivaluedMap<String,String> params)

Overrides:

exchangeExternalImpl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

createAuthorizationUrl

protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(AuthenticationRequest request)

Overrides:

createAuthorizationUrl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

preprocessFederatedIdentity

public void preprocessFederatedIdentity(KeycloakSession session,
                                        RealmModel realm,
                                        BrokeredIdentityContext context)

Specified by:

preprocessFederatedIdentity in interface IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

preprocessFederatedIdentity in class AbstractIdentityProvider<OIDCIdentityProviderConfig>