org.keycloak.federation.kerberos

Class KerberosFederationProvider

java.lang.Object

org.keycloak.federation.kerberos.KerberosFederationProvider

All Implemented Interfaces:

CredentialAuthentication, CredentialInputUpdater, CredentialInputUpdater.Streams, CredentialInputValidator, Provider, ImportedUserValidation, UserLookupProvider, UserLookupProvider.Streams, UserStorageProvider

public class KerberosFederationProvider
extends Object
implements UserStorageProvider, UserLookupProvider.Streams, CredentialInputValidator, CredentialInputUpdater.Streams, CredentialAuthentication, ImportedUserValidation

Author:

Marek Posolda

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider

UserStorageProvider.EditMode

Nested classes/interfaces inherited from interface org.keycloak.storage.user.UserLookupProvider

UserLookupProvider.Streams

Nested classes/interfaces inherited from interface org.keycloak.credential.CredentialInputUpdater

CredentialInputUpdater.Streams

Field Summary

Fields

Modifier and Type	Field and Description
protected KerberosFederationProviderFactory	factory
static String	KERBEROS_PRINCIPAL
protected KerberosConfig	kerberosConfig
protected UserStorageProviderModel	model
protected KeycloakSession	session

Constructor Summary

Constructors

Constructor and Description
KerberosFederationProvider(KeycloakSession session, UserStorageProviderModel model, KerberosFederationProviderFactory factory)

Method Summary

Modifier and Type	Method and Description
CredentialValidationOutput	authenticate(RealmModel realm, CredentialInput input)
void	close()
void	disableCredentialType(RealmModel realm, UserModel user, String credentialType)
protected UserModel	findOrCreateAuthenticatedUser(RealmModel realm, String username) Called after successful authentication
Stream<String>	getDisableableCredentialTypesStream(RealmModel realm, UserModel user) Obtains the set of credential types that can be disabled via disableCredentialType.
UserModel	getUserByEmail(RealmModel realm, String email) Returns a user with the given email belonging to the realm
UserModel	getUserById(RealmModel realm, String id) Returns a user with the given id belonging to the realm
UserModel	getUserByUsername(RealmModel realm, String username) Returns a user with the given username belonging to the realm
protected UserModel	importUserToKeycloak(RealmModel realm, String username)
boolean	isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
boolean	isValid(RealmModel realm, UserModel local)
boolean	isValid(RealmModel realm, UserModel user, CredentialInput input) Tests whether a credential is valid
void	preRemove(RealmModel realm) Callback when a realm is removed.
void	preRemove(RealmModel realm, GroupModel group) Callback when a group is removed.
void	preRemove(RealmModel realm, RoleModel role) Callback when a role is removed.
boolean	supportsCredentialAuthenticationFor(String type)
boolean	supportsCredentialType(String credentialType)
boolean	updateCredential(RealmModel realm, UserModel user, CredentialInput input)
UserModel	validate(RealmModel realm, UserModel user) If this method returns null, then the user in local storage will be removed
protected boolean	validPassword(String username, String password)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.storage.user.UserLookupProvider.Streams

getUserByEmail, getUserById, getUserByUsername

Methods inherited from interface org.keycloak.credential.CredentialInputUpdater.Streams

getDisableableCredentialTypes

Field Detail

KERBEROS_PRINCIPAL

public static final String KERBEROS_PRINCIPAL

See Also:

Constant Field Values

session

protected KeycloakSession session

model

protected UserStorageProviderModel model

kerberosConfig

protected KerberosConfig kerberosConfig

factory

protected KerberosFederationProviderFactory factory

Constructor Detail

KerberosFederationProvider

public KerberosFederationProvider(KeycloakSession session,
                                  UserStorageProviderModel model,
                                  KerberosFederationProviderFactory factory)

Method Detail

validate

public UserModel validate(RealmModel realm,
                          UserModel user)

Description copied from interface: ImportedUserValidation

If this method returns null, then the user in local storage will be removed

Specified by:

validate in interface ImportedUserValidation

Returns:

null if user no longer valid

getUserByUsername

public UserModel getUserByUsername(RealmModel realm,
                                   String username)

Description copied from interface: UserLookupProvider

Returns a user with the given username belonging to the realm

Specified by:

getUserByUsername in interface UserLookupProvider

Specified by:

getUserByUsername in interface UserLookupProvider.Streams

Parameters:

realm - the realm model

username - case insensitive username (case-sensitivity is controlled by storage)

Returns:

found user model, or null if no such user exists

getUserByEmail

public UserModel getUserByEmail(RealmModel realm,
                                String email)

Description copied from interface: UserLookupProvider

Returns a user with the given email belonging to the realm

Specified by:

getUserByEmail in interface UserLookupProvider

Specified by:

getUserByEmail in interface UserLookupProvider.Streams

Parameters:

realm - the realm model

email - case insensitive email address (case-sensitivity is controlled by storage)

Returns:

found user model, or null if no such user exists

getUserById

public UserModel getUserById(RealmModel realm,
                             String id)

Description copied from interface: UserLookupProvider

Returns a user with the given id belonging to the realm

Specified by:

getUserById in interface UserLookupProvider

Specified by:

getUserById in interface UserLookupProvider.Streams

Parameters:

realm - the realm model

id - id of the user

Returns:

found user model, or null if no such user exists

preRemove

public void preRemove(RealmModel realm)

Description copied from interface: UserStorageProvider

Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
                      RoleModel role)

Description copied from interface: UserStorageProvider

Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
                      GroupModel group)

Description copied from interface: UserStorageProvider

Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

isValid

public boolean isValid(RealmModel realm,
                       UserModel local)

updateCredential

public boolean updateCredential(RealmModel realm,
                                UserModel user,
                                CredentialInput input)

Specified by:

updateCredential in interface CredentialInputUpdater

disableCredentialType

public void disableCredentialType(RealmModel realm,
                                  UserModel user,
                                  String credentialType)

Specified by:

disableCredentialType in interface CredentialInputUpdater

getDisableableCredentialTypesStream

public Stream<String> getDisableableCredentialTypesStream(RealmModel realm,
                                                          UserModel user)

Description copied from interface: CredentialInputUpdater

Obtains the set of credential types that can be disabled via disableCredentialType.

Specified by:

getDisableableCredentialTypesStream in interface CredentialInputUpdater

Specified by:

getDisableableCredentialTypesStream in interface CredentialInputUpdater.Streams

Parameters:

realm - a reference to the realm.

user - the user whose credentials are being searched.

Returns:

a non-null Stream of credential types.

supportsCredentialType

public boolean supportsCredentialType(String credentialType)

Specified by:

supportsCredentialType in interface CredentialInputUpdater

Specified by:

supportsCredentialType in interface CredentialInputValidator

supportsCredentialAuthenticationFor

public boolean supportsCredentialAuthenticationFor(String type)

Specified by:

supportsCredentialAuthenticationFor in interface CredentialAuthentication

isConfiguredFor

public boolean isConfiguredFor(RealmModel realm,
                               UserModel user,
                               String credentialType)

Specified by:

isConfiguredFor in interface CredentialInputValidator

isValid

public boolean isValid(RealmModel realm,
                       UserModel user,
                       CredentialInput input)

Description copied from interface: CredentialInputValidator

Tests whether a credential is valid

Specified by:

isValid in interface CredentialInputValidator

Parameters:

realm - The realm in which to which the credential belongs to

user - The user for which to test the credential

input - the credential details to verify

Returns:

true if the passed secret is correct

validPassword

protected boolean validPassword(String username,
                                String password)

authenticate

public CredentialValidationOutput authenticate(RealmModel realm,
                                               CredentialInput input)

Specified by:

authenticate in interface CredentialAuthentication

close

public void close()

Specified by:

close in interface Provider

findOrCreateAuthenticatedUser

protected UserModel findOrCreateAuthenticatedUser(RealmModel realm,
                                                  String username)

Called after successful authentication

Parameters:

realm - realm

username - username without realm prefix

Returns:

user if found or successfully created. Null if user with same username already exists, but is not linked to this provider

importUserToKeycloak

protected UserModel importUserToKeycloak(RealmModel realm,
                                         String username)