Package org.keycloak.protocol.oidc.client.authentication

Interface ClientCredentialsProvider

  • All Known Implementing Classes:
    ClientIdAndSecretCredentialsProvider, JWTClientCredentialsProvider, JWTClientSecretCredentialsProvider
    public interface ClientCredentialsProvider
    The simple SPI for authenticating clients/applications . It's used by adapter during all OIDC backchannel requests to Keycloak server (codeToToken exchange, refresh token or backchannel logout) . You can also use it in your application during direct access grants or service account request (See the service-account example from Keycloak demo for more info) When you implement this SPI on the adapter (application) side, you also need to implement org.keycloak.authentication.ClientAuthenticator on the server side, so your server is able to authenticate client You must specify a file META-INF/services/org.keycloak.protocol.oidc.client.authentication.ClientCredentialsProvider in the WAR that this class is contained in (or in the JAR that is attached to the WEB-INF/lib or as jboss module if you want to share the implementation among more WARs). NOTE: The SPI is not finished and method signatures are still subject to change in future versions (for example to support authentication with client certificate)
    Author:
    Marek Posolda

    • Method Detail

      • getId

        String getId()
        Return the ID of the provider. Use this ID in the keycloak.json configuration as the subelement of the "credentials" element For example if your provider has ID "kerberos-keytab" , use the configuration like this in keycloak.json "credentials": { "kerberos-keytab": { "keytab": "/tmp/foo" } }
        Returns:

      • init

        void init​(AdapterConfig adapterConfig,
          Object config)
        Called by adapter during deployment of your application. You can for example read configuration and init your authenticator here
        Parameters:
        adapterConfig - the adapter configuration
        config - the configuration of your provider read from keycloak.json . For the kerberos-keytab example above, it will return map with the single key "keytab" with value "/tmp/foo"

      • setClientCredentials

        void setClientCredentials​(AdapterConfig adapterConfig,
                          Map<String,​String> requestHeaders,
                          Map<String,​String> formParams)
        Called every time adapter needs to perform backchannel request
        Parameters:
        adapterConfig - Fully resolved deployment
        requestHeaders - You should put any HTTP request headers you want to use for authentication of client. These headers will be attached to the HTTP request sent to Keycloak server
        formParams - You should put any request parameters you want to use for authentication of client. These parameters will be attached to the HTTP request sent to Keycloak server