All Classes and Interfaces

Class
Description
 
 
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak group.
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak role.
 
 
 
 
 
 
 
 
Abstract class that handles the logic for importing and updating brokered users for all mappers that map an OIDC claim into a Keycloak role.
 
 
 
 
 
 
 
 
 
 
 
Helper base class for ClientModel implementations for ClientStorageProvider implementations.
 
Abstract base class for updating a single reference (specified via a single config property).
 
 
 
 
 
 
 
Abstract helper class that Authenticator implementations can leverage
 
 
 
 
 
 
 
 
 
 
 
 
 
Abstract class for Social Provider mappers which allow mapping of JSON user profile field into Keycloak user attribute.
Handles some common transaction logic related to start, rollback-only etc.
 
Abstract "store" for bulk sending of the updates related to lastSessionRefresh
 
Stateful per-request object
 
 
 
 
Abstract class for number validator.
 
 
 
 
Set the 'sub' claim to pairwise .
 
Base class for parsers
Base PartialImport for most resource types.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Helper class for securing local services.
 
Base class for arbitrary value type validators.
 
Simple support for STaX type of parsing.
 
 
 
 
 
Base class for String value format validators.
This abstract class provides implementations for everything but getUsername().
The AbstractUserAdapter.Streams interface makes all collection-based methods in AbstractUserAdapter default by providing implementations that delegate to the Stream-based variants instead of the other way around.
Assumes everything is managed by federated storage except for username.
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
 
 
 
Abstract base for Freemarker context bean providing informations about user profile to render dynamic or crafted forms.
A base class for UserProfileProvider implementations providing the main hooks for customizations.
 
 
Abstract class that is meant to be extended by implementations of VaultProvider that want to have support for key resolvers.
Abstract class that is meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers.
Enum containing the available VaultKeyResolvers.
 
 
 
 
 
 
 
 
 
 
 
 
OAuth 2.0 Access Token Response json
Created by st on 29/03/17.
 
 
 
 
 
 
 
 
CRUD data in the authentication session, which are related to step-up authentication
 
Enum for actions taken by PartialImport.
 
 
 
Handler of the action token.
 
 
 
Java class for ActionType complex type.
Java class for ActivationLimitDurationType complex type.
Java class for ActivationLimitDurationType complex type.
Java class for ActivationLimitSessionType complex type.
Java class for ActivationLimitSessionType complex type.
Java class for ActivationLimitType complex type.
Java class for ActivationLimitType complex type.
Java class for ActivationLimitUsagesType complex type.
Java class for ActivationLimitUsagesType complex type.
Java class for ActivationPinType complex type.
Java class for ActivationPinType complex type.
Configuration for Java based adapters
 
Configuration options relevant for configuring http client that can be used by adapter.
 
 
A ColumnConfig extension that contains attributes either to specify - a JSON column and the property to be selected from the JSON file - a hashOf property with column name to be used for the generating a column with hash value of it.
Java class for AdditionalMetadataLocationType complex type.
 
 
 
Posted to managed client from admin server.
 
 
 
 
 
 
 
 
 
 
Created by st on 21/03/17.
 
 
 
 
 
 
 
Message formatter for Admin GUI/API messages.
 
Useful as a function pointer, i.e.
Useful as a function pointer, i.e.
 
 
A AdminRealmResourceProvider creates JAX-RS sub-resource instances for paths relative to Realm's RESTful Admin API that could not be resolved by the server.
A factory that creates AdminRealmResourceProvider instances.
A Spi to plug additional sub-resources to Realms' RESTful Admin API.
 
Root resource for admin console and admin REST API
 
 
 
 
Java class for AdviceType complex type.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Java class for AffiliationDescriptorType complex type.
 
 
 
 
 
Java class for AgreementMethodType complex type.
 
 
Deprecated.
 
This wrapper encapsulates stores from all areas.
Authenticator will always successfully authenticate.
 
Populates token with requested scope.
Protocol mapper to add allowed web origins to the access token to the 'allowed-origins' claim
Java class for AlphabetType complex type.
Java class for AlphabetType complex type.
Ancestor for a provider factory for both a standalone ProviderFactory and a ComponentFactory.
A criteria that matches a property based on its annotations
 
 
Parses any DOM tree to a list of DOM representations.
 
The provider allows to extract X.509 client certificate forwarded to keycloak configured behind the Apache reverse proxy.
 
 
 
 
Deprecated.
 
Provides a way to create and resolve artifacts for SAML Artifact binding
Exception to indicate a configuration error in ArtifactResolver.
A factory that creates ArtifactResolver instances.
Exception to indicate a processing error in ArtifactResolver.
 
Java class for ArtifactResolveType complex type.
Java class for ArtifactResponseType complex type.
Security Exception indicating expiration of SAML2 assertion
Java class for AssertionIDRequestType complex type.
Utility to deal with assertions
 
 
 
 
When using AsyncResponse.resume(Object) directly in the code, the response is returned before all changes done withing this execution are committed.
 
Base resource class for the admin REST api of one realm
Pass-thru atheneticator that just sets the context to attempted.
 
 
Java class for AttributeAuthorityDescriptorType complex type.
Interface of the user profile attribute change listener.
Constants for attributes
Java class for AttributeConsumingServiceType complex type.
 
Configuration of the attribute group.
 
Java class for AttributeQueryType complex type.
Validator to check that User Profile attribute value is not blank (nor null) if the attribute is required based on AttributeMetadata predicate.
Holds attributes, their values and provides utlity methods to manage them.
 
This interface wraps the attributes associated with a user profile.
Holds an attribute and its values, providing useful methods for obtaining and formatting values.
 
Java class for AttributeStatementType complex type.
 
 
Java class for AttributeType complex type.
 
 
Protocol mapper, which adds all client_ids of "allowed" clients to the audience field of the token.
Java class for AudienceRestrictionType complex type.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Provides the interface for requesting the authentication(AuthN) and authorization(AuthZ) by an authentication device (AD) to the external entity via Authentication Channel.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Defines constants for authentication flow bindings.
Callback to be triggered during various lifecycle events of authentication flow.
Factory to create AuthenticationFlowCallback instances.
This interface encapsulates information about an execution in an AuthenticationFlow.
 
Set of error codes that can be thrown by an Authenticator, FormAuthenticator, or FormAction
Throw this exception from an Authenticator, FormAuthenticator, or FormAction if you want to completely abort the flow.
 
 
 
 
 
 
 
Stateless object that manages authentication
 
 
 
 
 
NOTE: Calling setter doesn't automatically enlist for update
 
 
 
Allow to encode compound string to fully lookup authenticationSessionModel
 
 
 
 
Represents the state of the authentication.
 
 
 
This interface is for users that want to add custom authenticators to an authentication flow.
Java class for AuthenticatorBaseType complex type.
Java class for AuthenticatorBaseType complex type.
 
 
 
 
 
 
Factory for creating Authenticator instances.
 
Java class for AuthenticatorTransportProtocolType complex type.
Java class for AuthenticatorTransportProtocolType complex type.
 
 
Java class for AuthnAuthorityDescriptorType complex type.
Type that represents an AuthnContextClassRef
Java class for AuthnContextComparisonType.
Java class for AuthnContextDeclarationBaseType complex type.
Java class for AuthnContextDeclarationBaseType complex type.
Type that represents an AuthnContextDeclRef
Type that represents an AuthnContextDecl
Java class for AuthnContextType complex type.
Java class for AuthnMethodBaseType complex type.
Java class for AuthnMethodBaseType complex type.
Java class for AuthnQueryType complex type.
Java class for AuthnRequestType complex type.
Java class for AuthnStatementType complex type.
 
 
 
 
The internal Keycloak representation of a Rich Authorization Request authorization_details object, together with some extra metadata to make it easier to work with this data in other parts of the codebase.
The JSON representation of a Rich Authorization Request's "authorization_details" object.
 
Common base class for Authorization REST endpoints implementation, which have to be implemented by each protocol.
Implements some checks typical for OIDC Authorization Endpoint.
 
 
 
The main contract here is the creation of PermissionEvaluator instances.
 
 
 
This context object will contain all parsed Rich Authorization Request objects, together with the internal representation that Keycloak is going to use for Scopes.
 
 
 
 
 
 
An entry point for obtaining permissions from the server.
 
 
 
 
 
 
 
 
 
 
 
This is class serves as an entry point for clients looking for access to Keycloak Authorization Services.
Java class for AuthzDecisionQueryType complex type.
Java class for AuthzDecisionStatementType complex type.
Parse the parameters from PAR
Parse the parameters from request queryString
Parse the parameters from OIDC "request" object
 
 
 
 
Class to detect if SSSD is available in the system.
 
 
 
 
 
 
 
 
 
 
Base32 - encodes and decodes RFC3548 Base32 (see http://www.faqs.org/rfcs/rfc3548.html )
Encodes and decodes to and from Base64 notation.
A Base64.InputStream will read data from another java.io.InputStream, given in the constructor, and encode/decode to/from Base64 notation on the fly.
A Base64.OutputStream will write data to another java.io.OutputStream, given in the constructor, and encode/decode to/from Base64 notation on the fly.
 
Common Adapter configuration
 
Abstract Type that represents an ID
Common Realm Configuration
 
 
 
 
Base Class for the Stax writers for SAML
 
The default implementation is compliant with RFC 2617
compliant with RFC 6749
 
 
 
 
 
Checks a password against a configured password blacklist.
A BlacklistPasswordPolicyProviderFactory.PasswordBlacklist describes a list of too easy to guess or potentially leaked passwords that users should not be able to use.
Validator to check that User Profile attribute value is not blank (null value is OK!).
A class implementing a BlockContext interface represents a transformer from a primitive value / sequence / mapping representation as declared in YAML format into a Java object of type V, with ability to produce the resulting instance of parsing.
 
 
 
A special stack suited for tracking the parser of a block language, and maintaining contextual information for block nesting position in the YAML file.
Java class for booleanType.
 
Represents all identity information obtained from an IdentityProvider after a successful authentication.
Validator to check that User Profile username is provided during Brokerin/Federation.
 
 
The point of this is to improve experience of browser history (back/forward/refresh buttons), but ensure there is no more redirects then necessary.
 
 
 
 
 
 
 
 
 
 
 
The cache entry, which contains list of all identityProvider links for particular user.
 
Cached authorization model classes will implement this interface.
 
 
 
 
Cached realms will implement this interface
 
 
 
 
 
 
 
 
 
 
 
 
Cached users will implement this interface
 
Some notes on how this works: This implementation manages optimistic locking and version checks itself.
 
 
 
 
 
 
 
 
Java class for CanonicalizationMethodType complex type.
This class contains utility classes for type conversion.
 
 
 
 
 
 
PEM values of key and certificate
The Class CertificateUtils provides utility functions for generation of V1 and V3 X509Certificate
The Class CertificateUtils provides utility functions for generation of V1 and V3 X509Certificate
 
 
Configure Certificate validation
 
 
 
 
 
 
Represents an authentication request sent by a consumption device (CD).
 
 
 
Provides the resolver that converts several types of receives login hint to its corresponding UserModel.
 
 
 
Java class for CipherDataType complex type.
Java class for CipherReferenceType complex type.
 
 
 
 
Claims parameter as described in the OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Clear user cache.
 
Clear user cache.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Encapsulates information about the execution in ClientAuthenticationFlow
This interface is for users that want to add custom client authenticators to an authentication flow.
Factory for creating ClientAuthenticator instances.
 
 
 
 
 
 
TODO: remove this class entirely?
Information about the client connection
The simple SPI for authenticating clients/applications .
 
Represents the context in the request to register/read/update/unregister client by Dynamic Client Registration or Admin REST API.
Provider plugin interface for importing clients from an arbitrary configuration format
Provider plugin interface for importing clients from an arbitrary configuration format
 
 
 
 
 
Validates client based on "client_id" and "client_secret" sent either in request parameters or in "Authorization: Basic" header .
Traditional OAuth2 authentication of clients based on client_id and client_secret
 
 
 
 
 
 
Provides a template/sample client config adapter file.
 
 
 
 
Abstraction interface for lookoup of clients by id and clientId.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Client Policies' (the set of all Client Policy) external representation class
 
 
Utilities for treating client policies/profiles
Just adds some type-safety to the ClientPolicyConditionConfiguration
This condition determines to which client a client policy is adopted.
 
 
 
Provides Client Policy Context.
Events on which client policies mechanism detects and do its operation
 
Just adds some type-safety to the ClientPolicyExecutorConfiguration
This executor specifies what action is executed on the client to which a client policy is adopted.
 
 
 
Provides a method for handling an event defined in ClientPolicyEvent.
 
 
 
 
 
Client Policy's external representation class
 
 
Client Profile's external representation class
Client Profiles' (the set of all Client Profile) external representation class
 
Provider of the client records.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Created by st on 29/03/17.
 
 
Base resource class for managing one particular client of a realm.
 
 
 
 
Partial Import handler for Client Roles.
 
 
 
 
 
 
 
 
Binding between client and clientScope
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Provider of the client scopes records.
 
 
 
 
 
 
Base resource class for managing one particular client of a realm.
 
 
 
 
 
 
 
 
 
Base resource class for managing a realm's client scopes.
 
 
 
Stored configuration of a Client scope Storage provider instance.
 
 
 
 
 
 
 
 
 
Request-scoped context object
 
 
 
 
 
PartialImport handler for Clients.
 
 
Base resource class for managing a realm's clients.
 
Base interface for components that want to provide an alternative storage mechanism for clients This is currently a private incomplete SPI.
 
Stored configuration of a Client Storage provider instance.
 
 
TODO Leave the name ClientTemplateEvent just due the backwards compatibility of infinispan migration.
 
 
Deprecated.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Ensures that there are not concurrent executions of same task (either on this host or any other cluster host)
 
Task to be executed on all cluster nodes once it's notified.
Deprecated.
This is only available when the legacy store is enabled.
 
 
 
 
Determines getter of a field which is unique across a set of the same entities within the same context.
 
 
SAML Action Type
SAML Advice Type
SAML AssertionType
Predecesor of AuthenticationSessionModel, ClientLoginSessionModel and ClientSessionModel (then action tickets).
 
 
 
Common configuration useful for all providers
Mapper related to mapping of LDAP groups to keycloak model objects (either keycloak roles or keycloak groups)
 
 
WARNING: Generated code! Do not edit!
SAML Request Abstract Type
 
Java class for StatusDetailType complex type.
 
Java class for ComplexAuthenticatorType complex type.
Java class for ComplexAuthenticatorType complex type.
 
 
 
 
 
 
 
Stored configuration of a User Storage provider instance.
 
 
 
 
 
 
 
 
KeyLocator that represents a list of multiple KeyLocators.
 
 
 
 
 
 
A Condition is used to specify how a specific query parameter is defined in order to filter query results.
Java class for ConditionAbstractType complex type.
 
 
 
 
An OTPFormAuthenticator that can conditionally require OTP authentication.
 
 
 
 
 
 
Java class for ConditionsType complex type.
Conditions validation as per Section 2.5 of https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
 
 
 
 
 
 
 
 
 
 
 
 
 
Event listener which synchronizes mapper configs, when references change.
Interface for updating references in mapper configs, when references (like group path) change.
 
 
Exception indicating an issue with the configuration
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Java class for ContactType complex type.
Java class for ContactTypeType.
 
 
 
 
 
 
 
 
 
Created by st on 21/03/17.
A Utility class that parses the Response object into the underlying ID attribute
Extension used to create an index for properties of JSON files stored in the database.
A SqlGenerator implementation that supports CreateJsonIndexStatements.
A SqlStatement that holds the information needed to create JSON indexes.
Single purpose method that knows how to authenticate a user based on a credential type.
 
used to set an execution a state based on type.
 
 
Implentations of this interface can validate CredentialInput, i.e.
 
 
 
Used just in cases when we want to "directly" update or retrieve the hash or salt of user credential (For example during export/import)
 
 
 
 
 
 
 
 
 
 
 
 
Output of credential validation
 
 
 
 
 
 
Cross-DC based CrossDCLastSessionRefreshStore Tracks the queue of lastSessionRefreshes, which were updated on this host.
 
Interface for CRUD operations on the storage.
 
 
 
Abstraction to handle differences between the APIs for non-fips and fips mode
 
 
This class overrides original ForeignKeySnapshotGenerator from liquibase 3.5.5.
 
We need to remove DELETE SQL command, which liquibase adds by default when inserting record to table lock.
 
We use "SELECT FOR UPDATE" pessimistic locking (Same algorithm like Hibernate LockMode.PESSIMISTIC_WRITE )
 
Liquibase lock service, which has some bugfixes and assumes timeouts to be configured in milliseconds
 
 
 
Util class for localized date and time representation
Encapsulates preloading of sessions within the DB Lock.
 
 
 
Global database lock to ensure that some actions in DB can be done just be one cluster node at a time.
Lock namespace to have different lock types or contexts.
 
 
Java class for DCEValueType complex type.
 
 
 
 
 
The decision strategy dictates how the policies associated with a given policy are evaluated and how a final decision is obtained.
Java class for DecisionType.
 
UserProfileProvider loading configuration from the changeable JSON file stored in component config.
Helper class for deep cloning and fine-grained instantiation per interface and deep copying their properties.
Builder for the DeepCloner helper class.
Function that clones properties from original object to a target object and returns the cloned object (usually the same as the target).
Function that instantiates a delegation object of type V with the given delegate provider
Function that instantiates a delegation object of type V with the given per-field delegate provider
Marker for interfaces that could be requested for instantiation and cloning.
Part of action token that is intended to be used e.g.
 
The default implementation for Attributes.
 
 
 
A single thread will log failures.
 
 
 
The provider retrieves a client certificate and the certificate chain (if any) from the incoming TLS connection.
The factory and the corresponding providers extract a client certificate and the certificate chain (if any) from the incoming TLS connection.
 
 
 
 
 
 
Binding between realm and default clientScope
 
 
Not thread safe.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
The default HttpClientFactory for HttpClientProvider's used by Keycloak for outbound HTTP calls.
 
 
 
 
 
 
 
 
 
 
Default implementation of DefaultLazyLoader that only fetches data once.
 
A MapLiquibaseConnectionProvider implementation for the map-jpa module.
MapLiquibaseConnectionProviderFactory implementation for the map-jpa module.
 
 
 
 
Standard implementation for a MapSubjectCredentialManagerEntity where the store doesn't provide validation of credentials.
Various common utils needed for migration from older version to newer
 
Generic instantiable DescriptiveModelCriteria.
The default implementation for generating/formatting user code of OAuth 2.0 Device Authorization Grant.
 
 
 
 
 
 
 
 
 
ArtifactResolver for artifact-04 format.
 
A ScriptingProvider that uses a ScriptEngineManager to evaluate scripts with a ScriptEngine.
 
 
 
 
 
 
 
 
 
Default token exchange implementation
Default token exchange provider factory
 
Generic implementation of a node in a tree.
The default implementation for UserProfile.
 
Default VaultCharSecret implementation based on CharBuffer.
Default raw secret implementation for byte[].
Default VaultCharSecret implementation based on String.
Default VaultTranscriber implementation that uses the configured VaultProvider to obtain raw secrets and convert them into other types.
Encoder of saml messages based on DEFLATE compression
Interface for a provider of a delegate of type T, optionally providing the flag on the object been updated.
 
 
 
Explicitly deny access to the resources.
 
Allows to CRUD for configurations (like Authenticator configs).
Allows to register "deployed configurations", which are retrieved in runtime from deployed providers and hence are not saved in the DB
 
 
 
 
 
 
 
 
 
Extract PrivateKey, PublicKey, and X509Certificate from a DER encoded byte array or file.
 
Descriptive model criteria implementation which in other words represents a Boolean formula on searchable fields.
 
Holder containing the information about a destination
Check that Destination field in SAML request/response is either unset or matches the expected one.
 
Cookie encapsulating data to be displayed on the info/error page.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Java class for DeviceTypeType.
Java class for DeviceTypeType.
Java class for DigestMethodType complex type.
 
 
 
 
Construct a DirExportProviderFactory to be used to export one or more realms.
 
 
 
Persistence of userSessions is disabled .
Per the docker auth v2 spec, access is defined like this: { "type": "repository", "name": "samalba/my-app", "actions": [ "push", "pull" ] }
 
 
 
 
 
 
 
 
Representation of the docker-compose.yaml file
 
 
Implements a docker-client understandable format.
JSON Representation of a Docker Error in the following format: { "code": "UNAUTHORIZED", "message": "access to the requested resource is not authorized", "detail": [ { "Type": "repository", "Name": "samalba/my-app", "Action": "pull" }, { "Type": "repository", "Name": "samalba/my-app", "Action": "push" } ] }
 
The “kid” field has to be in a libtrust fingerprint compatible format.
 
 
Creates a response understandable by the docker client in the form: { "token" : "eyJh...nSQ", "expires_in" : 300, "issued_at" : "2016-09-02T10:56:33Z" }
* { "iss": "auth.docker.com", "sub": "jlhawn", "aud": "registry.docker.com", "exp": 1415387315, "nbf": 1415387015, "iat": 1415387015, "jti": "tYJCO1c6cnyy7kAn0c7rKPgbV1H1bFws", "access": [ { "type": "repository", "name": "samalba/my-app", "actions": [ "push" ] } ] }
 
 
Utility dealing with DOM
PLINK-158: Maintain backward compatibility
Validate input being any kind of Number.
 
Java class for DSAKeyValueType complex type.
Dummy lock service injected to Liquibase.
Validator to check User Profile email duplication conditions based on realm settings like isDuplicateEmailsAllowed.
Validator to check that User Profile username already exists in database for another user in case of it's change, and fail in this case.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Validator to check User Profile email duplication conditions if isDuplicateEmailsAllowed is false but isRegistrationEmailAsUsername is true.
 
 
 
 
 
 
 
Email format validation - accepts plain string and collection of strings, for basic behavior like null/blank values handling and collections support see AbstractStringValidator.
 
 
Assertion that is encrypted
Java class for EncryptedDataType complex type.
Represents an element that is encrypted
Java class for EncryptedKeyType complex type.
Java class for EncryptedType complex type.
Java class for EncryptionMethodType complex type.
 
Java class for EncryptionPropertiesType complex type.
Java class for EncryptionPropertyType complex type.
Java class for EndpointType complex type.
Java class for EntitiesDescriptorType complex type.
*
 
 
 
 
Java class for EntityDescriptorType complex type.
 
 
Represents a field in an entity with appropriate accessors.
 
 
 
Classes implementing this interface guarantee that for each instance of this class, there exists an mutually unique integer which is stable in time, and identifies always the same instance of this class.
 
Providers that are only supported in some environments can implement this interface to be able to determine if they should be available or not.
Replaces any ${} strings with their corresponding system property.
 
 
Error Codes for PicketLink https://docs.jboss.org/author/display/PLINK/PicketLink+Error+Codes
 
 
 
 
 
An exception that can hold a Response object.
 
 
 
 
 
 
 
 
 
Wraps a ScriptModel so it can be evaluated with custom bindings.
An Evaluation is mainly used by PolicyProvider in order to evaluate a single and specific ResourcePermission against the configured policies.
This interface serves as a bridge between the policy evaluation runtime and the environment in which it is running.
A factory for the different PermissionEvaluator implementations.
 
 
AttributeChangeListener to audit user profile attribute changes into Event.
 
 
 
 
Adding listeners to Hibernate's entity manager for the JPA Map store.
 
 
 
 
 
 
 
 
 
 
 
Java class for EvidenceType complex type.
 
Use to unwrap exceptions specifically if there is an exception at JTA commit
 
Exchange a token crafted by this provider for a local realm token.
 
 
 
 
 
 
 
 
This interface provides a way for marking entities that can expire.
 
Token verification exception that bears an error to be logged via event system and a message to show to the user e.g.
 
This adapter allows the exporter to act independent of APIs used to serve the exported data to the caller.
Custom consumer that is allowed to throw an IOException as writing to an output stream might do this.
 
 
Manage importing and updating of realms for the legacy store.
Just to wrap IOException
 
 
 
 
 
A type that contains a list of ExtensionType
Java class for ExtensionOnlyType complex type.
Java class for ExtensionOnlyType complex type.
Java class for ExtensionsType complex type.
Java class for ExtensionsType complex type.
Java class for ExtensionType complex type.
Java class for ExtensionType complex type.
 
 
 
 
 
User attribute mapper.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
MapStorage implementation used with the file map storage.
File-based MapStorageProvider implementation.
A MapStorageProviderFactory that creates file-based MapStorageProviders.
 
 
A text-based vault provider, which stores each secret in a separate file.
Creates and configures FilesPlainTextVaultProvider.
 
 
 
 
 
Deprecated.
Deprecated.
Constants copied from XMLConstants to work around issues with IntelliJ See https://issues.redhat.com/browse/KEYCLOAK-19403
Status of an execution/authenticator in a Authentication Flow
 
 
 
To provide a typed exception for Forbidden (This doesn't exist in Resteasy 2.3.7)
 
Thrown internally when authenticator wants to fork the current flow.
Fine grain processing of a form.
Factory for instantiating FormAction objects.
 
 
This class is responsible for rendering a form.
Factory for instantiating FormAuthenticators.
 
Interface that encapsulates the current state of the current form being executed
Message (eg.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Mapper useful for the LDAP deployments when some attribute (usually CN) is mapped to full name of user
 
Set the 'name' claim to be first + last name.
Check that switch "fullScopeAllowed" is not enabled for the clients
 
Check that switch "fullScopeAllowed" is not enabled for the clients
Not thread-safe.
Constants
 
 
Extension used to add generated column to the table.
A SqlGenerator implementation that supports GeneratedColumnStatements.
A SqlStatement that extends the standard AddColumnStatement to include properties to either identify the JSON column and JSON property or a column name (hashOf) to be used for hashing that are to be used to generated the values for the column being added.
 
 
Specifies the default implementation with a no-args constructor for a container property (e.g.
 
 
 
 
 
 
 
 
Java class for anonymous complex type.
Java class for anonymous complex type.
 
 
 
User attribute mapper.
 
 
 
 
 
 
Result of the "global" request (like push notBefore or logoutAll), which is send to all cluster nodes
 
 
 
 
User attribute mapper.
Java class for GoverningAgreementRefType complex type.
Java class for GoverningAgreementRefType complex type.
Java class for GoverningAgreementsType complex type.
Java class for GoverningAgreementsType complex type.
 
 
 
 
 
 
Updates a group reference in a mapper config, when the path of a group changes.
 
 
 
 
 
 
 
 
 
Maps user group membership
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Provider of group records
 
 
 
 
 
 
 
 
 
 
Partial import handler for Groups.
 
 
 
 
 
 
Stored configuration of a Group Storage provider instance.
 
 
 
 
 
 
 
 
 
 
 
 
The provider allows to extract X.509 client certificate forwarded to the keycloak middleware configured behind the haproxy reverse proxy.
 
 
Mappings UserModel property (the property name of a getter method) to an AttributeStatement.
 
 
 
 
Key locator for a bunch of keys.
 
 
 
 
 
 
 
Add a role to a token
Mappings UserModel property (the property name of a getter method) to an AttributeStatement.
 
 
 
 
 
 
 
 
 
 
 
 
Interface for all objects which are bound to a realm and retain reference to its ID.
 
 
 
 
 
 
 
 
 
 
 
The Hostname provider is used by Keycloak to decide URLs for frontend and backend requests.
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
!!! Please do not change this class !!! If some change is needed please create a new version of this class and solve the migration on top-level entities.
WARNING: Generated code! Do not edit!
!!! Please do not change this class !!! If some change is needed please create a new version of this class and solve the migration on top-level entities.
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
!!! Please do not change this class !!! If some change is needed please create a new version of this class and solve the migration on top-level entities.
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
When no JTA transaction is present in the runtime this wrapper is used to enlist HotRod client provided transaction to our KeycloakTransactionManager.
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
!!! Please do not change this class !!! If some change is needed please create a new version of this class and solve the migration on top-level entities.
WARNING: Generated code! Do not edit!
HotRod client provides its own GenericTransactionManagerLookup that is able to locate variety of JTA transaction implementation present in the runtime.
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
 
 
 
 
Abstraction for creating HttpClients.
 
 
 
 
An extension of javax.ws.rs.core.Cookie in order to support additional fields and behavior.
 
 
 
Deprecated.
Class is deprecated and may be removed in the future.
Represents an incoming HTTP request.
 
Represents an out coming HTTP response.
 
 
 
 
This class provides knowledge on how to build Ickle query where clauses for specified ModelCriteriaBuilder.Operator.
This class provides knowledge on how to build Ickle query where clauses for specified SearchableModelField.
Java class for IdentificationType complex type.
Java class for IdentificationType complex type.
Represents a security identity, which can be a person or non-person entity that was previously authenticated.
 
Encapsulates parsing logic related to state passed to identity provider in "state" (or RelayState) parameter
 
 
 
 
 
 
 
 
 
 
 
 
Specifies a mapping from broker login to user data.
 
PartialImport handler for Identitiy Provider Mappers.
 
 
 
 
A model type representing the configuration for identity providers.
 
 
 
 
PartialImport handler for Identitiy Providers.
 
 
 
 
IdentityStore representation providing minimal SPI TODO: Rather remove this abstraction
An LSResource Resolver for schema validation
 
Utility class that generates unique IDs
 
 
 
 
 
 
 
 
 
 
Java class for IDPEntryType complex type.
Holds essential information about an IDP for creating saml messages.
Java class for IDPListType complex type.
 
 
 
 
Java class for IDPSSODescriptorType complex type.
Same like classic username+password form, but for use in IdP linking.
 
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for verification of e-mail address.
 
 
 
A validator that fails when the attribute is marked as read only and its value has changed.
 
Session note metadata for impersonation details stored in user session notes.
 
 
 
 
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports validating users.
This implementation of KeycloakSession wraps an existing session and directs all calls to the datastore provider to a separate KeycloakSessionFactory.
 
 
Deprecated.
This wraps an existing KeycloakSessionFactory and redirects all calls to a MapStorageProvider to ConcurrentHashMapStorageProvider.
 
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports syncing users to keycloak local storage.
 
 
 
 
 
Java class for IndexedEndpointType complex type.
 
 
Startup initialization for reading persistent userSessions to be filled into infinispan/memory .
 
 
 
 
 
 
This impl is aware of Cross-Data-Center scenario too
 
 
 
Abstract subclass for Wildfly externalizers.
 
 
 
 
 
 
Impl for sending infinispan messages across cluster and listening to them
 
 
TODO: Check if Boolean can be used as single-use cache argument instead of SingleUseObjectValueEntity.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Note that this state is NOT thread safe.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
User attribute mapper.
Validate input being integer number Integer or Long.
 
 
 
 
 
 
 
Handles invalidation requests.
Tagging interface for the kinds of invalidatable object
 
Wraps a ScriptModel and makes it Invocable.
Exception indicating that the IssueInstant is missing
Holds info about the issuer for saml messages creation
Exception indicating that the issuer is not trusted
 
 
 
 
 
 
Utility to obtain JAXB2 marshaller/unmarshaller etc
Utility class associated with JAXP Validation
 
 
 
 
 
 
Factory for the SAML v2 Authn Response
SAML Constants
Define the constants based on URI
Wrapper for JDBC connections retrieved from a connection pool.
 
An interface to represent signed (JWS) and encrypted (JWE) JWTs.
This interface represents a JOSE header.
 
JPA MapAdminEventEntity implementation.
A MapStorage implementation for admin event entities.
Class that contains all the admin event metadata that is written as JSON into the database.
Migration functions for admin events.
A JpaModelCriteriaBuilder implementation for admin events.
 
Interface for jpa child entities which are in form of attributes.
Enhances JpaAttributeEntity with value_hash column.
Entity represents individual authentication session.
 
 
JPA implementation for auth event details.
JPA MapAuthEventEntity implementation.
A MapStorage implementation for auth event entities.
Class that contains all the auth event metadata that is written as JSON into the database.
Migration functions for authentication events.
 
 
Extends Hibernate's DefaultAutoFlushEventListener to always flush queued inserts to allow correct handling of orphans of that entities in the same transactions, and also to clear a session-level query cache.
Interface for all child entities for JPA map storage.
 
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
 
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
Entity represents authenticated client session.
 
 
 
JPA MapComponentEntity implementation.
Class that contains all the component metadata that is written as JSON into the database.
Migration functions for components.
 
 
 
Base class for all delegate providers for the JPA storage.
 
 
 
 
 
Listen on changes on child- and root entities and updates the current entity version of the root.
 
 
 
 
 
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
 
A DelegateProvider implementation for JpaLockEntity.
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
This is needed for example by org.keycloak.transaction.JtaTransactionWrapper to map an exception that occurs on commit.
A FunctionContributor to register custom functions.
Delegate for the JPA implementation for MapRoleEntityDelegate.
 
 
 
 
 
Abstract class containing methods common to all Jpa*ModelCriteriaBuilder implementations
Listen on changes on child entities and forces an optimistic locking increment on the closest parent aka root.
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
 
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
 
JPA implementation for realm attributes.
A DelegateProvider implementation for JpaRealmEntity.
JPA MapRealmEntity implementation.
A MapStorage implementation for realm entities.
Class that contains all the realm metadata that is written as JSON into the database.
Migration functions for realms.
A JpaModelCriteriaBuilder implementation for realms.
 
 
 
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
 
 
This is a child table of JpaRoleEntity that is managed via named queries to avoid loading all its contents via a OneToMany relation.
The composite primary key representation for JpaRoleCompositeEntity.
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
 
Entity represents root authentication session.
 
 
 
 
Interface for all root entities in the JPA storage.
Interface for all root entities which implements optimistic locking.
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
JPA MapSingleUseObjectEntity implementation.
A MapStorage implementation for single-use object entities.
Class that contains all the single-use object metadata that is written as JSON into the database.
Migration functions for single-use objects.
A JpaModelCriteriaBuilder implementation for single-use objects.
JPA implementation for single-use object notes.
 
This is handed down to a JpaModelCriteriaBuilder to be able to create subqueries.
Wraps an EntityTransaction as a KeycloakTransaction so it can be enlisted in KeycloakTransactionManager.
 
 
 
 
 
 
 
 
Migration class to remove old rh-sso themes.
 
Update CREATED_ON and LAST_SESSION_REFRESH columns to current startup time
 
 
Status of database up-to-dateness
 
 
JPA implementation for user attributes.
JPA MapUserConsentEntity implementation.
Class that contains all the user consent metadata that is written as JSON into the database.
Migration functions for user consents.
 
 
A DelegateProvider implementation for JpaUserEntity.
JPA MapUserEntity implementation.
JPA MapUserFederatedIdentityEntity implementation.
Class that contains all the user federated identity metadata that is written as JSON into the database.
Migration functions for user federated identities.
 
 
JPA MapUserLoginFailureEntity implementation.
A JpaMapStorage implementation for user login failure entities.
Class that contains all the user login failure metadata that is written as JSON into the database.
Migration functions for user login failures.
A JpaModelCriteriaBuilder implementation for user login failures.
A MapStorage implementation for user entities.
Class that contains all the user metadata that is written as JSON into the database.
Migration functions for users.
A JpaModelCriteriaBuilder implementation for users.
 
 
There are some fields marked by @Column(insertable = false, updatable = false).
 
 
 
 
 
 
 
 
A MetadataBuilderContributor to register JSONB type.
 
Component model backed by JSON configuration.
 
 
A LiquibaseDataType to handle the JSON column type.
Utility class to handle simple JSON serializable for Keycloak.
Utility methods for manipulating JSON objects.
 
 
 
 
 
 
 
Get keycloak.js file for javascript clients
 
JTA TransactionManager lookup
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Client authentication based on JWT signed by client private key .
Client authentication based on JWT signed by client private key .
Client authentication based on JWT signed by client secret instead of private key .
Client authentication based on JWT signed by client secret instead of private key .
Override explicitly added ExceptionMapper for handling UnrecognizedPropertyException in RestEasy Jackson org.jboss.resteasy.plugins.providers.jackson.UnrecognizedPropertyExceptionHandler
Configuration specific to KerberosFederationProvider
 
 
Factory for standalone Kerberos federation provider.
Provides abstraction to handle differences between various JDK vendors (Sun, IBM)
 
Provides serialization/deserialization of kerberos GSSCredential, so it can be transmitted from auth-server to the application and used for further calls to kerberos-secured services
 
 
 
Java class for KeyActivationType complex type.
Java class for KeyActivationType complex type.
Provides a Keycloak client.
 
Provides a Keycloak client builder with the ability to customize the underlying RESTEasy client used to communicate with the Keycloak server.
 
 
 
 
A LiquibaseDataType to handle hashed value of other column.
Needed on Wildfly, so that remoteStore (hotRod client) can find our classes
 
A LiquibaseDataType used in columns that reference an entity that can be external to the JPA storage.
 
Extending the Liquibase StandardLockService for situations where it failed on a H2 database.
A Logger implementation that delegates to a JBoss Logger.
A LogService implementation that creates instances of KeycloakLogger.
Helper to optimize marshalling/unmarhsalling of some types
 
 
Set of helper methods, which are useful in various model implementations.
 
 
 
 
 
 
Class of constants relating to the OpenAPI annotations in Keycloak and the Keycloak Admin REST API
 
 
 
 
 
 
 
Allows sanitizing of html that uses Freemarker ?no_esc.
Based on the EbayPolicyExample in owasp java-html-sanitizer.
Available in secured requests under HttpServletRequest.getAttribute() Also available in HttpSession.getAttribute under the classname of this class
 
 
 
Task to be executed inside transaction
Interface for tasks that compute a result and need access to the KeycloakSession.
 
 
 
 
 
Java class for KeyDescriptorType complex type.
Java class for KeyInfoConfirmationDataType complex type.
 
Tools for KeyInfo object manipulation.
Java class for KeyInfoType complex type.
This interface defines a method for obtaining a security key by ID.
Helper class that facilitates the hash of a Key to be located easier.
 
 
 
 
 
 
 
 
 
 
Java class for KeySharingType complex type.
Java class for KeySharingType complex type.
 
 
 
 
Java class for KeyStorageType complex type.
Java class for KeyStorageType complex type.
Configuration of KeyStore.
 
 
 
Java class for KeyTypes.
 
 
 
Java class for KeyValueType complex type.
Java class for localizedURIType complex type.
 
 
 
 
 
 
A functional interface that can be used to return data D from a source S where implementations are free to define how and when data is fetched from source as well how it is internally cached.
Value object to represent an OID (object identifier) as used to describe LDAP schema, extension and features.
 
 
 
 
 
 
Single RDN inside the DN.
 
An IdentityStore implementation backed by an LDAP directory
 
 
 
 
 
Single RDN inside the DN.
 
An IdentityStore implementation backed by an LDAP directory
 
 
 
This class provides a set of operations to manage LDAP trees.
 
TODO: Possibly add "priority" instead of hardcoding behaviour
Default IdentityQuery implementation.
 
 
 
 
 
 
 
Utility class for working with LDAP.
Abstract class containing methods common to all Ldap*ModelCriteriaBuilder implementations
 
 
This class provides a set of operations to manage LDAP trees.
 
Configuration specific to LDAPStorageProvider
Default IdentityQuery implementation.
 
 
 
 
 
 
 
 
 
 
 
 
 
TODO: LDAPStorageMapper should be divided into more interfaces and let the LDAPStorageMapperManager to check which operation (feature) is supported by which mapper implementation
 
 
 
Track which LDAP users were already enlisted during this transaction
 
Utility class for working with LDAP.
Allow to directly call some operations against LDAPIdentityStore.
User model delegate, which tracks what attributes were written to LDAP in this transaction.
Enables legacy support when managing attributes without the declarative provider.
 
 
This wraps the functionality about export/import for legacy storage.
This wraps the functionality for migrations of the legacy storage.
 
Support for elements in Keycloak's session that are deprecated.
 
 
 
 
 
Event for notifying legacy store, so it can do migrations on the representation as needed.
Event for notifying legacy store about the need to reconfigure user providers sychronization.
Handling credentials for a given user for the legacy store.
 
 
Java class for LengthType complex type.
Java class for LengthType complex type.
String value length validation - accepts plain string and collection of strings, for basic behavior like null/blank values handling and collections support see AbstractStringValidator.
 
API for linking/unlinking social login accounts
Deprecated.
Deprecated.
Specific OIDC LinkedIn provider for Sign In with LinkedIn using OpenID Connect product app.
Specific OIDC LinkedIn provider for Sign In with LinkedIn using OpenID Connect product app.
Specific public key loader that assumes that use for the keys is the requested one.
User attribute mapper.
Method used to format link expiration time period in emails.
 
 
 
 
 
 
 
 
 
A date validator that only takes into account the format associated with the current locale.
 
 
 
 
 
 
 
 
 
Java class for localizedNameType complex type.
Java class for localizedURIType complex type.
This exception is thrown when acquiring a lock times out.
 
 
 
 
 
 
This flags the session that all information loaded from the stores should be locked as the service layer plans to modify it.
 
 
Indicates that retrieve lock wasn't successful, but it worth to retry it in different transaction (For example if we were trying to create LOCK table, but other transaction created the table in the meantime etc)
The decision strategy dictates how the policies associated with a given policy are evaluated and how a final decision is obtained.
 
 
This check verifies that user ID (subject) from the token matches the one from the authentication session.
Verifies that if authentication session exists and any action is required according to it, then it is the expected one.
Verifies whether the given redirect URL, when set, is valid for the given client.
 
 
 
 
 
 
 
 
 
 
 
 
 
Various util methods, so the logic is not hardcoded in freemarker beans
 
 
 
 
 
Java class for localizedURIType complex type.
 
 
 
 
Java class for LogoutRequestType complex type.
 
 
 
Utilities for OIDC logout
 
 
 
 
 
 
A Service Provider Interface (SPI) that allows to plug-in a cache manager instance.
 
 
Java class for ManageNameIDRequestType complex type.
Java class for ManifestType complex type.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Output of a credential validation.
 
 
 
BlockContext which handles any entity accompanied with EntityField field getters and setters, namely Map*Entity classes.
 
 
 
 
This wraps the functionality about export/import for legacy storage.
 
Implementing a GlobalLockProvider based on a map storage.
Factory to create a GlobalLockProvider backed by a Map store.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Status of database up-to-dateness
 
 
 
 
 
Entity to hold locks needed for the MapGlobalLockProvider.