Package org.keycloak.broker.oidc
Class OIDCIdentityProvider
java.lang.Object
org.keycloak.broker.provider.AbstractIdentityProvider<C>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
org.keycloak.broker.oidc.OIDCIdentityProvider
- All Implemented Interfaces:
ExchangeExternalToken
,ExchangeTokenToIdentityProviderToken
,IdentityProvider<OIDCIdentityProviderConfig>
,Provider
- Direct Known Subclasses:
GitLabIdentityProvider
,GoogleIdentityProvider
,KeycloakOIDCIdentityProvider
,LinkedInOIDCIdentityProvider
public class OIDCIdentityProvider
extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
implements ExchangeExternalToken
- Author:
- Pedro Igor
-
Nested Class Summary
Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
AbstractOAuth2IdentityProvider.Endpoint
Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider
IdentityProvider.AuthenticationCallback
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
static final String
static final String
static final String
protected static final org.jboss.logging.Logger
static final String
static final String
static final String
static final String
Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE
Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider
ACCOUNT_LINK_URL, session
Fields inherited from interface org.keycloak.broker.provider.IdentityProvider
EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN
-
Constructor Summary
ConstructorDescriptionOIDCIdentityProvider
(KeycloakSession session, OIDCIdentityProviderConfig config) -
Method Summary
Modifier and TypeMethodDescriptionvoid
authenticationFinished
(AuthenticationSessionModel authSession, BrokeredIdentityContext context) void
backchannelLogout
(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) protected void
backchannelLogout
(UserSessionModel userSession, String idToken) callback
(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.protected jakarta.ws.rs.core.UriBuilder
protected BrokeredIdentityContext
exchangeExternalImpl
(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params) protected jakarta.ws.rs.core.Response
exchangeSessionToken
(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) protected jakarta.ws.rs.core.Response
exchangeStoredToken
(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) protected BrokeredIdentityContext
extractIdentity
(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) protected BrokeredIdentityContext
extractIdentityFromProfile
(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo) protected String
getFederatedIdentity
(String response) protected KeyWrapper
protected String
protected SimpleHttp
getRefreshTokenRequest
(KeycloakSession session, String refreshToken, String clientId, String clientSecret) protected String
protected String
protected String
getUsernameFromUserInfo
(com.fasterxml.jackson.databind.JsonNode userInfo) protected boolean
isAuthTimeExpired
(JsonWebToken idToken, AuthenticationSessionModel authSession) boolean
jakarta.ws.rs.core.Response
keycloakInitiatedBrowserLogout
(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) Called when a Keycloak application initiates a logout through the browser.protected String
parseTokenInput
(String encodedToken, boolean shouldBeSigned) Parses a JWT token that can be a JWE, JWS or JWE/JWS.void
preprocessFederatedIdentity
(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context) protected void
processAccessTokenResponse
(BrokeredIdentityContext context, AccessTokenResponse response) refreshTokenForLogout
(KeycloakSession session, UserSessionModel userSession) Returns access token response as a string from a refresh token invocation on the remote OIDC brokerboolean
Reload keys for the identity provider if permitted in it.For example OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.protected boolean
protected final BrokeredIdentityContext
validateJwt
(EventBuilder event, String subjectToken, String subjectTokenType) validateToken
(String encodedToken) protected JsonWebToken
validateToken
(String encodedToken, boolean ignoreAudience) protected boolean
Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfo
Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider
close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.keycloak.broker.provider.ExchangeExternalToken
exchangeExternal, exchangeExternalComplete
Methods inherited from interface org.keycloak.broker.provider.IdentityProvider
isMapperSupported
-
Field Details
-
logger
protected static final org.jboss.logging.Logger logger -
SCOPE_OPENID
- See Also:
-
FEDERATED_ID_TOKEN
- See Also:
-
USER_INFO
- See Also:
-
FEDERATED_ACCESS_TOKEN_RESPONSE
- See Also:
-
VALIDATED_ID_TOKEN
- See Also:
-
ACCESS_TOKEN_EXPIRATION
- See Also:
-
EXCHANGE_PROVIDER
- See Also:
-
VALIDATED_ACCESS_TOKEN
- See Also:
-
-
Constructor Details
-
OIDCIdentityProvider
-
-
Method Details
-
callback
public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) Description copied from interface:IdentityProvider
JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.- Specified by:
callback
in interfaceIdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
callback
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
- Returns:
-
refreshTokenForLogout
Returns access token response as a string from a refresh token invocation on the remote OIDC broker- Parameters:
session
-userSession
-- Returns:
-
backchannelLogout
public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) - Specified by:
backchannelLogout
in interfaceIdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
backchannelLogout
in classAbstractIdentityProvider<OIDCIdentityProviderConfig>
-
backchannelLogout
-
keycloakInitiatedBrowserLogout
public jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) Description copied from interface:IdentityProvider
Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP- Specified by:
keycloakInitiatedBrowserLogout
in interfaceIdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
keycloakInitiatedBrowserLogout
in classAbstractIdentityProvider<OIDCIdentityProviderConfig>
- Returns:
- null if this is not supported by this provider
-
exchangeStoredToken
protected jakarta.ws.rs.core.Response exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) - Overrides:
exchangeStoredToken
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
processAccessTokenResponse
protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) -
getRefreshTokenRequest
protected SimpleHttp getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret) -
exchangeSessionToken
protected jakarta.ws.rs.core.Response exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) - Overrides:
exchangeSessionToken
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getFederatedIdentity
- Overrides:
getFederatedIdentity
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isAuthTimeExpired
-
extractIdentity
protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException - Throws:
IOException
-
getusernameClaimNameForIdToken
-
getUserInfoUrl
-
getIdentityProviderKeyWrapper
-
verify
-
parseTokenInput
Parses a JWT token that can be a JWE, JWS or JWE/JWS. It returns the content as a string. If JWS is involved the signature is also validated. A IdentityBrokerException is thrown on any error.- Parameters:
encodedToken
- The token in the encoded string format.shouldBeSigned
- true if the token should be signed (id token), false if the token can be only encrypted and not signed (user info).- Returns:
- The content in string format.
-
validateToken
-
validateToken
-
authenticationFinished
public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context) - Specified by:
authenticationFinished
in interfaceIdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
authenticationFinished
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getDefaultScopes
- Specified by:
getDefaultScopes
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isIssuer
- Specified by:
isIssuer
in interfaceExchangeExternalToken
- Overrides:
isIssuer
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
supportsExternalExchange
protected boolean supportsExternalExchange()- Overrides:
supportsExternalExchange
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getProfileEndpointForValidation
- Overrides:
getProfileEndpointForValidation
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
extractIdentityFromProfile
protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo) - Overrides:
extractIdentityFromProfile
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getUsernameFromUserInfo
-
validateJwt
protected final BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType) -
exchangeExternalImpl
protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params) - Overrides:
exchangeExternalImpl
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
createAuthorizationUrl
- Overrides:
createAuthorizationUrl
in classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
preprocessFederatedIdentity
public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context) - Specified by:
preprocessFederatedIdentity
in interfaceIdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
preprocessFederatedIdentity
in classAbstractIdentityProvider<OIDCIdentityProviderConfig>
-
reloadKeys
public boolean reloadKeys()Description copied from interface:IdentityProvider
Reload keys for the identity provider if permitted in it.For example OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.- Specified by:
reloadKeys
in interfaceIdentityProvider<OIDCIdentityProviderConfig>
- Returns:
- true if reloaded, false if not
-