Package org.keycloak.broker.oidc

Class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityProviderConfig>

java.lang.Object

org.keycloak.broker.provider.AbstractIdentityProvider<C>

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<C>

All Implemented Interfaces:

ExchangeExternalToken, ExchangeTokenToIdentityProviderToken, IdentityProvider<C>, Provider

Direct Known Subclasses:

BitbucketIdentityProvider, FacebookIdentityProvider, GitHubIdentityProvider, InstagramIdentityProvider, MicrosoftIdentityProvider, OIDCIdentityProvider, OpenshiftV4IdentityProvider, PayPalIdentityProvider, StackoverflowIdentityProvider

public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityProviderConfig>
extends AbstractIdentityProvider<C>
implements ExchangeTokenToIdentityProviderToken, ExchangeExternalToken

Author:

Pedro Igor

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static class	AbstractOAuth2IdentityProvider.Endpoint

Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider

IdentityProvider.AuthenticationCallback

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ACCESS_DENIED
static final String	FEDERATED_REFRESH_TOKEN
static final String	FEDERATED_TOKEN_EXPIRATION
protected static final org.jboss.logging.Logger	logger
protected static com.fasterxml.jackson.databind.ObjectMapper	mapper
static final String	OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE
static final String	OAUTH2_GRANT_TYPE_REFRESH_TOKEN
static final String	OAUTH2_PARAMETER_ACCESS_TOKEN
static final String	OAUTH2_PARAMETER_CLIENT_ID
static final String	OAUTH2_PARAMETER_CLIENT_SECRET
static final String	OAUTH2_PARAMETER_CODE
static final String	OAUTH2_PARAMETER_GRANT_TYPE
static final String	OAUTH2_PARAMETER_REDIRECT_URI
static final String	OAUTH2_PARAMETER_RESPONSE_TYPE
static final String	OAUTH2_PARAMETER_SCOPE
static final String	OAUTH2_PARAMETER_STATE

Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

ACCOUNT_LINK_URL, session

Fields inherited from interface org.keycloak.broker.provider.IdentityProvider

EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN

Constructor Summary

Constructors

Constructor	Description
AbstractOAuth2IdentityProvider(KeycloakSession session, C config)

Method Summary

Modifier and Type	Method	Description
com.fasterxml.jackson.databind.JsonNode	asJsonNode(String json)
SimpleHttp	authenticateTokenRequest(SimpleHttp tokenRequest)
void	authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
protected SimpleHttp	buildUserInfoRequest(String subjectToken, String userInfoUrl)
Object	callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)	JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
protected jakarta.ws.rs.core.UriBuilder	createAuthorizationUrl(AuthenticationRequest request)
protected BrokeredIdentityContext	doGetFederatedIdentity(String accessToken)
final BrokeredIdentityContext	exchangeExternal(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String,String> params)
void	exchangeExternalComplete(UserSessionModel userSession, BrokeredIdentityContext context, jakarta.ws.rs.core.MultivaluedMap<String,String> params)
protected BrokeredIdentityContext	exchangeExternalImpl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String,String> params)
protected BrokeredIdentityContext	exchangeExternalUserInfoValidationOnly(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String,String> params)
jakarta.ws.rs.core.Response	exchangeFromToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject, jakarta.ws.rs.core.MultivaluedMap<String,String> params)
protected jakarta.ws.rs.core.Response	exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
protected jakarta.ws.rs.core.Response	exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
protected BrokeredIdentityContext	extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode node)
protected String	extractTokenFromResponse(String response, String tokenName)
protected JsonWebToken	generateToken()
protected String	getAccessTokenResponseParameter()
C	getConfig()
protected abstract String	getDefaultScopes()
BrokeredIdentityContext	getFederatedIdentity(String response)
String	getJsonProperty(com.fasterxml.jackson.databind.JsonNode jsonNode, String name)	Get JSON property as text.
protected String	getProfileEndpointForValidation(EventBuilder event)
protected SignatureSignerContext	getSignatureContext()
protected jakarta.ws.rs.core.Response	hasExternalExchangeToken(EventBuilder event, UserSessionModel tokenUserSession, jakarta.ws.rs.core.MultivaluedMap<String,String> params)	check to see if we have a token exchange in session in other words check to see if this session was created by an external exchange
boolean	isIssuer(String issuer, jakarta.ws.rs.core.MultivaluedMap<String,String> params)
jakarta.ws.rs.core.Response	performLogin(AuthenticationRequest request)	Initiates the authentication process by sending an authentication request to an identity provider.
jakarta.ws.rs.core.Response	retrieveToken(KeycloakSession session, FederatedIdentityModel identity)	Returns a Response containing the token previously stored during the authentication process for a specific user.
protected boolean	supportsExternalExchange()
protected BrokeredIdentityContext	validateExternalTokenThroughUserInfo(EventBuilder event, String subjectToken, String subjectTokenType)

Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

backchannelLogout, close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, keycloakInitiatedBrowserLogout, preprocessFederatedIdentity, updateBrokeredUser

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.IdentityProvider

isMapperSupported, reloadKeys, supportsLongStateParameter

Field Details

logger

protected static final org.jboss.logging.Logger logger

OAUTH2_GRANT_TYPE_REFRESH_TOKEN

public static final String OAUTH2_GRANT_TYPE_REFRESH_TOKEN

See Also:

• Constant Field Values

OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

public static final String OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

See Also:

• Constant Field Values

FEDERATED_REFRESH_TOKEN

public static final String FEDERATED_REFRESH_TOKEN

See Also:

• Constant Field Values

FEDERATED_TOKEN_EXPIRATION

public static final String FEDERATED_TOKEN_EXPIRATION

See Also:

• Constant Field Values

ACCESS_DENIED

public static final String ACCESS_DENIED

See Also:

• Constant Field Values

mapper

protected static com.fasterxml.jackson.databind.ObjectMapper mapper

OAUTH2_PARAMETER_ACCESS_TOKEN

public static final String OAUTH2_PARAMETER_ACCESS_TOKEN

See Also:

• Constant Field Values

OAUTH2_PARAMETER_SCOPE

public static final String OAUTH2_PARAMETER_SCOPE

See Also:

• Constant Field Values

OAUTH2_PARAMETER_STATE

public static final String OAUTH2_PARAMETER_STATE

See Also:

• Constant Field Values

OAUTH2_PARAMETER_RESPONSE_TYPE

public static final String OAUTH2_PARAMETER_RESPONSE_TYPE

See Also:

• Constant Field Values

OAUTH2_PARAMETER_REDIRECT_URI

public static final String OAUTH2_PARAMETER_REDIRECT_URI

See Also:

• Constant Field Values

OAUTH2_PARAMETER_CODE

public static final String OAUTH2_PARAMETER_CODE

See Also:

• Constant Field Values

OAUTH2_PARAMETER_CLIENT_ID

public static final String OAUTH2_PARAMETER_CLIENT_ID

See Also:

• Constant Field Values

OAUTH2_PARAMETER_CLIENT_SECRET

public static final String OAUTH2_PARAMETER_CLIENT_SECRET

See Also:

• Constant Field Values

OAUTH2_PARAMETER_GRANT_TYPE

public static final String OAUTH2_PARAMETER_GRANT_TYPE

See Also:

• Constant Field Values

Constructor Details

AbstractOAuth2IdentityProvider

public AbstractOAuth2IdentityProvider(KeycloakSession session,
 C config)

Method Details

callback

public Object callback(RealmModel realm,
 IdentityProvider.AuthenticationCallback callback,
 EventBuilder event)

Description copied from interface: IdentityProvider

JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.

Specified by:

callback in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>

Overrides:

callback in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>

Returns:

performLogin

public jakarta.ws.rs.core.Response performLogin(AuthenticationRequest request)

Description copied from interface: IdentityProvider

Initiates the authentication process by sending an authentication request to an identity provider. This method is called only once during the authentication.

Specified by:

performLogin in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>

Overrides:

performLogin in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>

Parameters:

request - The initial authentication request. Contains all the contextual information in order to build an authentication request to the identity provider.

Returns:

retrieveToken

public jakarta.ws.rs.core.Response retrieveToken(KeycloakSession session,
 FederatedIdentityModel identity)

Description copied from interface: IdentityProvider

Returns a Response containing the token previously stored during the authentication process for a specific user.

Specified by:

retrieveToken in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>

Returns:

getConfig

public C getConfig()

Specified by:

getConfig in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>

Overrides:

getConfig in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>

extractTokenFromResponse

protected String extractTokenFromResponse(String response,
 String tokenName)

exchangeFromToken

public jakarta.ws.rs.core.Response exchangeFromToken(jakarta.ws.rs.core.UriInfo uriInfo,
 EventBuilder event,
 ClientModel authorizedClient,
 UserSessionModel tokenUserSession,
 UserModel tokenSubject,
 jakarta.ws.rs.core.MultivaluedMap<String,String> params)

Specified by:

exchangeFromToken in interface ExchangeTokenToIdentityProviderToken

authorizedClient - client requesting exchange

tokenUserSession - UserSessionModel of token exchanging from

tokenSubject - UserModel of token exchanging from

params - form parameters received for requested exchange

Returns:

hasExternalExchangeToken

protected jakarta.ws.rs.core.Response hasExternalExchangeToken(EventBuilder event,
 UserSessionModel tokenUserSession,
 jakarta.ws.rs.core.MultivaluedMap<String,String> params)

check to see if we have a token exchange in session in other words check to see if this session was created by an external exchange

Parameters:

tokenUserSession -

params -

Returns:

exchangeStoredToken

protected jakarta.ws.rs.core.Response exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo,
 EventBuilder event,
 ClientModel authorizedClient,
 UserSessionModel tokenUserSession,
 UserModel tokenSubject)

exchangeSessionToken

protected jakarta.ws.rs.core.Response exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo,
 EventBuilder event,
 ClientModel authorizedClient,
 UserSessionModel tokenUserSession,
 UserModel tokenSubject)

getFederatedIdentity

public BrokeredIdentityContext getFederatedIdentity(String response)

getAccessTokenResponseParameter

protected String getAccessTokenResponseParameter()

doGetFederatedIdentity

protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken)

createAuthorizationUrl

protected jakarta.ws.rs.core.UriBuilder createAuthorizationUrl(AuthenticationRequest request)

getJsonProperty

public String getJsonProperty(com.fasterxml.jackson.databind.JsonNode jsonNode,
 String name)

Get JSON property as text. JSON numbers and booleans are converted to text. Empty string is converted to null.

Parameters:

jsonNode - to get property from

name - of property to get

Returns:

string value of the property or null.

asJsonNode

public com.fasterxml.jackson.databind.JsonNode asJsonNode(String json)
                                                   throws IOException

Throws:

IOException

getDefaultScopes

protected abstract String getDefaultScopes()

authenticationFinished

public void authenticationFinished(AuthenticationSessionModel authSession,
 BrokeredIdentityContext context)

Specified by:

authenticationFinished in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>

Overrides:

authenticationFinished in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>

authenticateTokenRequest

public SimpleHttp authenticateTokenRequest(SimpleHttp tokenRequest)

generateToken

protected JsonWebToken generateToken()

getSignatureContext

protected SignatureSignerContext getSignatureContext()

getProfileEndpointForValidation

protected String getProfileEndpointForValidation(EventBuilder event)

extractIdentityFromProfile

protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event,
 com.fasterxml.jackson.databind.JsonNode node)

validateExternalTokenThroughUserInfo

protected BrokeredIdentityContext validateExternalTokenThroughUserInfo(EventBuilder event,
 String subjectToken,
 String subjectTokenType)

buildUserInfoRequest

protected SimpleHttp buildUserInfoRequest(String subjectToken,
 String userInfoUrl)

supportsExternalExchange

protected boolean supportsExternalExchange()

isIssuer

public boolean isIssuer(String issuer,
 jakarta.ws.rs.core.MultivaluedMap<String,String> params)

Specified by:

isIssuer in interface ExchangeExternalToken

exchangeExternal

public final BrokeredIdentityContext exchangeExternal(EventBuilder event,
 jakarta.ws.rs.core.MultivaluedMap<String,String> params)

Specified by:

exchangeExternal in interface ExchangeExternalToken

exchangeExternalImpl

protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event,
 jakarta.ws.rs.core.MultivaluedMap<String,String> params)

exchangeExternalUserInfoValidationOnly

protected BrokeredIdentityContext exchangeExternalUserInfoValidationOnly(EventBuilder event,
 jakarta.ws.rs.core.MultivaluedMap<String,String> params)

exchangeExternalComplete

public void exchangeExternalComplete(UserSessionModel userSession,
 BrokeredIdentityContext context,
 jakarta.ws.rs.core.MultivaluedMap<String,String> params)

Specified by:

exchangeExternalComplete in interface ExchangeExternalToken