Package org.keycloak.broker.oidc
Class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityProviderConfig>
java.lang.Object
org.keycloak.broker.provider.AbstractIdentityProvider<C>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<C>
- All Implemented Interfaces:
  ExchangeExternalToken, ExchangeTokenToIdentityProviderToken, IdentityProvider<C>, Provider
- Direct Known Subclasses:
  BitbucketIdentityProvider, FacebookIdentityProvider, GitHubIdentityProvider, InstagramIdentityProvider, MicrosoftIdentityProvider, OAuth2IdentityProvider, OIDCIdentityProvider, OpenshiftV4IdentityProvider, PayPalIdentityProvider, StackoverflowIdentityProvider
public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityProviderConfig>
extends AbstractIdentityProvider<C>
implements ExchangeTokenToIdentityProviderToken, ExchangeExternalToken
- Author:
  Pedro Igor
Nested Class Summary
Nested Classes (Modifier and Type / Class / Description):
- protected static class
- static class: a custom variant of AccessTokenResponse which avoids primitives that would auto-add zero values to the original responses.
Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider:
- IdentityProvider.AuthenticationCallback
Field Summary
Fields (Modifier and Type / Field):
- static final String ACCESS_DENIED
- static final String ACCESS_TOKEN_EXPIRATION
- static final String FEDERATED_REFRESH_TOKEN
- static final String FEDERATED_TOKEN_EXPIRATION
- protected static final org.jboss.logging.Logger logger
- protected static com.fasterxml.jackson.databind.ObjectMapper mapper
- static final String OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE
- static final String OAUTH2_GRANT_TYPE_REFRESH_TOKEN
- static final String OAUTH2_PARAMETER_ACCESS_TOKEN
- static final String OAUTH2_PARAMETER_CLIENT_ID
- static final String OAUTH2_PARAMETER_CLIENT_SECRET
- static final String OAUTH2_PARAMETER_CODE
- static final String OAUTH2_PARAMETER_GRANT_TYPE
- static final String OAUTH2_PARAMETER_REDIRECT_URI
- static final String OAUTH2_PARAMETER_RESPONSE_TYPE
- static final String OAUTH2_PARAMETER_SCOPE
- static final String OAUTH2_PARAMETER_STATE
Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider:
ACCOUNT_LINK_URL, BROKER_REGISTERED_NEW_USER, session, UPDATE_PROFILE_EMAIL_CHANGED, UPDATE_PROFILE_USERNAME_CHANGED
Fields inherited from interface org.keycloak.broker.provider.IdentityProvider:
EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN
Constructor Summary
Constructors:
- AbstractOAuth2IdentityProvider
Method Summary
Methods (Modifier and Type / Method / Description):
- com.fasterxml.jackson.databind.JsonNode asJsonNode(String json)
- authenticateTokenRequest(SimpleHttpRequest tokenRequest)
- void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
- protected SimpleHttpRequest buildUserInfoRequest(String subjectToken, String userInfoUrl)
- Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event): JAX-RS callback endpoint for when the remote IdP wants to call back to Keycloak.
- protected jakarta.ws.rs.core.UriBuilder createAuthorizationUrl(…)
- protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken)
- final BrokeredIdentityContext exchangeExternal(TokenExchangeProvider tokenExchangeProvider, TokenExchangeContext tokenExchangeContext)
- void exchangeExternalComplete(UserSessionModel userSession, BrokeredIdentityContext context, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
- protected BrokeredIdentityContext exchangeExternalTokenV1Impl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params): used with token exchange V1.
- protected BrokeredIdentityContext exchangeExternalTokenV2Impl(TokenExchangeContext tokenExchangeContext): used with external-to-internal token exchange V2.
- protected BrokeredIdentityContext exchangeExternalUserInfoValidationOnly(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
- jakarta.ws.rs.core.Response exchangeFromToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
- protected jakarta.ws.rs.core.Response exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- protected jakarta.ws.rs.core.Response exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode node)
- protected String extractTokenFromResponse(String response, String tokenName)
- generateToken
- getAccessTokenResponseParameter
- getConfig
- getDefaultScopes
- getFederatedIdentity(String response)
- getJsonProperty(com.fasterxml.jackson.databind.JsonNode jsonNode, String name): get a JSON property as text.
- protected String getProfileEndpointForValidation(…)
- protected SimpleHttpRequest getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret)
- protected SignatureSignerContext getSignatureContext(…)
- protected jakarta.ws.rs.core.Response hasExternalExchangeToken(EventBuilder event, UserSessionModel tokenUserSession, jakarta.ws.rs.core.MultivaluedMap<String, String> params): checks whether there is a token exchange in the session, in other words whether this session was created by an external exchange.
- boolean isIssuer(…)
- jakarta.ws.rs.core.Response performLogin(AuthenticationRequest request): initiates the authentication process by sending an authentication request to an identity provider.
- jakarta.ws.rs.core.Response retrieveToken(KeycloakSession session, FederatedIdentityModel identity): returns a Response containing the token previously stored during the authentication process for a specific user.
- protected TokenMetadataRepresentation sendTokenIntrospectionRequest(String idpAccessToken, EventBuilder event): sends an introspection request as specified in the OAuth2 token introspection specification.
- protected boolean supportsExternalExchange()
- boolean supportsLongStateParameter()
- protected BrokeredIdentityContext validateExternalTokenThroughUserInfo(EventBuilder event, String subjectToken, String subjectTokenType)
- protected void validateExternalTokenWithIntrospectionEndpoint(TokenExchangeContext tokenExchangeContext): usually called during external-to-internal token exchange to validate the external token, which is the token issued by the IdP.
Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider:
backchannelLogout, close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, keycloakInitiatedBrowserLogout, preprocessFederatedIdentity, setEmailVerified, updateBrokeredUser, updateEmail
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.keycloak.broker.provider.IdentityProvider:
isMapperSupported, reloadKeys
Field Details
- logger: protected static final org.jboss.logging.Logger logger
- OAUTH2_GRANT_TYPE_REFRESH_TOKEN: static final String
- OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE: static final String
- FEDERATED_REFRESH_TOKEN: static final String
- FEDERATED_TOKEN_EXPIRATION: static final String
- ACCESS_DENIED: static final String
- mapper: protected static com.fasterxml.jackson.databind.ObjectMapper mapper
- OAUTH2_PARAMETER_ACCESS_TOKEN: static final String
- OAUTH2_PARAMETER_SCOPE: static final String
- OAUTH2_PARAMETER_STATE: static final String
- OAUTH2_PARAMETER_RESPONSE_TYPE: static final String
- OAUTH2_PARAMETER_REDIRECT_URI: static final String
- OAUTH2_PARAMETER_CODE: static final String
- OAUTH2_PARAMETER_CLIENT_ID: static final String
- OAUTH2_PARAMETER_CLIENT_SECRET: static final String
- OAUTH2_PARAMETER_GRANT_TYPE: static final String
- ACCESS_TOKEN_EXPIRATION: static final String
Constructor Details
- AbstractOAuth2IdentityProvider
Method Details

callback
public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
Description copied from interface IdentityProvider: JAX-RS callback endpoint for when the remote IdP wants to call back to Keycloak.
- Specified by: callback in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>
- Overrides: callback in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>

performLogin
public jakarta.ws.rs.core.Response performLogin(AuthenticationRequest request)
Description copied from interface IdentityProvider: initiates the authentication process by sending an authentication request to an identity provider. This method is called only once during the authentication.
- Specified by: performLogin in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>
- Overrides: performLogin in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>
- Parameters: request - the initial authentication request; it contains all the contextual information needed to build an authentication request to the identity provider.

retrieveToken
public jakarta.ws.rs.core.Response retrieveToken(KeycloakSession session, FederatedIdentityModel identity)
Description copied from interface IdentityProvider: returns a Response containing the token previously stored during the authentication process for a specific user.
- Specified by: retrieveToken in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>
getRefreshTokenRequest
protected SimpleHttpRequest getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret)

getConfig
- Specified by: getConfig in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>
- Overrides: getConfig in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>

extractTokenFromResponse
protected String extractTokenFromResponse(String response, String tokenName)

exchangeFromToken
public jakarta.ws.rs.core.Response exchangeFromToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
- Specified by: exchangeFromToken in interface ExchangeTokenToIdentityProviderToken
- Parameters: authorizedClient - the client requesting the exchange; tokenUserSession - UserSessionModel of the token being exchanged from; tokenSubject - UserModel of the token being exchanged from; params - form parameters received for the requested exchange

hasExternalExchangeToken
protected jakarta.ws.rs.core.Response hasExternalExchangeToken(EventBuilder event, UserSessionModel tokenUserSession, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
Checks whether there is a token exchange in the session, in other words whether this session was created by an external exchange.
- Parameters: tokenUserSession, params

exchangeStoredToken
protected jakarta.ws.rs.core.Response exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

exchangeSessionToken
protected jakarta.ws.rs.core.Response exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

getFederatedIdentity
getFederatedIdentity(String response)

getAccessTokenResponseParameter

doGetFederatedIdentity
protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken)

createAuthorizationUrl
protected jakarta.ws.rs.core.UriBuilder createAuthorizationUrl(…)
getJsonProperty
getJsonProperty(com.fasterxml.jackson.databind.JsonNode jsonNode, String name)
Gets a JSON property as text. JSON numbers and booleans are converted to text. An empty string is converted to null.
- Parameters: jsonNode - the node to get the property from; name - the name of the property to get
- Returns: the string value of the property, or null.

asJsonNode
com.fasterxml.jackson.databind.JsonNode asJsonNode(String json)
- Throws: IOException

getDefaultScopes

authenticationFinished
public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
- Specified by: authenticationFinished in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>
- Overrides: authenticationFinished in class AbstractIdentityProvider<C extends OAuth2IdentityProviderConfig>

authenticateTokenRequest
authenticateTokenRequest(SimpleHttpRequest tokenRequest)

generateToken

getSignatureContext
protected SignatureSignerContext getSignatureContext(…)

getProfileEndpointForValidation
protected String getProfileEndpointForValidation(…)
extractIdentityFromProfile
protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode node)

validateExternalTokenThroughUserInfo
protected BrokeredIdentityContext validateExternalTokenThroughUserInfo(EventBuilder event, String subjectToken, String subjectTokenType)

buildUserInfoRequest
protected SimpleHttpRequest buildUserInfoRequest(String subjectToken, String userInfoUrl)

supportsExternalExchange
protected boolean supportsExternalExchange()

isIssuer
- Specified by: isIssuer in interface ExchangeExternalToken

exchangeExternal
public final BrokeredIdentityContext exchangeExternal(TokenExchangeProvider tokenExchangeProvider, TokenExchangeContext tokenExchangeContext)
- Specified by: exchangeExternal in interface ExchangeExternalToken

exchangeExternalTokenV1Impl
protected BrokeredIdentityContext exchangeExternalTokenV1Impl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
Used with token exchange V1.
- Parameters: event - event builder; params - parameters of the token exchange request
- Returns: brokered identity context with the details about the user from the IdP

exchangeExternalTokenV2Impl
protected BrokeredIdentityContext exchangeExternalTokenV2Impl(TokenExchangeContext tokenExchangeContext)
Used with external-to-internal token exchange V2.
- Parameters: tokenExchangeContext - data about the token exchange request
- Returns: brokered identity context with the details about the user from the IdP

validateExternalTokenWithIntrospectionEndpoint
protected void validateExternalTokenWithIntrospectionEndpoint(TokenExchangeContext tokenExchangeContext)
Usually called during external-to-internal token exchange to validate the external token, which is the token issued by the IdP. The external token is validated by calling the OAuth2 introspection endpoint on the IdP side and checking that the response contains all the necessary claims and that the token is authorized for the token exchange (including validation of claims such as aud from the introspection response).
- Parameters: tokenExchangeContext - token exchange context with the external token (subject token) and other details related to the token exchange
- Throws: ErrorResponseException - in case validation failed for any reason
sendTokenIntrospectionRequest
protected TokenMetadataRepresentation sendTokenIntrospectionRequest(String idpAccessToken, EventBuilder event)
Sends an introspection request as specified in the OAuth2 token introspection specification. It requires
- Parameters: idpAccessToken - access token issued by the IdP; event - event builder
- Returns: token metadata in case the token introspection was successful and the token is valid and active
- Throws: ErrorResponseException - in case the introspection response was not correct for any reason (a status other than 200) or the token was not active

exchangeExternalUserInfoValidationOnly
protected BrokeredIdentityContext exchangeExternalUserInfoValidationOnly(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params)

exchangeExternalComplete
public void exchangeExternalComplete(UserSessionModel userSession, BrokeredIdentityContext context, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
- Specified by: exchangeExternalComplete in interface ExchangeExternalToken

supportsLongStateParameter
public boolean supportsLongStateParameter()
- Specified by: supportsLongStateParameter in interface IdentityProvider<C extends OAuth2IdentityProviderConfig>
- Returns: true if the identity provider supports a long value of the "state" parameter (or the "RelayState" parameter), which can hold a relatively large amount of context data
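As an added example (not Keycloak's own code), here is a minimal concrete subclass wiring together the hooks documented above: getDefaultScopes, supportsExternalExchange, getProfileEndpointForValidation, doGetFederatedIdentity, buildUserInfoRequest, extractIdentityFromProfile and getJsonProperty. It assumes a (KeycloakSession, config) constructor on the abstract class, an EventBuilder parameter on getProfileEndpointForValidation, an asJson() method on SimpleHttpRequest, a two-argument BrokeredIdentityContext(id, IdentityProviderModel) constructor, and a constructed profile URL.

```java
import com.fasterxml.jackson.databind.JsonNode;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;

// Hypothetical provider; PROFILE_URL is a constructed value, not a real service.
public class ExampleOAuth2IdentityProvider extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig> {
    private static final String PROFILE_URL = "https://idp.example.test/oauth2/userinfo";

    // Assumed constructor signature of the abstract class: (KeycloakSession, config).
    public ExampleOAuth2IdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
        super(session, config);
    }
    @Override
    protected String getDefaultScopes() {
        return "profile"; // request only what the profile lookup needs
    }
    @Override
    protected boolean supportsExternalExchange() {
        return true; // external tokens are checked against getProfileEndpointForValidation, never trusted as-is
    }
    @Override // parameter list assumed; the page shows only the method name
    protected String getProfileEndpointForValidation(EventBuilder event) {
        return PROFILE_URL;
    }
    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        try {
            // buildUserInfoRequest is documented above; asJson() on SimpleHttpRequest is assumed.
            JsonNode profile = buildUserInfoRequest(accessToken, PROFILE_URL).asJson();
            return extractIdentityFromProfile(null, profile);
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from the IdP.", e);
        }
    }
    @Override
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode profile) {
        String id = getJsonProperty(profile, "sub"); // null when the property is missing or empty
        if (id == null) {
            throw new IdentityBrokerException("Profile response has no 'sub' property; refusing to broker.");
        }
        BrokeredIdentityContext user = new BrokeredIdentityContext(id, getConfig()); // 2-arg constructor assumed
        user.setUsername(getJsonProperty(profile, "preferred_username"));
        user.setEmail(getJsonProperty(profile, "email"));
        user.setIdp(this);
        return user;
    }
}
```

The null check on the subject matters because getJsonProperty maps an empty string to null, and a brokered identity keyed on an empty id would link unrelated external accounts to one Keycloak user.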