Package org.keycloak.broker.oidc
Class OIDCIdentityProvider
Class hierarchy:
  java.lang.Object
    org.keycloak.broker.provider.AbstractIdentityProvider<C>
      org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
        org.keycloak.broker.oidc.OIDCIdentityProvider

- All Implemented Interfaces:
  ClientAssertionIdentityProvider, ExchangeExternalToken, ExchangeTokenToIdentityProviderToken, IdentityProvider<OIDCIdentityProviderConfig>, Provider
- Direct Known Subclasses:
  GitLabIdentityProvider, GoogleIdentityProvider, KeycloakOIDCIdentityProvider, KubernetesIdentityProvider, LinkedInOIDCIdentityProvider

public class OIDCIdentityProvider
extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
implements ExchangeExternalToken, ClientAssertionIdentityProvider

- Author:
  Pedro Igor
Nested Class Summary

Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
  AbstractOAuth2IdentityProvider.Endpoint, AbstractOAuth2IdentityProvider.OAuthResponse

Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider:
  IdentityProvider.AuthenticationCallback
Field Summary

Fields (modifier and type, then name; names are matched to the Field Details section below in the table's alphabetical order):
- static final String EXCHANGE_PROVIDER
- static final String FEDERATED_ACCESS_TOKEN_RESPONSE
- static final String FEDERATED_ID_TOKEN
- protected static final org.jboss.logging.Logger logger
- static final String SCOPE_OPENID
- static final String USER_INFO
- static final String VALIDATED_ACCESS_TOKEN
- static final String VALIDATED_ID_TOKEN

Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
  ACCESS_DENIED, ACCESS_TOKEN_EXPIRATION, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE

Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider:
  ACCOUNT_LINK_URL, BROKER_REGISTERED_NEW_USER, session, UPDATE_PROFILE_EMAIL_CHANGED, UPDATE_PROFILE_USERNAME_CHANGED

Fields inherited from interface org.keycloak.broker.provider.IdentityProvider:
  EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN
Constructor Summary

- OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config)
Method Summary

Methods declared in this class (modifier and type, then method, then description). Where the extracted table lost a method name, the name is taken from the Method Details section below by alphabetical position; where the table shows no parameter list, "(...)" marks it as not given on this page:
- void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
- void backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
- protected void backchannelLogout(UserSessionModel userSession, String idToken)
- Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
  JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
- protected jakarta.ws.rs.core.UriBuilder createAuthorizationUrl(...)
- protected BrokeredIdentityContext exchangeExternalTokenV1Impl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
  Usage with token-exchange V1.
- protected BrokeredIdentityContext exchangeExternalTokenV2Impl(TokenExchangeContext tokenExchangeContext)
  Usage with external-internal token-exchange v2.
- protected jakarta.ws.rs.core.Response exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- protected jakarta.ws.rs.core.Response exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken)
- protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
- protected String getDefaultScopes(...)
- getFederatedIdentity(String response) (return type not given on this page)
- protected KeyWrapper getIdentityProviderKeyWrapper(...)
- protected String getProfileEndpointForValidation(...)
- protected String getUserInfoUrl(...)
- protected String getusernameClaimNameForIdToken(...)
- protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
- protected boolean isAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession)
- boolean isIssuer(...)
- protected boolean isTokenTypeSupported(JsonWebToken parsedToken)
- jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
  Called when a Keycloak application initiates a logout through the browser.
- protected String parseTokenInput(String encodedToken, boolean shouldBeSigned)
  Parses a JWT token that can be a JWE, JWS or JWE/JWS.
- void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
- protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response)
- refreshTokenForLogout(session, userSession) (return type not given on this page)
  Returns access token response as a string from a refresh token invocation on the remote OIDC broker.
- boolean reloadKeys()
  Reload keys for the identity provider if permitted in it. For example OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.
- protected void setEmailVerified(UserModel user, BrokeredIdentityContext context)
- protected boolean supportsExternalExchange()
- protected BrokeredIdentityContext validateExternalTokenThroughUserInfo(EventBuilder event, String subjectToken, String subjectTokenType)
- protected final BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType)
- validateToken(String encodedToken) (return type not given on this page)
- protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)
- protected boolean verify(...)
- boolean verifyClientAssertion(...)

Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
  asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getRefreshTokenRequest, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, sendTokenIntrospectionRequest, supportsLongStateParameter, validateExternalTokenWithIntrospectionEndpoint

Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider:
  close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser, updateEmail

Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.ExchangeExternalToken:
  exchangeExternal, exchangeExternalComplete

Methods inherited from interface org.keycloak.broker.provider.IdentityProvider:
  isMapperSupported
Field Details

logger
  protected static final org.jboss.logging.Logger logger

SCOPE_OPENID
  static final String SCOPE_OPENID

FEDERATED_ID_TOKEN
  static final String FEDERATED_ID_TOKEN

USER_INFO
  static final String USER_INFO

FEDERATED_ACCESS_TOKEN_RESPONSE
  static final String FEDERATED_ACCESS_TOKEN_RESPONSE

VALIDATED_ID_TOKEN
  static final String VALIDATED_ID_TOKEN

EXCHANGE_PROVIDER
  static final String EXCHANGE_PROVIDER

VALIDATED_ACCESS_TOKEN
  static final String VALIDATED_ACCESS_TOKEN
Constructor Details

OIDCIdentityProvider
  OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config)
Method Details

callback
  public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
  Description copied from interface: IdentityProvider
  JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
  - Specified by: callback in interface IdentityProvider<OIDCIdentityProviderConfig>
  - Overrides: callback in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

refreshTokenForLogout
  Returns access token response as a string from a refresh token invocation on the remote OIDC broker.
  - Parameters: session, userSession

backchannelLogout
  public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
  - Specified by: backchannelLogout in interface IdentityProvider<OIDCIdentityProviderConfig>
  - Overrides: backchannelLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>

backchannelLogout
  protected void backchannelLogout(UserSessionModel userSession, String idToken)

keycloakInitiatedBrowserLogout
  public jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
  Description copied from interface: IdentityProvider
  Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP.
  - Specified by: keycloakInitiatedBrowserLogout in interface IdentityProvider<OIDCIdentityProviderConfig>
  - Overrides: keycloakInitiatedBrowserLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>
  - Returns: null if this is not supported by this provider

exchangeStoredToken
  protected jakarta.ws.rs.core.Response exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
  - Overrides: exchangeStoredToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

validateExternalTokenThroughUserInfo
  protected BrokeredIdentityContext validateExternalTokenThroughUserInfo(EventBuilder event, String subjectToken, String subjectTokenType)
  - Overrides: validateExternalTokenThroughUserInfo in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

processAccessTokenResponse
  protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response)

exchangeSessionToken
  protected jakarta.ws.rs.core.Response exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
  - Overrides: exchangeSessionToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getFederatedIdentity
  getFederatedIdentity(String response)
  - Overrides: getFederatedIdentity in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isAuthTimeExpired
  protected boolean isAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession)

extractIdentity
  protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException
  - Throws: IOException

getusernameClaimNameForIdToken

getUserInfoUrl

getIdentityProviderKeyWrapper

verify

parseTokenInput
  protected String parseTokenInput(String encodedToken, boolean shouldBeSigned)
  Parses a JWT token that can be a JWE, JWS or JWE/JWS. It returns the content as a string. If JWS is involved, the signature is also validated. An IdentityBrokerException is thrown on any error.
  - Parameters:
    encodedToken - The token in the encoded string format.
    shouldBeSigned - true if the token should be signed (id token), false if the token can be only encrypted and not signed (user info).
  - Returns: The content in string format.

validateToken
  validateToken(String encodedToken)

validateToken
  protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)

authenticationFinished
  public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
  - Specified by: authenticationFinished in interface IdentityProvider<OIDCIdentityProviderConfig>
  - Overrides: authenticationFinished in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getDefaultScopes
  - Specified by: getDefaultScopes in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isIssuer
  - Specified by: isIssuer in interface ExchangeExternalToken
  - Overrides: isIssuer in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

supportsExternalExchange
  protected boolean supportsExternalExchange()
  - Overrides: supportsExternalExchange in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getProfileEndpointForValidation
  - Overrides: getProfileEndpointForValidation in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

extractIdentityFromProfile
  protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
  - Overrides: extractIdentityFromProfile in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getUsernameFromUserInfo
  protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)

validateJwt
  protected final BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType)

isTokenTypeSupported
  protected boolean isTokenTypeSupported(JsonWebToken parsedToken)

exchangeExternalTokenV1Impl
  protected BrokeredIdentityContext exchangeExternalTokenV1Impl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params)
  Description copied from class: AbstractOAuth2IdentityProvider
  Usage with token-exchange V1.
  - Overrides: exchangeExternalTokenV1Impl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
  - Parameters:
    event - event builder
    params - parameters of the token-exchange request
  - Returns: brokered identity context with the details about the user from the IDP

exchangeExternalTokenV2Impl
  protected BrokeredIdentityContext exchangeExternalTokenV2Impl(TokenExchangeContext tokenExchangeContext)
  Description copied from class: AbstractOAuth2IdentityProvider
  Usage with external-internal token-exchange v2.
  - Overrides: exchangeExternalTokenV2Impl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
  - Parameters:
    tokenExchangeContext - data about the token-exchange request
  - Returns: brokered identity context with the details about the user from the IDP

createAuthorizationUrl
  - Overrides: createAuthorizationUrl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

preprocessFederatedIdentity
  public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
  - Specified by: preprocessFederatedIdentity in interface IdentityProvider<OIDCIdentityProviderConfig>
  - Overrides: preprocessFederatedIdentity in class AbstractIdentityProvider<OIDCIdentityProviderConfig>

reloadKeys
  public boolean reloadKeys()
  Description copied from interface: IdentityProvider
  Reload keys for the identity provider if permitted in it. For example, OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.
  - Specified by: reloadKeys in interface IdentityProvider<OIDCIdentityProviderConfig>
  - Returns: true if reloaded, false if not

setEmailVerified
  protected void setEmailVerified(UserModel user, BrokeredIdentityContext context)
  - Overrides: setEmailVerified in class AbstractIdentityProvider<OIDCIdentityProviderConfig>

verifyClientAssertion
  - Specified by: verifyClientAssertion in interface ClientAssertionIdentityProvider
  - Throws: Exception