Package org.keycloak.models.jpa

Class JpaUserProvider

java.lang.Object
org.keycloak.models.jpa.JpaUserProvider
All Implemented Interfaces:
PartialEvaluationStorageProvider, UserCredentialStore, JpaUserPartialEvaluationProvider, UserProvider, Provider, UserBulkUpdateProvider, UserCountMethodsProvider, UserLookupProvider, UserQueryMethodsProvider, UserQueryProvider, UserRegistrationProvider
public class JpaUserProvider extends Object implements UserProvider, UserCredentialStore, JpaUserPartialEvaluationProvider
Version:
$Revision: 1 $
Author:
Bill Burke

  • Field Details

    • em

      protected jakarta.persistence.EntityManager em

  • Constructor Details

    • JpaUserProvider

      public JpaUserProvider(KeycloakSession session, jakarta.persistence.EntityManager em)

  • Method Details

    • addUser

      public UserModel addUser(RealmModel realm, String id, String username, boolean addDefaultRoles, boolean addDefaultRequiredActions)
      Description copied from interface: UserProvider
      Adds a new user into the storage.

      only used for local storage

      Specified by:
      addUser in interface UserProvider
      Parameters:
      realm - the realm that user will be created in
      id - id of the new user. Should be generated to a random value if null.
      username - username
      addDefaultRoles - if true, the user should join all realm default roles
      addDefaultRequiredActions - if true, all default required actions are added to the created user
      Returns:
      model of created user

    • addUser

      public UserModel addUser(RealmModel realm, String username)
      Description copied from interface: UserRegistrationProvider
      All storage providers that implement this interface will be looped through. If this method returns null, then the next storage provider's addUser() method will be called. If no storage providers handle the add, then the user will be created in local storage. Returning null is useful when you want optional support for adding users. For example, our LDAP provider can enable and disable the ability to add users.
      Specified by:
      addUser in interface UserRegistrationProvider
      Parameters:
      realm - a reference to the realm
      username - a username the created user will be assigned
      Returns:
      a model of created user

    • removeUser

      public boolean removeUser(RealmModel realm, UserModel user)
      Description copied from interface: UserRegistrationProvider
      Called if user originated from this provider. If a local user is linked to this provider, this method will be called before local storage's removeUser() method is invoked. If you are using an import strategy, and this is a local user linked to this provider, this method will be called before local storage's removeUser() method is invoked. Also, you DO NOT need to remove the imported user. The runtime will handle this for you.
      Specified by:
      removeUser in interface UserRegistrationProvider
      Parameters:
      realm - a reference to the realm
      user - a reference to the user that is removed
      Returns:
      true if the user was removed, false otherwise

    • addFederatedIdentity

      public void addFederatedIdentity(RealmModel realm, UserModel user, FederatedIdentityModel identity)
      Description copied from interface: UserProvider
      Adds a federated identity link for the user within the realm
      Specified by:
      addFederatedIdentity in interface UserProvider
      Parameters:
      realm - a reference to the realm
      user - the user model
      identity - the federated identity model containing all details of the association between the user and the identity provider

    • updateFederatedIdentity

      public void updateFederatedIdentity(RealmModel realm, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel)
      Description copied from interface: UserProvider
      Update details of association between the federatedUser and the idp given by the federatedIdentityModel
      Specified by:
      updateFederatedIdentity in interface UserProvider
      Parameters:
      realm - a reference to the realm
      federatedUser - the user model
      federatedIdentityModel - the federated identity model containing all details of the association between the user and the identity provider

    • removeFederatedIdentity

      public boolean removeFederatedIdentity(RealmModel realm, UserModel user, String identityProvider)
      Description copied from interface: UserProvider
      Removes federation link between the user and the identity provider given by its id
      Specified by:
      removeFederatedIdentity in interface UserProvider
      Parameters:
      realm - a reference to the realm
      user - the user model
      identityProvider - alias of the identity provider, see IdentityProviderModel.getAlias()
      Returns:
      true if the association was removed, false otherwise TODO: Make this method return Boolean so that store can return "I don't know" answer, this can be used for example in async stores

    • preRemove

      public void preRemove(RealmModel realm, IdentityProviderModel provider)
      Description copied from interface: UserProvider
      Called when an identity provider is removed. Should remove all federated identities assigned to users from the provider.
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      realm - a reference to the realm
      provider - provider model

    • addConsent

      public void addConsent(RealmModel realm, String userId, UserConsentModel consent)
      Description copied from interface: UserProvider
      Add user consent for the user.
      Specified by:
      addConsent in interface UserProvider
      Parameters:
      realm - a reference to the realm
      userId - id of the user
      consent - all details corresponding to the granted consent

    • getConsentByClient

      public UserConsentModel getConsentByClient(RealmModel realm, String userId, String clientId)
      Description copied from interface: UserProvider
      Returns UserConsentModel given by a user with the userId for the client with clientInternalId
      Specified by:
      getConsentByClient in interface UserProvider
      Parameters:
      realm - a reference to the realm
      userId - id of the user
      clientId - id of the client
      Returns:
      consent given by the user to the client or null if no consent or user exists

    • getConsentsStream

      public Stream<UserConsentModel> getConsentsStream(RealmModel realm, String userId)
      Description copied from interface: UserProvider
      Obtains the consents associated with the user identified by the specified userId.
      Specified by:
      getConsentsStream in interface UserProvider
      Parameters:
      realm - a reference to the realm.
      userId - the user identifier.
      Returns:
      a non-null Stream of consents associated with the user.

    • updateConsent

      public void updateConsent(RealmModel realm, String userId, UserConsentModel consent)
      Description copied from interface: UserProvider
      Update client scopes in the stored user consent
      Specified by:
      updateConsent in interface UserProvider
      Parameters:
      realm - a reference to the realm
      userId - id of the user
      consent - new details of the user consent

    • revokeConsentForClient

      public boolean revokeConsentForClient(RealmModel realm, String userId, String clientId)
      Description copied from interface: UserProvider
      Remove a user consent given by the user id and client id
      Specified by:
      revokeConsentForClient in interface UserProvider
      Parameters:
      realm - a reference to the realm
      userId - id of the user
      clientId - id of the client
      Returns:
      true if the consent was removed, false otherwise TODO: Make this method return Boolean so that store can return "I don't know" answer, this can be used for example in async stores

    • setNotBeforeForUser

      public void setNotBeforeForUser(RealmModel realm, UserModel user, int notBefore)
      Description copied from interface: UserProvider
      Sets the notBefore value for the given user
      Specified by:
      setNotBeforeForUser in interface UserProvider
      Parameters:
      realm - a reference to the realm
      user - the user model
      notBefore - new value for notBefore

    • getNotBeforeOfUser

      public int getNotBeforeOfUser(RealmModel realm, UserModel user)
      Description copied from interface: UserProvider
      Gets the notBefore value for the given user
      Specified by:
      getNotBeforeOfUser in interface UserProvider
      Parameters:
      realm - a reference to the realm
      user - the user model
      Returns:
      the value of notBefore

    • grantToAllUsers

      public void grantToAllUsers(RealmModel realm, RoleModel role)
      Description copied from interface: UserBulkUpdateProvider
      Grants the given role to all users from particular realm. The role has to belong to the realm.
      Specified by:
      grantToAllUsers in interface UserBulkUpdateProvider
      Parameters:
      realm - Realm
      role - Role to be granted

    • preRemove

      public void preRemove(RealmModel realm)
      Description copied from interface: UserProvider
      Called when a realm is removed. Should remove all users that belong to the realm.
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      realm - a reference to the realm

    • removeImportedUsers

      public void removeImportedUsers(RealmModel realm, String storageProviderId)
      Description copied from interface: UserProvider
      Removes any imported users from a specific User Storage Provider.
      Specified by:
      removeImportedUsers in interface UserProvider
      Parameters:
      realm - a reference to the realm
      storageProviderId - id of the user storage provider

    • unlinkUsers

      public void unlinkUsers(RealmModel realm, String storageProviderId)
      Description copied from interface: UserProvider
      Set federation link to null to imported users of a specific User Storage Provider
      Specified by:
      unlinkUsers in interface UserProvider
      Parameters:
      realm - a reference to the realm
      storageProviderId - id of the storage provider

    • preRemove

      public void preRemove(RealmModel realm, RoleModel role)
      Description copied from interface: UserProvider
      Called when a role is removed. Should remove the role membership for each user.
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      realm - a reference to the realm
      role - the role model

    • preRemove

      public void preRemove(RealmModel realm, ClientModel client)
      Description copied from interface: UserProvider
      Called when a client is removed. Should remove all user consents associated with the client
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      realm - a reference to the realm
      client - the client model

    • preRemove

      public void preRemove(ProtocolMapperModel protocolMapper)
      Description copied from interface: UserProvider
      Called when a protocolMapper is removed
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      protocolMapper - the protocolMapper model

    • preRemove

      public void preRemove(ClientScopeModel clientScope)
      Description copied from interface: UserProvider
      Called when a client scope is removed. Should remove the clientScope from each user consent
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      clientScope - the clientScope model

    • getGroupMembersStream

      public Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group)
      Description copied from interface: UserQueryMethodsProvider
      Obtains users that belong to a specific group.
      Specified by:
      getGroupMembersStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      group - a reference to the group.
      Returns:
      a non-null Stream of users that belong to the group.

    • getRoleMembersStream

      public Stream<UserModel> getRoleMembersStream(RealmModel realm, RoleModel role)
      Description copied from interface: UserQueryMethodsProvider
      Obtains users that have the specified role.
      Specified by:
      getRoleMembersStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      role - a reference to the role.
      Returns:
      a non-null Stream of users that have the specified role.

    • preRemove

      public void preRemove(RealmModel realm, GroupModel group)
      Description copied from interface: UserProvider
      Called when a group is removed. Should remove the group membership for each user.
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      realm - a reference to the realm
      group - the group model

    • getUserById

      public UserModel getUserById(RealmModel realm, String id)
      Description copied from interface: UserLookupProvider
      Returns a user with the given id belonging to the realm
      Specified by:
      getUserById in interface UserLookupProvider
      Parameters:
      realm - the realm model
      id - id of the user
      Returns:
      found user model, or null if no such user exists

    • getUserByUsername

      public UserModel getUserByUsername(RealmModel realm, String username)
      Description copied from interface: UserLookupProvider
      Exact search for a user by its username. Returns a user with the given username belonging to the realm
      Specified by:
      getUserByUsername in interface UserLookupProvider
      Parameters:
      realm - the realm model
      username - (case-sensitivity is controlled by storage)
      Returns:
      found user model, or null if no such user exists

    • getUserByEmail

      public UserModel getUserByEmail(RealmModel realm, String email)
      Description copied from interface: UserLookupProvider
      Returns a user with the given email belonging to the realm
      Specified by:
      getUserByEmail in interface UserLookupProvider
      Parameters:
      realm - the realm model
      email - email address
      Returns:
      found user model, or null if no such user exists

    • close

      public void close()
      Specified by:
      close in interface Provider

    • getUserByFederatedIdentity

      public UserModel getUserByFederatedIdentity(RealmModel realm, FederatedIdentityModel identity)
      Description copied from interface: UserProvider
      Returns a userModel that corresponds to the given socialLink.
      Specified by:
      getUserByFederatedIdentity in interface UserProvider
      Parameters:
      realm - a reference to the realm
      identity - the socialLink
      Returns:
      the user corresponding to socialLink and null if no such user exists

    • getServiceAccount

      public UserModel getServiceAccount(ClientModel client)
      Description copied from interface: UserProvider
      Return a UserModel representing service account of the client
      Specified by:
      getServiceAccount in interface UserProvider
      Parameters:
      client - the client model
      Returns:
      userModel representing service account of the client

    • getUsersCount

      public int getUsersCount(RealmModel realm, boolean includeServiceAccount)
      Description copied from interface: UserCountMethodsProvider
      Returns the number of users.
      Specified by:
      getUsersCount in interface UserCountMethodsProvider
      Parameters:
      realm - the realm
      includeServiceAccount - if true, the number of users will also include service accounts. Otherwise, only the number of users.
      Returns:
      the number of users

    • getUsersCount

      public int getUsersCount(RealmModel realm, Set<String> groupIds)
      Description copied from interface: UserCountMethodsProvider
      Returns the number of users that are in at least one of the groups given.
      Specified by:
      getUsersCount in interface UserCountMethodsProvider
      Parameters:
      realm - the realm
      groupIds - set of groups IDs, the returned user needs to belong to at least one of them
      Returns:
      the number of users that are in at least one of the groups

    • getUsersCount

      public int getUsersCount(RealmModel realm, String search)
      Description copied from interface: UserCountMethodsProvider
      Returns the number of users that would be returned by a call to searchForUserStream
      Specified by:
      getUsersCount in interface UserCountMethodsProvider
      Parameters:
      realm - the realm
      search - case insensitive list of strings separated by whitespaces.
      Returns:
      number of users that match the search

    • getUsersCount

      public int getUsersCount(RealmModel realm, String search, Set<String> groupIds)
      Description copied from interface: UserCountMethodsProvider
      Returns the number of users that would be returned by a call to searchForUserStream and are members of at least one of the groups given by the groupIds set.
      Specified by:
      getUsersCount in interface UserCountMethodsProvider
      Parameters:
      realm - the realm
      search - case insensitive list of strings separated by whitespaces.
      groupIds - set of groups IDs, the returned user needs to belong to at least one of them
      Returns:
      number of users that match the search and given groups

    • getUsersCount

      public int getUsersCount(RealmModel realm, Map<String,String> params)
      Description copied from interface: UserCountMethodsProvider
      Returns the number of users that match the given filter parameters.
      Specified by:
      getUsersCount in interface UserCountMethodsProvider
      Parameters:
      realm - the realm
      params - filter parameters
      Returns:
      number of users that match the given filters

    • getUsersCount

      public int getUsersCount(RealmModel realm, Map<String,String> params, Set<String> groupIds)
      Description copied from interface: UserCountMethodsProvider
      Returns the number of users that match the given filter parameters and is in at least one of the given groups.
      Specified by:
      getUsersCount in interface UserCountMethodsProvider
      Parameters:
      realm - the realm
      params - filter parameters
      groupIds - set if groups to check for
      Returns:
      number of users that match the given filters and groups

    • getGroupMembersStream

      public Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)
      Description copied from interface: UserQueryMethodsProvider
      Obtains users that belong to a specific group.
      Specified by:
      getGroupMembersStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      group - a reference to the group.
      firstResult - first result to return. Ignored if negative, zero, or null.
      maxResults - maximum number of results to return. Ignored if negative or null.
      Returns:
      a non-null Stream of users that belong to the group.

    • getGroupMembersStream

      public Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group, String search, Boolean exact, Integer first, Integer max)
      Description copied from interface: UserQueryMethodsProvider
      Obtains users that belong to a specific group, filtered according to the search parameters.
      Specified by:
      getGroupMembersStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      group - a reference to the group.
      search - the search string. It can represent either the user's username, e-mail, first name, or last name.
      exact - a boolean indicating if the search should be exact or not. If true, it selects only users whose main attributes (username, e-mail, first name, or last name) exactly match the search string. If false, it selects the users whose main attributes partially match the search string.
      first - the position of the first result to be processed (pagination offset). Ignored if negative or null.
      max - the maximum number of results to be returned. Ignored if negative or null.
      Returns:
      a non-null Stream of filtered users that belong to the group.

    • getRoleMembersStream

      public Stream<UserModel> getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)
      Description copied from interface: UserQueryMethodsProvider
      Searches for users that have the specified role.
      Specified by:
      getRoleMembersStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      role - a reference to the role.
      firstResult - first result to return. Ignored if negative or null.
      maxResults - maximum number of results to return. Ignored if negative or null.
      Returns:
      a non-null Stream of users that have the specified role.

    • searchForUserStream

      public Stream<UserModel> searchForUserStream(RealmModel realm, String search, Integer firstResult, Integer maxResults)
      Description copied from interface: UserQueryMethodsProvider
      Searches for users whose username, email, first name or last name contain any of the strings in search separated by whitespace.

      If possible, implementations should treat the parameter values as partial match patterns (i.e. in RDMBS terms use LIKE).

      This method is used by the admin console search box

      Specified by:
      searchForUserStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      search - case insensitive list of string separated by whitespaces.
      firstResult - first result to return. Ignored if negative, zero, or null.
      maxResults - maximum number of results to return. Ignored if negative or null.
      Returns:
      a non-null Stream of users that match the search criteria.

    • searchForUserStream

      public Stream<UserModel> searchForUserStream(RealmModel realm, Map<String,String> attributes, Integer firstResult, Integer maxResults)
      Description copied from interface: UserQueryMethodsProvider
      Searches for user by parameter. If possible, implementations should treat the parameter values as partial match patterns (i.e. in RDMBS terms use LIKE).

      Valid parameters are:

      • UserModel.SEARCH - search for users whose username, email, first name or last name contain any of the strings in search separated by whitespace, when SEARCH is set all other params are ignored
      • UserModel.FIRST_NAME - first name (case insensitive string)
      • UserModel.LAST_NAME - last name (case insensitive string)
      • UserModel.EMAIL - email (case insensitive string)
      • UserModel.USERNAME - username (case insensitive string)
      • UserModel.EXACT - whether search with FIRST_NAME, LAST_NAME, USERNAME or EMAIL should be exact match
      • UserModel.EMAIL_VERIFIED - search only for users with verified/non-verified email (true/false)
      • UserModel.ENABLED - search only for enabled/disabled users (true/false)
      • UserModel.IDP_ALIAS - search only for users that have a federated identity from idp with the given alias configured (case sensitive string)
      • UserModel.IDP_USER_ID - search for users with federated identity with the given userId (case sensitive string)

      Any other parameters will be treated as custom user attributes.

      This method is used by the REST API when querying users.

      Specified by:
      searchForUserStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      attributes - a map containing the search parameters.
      firstResult - first result to return. Ignored if negative, zero, or null.
      maxResults - maximum number of results to return. Ignored if negative or null.
      Returns:
      a non-null Stream of users that match the search criteria.

    • searchForUserByUserAttributeStream

      public Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)
      Description copied from interface: UserQueryMethodsProvider
      Searches for users that have a specific attribute with a specific value.
      Specified by:
      searchForUserByUserAttributeStream in interface UserQueryMethodsProvider
      Parameters:
      realm - a reference to the realm.
      attrName - the attribute name.
      attrValue - the attribute value.
      Returns:
      a non-null Stream of users that match the search criteria.

    • getFederatedIdentitiesStream

      public Stream<FederatedIdentityModel> getFederatedIdentitiesStream(RealmModel realm, UserModel user)
      Description copied from interface: UserProvider
      Obtains the federated identities of the specified user.
      Specified by:
      getFederatedIdentitiesStream in interface UserProvider
      Parameters:
      realm - a reference to the realm.
      user - the reference to the user.
      Returns:
      a non-null Stream of federated identities associated with the user.

    • getFederatedIdentity

      public FederatedIdentityModel getFederatedIdentity(RealmModel realm, UserModel user, String identityProvider)
      Description copied from interface: UserProvider
      Returns details of the association between the user and the socialProvider.
      Specified by:
      getFederatedIdentity in interface UserProvider
      Parameters:
      realm - a reference to the realm
      user - the user model
      identityProvider - the id of the identity provider
      Returns:
      federatedIdentityModel or null if no association exists

    • preRemove

      public void preRemove(RealmModel realm, ComponentModel component)
      Description copied from interface: UserProvider
      Called when a component is removed. Should remove all data in UserStorage associated with removed component. For example,
      • if component corresponds to UserStorageProvider all imported users from the provider should be removed,
      • if component corresponds to ClientStorageProvider all consents granted for clients imported from the provider should be removed
      Specified by:
      preRemove in interface UserProvider
      Parameters:
      realm - a reference to the realm
      component - the component model

    • removeConsentByClientStorageProvider

      protected void removeConsentByClientStorageProvider(RealmModel realm, String providerId)

    • updateCredential

      public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred)
      Specified by:
      updateCredential in interface UserCredentialStore

    • createCredential

      public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred)
      Specified by:
      createCredential in interface UserCredentialStore

    • removeStoredCredential

      public boolean removeStoredCredential(RealmModel realm, UserModel user, String id)
      Description copied from interface: UserCredentialStore
      Removes credential with the id for the user.
      Specified by:
      removeStoredCredential in interface UserCredentialStore
      Parameters:
      realm - realm.
      user - user
      id - id
      Returns:
      true if the credential was removed, false otherwise TODO: Make this method return Boolean so that store can return "I don't know" answer, this can be used for example in async stores

    • getStoredCredentialById

      public CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id)
      Specified by:
      getStoredCredentialById in interface UserCredentialStore

    • toModel

      protected CredentialModel toModel(CredentialEntity entity)

    • getStoredCredentialsStream

      public Stream<CredentialModel> getStoredCredentialsStream(RealmModel realm, UserModel user)
      Description copied from interface: UserCredentialStore
      Obtains the stored credentials associated with the specified user.
      Specified by:
      getStoredCredentialsStream in interface UserCredentialStore
      Parameters:
      realm - a reference to the realm.
      user - the user whose credentials are being searched.
      Returns:
      a non-null Stream of credentials.

    • getStoredCredentialsByTypeStream

      public Stream<CredentialModel> getStoredCredentialsByTypeStream(RealmModel realm, UserModel user, String type)
      Description copied from interface: UserCredentialStore
      Obtains the stored credentials associated with the specified user that match the specified type.
      Specified by:
      getStoredCredentialsByTypeStream in interface UserCredentialStore
      Parameters:
      realm - a reference to the realm.
      user - the user whose credentials are being searched.
      type - the type of credentials being searched.
      Returns:
      a non-null Stream of credentials.

    • getStoredCredentialByNameAndType

      public CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type)
      Specified by:
      getStoredCredentialByNameAndType in interface UserCredentialStore

    • moveCredentialTo

      public boolean moveCredentialTo(RealmModel realm, UserModel user, String id, String newPreviousCredentialId)
      Specified by:
      moveCredentialTo in interface UserCredentialStore

    • ensureEmailConstraint

      protected void ensureEmailConstraint(List<UserEntity> users, RealmModel realm)

    • getSession

      public KeycloakSession getSession()
      Specified by:
      getSession in interface JpaUserPartialEvaluationProvider

    • getEntityManager

      public jakarta.persistence.EntityManager getEntityManager()
      Specified by:
      getEntityManager in interface JpaUserPartialEvaluationProvider