Package org.keycloak.protocol.oidc.tokenexchange

Class StandardTokenExchangeProvider

java.lang.Object

org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

org.keycloak.protocol.oidc.tokenexchange.StandardTokenExchangeProvider

All Implemented Interfaces:

TokenExchangeProvider, Provider

Direct Known Subclasses:

ExternalToInternalTokenExchangeProvider

public class StandardTokenExchangeProvider
extends AbstractTokenExchangeProvider

Provider for internal-internal token exchange, which is compliant with the token exchange specification https://datatracker.ietf.org/doc/html/rfc8693

Author:

Marek Posolda

Nested Class Summary

Nested classes/interfaces inherited from class org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

AbstractTokenExchangeProvider.ExternalExchangeContext

Field Summary

Fields inherited from class org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

client, clientAuthAttributes, clientConnection, context, cors, event, formParams, headers, params, realm, session, tokenManager

Constructor Summary

Constructors

Constructor	Description
StandardTokenExchangeProvider()

Method Summary

Modifier and Type	Method	Description
protected void	checkRequestedAudiences(TokenManager.AccessTokenResponseBuilder responseBuilder)
protected jakarta.ws.rs.core.Response	exchangeClientToOIDCClient(UserModel targetUser, UserSessionModel targetUserSession, String requestedTokenType, List<ClientModel> targetAudienceClients, String scope, AccessToken subjectToken)
protected jakarta.ws.rs.core.Response	exchangeClientToSAML2Client(UserModel targetUser, UserSessionModel targetUserSession, String requestedTokenType, List<ClientModel> targetAudienceClients)
protected String	getRequestedScope(AccessToken token, List<ClientModel> targetAudienceClients)
protected String	getRequestedTokenType()
protected List<String>	getSupportedOAuthResponseTokenTypes()
int	getVersion()
boolean	supports(TokenExchangeContext context)	Check if exchange request is supported by this provider
protected jakarta.ws.rs.core.Response	tokenExchange()
protected void	validateAudience(AccessToken token, boolean disallowOnHolderOfTokenMismatch, List<ClientModel> targetAudienceClients)
protected void	validateConsents(UserModel targetUser, ClientSessionContext clientSessionCtx)

Methods inherited from class org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider

close, createSessionModel, exchange, exchangeClientToClient, exchangeExternalToken, exchangeToIdentityProvider, forbiddenIfClientIsNotTokenHolder, forbiddenIfClientIsNotWithinTokenAudience, getSubjectIssuer, getTargetAudienceClients, importUserFromExternalIdentity, isExternalInternalTokenExchangeRequest, locateExchangeExternalTokenByAlias, setClientToContext, updateUserSessionFromClientAuth

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

StandardTokenExchangeProvider

public StandardTokenExchangeProvider()

Method Details

getVersion

public int getVersion()

Returns:

version of the token-exchange provider. Could be useful by various components (like for example identity-providers), which need to interact with the token-exchange provider to doublecheck if it should have a "legacy" behaviour (for older version of token-exchange provider) or a "new" behaviour

supports

public boolean supports(TokenExchangeContext context)

Description copied from interface: TokenExchangeProvider

Check if exchange request is supported by this provider

Parameters:

context - token exchange context

Returns:

true if the request is supported

tokenExchange

protected jakarta.ws.rs.core.Response tokenExchange()

Specified by:

tokenExchange in class AbstractTokenExchangeProvider

validateAudience

protected void validateAudience(AccessToken token,
 boolean disallowOnHolderOfTokenMismatch,
 List<ClientModel> targetAudienceClients)

Specified by:

validateAudience in class AbstractTokenExchangeProvider

validateConsents

protected void validateConsents(UserModel targetUser,
 ClientSessionContext clientSessionCtx)

getRequestedScope

protected String getRequestedScope(AccessToken token,
 List<ClientModel> targetAudienceClients)

Specified by:

getRequestedScope in class AbstractTokenExchangeProvider

exchangeClientToOIDCClient

protected jakarta.ws.rs.core.Response exchangeClientToOIDCClient(UserModel targetUser,
 UserSessionModel targetUserSession,
 String requestedTokenType,
 List<ClientModel> targetAudienceClients,
 String scope,
 AccessToken subjectToken)

Specified by:

exchangeClientToOIDCClient in class AbstractTokenExchangeProvider

exchangeClientToSAML2Client

protected jakarta.ws.rs.core.Response exchangeClientToSAML2Client(UserModel targetUser,
 UserSessionModel targetUserSession,
 String requestedTokenType,
 List<ClientModel> targetAudienceClients)

Specified by:

exchangeClientToSAML2Client in class AbstractTokenExchangeProvider

checkRequestedAudiences

protected void checkRequestedAudiences(TokenManager.AccessTokenResponseBuilder responseBuilder)

getSupportedOAuthResponseTokenTypes

protected List<String> getSupportedOAuthResponseTokenTypes()

Specified by:

getSupportedOAuthResponseTokenTypes in class AbstractTokenExchangeProvider

getRequestedTokenType

protected String getRequestedTokenType()

Specified by:

getRequestedTokenType in class AbstractTokenExchangeProvider