Package org.keycloak.authentication.authenticators.client

Class JWTClientAuthenticator

java.lang.Object

org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator

org.keycloak.authentication.authenticators.client.JWTClientAuthenticator

All Implemented Interfaces:

ClientAuthenticator, ClientAuthenticatorFactory, ConfigurableAuthenticatorFactory, ConfiguredPerClientProvider, ConfiguredProvider, Provider, ProviderFactory<ClientAuthenticator>

public class JWTClientAuthenticator
extends AbstractClientAuthenticator

Client authentication based on JWT signed by client private key . See specs for more details. This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by org.keycloak.adapters.authentication.JWTClientCredentialsProvider

Author:

Marek Posolda

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ATTR_PREFIX
static final String	CERTIFICATE_ATTR
static final String	PROVIDER_ID

Fields inherited from interface org.keycloak.authentication.ConfigurableAuthenticatorFactory

REQUIREMENT_CHOICES

Constructor Summary

Constructors

Constructor	Description
JWTClientAuthenticator()

Method Summary

Modifier and Type	Method	Description
void	authenticateClient(ClientAuthenticationFlowContext context)	Initial call for the authenticator.
Map<String,Object>	getAdapterConfiguration(ClientModel client)	Get configuration, which needs to be used for adapter ( keycloak.json ) of particular client.
List<ProviderConfigProperty>	getConfigProperties()
List<ProviderConfigProperty>	getConfigPropertiesPerClient()	List of config properties for this client implementation.
String	getDisplayType()	Friendly name for the authenticator
String	getHelpText()
String	getId()
Set<String>	getProtocolAuthenticatorMethods(String loginProtocol)	Get authentication methods for the specified protocol
AuthenticationExecutionModel.Requirement[]	getRequirementChoices()	What requirement settings are allowed.
protected PublicKey	getSignatureValidationKey(ClientModel client, ClientAuthenticationFlowContext context, JWSInput jws)
boolean	isConfigurable()	Is this authenticator configurable globally?
boolean	verifySignature(AbstractJWTClientValidator validator)

Methods inherited from class org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator

close, create, create, getReferenceCategory, init, isUserSetupAllowed, postInit

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.authentication.ClientAuthenticatorFactory

supportsSecret

Methods inherited from interface org.keycloak.authentication.ConfigurableAuthenticatorFactory

getOptionalReferenceCategories

Methods inherited from interface org.keycloak.provider.ConfiguredProvider

getConfig

Methods inherited from interface org.keycloak.provider.ProviderFactory

dependsOn, getConfigMetadata, order

Field Details

PROVIDER_ID

public static final String PROVIDER_ID

See Also:

• Constant Field Values

ATTR_PREFIX

public static final String ATTR_PREFIX

See Also:

• Constant Field Values

CERTIFICATE_ATTR

public static final String CERTIFICATE_ATTR

See Also:

• Constant Field Values

Constructor Details

JWTClientAuthenticator

public JWTClientAuthenticator()

Method Details

authenticateClient

public void authenticateClient(ClientAuthenticationFlowContext context)

Description copied from interface: ClientAuthenticator

Initial call for the authenticator. This method should check the current HTTP request to determine if the request satisfies the ClientAuthenticator's requirements. If it doesn't, it should send back a challenge response by calling the ClientAuthenticationFlowContext.challenge(Response).

verifySignature

public boolean verifySignature(AbstractJWTClientValidator validator)

getSignatureValidationKey

protected PublicKey getSignatureValidationKey(ClientModel client,
 ClientAuthenticationFlowContext context,
 JWSInput jws)

getDisplayType

public String getDisplayType()

Description copied from interface: ConfigurableAuthenticatorFactory

Friendly name for the authenticator

Returns:

isConfigurable

public boolean isConfigurable()

Description copied from interface: ClientAuthenticatorFactory

Is this authenticator configurable globally?

Returns:

getRequirementChoices

public AuthenticationExecutionModel.Requirement[] getRequirementChoices()

Description copied from interface: ConfigurableAuthenticatorFactory

What requirement settings are allowed.

Returns:

getHelpText

public String getHelpText()

getConfigProperties

public List<ProviderConfigProperty> getConfigProperties()

getConfigPropertiesPerClient

public List<ProviderConfigProperty> getConfigPropertiesPerClient()

Description copied from interface: ConfiguredPerClientProvider

List of config properties for this client implementation. Those will be shown in admin console in clients credentials tab and can be configured per client.

Returns:

getAdapterConfiguration

public Map<String,Object> getAdapterConfiguration(ClientModel client)

Description copied from interface: ClientAuthenticatorFactory

Get configuration, which needs to be used for adapter ( keycloak.json ) of particular client. Some implementations may return just template and user needs to edit the values according to his environment (For example fill the location of keystore file)

Returns:

getId

public String getId()

getProtocolAuthenticatorMethods

public Set<String> getProtocolAuthenticatorMethods(String loginProtocol)

Description copied from interface: ClientAuthenticatorFactory

Get authentication methods for the specified protocol

Parameters:

loginProtocol - corresponds to ProviderFactory.getId()

Returns:

name of supported client authenticator methods in the protocol specific "language"