Class OAuth2GrantTypeBase

java.lang.Object
  org.keycloak.protocol.oidc.grants.OAuth2GrantTypeBase

All Implemented Interfaces:
  OAuth2GrantType, Provider

Direct Known Subclasses:
  AuthorizationCodeGrantType, CibaGrantType, ClientCredentialsGrantType, DeviceGrantType, JWTAuthorizationGrantType, PermissionGrantType, PreAuthorizedCodeGrantType, RefreshTokenGrantType, ResourceOwnerPasswordCredentialsGrantType, TokenExchangeGrantType

Base class for OAuth 2.0 grant types.

Author:
  Dmitry Telegin (et al.)
Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.protocol.oidc.grants.OAuth2GrantType:
  OAuth2GrantType.Context

Field Summary

Modifier and Type                       Field
protected ClientModel                   client
protected (type not shown)              clientAuthAttributes
protected OIDCAdvancedConfigWrapper     clientConfig
protected ClientConnection              clientConnection
protected OAuth2GrantType.Context       context
protected Cors                          cors
protected EventBuilder                  event
protected (type not shown)              formParams
protected jakarta.ws.rs.core.HttpHeaders headers
protected RealmModel                    realm
protected HttpRequest                   request
protected HttpResponse                  response
protected KeycloakSession               session
protected TokenManager                  tokenManager

Constructor Summary

Constructors:
  OAuth2GrantTypeBase()

Method Summary

protected void addCustomTokenResponseClaims(AccessTokenResponse res, ClientSessionContext clientSessionCtx)
  Extension point for subclasses to add custom claims to the AccessTokenResponse before it is returned.

protected void afterAuthorizationDetailsProcessed(UserSessionModel userSession, ClientSessionContext clientSessionCtx, List<AuthorizationDetailsJSONRepresentation> authorizationDetailsResponse)
  Hook method called after authorization_details are processed and before the token response is created.

protected void checkAndBindMtlsHoKToken(TokenManager.AccessTokenResponseBuilder responseBuilder, boolean useRefreshToken)

protected void checkClient()

void close()

protected jakarta.ws.rs.core.Response createTokenResponse(UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx, String scopeParam, boolean code, Function<TokenManager.AccessTokenResponseBuilder, ClientPolicyContext> clientPolicyContextGenerator)

protected jakarta.ws.rs.core.Response createTokenResponse(TokenManager.AccessTokenResponseBuilder responseBuilder, ClientSessionContext clientSessionCtx, boolean code)

protected TokenManager.AccessTokenResponseBuilder createTokenResponseBuilder(UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx, String scopeParam, Function<TokenManager.AccessTokenResponseBuilder, ClientPolicyContext> clientPolicyContextGenerator)

protected String getRequestedScopes

protected List<AuthorizationDetailsJSONRepresentation> handleMissingAuthorizationDetails(UserSessionModel userSession, ClientSessionContext clientSessionCtx)
  Allows processors to generate an authorization details response when the authorization_details parameter is missing in the request.

protected List<AuthorizationDetailsJSONRepresentation> processAuthorizationDetails(UserSessionModel userSession, ClientSessionContext clientSessionCtx)
  Processes the authorization_details parameter using provider discovery.

protected List<AuthorizationDetailsJSONRepresentation> processStoredAuthorizationDetails(UserSessionModel userSession, ClientSessionContext clientSessionCtx)
  Processes stored authorization_details from the authorization request (e.g., from PAR).

protected void setContext(OAuth2GrantType.Context context)

protected void updateClientSession(AuthenticatedClientSessionModel clientSession)

protected void updateUserSessionFromClientAuth(UserSessionModel userSession)

protected boolean useRefreshToken()

Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.protocol.oidc.grants.OAuth2GrantType:
  getEventType, getSupportedMultivaluedRequestParameters, isTokenAllowed, process
Field Details

context

session

realm

client

clientConfig

clientConnection

clientAuthAttributes

formParams

event

cors

tokenManager

request

response

headers
  protected jakarta.ws.rs.core.HttpHeaders headers
Constructor Details

OAuth2GrantTypeBase
  public OAuth2GrantTypeBase()
Method Details

setContext

createTokenResponseBuilder
  protected TokenManager.AccessTokenResponseBuilder createTokenResponseBuilder(UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx, String scopeParam, Function<TokenManager.AccessTokenResponseBuilder, ClientPolicyContext> clientPolicyContextGenerator)

createTokenResponse
  protected jakarta.ws.rs.core.Response createTokenResponse(TokenManager.AccessTokenResponseBuilder responseBuilder, ClientSessionContext clientSessionCtx, boolean code)

createTokenResponse
  protected jakarta.ws.rs.core.Response createTokenResponse(UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx, String scopeParam, boolean code, Function<TokenManager.AccessTokenResponseBuilder, ClientPolicyContext> clientPolicyContextGenerator)

checkAndBindMtlsHoKToken
  protected void checkAndBindMtlsHoKToken(TokenManager.AccessTokenResponseBuilder responseBuilder, boolean useRefreshToken)

updateClientSession

updateUserSessionFromClientAuth

getRequestedScopes

checkClient
  protected void checkClient()

addCustomTokenResponseClaims
  protected void addCustomTokenResponseClaims(AccessTokenResponse res, ClientSessionContext clientSessionCtx)

  Extension point for subclasses to add custom claims to the AccessTokenResponse before it is returned. The default implementation does nothing.

afterAuthorizationDetailsProcessed
  protected void afterAuthorizationDetailsProcessed(UserSessionModel userSession, ClientSessionContext clientSessionCtx, List<AuthorizationDetailsJSONRepresentation> authorizationDetailsResponse)

  Hook method called after authorization_details are processed and before the token response is created. This allows authorization details processors to perform post-processing actions (e.g., creating state objects). Processors can store information in session notes during processing, and this hook allows them to act on it. The default implementation does nothing.

  Parameters:
    userSession - the user session
    clientSessionCtx - the client session context
    authorizationDetailsResponse - the processed authorization details response

processAuthorizationDetails
  protected List<AuthorizationDetailsJSONRepresentation> processAuthorizationDetails(UserSessionModel userSession, ClientSessionContext clientSessionCtx)

  Processes the authorization_details parameter using provider discovery. This method can be overridden by subclasses to customize the behavior.

  Parameters:
    userSession - the user session
    clientSessionCtx - the client session context
  Returns:
    the authorization details response if processing was successful, null otherwise

handleMissingAuthorizationDetails
  protected List<AuthorizationDetailsJSONRepresentation> handleMissingAuthorizationDetails(UserSessionModel userSession, ClientSessionContext clientSessionCtx)

  Allows processors to generate an authorization details response when the authorization_details parameter is missing from the request. This applies to flows where pre-authorization or credential offers are present, and is general to all AuthorizationDetailsProcessor implementations.

  Parameters:
    userSession - the user session
    clientSessionCtx - the client session context
  Returns:
    the authorization details response if generation was successful, null otherwise

processStoredAuthorizationDetails
  protected List<AuthorizationDetailsJSONRepresentation> processStoredAuthorizationDetails(UserSessionModel userSession, ClientSessionContext clientSessionCtx) throws CorsErrorResponseException

  Processes stored authorization_details from the authorization request (e.g., from PAR). This method is specifically for the Authorization Code Flow, where authorization_details was used in the authorization request but is missing from the token request.

  Parameters:
    userSession - the user session
    clientSessionCtx - the client session context
  Returns:
    the authorization details response if processing was successful, null otherwise
  Throws:
    CorsErrorResponseException

useRefreshToken
  protected boolean useRefreshToken()

close
  public void close()