Package org.keycloak.authentication.authenticators.client

Class AttestationBasedClientAuthenticator

java.lang.Object

org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator

org.keycloak.authentication.authenticators.client.AttestationBasedClientAuthenticator

All Implemented Interfaces:

ClientAuthenticator, ClientAuthenticatorFactory, ConfigurableAuthenticatorFactory, ConfiguredPerClientProvider, ConfiguredProvider, EnvironmentDependentProviderFactory, Provider, ProviderFactory<ClientAuthenticator>

public class AttestationBasedClientAuthenticator
extends AbstractClientAuthenticator
implements EnvironmentDependentProviderFactory

Attestation-Based Client Authentication based on Client Attestation JWT and PoP. See specs for more details. The current implementation aligns with HAIP Profile 1.0 specifically Attestation-Based Client Authentication - Draft07

Author:

Thomas Diesler

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	AttestationBasedClientAuthenticator.ABCAConfig	The AttestationBasedClientAuthenticator config
static class	AttestationBasedClientAuthenticator.ClientAttestationJwt
static class	AttestationBasedClientAuthenticator.ClientAttestationPoPJwt
static class	AttestationBasedClientAuthenticator.Confirmation

Field Summary

Fields

Modifier and Type	Field	Description
static final String	OAUTH_CLIENT_ATTESTATION_CONFIG_ATTESTER_JWKS	The ClientAuthenticator needs to be aware of the public keys from the various Attesters it can trust.
static final String	OAUTH_CLIENT_ATTESTATION_HEADER
static final String	OAUTH_CLIENT_ATTESTATION_JWT_TYPE
static final String	OAUTH_CLIENT_ATTESTATION_POP_HEADER
static final String	OAUTH_CLIENT_ATTESTATION_POP_JWT_TYPE
static final String	PROVIDER_ID

Fields inherited from class org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator

logger

Fields inherited from interface org.keycloak.authentication.ConfigurableAuthenticatorFactory

REQUIREMENT_CHOICES

Constructor Summary

Constructors

Constructor	Description
AttestationBasedClientAuthenticator()

Method Summary

Modifier and Type	Method	Description
void	authenticateClient(ClientAuthenticationFlowContext context)	Initial call for the authenticator.
Map<String,Object>	getAdapterConfiguration(KeycloakSession session, ClientModel client)	Get configuration, which needs to be used for adapter ( keycloak.json ) of particular client.
List<ProviderConfigProperty>	getConfigProperties()
List<ProviderConfigProperty>	getConfigPropertiesPerClient()	List of config properties for this client implementation.
String	getDisplayType()	Friendly name for the authenticator
String	getHelpText()
String	getId()
Set<String>	getProtocolAuthenticatorMethods(String loginProtocol)	Get authentication methods for the specified protocol
AuthenticationExecutionModel.Requirement[]	getRequirementChoices()	What requirement settings are allowed.
boolean	isConfigurable()	Is this authenticator configurable globally?
boolean	isSupported(Config.Scope config)	Check if the provider is supported and should be available based on the provider configuration.

Methods inherited from class org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator

close, create, create, getReferenceCategory, init, isUserSetupAllowed, postInit

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.authentication.ClientAuthenticatorFactory

getProtocolAuthenticatorMethod, setClientAuthenticationMethod, supportsSecret

Methods inherited from interface org.keycloak.authentication.ConfigurableAuthenticatorFactory

getOptionalReferenceCategories

Methods inherited from interface org.keycloak.provider.ConfiguredProvider

getConfig

Methods inherited from interface org.keycloak.provider.ProviderFactory

dependsOn, getConfigMetadata, order

Field Details

PROVIDER_ID

public static final String PROVIDER_ID

See Also:

• Constant Field Values

OAUTH_CLIENT_ATTESTATION_HEADER

public static final String OAUTH_CLIENT_ATTESTATION_HEADER

See Also:

• Constant Field Values

OAUTH_CLIENT_ATTESTATION_POP_HEADER

public static final String OAUTH_CLIENT_ATTESTATION_POP_HEADER

See Also:

• Constant Field Values

OAUTH_CLIENT_ATTESTATION_JWT_TYPE

public static final String OAUTH_CLIENT_ATTESTATION_JWT_TYPE

See Also:

• Constant Field Values

OAUTH_CLIENT_ATTESTATION_POP_JWT_TYPE

public static final String OAUTH_CLIENT_ATTESTATION_POP_JWT_TYPE

See Also:

• Constant Field Values

OAUTH_CLIENT_ATTESTATION_CONFIG_ATTESTER_JWKS

public static final String OAUTH_CLIENT_ATTESTATION_CONFIG_ATTESTER_JWKS

The ClientAuthenticator needs to be aware of the public keys from the various Attesters it can trust. [ { "kty": "RSA", "kid": "openid-abca-attester-key", "use": "sig", "alg": "PS256", "n": "uVd8mEqXMp...aaVZNQ", "e": "AQAB" } ]

See Also:

• Constant Field Values

Constructor Details

AttestationBasedClientAuthenticator

public AttestationBasedClientAuthenticator()

Method Details

getId

public String getId()

Specified by:

getId in interface ProviderFactory<ClientAuthenticator>

authenticateClient

public void authenticateClient(ClientAuthenticationFlowContext context)

Description copied from interface: ClientAuthenticator

Initial call for the authenticator. This method should check the current HTTP request to determine if the request satisfies the ClientAuthenticator's requirements. If it doesn't, it should send back a challenge response by calling the ClientAuthenticationFlowContext.challenge(Response).

Specified by:

authenticateClient in interface ClientAuthenticator

getDisplayType

public String getDisplayType()

Description copied from interface: ConfigurableAuthenticatorFactory

Friendly name for the authenticator

Specified by:

getDisplayType in interface ConfigurableAuthenticatorFactory

Returns:

getHelpText

public String getHelpText()

Specified by:

getHelpText in interface ConfiguredProvider

getRequirementChoices

public AuthenticationExecutionModel.Requirement[] getRequirementChoices()

Description copied from interface: ConfigurableAuthenticatorFactory

What requirement settings are allowed.

Specified by:

getRequirementChoices in interface ConfigurableAuthenticatorFactory

Returns:

isConfigurable

public boolean isConfigurable()

Description copied from interface: ClientAuthenticatorFactory

Is this authenticator configurable globally?

Specified by:

isConfigurable in interface ClientAuthenticatorFactory

Specified by:

isConfigurable in interface ConfigurableAuthenticatorFactory

Returns:

getConfigProperties

public List<ProviderConfigProperty> getConfigProperties()

Specified by:

getConfigProperties in interface ConfiguredProvider

getConfigPropertiesPerClient

public List<ProviderConfigProperty> getConfigPropertiesPerClient()

Description copied from interface: ConfiguredPerClientProvider

List of config properties for this client implementation. Those will be shown in admin console in clients credentials tab and can be configured per client.

Specified by:

getConfigPropertiesPerClient in interface ConfiguredPerClientProvider

Returns:

getAdapterConfiguration

public Map<String,Object> getAdapterConfiguration(KeycloakSession session,
 ClientModel client)

Description copied from interface: ClientAuthenticatorFactory

Get configuration, which needs to be used for adapter ( keycloak.json ) of particular client. Some implementations may return just template and user needs to edit the values according to his environment (For example fill the location of keystore file)

Specified by:

getAdapterConfiguration in interface ClientAuthenticatorFactory

Returns:

isSupported

public boolean isSupported(Config.Scope config)

Description copied from interface: EnvironmentDependentProviderFactory

Check if the provider is supported and should be available based on the provider configuration.

Specified by:

isSupported in interface EnvironmentDependentProviderFactory

Parameters:

config - the provider configuration

Returns:

true if the provider is supported. Otherwise, false.

getProtocolAuthenticatorMethods

public Set<String> getProtocolAuthenticatorMethods(String loginProtocol)

Description copied from interface: ClientAuthenticatorFactory

Get authentication methods for the specified protocol

Specified by:

getProtocolAuthenticatorMethods in interface ClientAuthenticatorFactory

Parameters:

loginProtocol - corresponds to ProviderFactory.getId()

Returns:

name of supported client authenticator methods in the protocol specific "language"