Package org.keycloak.broker.spiffe

Class SpiffeIdentityProvider

java.lang.Object

org.keycloak.broker.spiffe.SpiffeIdentityProvider

All Implemented Interfaces:

ClientAssertionIdentityProvider, IdentityProvider<SpiffeIdentityProviderConfig>, Provider

public class SpiffeIdentityProvider
extends Object
implements IdentityProvider<SpiffeIdentityProviderConfig>, ClientAssertionIdentityProvider

Implementation for https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/ Main differences for SPIFFE JWT SVIDs and regular client assertions:

• jwt-spiffe client assertion type
• iss claim is optional, uses SPIFFE IDs, which includes trust domain instead
• jti claim is optional, and SPIFFE vendors re-use/cache tokens
• sub is a SPIFFE ID with the syntax spiffe://trust-domain/workload-identity
• Keys are fetched from a SPIFFE bundle endpoint, where the JWKS has additional SPIFFE specific fields (spiffe_sequence and spiffe_refresh_hint, the JWK does not set the alg>

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider

IdentityProvider.AuthenticationCallback

Field Summary

Fields inherited from interface org.keycloak.broker.provider.IdentityProvider

EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN

Constructor Summary

Constructors

Constructor	Description
SpiffeIdentityProvider(KeycloakSession session, SpiffeIdentityProviderConfig config)

Method Summary

Modifier and Type	Method	Description
void	authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
void	backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
Object	callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)	JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
void	close()
jakarta.ws.rs.core.Response	export(jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm, String format)	Export a representation of the IdentityProvider in a specific format.
SpiffeIdentityProviderConfig	getConfig()
IdentityProviderDataMarshaller	getMarshaller()	Implementation of marshaller to serialize/deserialize attached data to Strings, which can be saved in clientSession
void	importNewUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)
jakarta.ws.rs.core.Response	keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)	Called when a Keycloak application initiates a logout through the browser.
jakarta.ws.rs.core.Response	performLogin(AuthenticationRequest request)	Initiates the authentication process by sending an authentication request to an identity provider.
void	preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
jakarta.ws.rs.core.Response	retrieveToken(KeycloakSession session, FederatedIdentityModel identity)	Returns a Response containing the token previously stored during the authentication process for a specific user.
void	updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)
boolean	verifyClientAssertion(ClientAuthenticationFlowContext context)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.IdentityProvider

isMapperSupported, reloadKeys, supportsLongStateParameter

Constructor Details

SpiffeIdentityProvider

public SpiffeIdentityProvider(KeycloakSession session,
 SpiffeIdentityProviderConfig config)

Method Details

getConfig

public SpiffeIdentityProviderConfig getConfig()

Specified by:

getConfig in interface IdentityProvider<SpiffeIdentityProviderConfig>

verifyClientAssertion

public boolean verifyClientAssertion(ClientAuthenticationFlowContext context)
                              throws Exception

Specified by:

verifyClientAssertion in interface ClientAssertionIdentityProvider

Throws:

Exception

close

public void close()

Specified by:

close in interface Provider

preprocessFederatedIdentity

public void preprocessFederatedIdentity(KeycloakSession session,
 RealmModel realm,
 BrokeredIdentityContext context)

Specified by:

preprocessFederatedIdentity in interface IdentityProvider<SpiffeIdentityProviderConfig>

authenticationFinished

public void authenticationFinished(AuthenticationSessionModel authSession,
 BrokeredIdentityContext context)

Specified by:

authenticationFinished in interface IdentityProvider<SpiffeIdentityProviderConfig>

importNewUser

public void importNewUser(KeycloakSession session,
 RealmModel realm,
 UserModel user,
 BrokeredIdentityContext context)

Specified by:

importNewUser in interface IdentityProvider<SpiffeIdentityProviderConfig>

updateBrokeredUser

public void updateBrokeredUser(KeycloakSession session,
 RealmModel realm,
 UserModel user,
 BrokeredIdentityContext context)

Specified by:

updateBrokeredUser in interface IdentityProvider<SpiffeIdentityProviderConfig>

callback

public Object callback(RealmModel realm,
 IdentityProvider.AuthenticationCallback callback,
 EventBuilder event)

Description copied from interface: IdentityProvider

JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.

Specified by:

callback in interface IdentityProvider<SpiffeIdentityProviderConfig>

Returns:

performLogin

public jakarta.ws.rs.core.Response performLogin(AuthenticationRequest request)

Description copied from interface: IdentityProvider

Initiates the authentication process by sending an authentication request to an identity provider. This method is called only once during the authentication.

Specified by:

performLogin in interface IdentityProvider<SpiffeIdentityProviderConfig>

Parameters:

request - The initial authentication request. Contains all the contextual information in order to build an authentication request to the identity provider.

Returns:

retrieveToken

public jakarta.ws.rs.core.Response retrieveToken(KeycloakSession session,
 FederatedIdentityModel identity)

Description copied from interface: IdentityProvider

Returns a Response containing the token previously stored during the authentication process for a specific user.

Specified by:

retrieveToken in interface IdentityProvider<SpiffeIdentityProviderConfig>

Returns:

backchannelLogout

public void backchannelLogout(KeycloakSession session,
 UserSessionModel userSession,
 jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm)

Specified by:

backchannelLogout in interface IdentityProvider<SpiffeIdentityProviderConfig>

keycloakInitiatedBrowserLogout

public jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session,
 UserSessionModel userSession,
 jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm)

Description copied from interface: IdentityProvider

Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP

Specified by:

keycloakInitiatedBrowserLogout in interface IdentityProvider<SpiffeIdentityProviderConfig>

Returns:

null if this is not supported by this provider

export

public jakarta.ws.rs.core.Response export(jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm,
 String format)

Description copied from interface: IdentityProvider

Export a representation of the IdentityProvider in a specific format. For example, a SAML EntityDescriptor

Specified by:

export in interface IdentityProvider<SpiffeIdentityProviderConfig>

Returns:

getMarshaller

public IdentityProviderDataMarshaller getMarshaller()

Description copied from interface: IdentityProvider

Implementation of marshaller to serialize/deserialize attached data to Strings, which can be saved in clientSession

Specified by:

getMarshaller in interface IdentityProvider<SpiffeIdentityProviderConfig>

Returns: