java.lang.Object

org.keycloak.broker.spiffe.SpiffeIdentityProvider

All Implemented Interfaces:: ClientAssertionIdentityProvider<SpiffeIdentityProviderConfig>, IdentityProvider<SpiffeIdentityProviderConfig>, Provider

public class SpiffeIdentityProvider extends Object implements ClientAssertionIdentityProvider<SpiffeIdentityProviderConfig>

Implementation for https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/ Main differences for SPIFFE JWT SVIDs and regular client assertions:

jwt-spiffe client assertion type
iss claim is optional, uses SPIFFE IDs, which includes trust domain instead
jti claim is optional, and SPIFFE vendors re-use/cache tokens
sub is a SPIFFE ID with the syntax spiffe://trust-domain/workload-identity
Keys are fetched from a SPIFFE bundle endpoint, where the JWKS has additional SPIFFE specific fields (spiffe_sequence and spiffe_refresh_hint, the JWK does not set the alg>

Constructor Summary

Constructors

Constructor

Description

SpiffeIdentityProvider(KeycloakSession session, SpiffeIdentityProviderConfig config)
Method Summary

Modifier and Type

Method

Description

void

close()

SpiffeIdentityProviderConfig

getConfig()

boolean

verifyClientAssertion(ClientAuthenticationFlowContext context)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.IdentityProvider
export, isMapperSupported, reloadKeys

Constructor Details
- SpiffeIdentityProvider
  
  public SpiffeIdentityProvider(KeycloakSession session, SpiffeIdentityProviderConfig config)
Method Details
- getConfig
  
  public SpiffeIdentityProviderConfig getConfig()
  
  Specified by:
  
  getConfig in interface IdentityProvider<SpiffeIdentityProviderConfig>
- verifyClientAssertion
  
  public boolean verifyClientAssertion(ClientAuthenticationFlowContext context) throws Exception
  
  Specified by:
  
  verifyClientAssertion in interface ClientAssertionIdentityProvider<SpiffeIdentityProviderConfig>
  
  Throws:
  
  Exception
- close
  
  public void close()
  
  Specified by:
  
  close in interface Provider

Class SpiffeIdentityProvider

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Methods inherited from interface org.keycloak.broker.provider.IdentityProvider

Constructor Details

SpiffeIdentityProvider

Method Details

getConfig

verifyClientAssertion

close