Class AbstractClientIdMetadataDocumentExecutor<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>

java.lang.Object
org.keycloak.protocol.oauth2.cimd.clientpolicy.executor.AbstractClientIdMetadataDocumentExecutor<CONFIG>
All Implemented Interfaces:
Provider, ClientPolicyExecutorProvider<CONFIG>
Direct Known Subclasses:
ClientIdMetadataDocumentExecutor

public abstract class AbstractClientIdMetadataDocumentExecutor<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration> extends Object implements ClientPolicyExecutorProvider<CONFIG>
The abstract class implements the OAuth Client ID Metadata Document (CIMD) specification (Internet Draft v00). Moreover, it implements the Authorization part of the Model Context Protocol (MCP) specification (version 2025-11-25).

The abstract class satisfies the following requirements of CIMD and MCP:

  • Requirements whose requirement level is MUST or SHOULD.
  • Requirements in the Security Considerations sections.

The abstract class provides the following features:

  • Client ID Verification: checks whether the client_id parameter satisfies the requirements of the specifications.
  • Client ID Validation: checks whether the client_id parameter is valid according to the policy.
  • Fetching Client Metadata: fetches the client metadata by accessing the client_id URL.
  • Client Metadata Verification: checks whether the fetched client metadata satisfies the requirements of the specifications.
  • Client Metadata Validation: checks whether the fetched client metadata is valid according to the policy.
  • Client Metadata Augmentation in OIDCClientRepresentation: augments the fetched client metadata.

Roles of the abstract class and its concrete class: the abstract class covers the basic checks and processes by following the CIMD and MCP specifications, while a concrete subclass provides additional checks or processes.

For example, regarding Client ID Validation and Client Metadata Validation, the CIMD and MCP specifications allow an authorization server to implement policies that determine which client_id parameter values and which client metadata are valid. The specifications only sketch some example policies; which policies are implemented in detail is up to the authorization server implementation. Therefore, the abstract class provides some of those example policies, and the concrete class can implement additional ones.

Client Metadata Caching: the abstract class does not handle the following processes. It delegates them to ClientIdMetadataDocumentProvider:

  • determining whether (re-)fetching the client metadata is needed
  • the concrete caching of the client metadata: create and update
  • updating the cache expiry time
  • augmenting the client metadata in ClientRepresentation

For example, PersistentClientIdMetadataDocumentProvider persists client metadata. In the future, a provider that does not persist client metadata may be provided.

Client Metadata Format: according to the CIMD specification, the client metadata format is the same as for Dynamic Client Registration (OAuth 2.0 Dynamic Client Registration Protocol, RFC 7591) except for the client_id property. Therefore, OIDCClientRepresentation is used for the client metadata format. The CIMD specification allows the use of additional properties (MAY requirement level), but the class does not treat them.

Client Metadata Augmentation in OIDCClientRepresentation: to successfully convert a fetched client metadata to ClientRepresentation, the class intentionally augments it. The concrete case is a public client, which the CIMD and MCP specifications allow. DescriptionConverter.toInternal recognizes a client as a public client if token_endpoint_auth_method is "none". If a client metadata lacks token_endpoint_auth_method, it is converted to "none", meaning the client is treated as a public client.

Author:
Takashi Norimatsu
See Also:
  • OAuth Client ID Metadata Document (CIMD) [Internet Draft]
  • Model Context Protocol (MCP) [2025-11-25]
  • OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591]: https://datatracker.ietf.org/doc/html/rfc7591
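The verification and augmentation steps described above, as an added Python illustration that is not Keycloak's code: the client_id checks and the rule that the document's client_id must equal the URL it was fetched from are my assumptions about the CIMD draft's core rules, the sample document is constructed, and fetching is simulated by passing the document body directly.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a client metadata document in the RFC 7591 format, as it
# would be fetched from the client_id URL. It deliberately omits
# token_endpoint_auth_method to exercise the augmentation step.
SAMPLE_CLIENT_ID = "https://app.example/oauth/client-metadata.json"
SAMPLE_DOCUMENT = json.dumps({
    "client_id": SAMPLE_CLIENT_ID,
    "client_name": "Example MCP client",
    "redirect_uris": ["https://app.example/callback"],
    "grant_types": ["authorization_code"],
})


class ClientIdMetadataError(ValueError):
    """Raised when the client_id or the fetched metadata fails a check."""


def verify_client_id(client_id: str) -> None:
    """Client ID Verification. The checks are an assumption about the CIMD
    draft's core rules: https scheme, a path component, no fragment."""
    url = urlparse(client_id)
    if url.scheme != "https":
        raise ClientIdMetadataError("client_id must be an https URL")
    if url.path in ("", "/"):
        raise ClientIdMetadataError("client_id must contain a path component")
    if url.fragment:
        raise ClientIdMetadataError("client_id must not contain a fragment")


def verify_and_augment(client_id: str, document: str) -> dict:
    """Client Metadata Verification followed by Augmentation.
    `document` stands for the body retrieved from the client_id URL."""
    metadata = json.loads(document)
    # Verification (assumed from the draft): the document's client_id must
    # equal the URL it was fetched from, otherwise the document is rejected.
    if metadata.get("client_id") != client_id:
        raise ClientIdMetadataError("client_id in metadata does not match the URL")
    # Augmentation as the class description states: a missing
    # token_endpoint_auth_method becomes "none", i.e. a public client.
    metadata.setdefault("token_endpoint_auth_method", "none")
    return metadata


def is_public_client(metadata: dict) -> bool:
    """Mirrors the rule attributed to DescriptionConverter.toInternal."""
    return metadata.get("token_endpoint_auth_method") == "none"
```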