Package org.keycloak.protocol.oauth2.cimd.clientpolicy.executor

Class ClientIdMetadataDocumentExecutor

java.lang.Object

org.keycloak.protocol.oauth2.cimd.clientpolicy.executor.AbstractClientIdMetadataDocumentExecutor<ClientIdMetadataDocumentExecutor.Configuration>

org.keycloak.protocol.oauth2.cimd.clientpolicy.executor.ClientIdMetadataDocumentExecutor

All Implemented Interfaces:

Provider, ClientPolicyExecutorProvider<ClientIdMetadataDocumentExecutor.Configuration>

public class ClientIdMetadataDocumentExecutor
extends AbstractClientIdMetadataDocumentExecutor<ClientIdMetadataDocumentExecutor.Configuration>

The class is a concrete class of AbstractClientIdMetadataDocumentExecutor. The class provide additional checks and processes, which are not determined by the CIMD and MCP specifications so these are keycloak-specific ones.

Client Metadata Validation: The class provides the following policies:

• only accept a confidential client
• under the same domain as Server-side request forgery(SSRF) countermeasure: client_id, redirect_uri, client_uri, logo_uri, tos_uri,policy_uri, jwks_uri

Author:

Takashi Norimatsu

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	ClientIdMetadataDocumentExecutor.Configuration

Nested classes/interfaces inherited from class org.keycloak.protocol.oauth2.cimd.clientpolicy.executor.AbstractClientIdMetadataDocumentExecutor

AbstractClientIdMetadataDocumentExecutor.ClientMetadataCacheControl, AbstractClientIdMetadataDocumentExecutor.ErrorHandler, AbstractClientIdMetadataDocumentExecutor.FetchOperation, AbstractClientIdMetadataDocumentExecutor.OIDCClientRepresentationWithCacheControl

Field Summary

Fields

Modifier and Type	Field	Description
protected static final Set<String>	ALLOWED_ALGORITHMS
static final String	ERR_METADATA_NO_CONFIDENTIAL_CLIENT
static final String	ERR_METADATA_NO_CONFIDENTIAL_CLIENT_JWKS

Fields inherited from class org.keycloak.protocol.oauth2.cimd.clientpolicy.executor.AbstractClientIdMetadataDocumentExecutor

configuration, ERR_CLIENTID_EMPTY_PATH, ERR_CLIENTID_FRAGMENT, ERR_CLIENTID_INVALID_SCHEME, ERR_CLIENTID_MALFORMED_URL, ERR_CLIENTID_PATH_TRAVERSAL, ERR_CLIENTID_QUERY, ERR_CLIENTID_USERINFO, ERR_HOST_UNRESOLVED, ERR_INVALID_PARAMETER, ERR_METADATA_CLIENTID_UNMATCH, ERR_METADATA_CLIENTSECRET, ERR_METADATA_FETCH_FAILED, ERR_METADATA_MALFORMED_URL, ERR_METADATA_NO_ALL_URIS_SAMEDOMAIN, ERR_METADATA_NO_REQUIRED_PROPERTIES, ERR_METADATA_NOCLIENTID, ERR_METADATA_NOCONTENT, ERR_METADATA_NOTALLOWED_CLIENTAUTH, ERR_METADATA_REDIRECTURI, ERR_METADATA_URIS_SAMEDOMAIN, ERR_NOTALLOWED_DOMAIN, NOTALLOWED_ALGORITHMS, provider, providerConfig, session

Constructor Summary

Constructors

Constructor	Description
ClientIdMetadataDocumentExecutor(KeycloakSession session, ClientIdMetadataDocumentExecutorFactoryProviderConfig providerConfig)

Method Summary

Modifier and Type	Method	Description
Class<ClientIdMetadataDocumentExecutor.Configuration>	getExecutorConfigurationClass()
protected org.jboss.logging.Logger	getLogger()
String	getProviderId()
void	setupConfiguration(ClientIdMetadataDocumentExecutor.Configuration config)	setup this executor's configuration.
protected void	validateClientMetadata(URI clientIdURI, URI redirectUriURI, OIDCClientRepresentation clientOIDC)	Validate a client metadata to check if the value meets the policies.

Methods inherited from class org.keycloak.protocol.oauth2.cimd.clientpolicy.executor.AbstractClientIdMetadataDocumentExecutor

augmentClientOIDC, checkTrustedDomain, convertContentFilledList, executeOnEvent, fetchClientMetadata, getConfiguration, getProvider, invalidClientIdMetadata, validateClientId, verifyAuthorizationRequest, verifyClientId, verifyClientMetadata

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider

close, getName

Field Details

ERR_METADATA_NO_CONFIDENTIAL_CLIENT

public static final String ERR_METADATA_NO_CONFIDENTIAL_CLIENT

See Also:

• Constant Field Values

ERR_METADATA_NO_CONFIDENTIAL_CLIENT_JWKS

public static final String ERR_METADATA_NO_CONFIDENTIAL_CLIENT_JWKS

See Also:

• Constant Field Values

ALLOWED_ALGORITHMS

protected static final Set<String> ALLOWED_ALGORITHMS

Constructor Details

ClientIdMetadataDocumentExecutor

public ClientIdMetadataDocumentExecutor(KeycloakSession session,
 ClientIdMetadataDocumentExecutorFactoryProviderConfig providerConfig)

Method Details

getLogger

protected org.jboss.logging.Logger getLogger()

Specified by:

getLogger in class AbstractClientIdMetadataDocumentExecutor<ClientIdMetadataDocumentExecutor.Configuration>

getProviderId

public String getProviderId()

getExecutorConfigurationClass

public Class<ClientIdMetadataDocumentExecutor.Configuration> getExecutorConfigurationClass()

Returns:

Class, which should match the "config" argument of the ClientPolicyExecutorProvider.setupConfiguration(ClientPolicyExecutorConfigurationRepresentation)

setupConfiguration

public void setupConfiguration(ClientIdMetadataDocumentExecutor.Configuration config)

Description copied from interface: ClientPolicyExecutorProvider

setup this executor's configuration.

validateClientMetadata

protected void validateClientMetadata(URI clientIdURI,
 URI redirectUriURI,
 OIDCClientRepresentation clientOIDC)
                               throws ClientPolicyException

Description copied from class: AbstractClientIdMetadataDocumentExecutor

Validate a client metadata to check if the value meets the policies.

Overrides:

validateClientMetadata in class AbstractClientIdMetadataDocumentExecutor<ClientIdMetadataDocumentExecutor.Configuration>

Parameters:

clientIdURI - a value of {client_id} parameter of an authorization request in URI

redirectUriURI - a value of {redirect_uri} parameter of an authorization request in URI

clientOIDC - a client metadata

Throws:

ClientPolicyException - when validating a client metadata fails.