Package org.keycloak.protocol.oauth2.cimd.provider

Class AbstractPersistentClientIdMetadataDocumentProvider<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>

java.lang.Object

org.keycloak.protocol.oauth2.cimd.provider.AbstractPersistentClientIdMetadataDocumentProvider<CONFIG>

All Implemented Interfaces:

ClientIdMetadataDocumentProvider<CONFIG>, Provider

Direct Known Subclasses:

PersistentClientIdMetadataDocumentProvider

public abstract class AbstractPersistentClientIdMetadataDocumentProvider<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>
extends Object
implements ClientIdMetadataDocumentProvider<CONFIG>

The abstract class persists client metadata.

Creating and updating a client metadata: The class does almost the same process in Dynamic Client Registration (DCR)in OIDCClientRegistrationProvider.

The reason is that a client sends its metadata to an authorization server in DCR by RFC 7591 while an authorization server fetches a client metadata in CIMD, which means that only the method of getting a client metadata is different.

The reason why not directly calling methods of OIDCClientRegistrationProvider is as follows:

• client_id property is not allowed in DCR while it is mandatory in CIMD. OIDCClientRegistrationProvider does not allow client metadata including client_id.
• A registration access token is issued in DCR (to say more precisely, RFC 7592 OAuth 2.0 Dynamic Client Registration Management Protocol) while it is not needed in CIMD. OIDCClientRegistrationProvider issues the registration access token.

Cache expiry time: The provider stores the cache expiry time in an attribute of ClientRepresentation/ClientModel.

Process when a cache expires

Do nothing. After keycloak supports workflow for clients, it would be used to delete a client metadata.

Roles of the abstract class and its concrete class: The abstract class itself covers all about persisting a client metadata while the concrete class can see a configuration of the concrete class of (AbstractClientIdMetadataDocumentExecutor) and augment a client metadata based on it. Moreover, the concrete class can add or modify the abstract class, which makes it easy to implement custom persistent CIMD provider.

Author:

Takashi Norimatsu

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CIMD_CACHE_EXPIRY_TIME_IN_SEC
protected CONFIG	configuration
protected KeycloakSession	session

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	AbstractPersistentClientIdMetadataDocumentProvider(KeycloakSession session)

Method Summary

Modifier and Type	Method	Description
ClientModel	createClientMetadata(AbstractClientIdMetadataDocumentExecutor.OIDCClientRepresentationWithCacheControl clientOIDCWithCacheControl)	Creates a client metadata.
AbstractClientIdMetadataDocumentExecutor.FetchOperation	determineFetchOperation(String clientId)	Returns if fetching a client metadata to newly create it is needed, or re-fetching a client metadata to update it is needed, or re-fetching is not needed because a client metadata does not expire.
protected abstract org.jboss.logging.Logger	getLogger()
void	setCacheExpiryTimeToClientMetadata(ClientModel clientModel, int cacheExpiryTimeInSec)	Sets a cache expiry time in sec to a client metadata.
void	setCacheExpiryTimeToClientMetadata(ClientRepresentation clientRep, int cacheExpiryTimeInSec)	Sets a cache expiry time in sec to a client metadata.
ClientModel	updateClientMetadata(AbstractClientIdMetadataDocumentExecutor.OIDCClientRepresentationWithCacheControl clientOIDCWithCacheControl)	Updates a client metadata.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.protocol.oauth2.cimd.provider.ClientIdMetadataDocumentProvider

augmentClientMetadata, close, getConfiguration, setConfiguration

Field Details

session

protected KeycloakSession session

configuration

protected CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration configuration

CIMD_CACHE_EXPIRY_TIME_IN_SEC

public static final String CIMD_CACHE_EXPIRY_TIME_IN_SEC

See Also:

• Constant Field Values

Constructor Details

AbstractPersistentClientIdMetadataDocumentProvider

protected AbstractPersistentClientIdMetadataDocumentProvider(KeycloakSession session)

Method Details

getLogger

protected abstract org.jboss.logging.Logger getLogger()

setCacheExpiryTimeToClientMetadata

public void setCacheExpiryTimeToClientMetadata(ClientRepresentation clientRep,
 int cacheExpiryTimeInSec)

Description copied from interface: ClientIdMetadataDocumentProvider

Sets a cache expiry time in sec to a client metadata.

Specified by:

setCacheExpiryTimeToClientMetadata in interface ClientIdMetadataDocumentProvider<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>

Parameters:

clientRep - a client metadata in ClientRepresentation, not null

cacheExpiryTimeInSec - when a cache expires in sec

setCacheExpiryTimeToClientMetadata

public void setCacheExpiryTimeToClientMetadata(ClientModel clientModel,
 int cacheExpiryTimeInSec)

Description copied from interface: ClientIdMetadataDocumentProvider

Sets a cache expiry time in sec to a client metadata.

Specified by:

setCacheExpiryTimeToClientMetadata in interface ClientIdMetadataDocumentProvider<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>

Parameters:

clientModel - a client metadata in ClientModel, not null

cacheExpiryTimeInSec - when a cache expires in sec

determineFetchOperation

public AbstractClientIdMetadataDocumentExecutor.FetchOperation determineFetchOperation(String clientId)

Description copied from interface: ClientIdMetadataDocumentProvider

Returns if fetching a client metadata to newly create it is needed, or re-fetching a client metadata to update it is needed, or re-fetching is not needed because a client metadata does not expire.

Specified by:

determineFetchOperation in interface ClientIdMetadataDocumentProvider<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>

Parameters:

clientId - client_id parameter of an authorization request, not null

Returns:

AbstractClientIdMetadataDocumentExecutor.FetchOperation

createClientMetadata

public ClientModel createClientMetadata(AbstractClientIdMetadataDocumentExecutor.OIDCClientRepresentationWithCacheControl clientOIDCWithCacheControl)
                                 throws ClientPolicyException

Description copied from interface: ClientIdMetadataDocumentProvider

Creates a client metadata.

Specified by:

createClientMetadata in interface ClientIdMetadataDocumentProvider<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>

Parameters:

clientOIDCWithCacheControl - a combination of a fetched client metadata and Cache-Control header accompanied by it, not null

Returns:

ClientModel a created client metadata in ClientModel

Throws:

ClientPolicyException - when creating a client metadata fails

updateClientMetadata

public ClientModel updateClientMetadata(AbstractClientIdMetadataDocumentExecutor.OIDCClientRepresentationWithCacheControl clientOIDCWithCacheControl)
                                 throws ClientPolicyException

Description copied from interface: ClientIdMetadataDocumentProvider

Updates a client metadata.

Specified by:

updateClientMetadata in interface ClientIdMetadataDocumentProvider<CONFIG extends AbstractClientIdMetadataDocumentExecutor.Configuration>

Parameters:

clientOIDCWithCacheControl - a combination of a re-fetched client metadata and Cache-Control header accompanied by it, not null

Returns:

ClientModel an updated client metadata in ClientModel

Throws:

ClientPolicyException - when updating a client metadata fails