keycloak
公開メンバ関数 | 静的公開変数類 | 静的限定公開変数類 | 全メンバ一覧
org.keycloak.authentication.authenticators.client.X509ClientAuthenticator クラス
org.keycloak.authentication.authenticators.client.X509ClientAuthenticator の継承関係図
Inheritance graph
org.keycloak.authentication.authenticators.client.X509ClientAuthenticator 連携図
Collaboration graph

公開メンバ関数

void authenticateClient (ClientAuthenticationFlowContext context)
 
String getDisplayType ()
 
boolean isConfigurable ()
 
AuthenticationExecutionModel.Requirement [] getRequirementChoices ()
 
List< ProviderConfigPropertygetConfigPropertiesPerClient ()
 
Map< String, Object > getAdapterConfiguration (ClientModel client)
 
Set< String > getProtocolAuthenticatorMethods (String loginProtocol)
 
String getHelpText ()
 
List< ProviderConfigPropertygetConfigProperties ()
 
String getId ()
 
ClientAuthenticator create ()
 
ClientAuthenticator create (KeycloakSession session)
 
void close ()
 
void init (Config.Scope config)
 
void postInit (KeycloakSessionFactory factory)
 
boolean isUserSetupAllowed ()
 
String getReferenceCategory ()
 
default int order ()
 

静的公開変数類

static final String PROVIDER_ID = "client-x509"
 
static final String ATTR_PREFIX = "x509"
 
static final String ATTR_SUBJECT_DN = ATTR_PREFIX + ".subjectdn"
 
static final AuthenticationExecutionModel.Requirement [] REQUIREMENT_CHOICES
 

静的限定公開変数類

static ServicesLogger logger = ServicesLogger.LOGGER
 

詳解

関数詳解

◆ authenticateClient()

void org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.authenticateClient ( ClientAuthenticationFlowContext  context)
inline

org.keycloak.authentication.ClientAuthenticatorを実装しています。

41  {
42 
43  X509ClientCertificateLookup provider = context.getSession().getProvider(X509ClientCertificateLookup.class);
44  if (provider == null) {
45  logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?",
46  X509ClientCertificateLookup.class);
47  return;
48  }
49 
50  X509Certificate[] certs = null;
51  ClientModel client = null;
52  try {
53  certs = provider.getCertificateChain(context.getHttpRequest());
54  String client_id = null;
55  MediaType mediaType = context.getHttpRequest().getHttpHeaders().getMediaType();
56  boolean hasFormData = mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
57 
58  MultivaluedMap<String, String> formData = hasFormData ? context.getHttpRequest().getDecodedFormParameters() : null;
59  MultivaluedMap<String, String> queryParams = context.getHttpRequest().getUri().getQueryParameters();
60 
61  if (formData != null) {
62  client_id = formData.getFirst(OAuth2Constants.CLIENT_ID);
63  }
64 
65  if (client_id == null && queryParams != null) {
66  client_id = queryParams.getFirst(OAuth2Constants.CLIENT_ID);
67  }
68 
69  if (client_id == null) {
70  client_id = context.getSession().getAttribute("client_id", String.class);
71  }
72 
73  if (client_id == null) {
74  Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter");
75  context.challenge(challengeResponse);
76  return;
77  }
78 
79  client = context.getRealm().getClientByClientId(client_id);
80  if (client == null) {
81  context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
82  return;
83  }
84  context.getEvent().client(client_id);
85  context.setClient(client);
86 
87  if (!client.isEnabled()) {
88  context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
89  return;
90  }
91  } catch (GeneralSecurityException e) {
92  logger.errorf("[X509ClientCertificateAuthenticator:authenticate] Exception: %s", e.getMessage());
93  context.attempted();
94  return;
95  }
96 
97  if (certs == null || certs.length == 0) {
98  // No x509 client cert, fall through and
99  // continue processing the rest of the authentication flow
100  logger.debug("[X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.");
101  context.attempted();
102  return;
103  }
104 
105  String subjectDNRegexp = client.getAttribute(ATTR_SUBJECT_DN);
106  if (subjectDNRegexp == null || subjectDNRegexp.length() == 0) {
107  logger.errorf("[X509ClientCertificateAuthenticator:authenticate] " + ATTR_SUBJECT_DN + " is null or empty");
108  context.attempted();
109  return;
110  }
111  Pattern subjectDNPattern = Pattern.compile(subjectDNRegexp);
112 
113  Optional<String> matchedCertificate = Arrays.stream(certs)
114  .map(certificate -> certificate.getSubjectDN().getName())
115  .filter(subjectdn -> subjectDNPattern.matcher(subjectdn).matches())
116  .findFirst();
117 
118  if (!matchedCertificate.isPresent()) {
119  // We do quite expensive operation here, so better check the logging level beforehand.
120  if (logger.isDebugEnabled()) {
121  logger.debug("[X509ClientCertificateAuthenticator:authenticate] Couldn't match any certificate for pattern " + subjectDNRegexp);
122  logger.debug("[X509ClientCertificateAuthenticator:authenticate] Available SubjectDNs: " +
123  Arrays.stream(certs)
124  .map(cert -> cert.getSubjectDN().getName())
125  .collect(Collectors.toList()));
126  }
127  context.attempted();
128  return;
129  } else {
130  logger.debug("[X509ClientCertificateAuthenticator:authenticate] Matched " + matchedCertificate.get() + " certificate.");
131  }
132 
133  context.success();
134  }
org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.ATTR_SUBJECT_DN
static final String ATTR_SUBJECT_DN
Definition: X509ClientAuthenticator.java:31
org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.logger
static ServicesLogger logger
Definition: X509ClientAuthenticator.java:33

◆ close()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.close ( )
inlineinherited

org.keycloak.provider.Providerを実装しています。

37  {
38 
39  }

◆ create() [1/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( )
inlineinherited

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

32  {
33  return this;
34  }

◆ create() [2/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( KeycloakSession  session)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

42  {
43  return this;
44  }

◆ getAdapterConfiguration()

Map<String, Object> org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getAdapterConfiguration ( ClientModel  client)
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

156  {
157  return Collections.emptyMap();
158  }

◆ getConfigProperties()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getConfigProperties ( )
inline

org.keycloak.provider.ConfiguredProviderを実装しています。

176  {
177  return Collections.emptyList();
178  }

◆ getConfigPropertiesPerClient()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getConfigPropertiesPerClient ( )
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

151  {
152  return Collections.emptyList();
153  }

◆ getDisplayType()

String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getDisplayType ( )
inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

136  {
137  return "X509 Certificate";
138  }

◆ getHelpText()

String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getHelpText ( )
inline

org.keycloak.provider.ConfiguredProviderを実装しています。

171  {
172  return "Validates client based on a X509 Certificate";
173  }

◆ getId()

String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getId ( )
inline

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

181  {
182  return PROVIDER_ID;
183  }
org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.PROVIDER_ID
static final String PROVIDER_ID
Definition: X509ClientAuthenticator.java:29

◆ getProtocolAuthenticatorMethods()

Set<String> org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getProtocolAuthenticatorMethods ( String  loginProtocol)
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

161  {
162  if (loginProtocol.equals(OIDCLoginProtocol.LOGIN_PROTOCOL)) {
163  Set<String> results = new HashSet<>();
164  return results;
165  } else {
166  return Collections.emptySet();
167  }
168  }

◆ getReferenceCategory()

String org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.getReferenceCategory ( )
inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

62  {
63  return null;
64  }

◆ getRequirementChoices()

AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.getRequirementChoices ( )
inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

146  {
147  return REQUIREMENT_CHOICES;
148  }
org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.REQUIREMENT_CHOICES
static final AuthenticationExecutionModel.Requirement [] REQUIREMENT_CHOICES
Definition: X509ClientAuthenticator.java:35

◆ init()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.init ( Config.Scope  config)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

47  {
48 
49  }

◆ isConfigurable()

boolean org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.isConfigurable ( )
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

141  {
142  return false;
143  }

◆ isUserSetupAllowed()

boolean org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.isUserSetupAllowed ( )
inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

57  {
58  return false;
59  }

◆ order()

default int org.keycloak.provider.ProviderFactory< T extends Provider >.order ( )
inlineinherited

org.keycloak.protocol.docker.DockerAuthV2ProtocolFactory, org.keycloak.urls.HostnameProviderFactory, org.keycloak.protocol.oidc.ext.OIDCExtProviderFactoryで実装されています。

56  {
57  return 0;
58  }

◆ postInit()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.postInit ( KeycloakSessionFactory  factory)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

52  {
53 
54  }

メンバ詳解

◆ ATTR_PREFIX

final String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.ATTR_PREFIX = "x509"
static

◆ ATTR_SUBJECT_DN

final String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.ATTR_SUBJECT_DN = ATTR_PREFIX + ".subjectdn"
static

◆ logger

ServicesLogger org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.logger = ServicesLogger.LOGGER
staticprotected

◆ PROVIDER_ID

final String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.PROVIDER_ID = "client-x509"
static

◆ REQUIREMENT_CHOICES

final AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.REQUIREMENT_CHOICES
static
初期値:
= {
AuthenticationExecutionModel.Requirement.ALTERNATIVE,
AuthenticationExecutionModel.Requirement.DISABLED
}
このクラス詳解は次のファイルから抽出されました:
2018年10月29日(月) 00時34分13秒作成 - keycloak / 構成:   doxygen 1.8.13