org.keycloak.social.google.GoogleIdentityProvider の継承関係図

org.keycloak.social.google.GoogleIdentityProvider 連携図

公開メンバ関数
	GoogleIdentityProvider (KeycloakSession session, GoogleIdentityProviderConfig config)

boolean	isIssuer (String issuer, MultivaluedMap< String, String > params)

Object	callback (RealmModel realm, AuthenticationCallback callback, EventBuilder event)

void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

Response	keycloakInitiatedBrowserLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

String	refreshTokenForLogout (KeycloakSession session, UserSessionModel userSession)

BrokeredIdentityContext	getFederatedIdentity (String response)

void	authenticationFinished (AuthenticationSessionModel authSession, BrokeredIdentityContext context)

Response	performLogin (AuthenticationRequest request)

Response	retrieveToken (KeycloakSession session, FederatedIdentityModel identity)

C	getConfig ()

Response	exchangeFromToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject, MultivaluedMap< String, String > params)

String	getJsonProperty (JsonNode jsonNode, String name)

JsonNode	asJsonNode (String json) throws IOException

final BrokeredIdentityContext	exchangeExternal (EventBuilder event, MultivaluedMap< String, String > params)

BrokeredIdentityContext	exchangeExternal (EventBuilder event, MultivaluedMap< String, String > params)

void	exchangeExternalComplete (UserSessionModel userSession, BrokeredIdentityContext context, MultivaluedMap< String, String > params)

void	exchangeExternalComplete (UserSessionModel userSession, BrokeredIdentityContext context, MultivaluedMap< String, String > params)

void	preprocessFederatedIdentity (KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)

void	authenticationFinished (AuthenticationSessionModel authSession, BrokeredIdentityContext context)

void	importNewUser (KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)

void	updateBrokeredUser (KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)

Object	callback (RealmModel realm, AuthenticationCallback callback, EventBuilder event)

Response	performLogin (AuthenticationRequest request)

Response	retrieveToken (KeycloakSession session, FederatedIdentityModel identity)

void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

Response	keycloakInitiatedBrowserLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

Response	export (UriInfo uriInfo, RealmModel realm, String format)

IdentityProviderDataMarshaller	getMarshaller ()

void	close ()

公開変数類
String	EXTERNAL_IDENTITY_PROVIDER = "EXTERNAL_IDENTITY_PROVIDER"

String	FEDERATED_ACCESS_TOKEN = "FEDERATED_ACCESS_TOKEN"

静的公開変数類
static final String	AUTH_URL = "https://accounts.google.com/o/oauth2/auth"

static final String	TOKEN_URL = "https://www.googleapis.com/oauth2/v3/token"

static final String	PROFILE_URL = "https://www.googleapis.com/plus/v1/people/me/openIdConnect"

static final String	DEFAULT_SCOPE = "openid profile email"

static final String	SCOPE_OPENID = "openid"

static final String	FEDERATED_ID_TOKEN = "FEDERATED_ID_TOKEN"

static final String	USER_INFO = "UserInfo"

static final String	FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE"

static final String	VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN"

static final String	ACCESS_TOKEN_EXPIRATION = "accessTokenExpiration"

static final String	EXCHANGE_PROVIDER = "EXCHANGE_PROVIDER"

static final String	OAUTH2_GRANT_TYPE_REFRESH_TOKEN

static final String	OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

static final String	FEDERATED_REFRESH_TOKEN

static final String	FEDERATED_TOKEN_EXPIRATION

static final String	ACCESS_DENIED

static final String	OAUTH2_PARAMETER_ACCESS_TOKEN

static final String	OAUTH2_PARAMETER_SCOPE

static final String	OAUTH2_PARAMETER_STATE

static final String	OAUTH2_PARAMETER_RESPONSE_TYPE

static final String	OAUTH2_PARAMETER_REDIRECT_URI

static final String	OAUTH2_PARAMETER_CODE

static final String	OAUTH2_PARAMETER_CLIENT_ID

static final String	OAUTH2_PARAMETER_CLIENT_SECRET

static final String	OAUTH2_PARAMETER_GRANT_TYPE

限定公開メンバ関数
String	getDefaultScopes ()

String	getUserInfoUrl ()

boolean	supportsExternalExchange ()

BrokeredIdentityContext	exchangeExternalImpl (EventBuilder event, MultivaluedMap< String, String > params)

UriBuilder	createAuthorizationUrl (AuthenticationRequest request)

JsonWebToken	validateToken (final String encodedToken, final boolean ignoreAudience)

void	backchannelLogout (UserSessionModel userSession, String idToken)

void	processAccessTokenResponse (BrokeredIdentityContext context, AccessTokenResponse response)

Response	exchangeStoredToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeSessionToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

BrokeredIdentityContext	extractIdentity (AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException

String	getusernameClaimNameForIdToken ()

boolean	verify (JWSInput jws)

JsonWebToken	validateToken (String encodedToken)

String	getProfileEndpointForValidation (EventBuilder event)

BrokeredIdentityContext	extractIdentityFromProfile (EventBuilder event, JsonNode userInfo)

String	getUsernameFromUserInfo (JsonNode userInfo)

final BrokeredIdentityContext	validateJwt (EventBuilder event, String subjectToken, String subjectTokenType)

String	extractTokenFromResponse (String response, String tokenName)

Response	hasExternalExchangeToken (EventBuilder event, UserSessionModel tokenUserSession, MultivaluedMap< String, String > params)

String	getAccessTokenResponseParameter ()

BrokeredIdentityContext	doGetFederatedIdentity (String accessToken)

BrokeredIdentityContext	validateExternalTokenThroughUserInfo (EventBuilder event, String subjectToken, String subjectTokenType)

SimpleHttp	buildUserInfoRequest (String subjectToken, String userInfoUrl)

BrokeredIdentityContext	exchangeExternalUserInfoValidationOnly (EventBuilder event, MultivaluedMap< String, String > params)

静的限定公開変数類
static final Logger	logger = Logger.getLogger(OIDCIdentityProvider.class)

static ObjectMapper	mapper

静的非公開変数類
static final String	OIDC_PARAMETER_HOSTED_DOMAINS = "hd"

詳解

著者: Stian Thorgersen

構築子と解体子

◆ GoogleIdentityProvider()

org.keycloak.social.google.GoogleIdentityProvider.GoogleIdentityProvider	(	KeycloakSession	session,
		GoogleIdentityProviderConfig	config
	)

inline

                                                                                                 {
         super(session, config);
         config.setAuthorizationUrl(AUTH_URL);
         config.setTokenUrl(TOKEN_URL);
         config.setUserInfoUrl(PROFILE_URL);
     }

関数詳解

◆ asJsonNode()

JsonNode org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.asJsonNode ( String json ) throws IOException

inlineinherited

                                                                {
         return mapper.readTree(json);
     }

◆ authenticationFinished() [1/2]

void org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.authenticationFinished	(	AuthenticationSessionModel	authSession,
		BrokeredIdentityContext	context
	)

inherited

org.keycloak.social.twitter.TwitterIdentityProviderで実装されています。

◆ authenticationFinished() [2/2]

void org.keycloak.broker.oidc.OIDCIdentityProvider.authenticationFinished	(	AuthenticationSessionModel	authSession,
		BrokeredIdentityContext	context
	)

inlineinherited

                                                                                                                 {
         AccessTokenResponse tokenResponse = (AccessTokenResponse) context.getContextData().get(FEDERATED_ACCESS_TOKEN_RESPONSE);
         int currentTime = Time.currentTime();
         long expiration = tokenResponse.getExpiresIn() > 0 ? tokenResponse.getExpiresIn() + currentTime : 0;
         authSession.setUserSessionNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(expiration));
         authSession.setUserSessionNote(FEDERATED_REFRESH_TOKEN, tokenResponse.getRefreshToken());
         authSession.setUserSessionNote(FEDERATED_ACCESS_TOKEN, tokenResponse.getToken());
         authSession.setUserSessionNote(FEDERATED_ID_TOKEN, tokenResponse.getIdToken());
     }

◆ backchannelLogout() [1/3]

void org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.backchannelLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inherited

◆ backchannelLogout() [2/3]

void org.keycloak.broker.oidc.OIDCIdentityProvider.backchannelLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inlineinherited

                                                                                                                             {
         if (getConfig().getLogoutUrl() == null || getConfig().getLogoutUrl().trim().equals("") || !getConfig().isBackchannelSupported())
             return;
         String idToken = getIDTokenForLogout(session, userSession);
         if (idToken == null) return;
         backchannelLogout(userSession, idToken);
     }

◆ backchannelLogout() [3/3]

void org.keycloak.broker.oidc.OIDCIdentityProvider.backchannelLogout	(	UserSessionModel	userSession,
		String	idToken
	)

inlineprotectedinherited

                                                                                    {
         String sessionId = userSession.getId();
         UriBuilder logoutUri = UriBuilder.fromUri(getConfig().getLogoutUrl())
                 .queryParam("state", sessionId);
         logoutUri.queryParam("id_token_hint", idToken);
         String url = logoutUri.build().toString();
         try {
             int status = SimpleHttp.doGet(url, session).asStatus();
             boolean success = status >= 200 && status < 400;
             if (!success) {
                 logger.warn("Failed backchannel broker logout to: " + url);
             }
         } catch (Exception e) {
             logger.warn("Failed backchannel broker logout to: " + url, e);
         }
     }

◆ buildUserInfoRequest()

SimpleHttp org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.buildUserInfoRequest	(	String	subjectToken,
		String	userInfoUrl
	)

inlineprotectedinherited

                                                                                        {
         return SimpleHttp.doGet(userInfoUrl, session)
                   .header("Authorization", "Bearer " + subjectToken);
     }

◆ callback() [1/2]

Object org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.callback	(	RealmModel	realm,
		AuthenticationCallback	callback,
		EventBuilder	event
	)

inherited

JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.

戻り値

org.keycloak.social.twitter.TwitterIdentityProviderで実装されています。

◆ callback() [2/2]

Object org.keycloak.broker.oidc.OIDCIdentityProvider.callback	(	RealmModel	realm,
		AuthenticationCallback	callback,
		EventBuilder	event
	)

inlineinherited

                                                                                                   {
         return new OIDCEndpoint(callback, realm, event);
     }

◆ close()

void org.keycloak.provider.Provider.close ( )

inherited

◆ createAuthorizationUrl()

UriBuilder org.keycloak.social.google.GoogleIdentityProvider.createAuthorizationUrl ( AuthenticationRequest request )

inlineprotected

                                                                                {
         UriBuilder uriBuilder = super.createAuthorizationUrl(request);
         String hostedDomain = ((GoogleIdentityProviderConfig) getConfig()).getHostedDomain();
 
         if (hostedDomain != null) {
             uriBuilder.queryParam(OIDC_PARAMETER_HOSTED_DOMAINS, hostedDomain);
         }
 
         return uriBuilder;
     }

◆ doGetFederatedIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.doGetFederatedIdentity ( String accessToken )

inlineprotectedinherited

                                                                                  {
         return null;
     }

◆ exchangeExternal() [1/2]

BrokeredIdentityContext org.keycloak.broker.provider.ExchangeExternalToken.exchangeExternal	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inherited

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >で実装されています。

◆ exchangeExternal() [2/2]

final BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternal	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineinherited

                                                                                                                      {
         if (!supportsExternalExchange()) return null;
         BrokeredIdentityContext context = exchangeExternalImpl(event, params);
         if (context != null) {
             context.setIdp(this);
             context.setIdpConfig(getConfig());
         }
         return context;
     }

◆ exchangeExternalComplete() [1/2]

void org.keycloak.broker.provider.ExchangeExternalToken.exchangeExternalComplete	(	UserSessionModel	userSession,
		BrokeredIdentityContext	context,
		MultivaluedMap< String, String >	params
	)

inherited

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >で実装されています。

◆ exchangeExternalComplete() [2/2]

void org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternalComplete	(	UserSessionModel	userSession,
		BrokeredIdentityContext	context,
		MultivaluedMap< String, String >	params
	)

inlineinherited

                                                                                                                                                {
         if (context.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN))
             userSession.setNote(FEDERATED_ACCESS_TOKEN, params.getFirst(OAuth2Constants.SUBJECT_TOKEN));
         if (context.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN))
             userSession.setNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN, params.getFirst(OAuth2Constants.SUBJECT_TOKEN));
         userSession.setNote(OIDCIdentityProvider.EXCHANGE_PROVIDER, getConfig().getAlias());
 
     }

◆ exchangeExternalImpl()

BrokeredIdentityContext org.keycloak.social.google.GoogleIdentityProvider.exchangeExternalImpl	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineprotected

                                                                                                                       {
         return exchangeExternalUserInfoValidationOnly(event, params);
     }

◆ exchangeExternalUserInfoValidationOnly()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternalUserInfoValidationOnly	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineprotectedinherited

                                                                                                                                         {
         String subjectToken = params.getFirst(OAuth2Constants.SUBJECT_TOKEN);
         if (subjectToken == null) {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN + " param unset");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "token not set", Response.Status.BAD_REQUEST);
         }
         String subjectTokenType = params.getFirst(OAuth2Constants.SUBJECT_TOKEN_TYPE);
         if (subjectTokenType == null) {
             subjectTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
         }
         if (!OAuth2Constants.ACCESS_TOKEN_TYPE.equals(subjectTokenType)) {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN_TYPE + " invalid");
             event.error(Errors.INVALID_TOKEN_TYPE);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token type", Response.Status.BAD_REQUEST);
         }
         return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
     }

◆ exchangeFromToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeFromToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject,
		MultivaluedMap< String, String >	params
	)

inlineinherited

                                                                                                                                                                                                            {
         // check to see if we have a token exchange in session
         // in other words check to see if this session was created by an external exchange
         Response tokenResponse = hasExternalExchangeToken(event, tokenUserSession, params);
         if (tokenResponse != null) return tokenResponse;
 
         // going further we only support access token type?  Why?
         String requestedType = params.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
         if (requestedType != null && !requestedType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
             event.detail(Details.REASON, "requested_token_type unsupported");
             event.error(Errors.INVALID_REQUEST);
             return exchangeUnsupportedRequiredType();
         }
         if (!getConfig().isStoreToken()) {
             // if token isn't stored, we need to see if this session has been linked
             String brokerId = tokenUserSession.getNote(Details.IDENTITY_PROVIDER);
             brokerId = brokerId == null ? tokenUserSession.getNote(IdentityProvider.EXTERNAL_IDENTITY_PROVIDER) : brokerId;
             if (brokerId == null || !brokerId.equals(getConfig().getAlias())) {
                 event.detail(Details.REASON, "requested_issuer has not linked");
                 event.error(Errors.INVALID_REQUEST);
                 return exchangeNotLinkedNoStore(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
             }
             return exchangeSessionToken(uriInfo, event, authorizedClient, tokenUserSession, tokenSubject);
         } else {
             return exchangeStoredToken(uriInfo, event, authorizedClient, tokenUserSession, tokenSubject);
         }
     }

◆ exchangeSessionToken()

Response org.keycloak.broker.oidc.OIDCIdentityProvider.exchangeSessionToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineprotectedinherited

                                                                                                                                                                           {
         String refreshToken = tokenUserSession.getNote(FEDERATED_REFRESH_TOKEN);
         String accessToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
         String idToken = tokenUserSession.getNote(FEDERATED_ID_TOKEN);
 
         if (accessToken == null) {
             event.detail(Details.REASON, "requested_issuer is not linked");
             event.error(Errors.INVALID_TOKEN);
             return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
         try {
             long expiration = Long.parseLong(tokenUserSession.getNote(FEDERATED_TOKEN_EXPIRATION));
             if (expiration == 0 || expiration > Time.currentTime()) {
                 AccessTokenResponse tokenResponse = new AccessTokenResponse();
                 tokenResponse.setExpiresIn(expiration);
                 tokenResponse.setToken(accessToken);
                 tokenResponse.setIdToken(null);
                 tokenResponse.setRefreshToken(null);
                 tokenResponse.setRefreshExpiresIn(0);
                 tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
                 tokenResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
                 event.success();
                 return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
             }
             String response = SimpleHttp.doPost(getConfig().getTokenUrl(), session)
                     .param("refresh_token", refreshToken)
                     .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                     .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                     .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
             if (response.contains("error")) {
                 logger.debugv("Error refreshing token, refresh token expiration?: {0}", response);
                 event.detail(Details.REASON, "requested_issuer token expired");
                 event.error(Errors.INVALID_TOKEN);
                 return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
             }
             AccessTokenResponse newResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
             long accessTokenExpiration = newResponse.getExpiresIn() > 0 ? Time.currentTime() + newResponse.getExpiresIn() : 0;
             tokenUserSession.setNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(accessTokenExpiration));
             tokenUserSession.setNote(FEDERATED_REFRESH_TOKEN, newResponse.getRefreshToken());
             tokenUserSession.setNote(FEDERATED_ACCESS_TOKEN, newResponse.getToken());
             tokenUserSession.setNote(FEDERATED_ID_TOKEN, newResponse.getIdToken());
             newResponse.setIdToken(null);
             newResponse.setRefreshToken(null);
             newResponse.setRefreshExpiresIn(0);
             newResponse.getOtherClaims().clear();
             newResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
             newResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
             event.success();
             return Response.ok(newResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
     }

◆ exchangeStoredToken()

Response org.keycloak.broker.oidc.OIDCIdentityProvider.exchangeStoredToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineprotectedinherited

                                                                                                                                                                          {
         FederatedIdentityModel model = session.users().getFederatedIdentity(tokenSubject, getConfig().getAlias(), authorizedClient.getRealm());
         if (model == null || model.getToken() == null) {
             event.detail(Details.REASON, "requested_issuer is not linked");
             event.error(Errors.INVALID_TOKEN);
             return exchangeNotLinked(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
         try {
             String modelTokenString = model.getToken();
             AccessTokenResponse tokenResponse = JsonSerialization.readValue(modelTokenString, AccessTokenResponse.class);
             Integer exp = (Integer) tokenResponse.getOtherClaims().get(ACCESS_TOKEN_EXPIRATION);
             if (exp != null && exp < Time.currentTime()) {
                 if (tokenResponse.getRefreshToken() == null) {
                     return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
                 }
                 String response = SimpleHttp.doPost(getConfig().getTokenUrl(), session)
                         .param("refresh_token", tokenResponse.getRefreshToken())
                         .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                         .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                         .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
                 if (response.contains("error")) {
                     logger.debugv("Error refreshing token, refresh token expiration?: {0}", response);
                     model.setToken(null);
                     session.users().updateFederatedIdentity(authorizedClient.getRealm(), tokenSubject, model);
                     event.detail(Details.REASON, "requested_issuer token expired");
                     event.error(Errors.INVALID_TOKEN);
                     return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
                 }
                 AccessTokenResponse newResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
                 if (newResponse.getExpiresIn() > 0) {
                     int accessTokenExpiration = Time.currentTime() + (int) newResponse.getExpiresIn();
                     newResponse.getOtherClaims().put(ACCESS_TOKEN_EXPIRATION, accessTokenExpiration);
                     response = JsonSerialization.writeValueAsString(newResponse);
                 }
                 String oldToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
                 if (oldToken != null && oldToken.equals(tokenResponse.getToken())) {
                     int accessTokenExpiration = newResponse.getExpiresIn() > 0 ? Time.currentTime() + (int) newResponse.getExpiresIn() : 0;
                     tokenUserSession.setNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(accessTokenExpiration));
                     tokenUserSession.setNote(FEDERATED_REFRESH_TOKEN, newResponse.getRefreshToken());
                     tokenUserSession.setNote(FEDERATED_ACCESS_TOKEN, newResponse.getToken());
                     tokenUserSession.setNote(FEDERATED_ID_TOKEN, newResponse.getIdToken());
 
                 }
                 model.setToken(response);
                 tokenResponse = newResponse;
             } else if (exp != null) {
                 tokenResponse.setExpiresIn(exp - Time.currentTime());
             }
             tokenResponse.setIdToken(null);
             tokenResponse.setRefreshToken(null);
             tokenResponse.setRefreshExpiresIn(0);
             tokenResponse.getOtherClaims().clear();
             tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
             tokenResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
             event.success();
             return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
     }

◆ export()

Response org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.export	(	UriInfo	uriInfo,
		RealmModel	realm,
		String	format
	)

inherited

Export a representation of the IdentityProvider in a specific format. For example, a SAML EntityDescriptor

戻り値

◆ extractIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.extractIdentity	(	AccessTokenResponse	tokenResponse,
		String	accessToken,
		JsonWebToken	idToken
	)		throws IOException

inlineprotectedinherited

                                                                                                                                                       {
         String id = idToken.getSubject();
         BrokeredIdentityContext identity = new BrokeredIdentityContext(id);
         String name = (String) idToken.getOtherClaims().get(IDToken.NAME);
         String preferredUsername = (String) idToken.getOtherClaims().get(getusernameClaimNameForIdToken());
         String email = (String) idToken.getOtherClaims().get(IDToken.EMAIL);
 
         if (!getConfig().isDisableUserInfoService()) {
             String userInfoUrl = getUserInfoUrl();
             if (userInfoUrl != null && !userInfoUrl.isEmpty() && (id == null || name == null || preferredUsername == null || email == null)) {
 
                 if (accessToken != null) {
                     SimpleHttp.Response response = SimpleHttp.doGet(userInfoUrl, session)
                             .header("Authorization", "Bearer " + accessToken).asResponse();
                     if (response.getStatus() != 200) {
                         String msg = "failed to invoke user info url";
                         try {
                             String tmp = response.asString();
                             if (tmp != null) msg = tmp;
 
                         } catch (IOException e) {
 
                         }
                         throw new IdentityBrokerException("Failed to invoke on user info url: " + msg);
                     }
                     JsonNode userInfo = response.asJson();
 
                     id = getJsonProperty(userInfo, "sub");
                     name = getJsonProperty(userInfo, "name");
                     preferredUsername = getUsernameFromUserInfo(userInfo);
                     email = getJsonProperty(userInfo, "email");
                     AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, getConfig().getAlias());
                 }
             }
         }
         identity.getContextData().put(VALIDATED_ID_TOKEN, idToken);
 
         identity.setId(id);
         identity.setName(name);
         identity.setEmail(email);
 
         identity.setBrokerUserId(getConfig().getAlias() + "." + id);
 
         if (preferredUsername == null) {
             preferredUsername = email;
         }
 
         if (preferredUsername == null) {
             preferredUsername = id;
         }
 
         identity.setUsername(preferredUsername);
         if (tokenResponse != null && tokenResponse.getSessionState() != null) {
             identity.setBrokerSessionId(getConfig().getAlias() + "." + tokenResponse.getSessionState());
         }
         if (tokenResponse != null) identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, tokenResponse);
         if (tokenResponse != null) processAccessTokenResponse(identity, tokenResponse);
         return identity;
     }

◆ extractIdentityFromProfile()

BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.extractIdentityFromProfile	(	EventBuilder	event,
		JsonNode	userInfo
	)

inlineprotectedinherited

                                                                                                         {
         String id = getJsonProperty(userInfo, "sub");
         if (id == null) {
             event.detail(Details.REASON, "sub claim is null from user info json");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         BrokeredIdentityContext identity = new BrokeredIdentityContext(id);
 
         String name = getJsonProperty(userInfo, "name");
         String preferredUsername = getUsernameFromUserInfo(userInfo);
         String email = getJsonProperty(userInfo, "email");
         AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, getConfig().getAlias());
 
         identity.setId(id);
         identity.setName(name);
         identity.setEmail(email);
 
         identity.setBrokerUserId(getConfig().getAlias() + "." + id);
 
         if (preferredUsername == null) {
             preferredUsername = email;
         }
 
         if (preferredUsername == null) {
             preferredUsername = id;
         }
 
         identity.setUsername(preferredUsername);
         return identity;
     }

◆ extractTokenFromResponse()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.extractTokenFromResponse	(	String	response,
		String	tokenName
	)

inlineprotectedinherited

                                                                                  {
           if(response == null)
                 return null;
           
         if (response.startsWith("{")) {
             try {
                         JsonNode node = mapper.readTree(response);
                         if(node.has(tokenName)){
                                 String s = node.get(tokenName).textValue();
                                 if(s == null || s.trim().isEmpty())
                                         return null;
                   return s;
                         } else {
                                 return null;
                         }
             } catch (IOException e) {
                 throw new IdentityBrokerException("Could not extract token [" + tokenName + "] from response [" + response + "] due: " + e.getMessage(), e);
             }
         } else {
             Matcher matcher = Pattern.compile(tokenName + "=([^&]+)").matcher(response);
 
             if (matcher.find()) {
                 return matcher.group(1);
             }
         }
 
         return null;
     }

◆ getAccessTokenResponseParameter()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getAccessTokenResponseParameter ( )

inlineprotectedinherited

                                                        {
         return OAUTH2_PARAMETER_ACCESS_TOKEN;
     }

◆ getConfig()

C org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getConfig ( )

inlineinherited

                          {
         return super.getConfig();
     }

◆ getDefaultScopes()

String org.keycloak.social.google.GoogleIdentityProvider.getDefaultScopes ( )

inlineprotected

                                         {
         return DEFAULT_SCOPE;
     }

◆ getFederatedIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity ( String response )

inlineinherited

                                                                          {
         AccessTokenResponse tokenResponse = null;
         try {
             tokenResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
         } catch (IOException e) {
             throw new IdentityBrokerException("Could not decode access token response.", e);
         }
         String accessToken = verifyAccessToken(tokenResponse);
 
         String encodedIdToken = tokenResponse.getIdToken();
 
         JsonWebToken idToken = validateToken(encodedIdToken);
 
         try {
             BrokeredIdentityContext identity = extractIdentity(tokenResponse, accessToken, idToken);
 
             if (getConfig().isStoreToken()) {
                 if (tokenResponse.getExpiresIn() > 0) {
                     long accessTokenExpiration = Time.currentTime() + tokenResponse.getExpiresIn();
                     tokenResponse.getOtherClaims().put(ACCESS_TOKEN_EXPIRATION, accessTokenExpiration);
                     response = JsonSerialization.writeValueAsString(tokenResponse);
                 }
                 identity.setToken(response);
             }
 
             return identity;
         } catch (Exception e) {
             throw new IdentityBrokerException("Could not fetch attributes from userinfo endpoint.", e);
         }
     }

◆ getJsonProperty()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getJsonProperty	(	JsonNode	jsonNode,
		String	name
	)

inlineinherited

Get JSON property as text. JSON numbers and booleans are converted to text. Empty string is converted to null.

引数

jsonNode	to get property from
name	of property to get

戻り値: string value of the property or null.

                                                                   {
         if (jsonNode.has(name) && !jsonNode.get(name).isNull()) {
                   String s = jsonNode.get(name).asText();
                   if(s != null && !s.isEmpty())
                                 return s;
                   else
                                 return null;
         }
 
         return null;
     }

◆ getMarshaller()

IdentityProviderDataMarshaller org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.getMarshaller ( )

inherited

Implementation of marshaller to serialize/deserialize attached data to Strings, which can be saved in clientSession

戻り値

◆ getProfileEndpointForValidation()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getProfileEndpointForValidation ( EventBuilder event )

inlineprotectedinherited

                                                                          {
         String userInfoUrl = getUserInfoUrl();
         if (getConfig().isDisableUserInfoService() || userInfoUrl == null || userInfoUrl.isEmpty()) {
             event.detail(Details.REASON, "user info service disabled");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
 
         }
         return userInfoUrl;
     }

◆ getUserInfoUrl()

String org.keycloak.social.google.GoogleIdentityProvider.getUserInfoUrl ( )

inlineprotected

                                       {
         String uri = super.getUserInfoUrl();
         if (((GoogleIdentityProviderConfig)getConfig()).isUserIp()) {
             ClientConnection connection = ResteasyProviderFactory.getContextData(ClientConnection.class);
             if (connection != null) {
                 uri = KeycloakUriBuilder.fromUri(super.getUserInfoUrl()).queryParam("userIp", connection.getRemoteAddr()).build().toString();
             }
 
         }
         logger.debugv("GOOGLE userInfoUrl: {0}", uri);
         return uri;
     }

◆ getusernameClaimNameForIdToken()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getusernameClaimNameForIdToken ( )

inlineprotectedinherited

                                                       {
         return IDToken.PREFERRED_USERNAME;
     }

◆ getUsernameFromUserInfo()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getUsernameFromUserInfo ( JsonNode userInfo )

inlineprotectedinherited

                                                                 {
         return getJsonProperty(userInfo, "preferred_username");
     }

◆ hasExternalExchangeToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.hasExternalExchangeToken	(	EventBuilder	event,
		UserSessionModel	tokenUserSession,
		MultivaluedMap< String, String >	params
	)

inlineprotectedinherited

check to see if we have a token exchange in session in other words check to see if this session was created by an external exchange

引数

tokenUserSession
params

戻り値

                                                                                                                                               {
         if (getConfig().getAlias().equals(tokenUserSession.getNote(OIDCIdentityProvider.EXCHANGE_PROVIDER))) {
 
             String requestedType = params.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
             if ((requestedType == null || requestedType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE))) {
                 String accessToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
                 if (accessToken != null) {
                     AccessTokenResponse tokenResponse = new AccessTokenResponse();
                     tokenResponse.setToken(accessToken);
                     tokenResponse.setIdToken(null);
                     tokenResponse.setRefreshToken(null);
                     tokenResponse.setRefreshExpiresIn(0);
                     tokenResponse.setExpiresIn(0);
                     tokenResponse.getOtherClaims().clear();
                     tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
                     event.success();
                     return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
                 }
             } else if (OAuth2Constants.ID_TOKEN_TYPE.equals(requestedType)) {
                 String idToken = tokenUserSession.getNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN);
                 if (idToken != null) {
                     AccessTokenResponse tokenResponse = new AccessTokenResponse();
                     tokenResponse.setToken(null);
                     tokenResponse.setIdToken(idToken);
                     tokenResponse.setRefreshToken(null);
                     tokenResponse.setRefreshExpiresIn(0);
                     tokenResponse.setExpiresIn(0);
                     tokenResponse.getOtherClaims().clear();
                     tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ID_TOKEN_TYPE);
                     event.success();
                     return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
                 }
 
             }
 
         }
         return null;
     }

◆ importNewUser()

void org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.importNewUser	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user,
		BrokeredIdentityContext	context
	)

inherited

◆ isIssuer()

boolean org.keycloak.social.google.GoogleIdentityProvider.isIssuer	(	String	issuer,
		MultivaluedMap< String, String >	params
	)

inline

org.keycloak.broker.provider.ExchangeExternalTokenを実装しています。

                                                                                   {
         String requestedIssuer = params.getFirst(OAuth2Constants.SUBJECT_ISSUER);
         if (requestedIssuer == null) requestedIssuer = issuer;
         return requestedIssuer.equals(getConfig().getAlias());
     }

◆ keycloakInitiatedBrowserLogout() [1/2]

Response org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.keycloakInitiatedBrowserLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inherited

Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP

引数

userSession
uriInfo
realm

戻り値: null if this is not supported by this provider

◆ keycloakInitiatedBrowserLogout() [2/2]

Response org.keycloak.broker.oidc.OIDCIdentityProvider.keycloakInitiatedBrowserLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inlineinherited

                                                                                                                                              {
         if (getConfig().getLogoutUrl() == null || getConfig().getLogoutUrl().trim().equals("")) return null;
         String idToken = getIDTokenForLogout(session, userSession);
         if (idToken != null && getConfig().isBackchannelSupported()) {
             backchannelLogout(userSession, idToken);
             return null;
         } else {
             String sessionId = userSession.getId();
             UriBuilder logoutUri = UriBuilder.fromUri(getConfig().getLogoutUrl())
                     .queryParam("state", sessionId);
             if (idToken != null) logoutUri.queryParam("id_token_hint", idToken);
             String redirect = RealmsResource.brokerUrl(uriInfo)
                     .path(IdentityBrokerService.class, "getEndpoint")
                     .path(OIDCEndpoint.class, "logoutResponse")
                     .build(realm.getName(), getConfig().getAlias()).toString();
             logoutUri.queryParam("post_logout_redirect_uri", redirect);
             Response response = Response.status(302).location(logoutUri.build()).build();
             return response;
         }
     }

◆ performLogin() [1/2]

Response org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.performLogin ( AuthenticationRequest request )

inherited

Initiates the authentication process by sending an authentication request to an identity provider. This method is called only once during the authentication.

引数

request The initial authentication request. Contains all the contextual information in order to build an authentication request to the identity provider.

戻り値

org.keycloak.social.twitter.TwitterIdentityProviderで実装されています。

◆ performLogin() [2/2]

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.performLogin ( AuthenticationRequest request )

inlineinherited

                                                                 {
         try {
             URI authorizationUrl = createAuthorizationUrl(request).build();
 
             return Response.seeOther(authorizationUrl).build();
         } catch (Exception e) {
             throw new IdentityBrokerException("Could not create authentication request.", e);
         }
     }

◆ preprocessFederatedIdentity()

void org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.preprocessFederatedIdentity	(	KeycloakSession	session,
		RealmModel	realm,
		BrokeredIdentityContext	context
	)

inherited

◆ processAccessTokenResponse()

void org.keycloak.broker.oidc.OIDCIdentityProvider.processAccessTokenResponse	(	BrokeredIdentityContext	context,
		AccessTokenResponse	response
	)

inlineprotectedinherited

                                                                                                              {
 
     }

◆ refreshTokenForLogout()

String org.keycloak.broker.oidc.OIDCIdentityProvider.refreshTokenForLogout	(	KeycloakSession	session,
		UserSessionModel	userSession
	)

inlineinherited

Returns access token response as a string from a refresh token invocation on the remote OIDC broker

引数

session
userSession

戻り値

                                                                                                {
         String refreshToken = userSession.getNote(FEDERATED_REFRESH_TOKEN);
         try {
             return SimpleHttp.doPost(getConfig().getTokenUrl(), session)
                     .param("refresh_token", refreshToken)
                     .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                     .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                     .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
     }

◆ retrieveToken() [1/2]

Response org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.retrieveToken	(	KeycloakSession	session,
		FederatedIdentityModel	identity
	)

inherited

Returns a javax.ws.rs.core.Response containing the token previously stored during the authentication process for a specific user.

引数

identity

戻り値

org.keycloak.social.twitter.TwitterIdentityProviderで実装されています。

◆ retrieveToken() [2/2]

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.retrieveToken	(	KeycloakSession	session,
		FederatedIdentityModel	identity
	)

inlineinherited

                                                                                             {
         return Response.ok(identity.getToken()).build();
     }

◆ supportsExternalExchange()

boolean org.keycloak.social.google.GoogleIdentityProvider.supportsExternalExchange ( )

inlineprotected

                                                  {
         return true;
     }

◆ updateBrokeredUser()

void org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.updateBrokeredUser	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user,
		BrokeredIdentityContext	context
	)

inherited

◆ validateExternalTokenThroughUserInfo()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.validateExternalTokenThroughUserInfo	(	EventBuilder	event,
		String	subjectToken,
		String	subjectTokenType
	)

inlineprotectedinherited

                                                                                                                                              {
         event.detail("validation_method", "user info");
         SimpleHttp.Response response = null;
         int status = 0;
         try {
             String userInfoUrl = getProfileEndpointForValidation(event);
             response = buildUserInfoRequest(subjectToken, userInfoUrl).asResponse();
             status = response.getStatus();
         } catch (IOException e) {
             logger.debug("Failed to invoke user info for external exchange", e);
         }
         if (status != 200) {
             logger.debug("Failed to invoke user info status: " + status);
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         JsonNode profile = null;
         try {
             profile = response.asJson();
         } catch (IOException e) {
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         BrokeredIdentityContext context = extractIdentityFromProfile(event, profile);
         if (context.getId() == null) {
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         return context;
     }

◆ validateJwt()

final BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.validateJwt	(	EventBuilder	event,
		String	subjectToken,
		String	subjectTokenType
	)

inlineprotectedinherited

                                                                                                                           {
         if (!getConfig().isValidateSignature()) {
             return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
         }
         event.detail("validation_method", "signature");
         if (getConfig().isUseJwksUrl()) {
             if (getConfig().getJwksUrl() == null) {
                 event.detail(Details.REASON, "jwks url unset");
                 event.error(Errors.INVALID_CONFIG);
                 throw new ErrorResponseException(Errors.INVALID_CONFIG, "Invalid server config", Response.Status.BAD_REQUEST);
             }
         } else if (getConfig().getPublicKeySignatureVerifier() == null) {
             event.detail(Details.REASON, "public key unset");
             event.error(Errors.INVALID_CONFIG);
             throw new ErrorResponseException(Errors.INVALID_CONFIG, "Invalid server config", Response.Status.BAD_REQUEST);
         }
 
         JsonWebToken parsedToken = null;
         try {
             parsedToken = validateToken(subjectToken, true);
         } catch (IdentityBrokerException e) {
             logger.debug("Unable to validate token for exchange", e);
             event.detail(Details.REASON, "token validation failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
 
         try {
 
             boolean idTokenType = OAuth2Constants.ID_TOKEN_TYPE.equals(subjectTokenType);
             BrokeredIdentityContext context = extractIdentity(null, idTokenType ? null : subjectToken, parsedToken);
             if (context == null) {
                 event.detail(Details.REASON, "Failed to extract identity from token");
                 event.error(Errors.INVALID_TOKEN);
                 throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
 
             }
             if (idTokenType) {
                 context.getContextData().put(VALIDATED_ID_TOKEN, subjectToken);
             } else {
                 context.getContextData().put(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN, parsedToken);
             }
             context.getContextData().put(EXCHANGE_PROVIDER, getConfig().getAlias());
             context.setIdp(this);
             context.setIdpConfig(getConfig());
             return context;
         } catch (IOException e) {
             logger.debug("Unable to extract identity from identity token", e);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
 
 
     }

◆ validateToken() [1/2]

JsonWebToken org.keycloak.social.google.GoogleIdentityProvider.validateToken	(	final String	encodedToken,
		final boolean	ignoreAudience
	)

inlineprotected

                                                                                                   {
         JsonWebToken token = super.validateToken(encodedToken, ignoreAudience);
         String hostedDomain = ((GoogleIdentityProviderConfig) getConfig()).getHostedDomain();
 
         if (hostedDomain == null) {
             return token;
         }
 
         Object receivedHdParam = token.getOtherClaims().get(OIDC_PARAMETER_HOSTED_DOMAINS);
 
         if (receivedHdParam == null) {
             throw new IdentityBrokerException("Identity token does not contain hosted domain parameter.");
         }
 
         if (hostedDomain.equals("*") || hostedDomain.equals(receivedHdParam))  {
             return token;
         }
 
         throw new IdentityBrokerException("Hosted domain does not match.");
     }

◆ validateToken() [2/2]

JsonWebToken org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken ( String encodedToken )

inlineprotectedinherited

                                                               {
         boolean ignoreAudience = false;
 
         return validateToken(encodedToken, ignoreAudience);
     }

◆ verify()

boolean org.keycloak.broker.oidc.OIDCIdentityProvider.verify ( JWSInput jws )

inlineprotectedinherited

                                            {
         if (!getConfig().isValidateSignature()) return true;
 
         PublicKey publicKey = PublicKeyStorageManager.getIdentityProviderPublicKey(session, session.getContext().getRealm(), getConfig(), jws);
 
         return publicKey != null && RSAProvider.verify(jws, publicKey);
     }

メンバ詳解

◆ ACCESS_DENIED

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.ACCESS_DENIED

staticinherited

◆ ACCESS_TOKEN_EXPIRATION

final String org.keycloak.broker.oidc.OIDCIdentityProvider.ACCESS_TOKEN_EXPIRATION = "accessTokenExpiration"

staticinherited

◆ AUTH_URL

final String org.keycloak.social.google.GoogleIdentityProvider.AUTH_URL = "https://accounts.google.com/o/oauth2/auth"

static

◆ DEFAULT_SCOPE

final String org.keycloak.social.google.GoogleIdentityProvider.DEFAULT_SCOPE = "openid profile email"

static

◆ EXCHANGE_PROVIDER

final String org.keycloak.broker.oidc.OIDCIdentityProvider.EXCHANGE_PROVIDER = "EXCHANGE_PROVIDER"

staticinherited

◆ EXTERNAL_IDENTITY_PROVIDER

String org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.EXTERNAL_IDENTITY_PROVIDER = "EXTERNAL_IDENTITY_PROVIDER"

inherited

◆ FEDERATED_ACCESS_TOKEN

String org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.FEDERATED_ACCESS_TOKEN = "FEDERATED_ACCESS_TOKEN"

inherited

◆ FEDERATED_ACCESS_TOKEN_RESPONSE

final String org.keycloak.broker.oidc.OIDCIdentityProvider.FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE"

staticinherited

◆ FEDERATED_ID_TOKEN

final String org.keycloak.broker.oidc.OIDCIdentityProvider.FEDERATED_ID_TOKEN = "FEDERATED_ID_TOKEN"

staticinherited

◆ FEDERATED_REFRESH_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.FEDERATED_REFRESH_TOKEN

staticinherited

◆ FEDERATED_TOKEN_EXPIRATION

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.FEDERATED_TOKEN_EXPIRATION

staticinherited

◆ logger

final Logger org.keycloak.broker.oidc.OIDCIdentityProvider.logger = Logger.getLogger(OIDCIdentityProvider.class)

staticprotectedinherited

◆ mapper

ObjectMapper org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.mapper

staticprotectedinherited

◆ OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

staticinherited

◆ OAUTH2_GRANT_TYPE_REFRESH_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_GRANT_TYPE_REFRESH_TOKEN

staticinherited

◆ OAUTH2_PARAMETER_ACCESS_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_ACCESS_TOKEN

staticinherited

◆ OAUTH2_PARAMETER_CLIENT_ID

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CLIENT_ID

staticinherited

◆ OAUTH2_PARAMETER_CLIENT_SECRET

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CLIENT_SECRET

staticinherited

◆ OAUTH2_PARAMETER_CODE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CODE

staticinherited

◆ OAUTH2_PARAMETER_GRANT_TYPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_GRANT_TYPE

staticinherited

◆ OAUTH2_PARAMETER_REDIRECT_URI

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_REDIRECT_URI

staticinherited

◆ OAUTH2_PARAMETER_RESPONSE_TYPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_RESPONSE_TYPE

staticinherited

◆ OAUTH2_PARAMETER_SCOPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_SCOPE

staticinherited

◆ OAUTH2_PARAMETER_STATE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_STATE

staticinherited

◆ OIDC_PARAMETER_HOSTED_DOMAINS

final String org.keycloak.social.google.GoogleIdentityProvider.OIDC_PARAMETER_HOSTED_DOMAINS = "hd"

staticprivate

◆ PROFILE_URL

final String org.keycloak.social.google.GoogleIdentityProvider.PROFILE_URL = "https://www.googleapis.com/plus/v1/people/me/openIdConnect"

static

◆ SCOPE_OPENID

final String org.keycloak.broker.oidc.OIDCIdentityProvider.SCOPE_OPENID = "openid"

staticinherited

◆ TOKEN_URL

final String org.keycloak.social.google.GoogleIdentityProvider.TOKEN_URL = "https://www.googleapis.com/oauth2/v3/token"

static

◆ USER_INFO

final String org.keycloak.broker.oidc.OIDCIdentityProvider.USER_INFO = "UserInfo"

staticinherited

◆ VALIDATED_ID_TOKEN

final String org.keycloak.broker.oidc.OIDCIdentityProvider.VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN"

staticinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java

公開メンバ関数

公開変数類

静的公開変数類

限定公開メンバ関数

静的限定公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ GoogleIdentityProvider()

関数詳解

◆ asJsonNode()

◆ authenticationFinished() [1/2]

◆ authenticationFinished() [2/2]

◆ backchannelLogout() [1/3]

◆ backchannelLogout() [2/3]

◆ backchannelLogout() [3/3]

◆ buildUserInfoRequest()

◆ callback() [1/2]

◆ callback() [2/2]

◆ close()

◆ createAuthorizationUrl()

◆ doGetFederatedIdentity()

◆ exchangeExternal() [1/2]

◆ exchangeExternal() [2/2]

◆ exchangeExternalComplete() [1/2]

◆ exchangeExternalComplete() [2/2]

◆ exchangeExternalImpl()

◆ exchangeExternalUserInfoValidationOnly()

◆ exchangeFromToken()

◆ exchangeSessionToken()

◆ exchangeStoredToken()

◆ export()

◆ extractIdentity()

◆ extractIdentityFromProfile()

◆ extractTokenFromResponse()

◆ getAccessTokenResponseParameter()

◆ getConfig()

◆ getDefaultScopes()

◆ getFederatedIdentity()

◆ getJsonProperty()

◆ getMarshaller()

◆ getProfileEndpointForValidation()

◆ getUserInfoUrl()

◆ getusernameClaimNameForIdToken()

◆ getUsernameFromUserInfo()

◆ hasExternalExchangeToken()

◆ importNewUser()

◆ isIssuer()

◆ keycloakInitiatedBrowserLogout() [1/2]

◆ keycloakInitiatedBrowserLogout() [2/2]

◆ performLogin() [1/2]

◆ performLogin() [2/2]

◆ preprocessFederatedIdentity()

◆ processAccessTokenResponse()

◆ refreshTokenForLogout()

◆ retrieveToken() [1/2]

◆ retrieveToken() [2/2]

◆ supportsExternalExchange()

◆ updateBrokeredUser()

◆ validateExternalTokenThroughUserInfo()

◆ validateJwt()

◆ validateToken() [1/2]

◆ validateToken() [2/2]

◆ verify()

メンバ詳解

◆ ACCESS_DENIED

◆ ACCESS_TOKEN_EXPIRATION

◆ AUTH_URL

◆ DEFAULT_SCOPE

◆ EXCHANGE_PROVIDER

◆ EXTERNAL_IDENTITY_PROVIDER

◆ FEDERATED_ACCESS_TOKEN

◆ FEDERATED_ACCESS_TOKEN_RESPONSE

◆ FEDERATED_ID_TOKEN

◆ FEDERATED_REFRESH_TOKEN

◆ FEDERATED_TOKEN_EXPIRATION

◆ logger

◆ mapper

◆ OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

◆ OAUTH2_GRANT_TYPE_REFRESH_TOKEN