org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig > の継承関係図

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig > 連携図

クラス
class	Endpoint

公開メンバ関数
	AbstractOAuth2IdentityProvider (KeycloakSession session, C config)

Object	callback (RealmModel realm, AuthenticationCallback callback, EventBuilder event)

Response	performLogin (AuthenticationRequest request)

Response	retrieveToken (KeycloakSession session, FederatedIdentityModel identity)

C	getConfig ()

Response	exchangeFromToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject, MultivaluedMap< String, String > params)

BrokeredIdentityContext	getFederatedIdentity (String response)

String	getJsonProperty (JsonNode jsonNode, String name)

JsonNode	asJsonNode (String json) throws IOException

void	authenticationFinished (AuthenticationSessionModel authSession, BrokeredIdentityContext context)

boolean	isIssuer (String issuer, MultivaluedMap< String, String > params)

final BrokeredIdentityContext	exchangeExternal (EventBuilder event, MultivaluedMap< String, String > params)

void	exchangeExternalComplete (UserSessionModel userSession, BrokeredIdentityContext context, MultivaluedMap< String, String > params)

Response	export (UriInfo uriInfo, RealmModel realm, String format)

void	close ()

Response	keycloakInitiatedBrowserLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

Response	exchangeNotSupported ()

Response	exchangeNotLinked (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeNotLinkedNoStore (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeTokenExpired (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeUnsupportedRequiredType ()

void	preprocessFederatedIdentity (KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)

void	importNewUser (KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)

void	updateBrokeredUser (KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)

IdentityProviderDataMarshaller	getMarshaller ()

公開変数類
String	EXTERNAL_IDENTITY_PROVIDER

String	FEDERATED_ACCESS_TOKEN

静的公開変数類
static final String	OAUTH2_GRANT_TYPE_REFRESH_TOKEN = "refresh_token"

static final String	OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"

static final String	FEDERATED_REFRESH_TOKEN = "FEDERATED_REFRESH_TOKEN"

static final String	FEDERATED_TOKEN_EXPIRATION = "FEDERATED_TOKEN_EXPIRATION"

static final String	ACCESS_DENIED = "access_denied"

static final String	OAUTH2_PARAMETER_ACCESS_TOKEN = "access_token"

static final String	OAUTH2_PARAMETER_SCOPE = "scope"

static final String	OAUTH2_PARAMETER_STATE = "state"

static final String	OAUTH2_PARAMETER_RESPONSE_TYPE = "response_type"

static final String	OAUTH2_PARAMETER_REDIRECT_URI = "redirect_uri"

static final String	OAUTH2_PARAMETER_CODE = "code"

static final String	OAUTH2_PARAMETER_CLIENT_ID = "client_id"

static final String	OAUTH2_PARAMETER_CLIENT_SECRET = "client_secret"

static final String	OAUTH2_PARAMETER_GRANT_TYPE = "grant_type"

static final String	ACCOUNT_LINK_URL = "account-link-url"

限定公開メンバ関数
String	extractTokenFromResponse (String response, String tokenName)

Response	hasExternalExchangeToken (EventBuilder event, UserSessionModel tokenUserSession, MultivaluedMap< String, String > params)

Response	exchangeStoredToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeSessionToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

String	getAccessTokenResponseParameter ()

BrokeredIdentityContext	doGetFederatedIdentity (String accessToken)

UriBuilder	createAuthorizationUrl (AuthenticationRequest request)

abstract String	getDefaultScopes ()

String	getProfileEndpointForValidation (EventBuilder event)

BrokeredIdentityContext	extractIdentityFromProfile (EventBuilder event, JsonNode node)

BrokeredIdentityContext	validateExternalTokenThroughUserInfo (EventBuilder event, String subjectToken, String subjectTokenType)

SimpleHttp	buildUserInfoRequest (String subjectToken, String userInfoUrl)

boolean	supportsExternalExchange ()

BrokeredIdentityContext	exchangeExternalImpl (EventBuilder event, MultivaluedMap< String, String > params)

BrokeredIdentityContext	exchangeExternalUserInfoValidationOnly (EventBuilder event, MultivaluedMap< String, String > params)

Response	exchangeErrorResponse (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, String errorCode, String reason)

String	getLinkingUrl (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession)

限定公開変数類
final KeycloakSession	session

静的限定公開変数類
static final Logger	logger = Logger.getLogger(AbstractOAuth2IdentityProvider.class)

static ObjectMapper	mapper = new ObjectMapper()

詳解

著者: Pedro Igor

構築子と解体子

◆ AbstractOAuth2IdentityProvider()

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.AbstractOAuth2IdentityProvider	(	KeycloakSession	session,
		C	config
	)

inline

                                                                              {
         super(session, config);
 
         if (config.getDefaultScope() == null || config.getDefaultScope().isEmpty()) {
             config.setDefaultScope(getDefaultScopes());
         }
     }

関数詳解

◆ asJsonNode()

JsonNode org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.asJsonNode ( String json ) throws IOException

inline

                                                                {
         return mapper.readTree(json);
     }

◆ authenticationFinished()

void org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.authenticationFinished	(	AuthenticationSessionModel	authSession,
		BrokeredIdentityContext	context
	)

inline

                                                                                                                 {
         String token = (String) context.getContextData().get(FEDERATED_ACCESS_TOKEN);
         if (token != null) authSession.setUserSessionNote(FEDERATED_ACCESS_TOKEN, token);
     }

◆ backchannelLogout()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.backchannelLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inlineinherited

                                                                                                                             {
 
     }

◆ buildUserInfoRequest()

SimpleHttp org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.buildUserInfoRequest	(	String	subjectToken,
		String	userInfoUrl
	)

inlineprotected

                                                                                        {
         return SimpleHttp.doGet(userInfoUrl, session)
                   .header("Authorization", "Bearer " + subjectToken);
     }

◆ callback()

Object org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.callback	(	RealmModel	realm,
		AuthenticationCallback	callback,
		EventBuilder	event
	)

inline

                                                                                                   {
         return new Endpoint(callback, realm, event);
     }

◆ close()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.close ( )

inlineinherited

                         {
         // no-op
     }

◆ createAuthorizationUrl()

UriBuilder org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.createAuthorizationUrl ( AuthenticationRequest request )

inlineprotected

                                                                                {
         final UriBuilder uriBuilder = UriBuilder.fromUri(getConfig().getAuthorizationUrl())
                 .queryParam(OAUTH2_PARAMETER_SCOPE, getConfig().getDefaultScope())
                 .queryParam(OAUTH2_PARAMETER_STATE, request.getState().getEncoded())
                 .queryParam(OAUTH2_PARAMETER_RESPONSE_TYPE, "code")
                 .queryParam(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                 .queryParam(OAUTH2_PARAMETER_REDIRECT_URI, request.getRedirectUri());
 
         String loginHint = request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM);
         if (getConfig().isLoginHint() && loginHint != null) {
             uriBuilder.queryParam(OIDCLoginProtocol.LOGIN_HINT_PARAM, loginHint);
         }
 
         if (getConfig().isUiLocales()) {
             uriBuilder.queryParam(OIDCLoginProtocol.UI_LOCALES_PARAM, session.getContext().resolveLocale(null).toLanguageTag());
         }
 
         String prompt = getConfig().getPrompt();
         if (prompt == null || prompt.isEmpty()) {
             prompt = request.getAuthenticationSession().getClientNote(OAuth2Constants.PROMPT);
         }
         if (prompt != null) {
             uriBuilder.queryParam(OAuth2Constants.PROMPT, prompt);
         }
 
         String nonce = request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.NONCE_PARAM);
         if (nonce == null || nonce.isEmpty()) {
             nonce = UUID.randomUUID().toString();
             request.getAuthenticationSession().setClientNote(OIDCLoginProtocol.NONCE_PARAM, nonce);
         }
         uriBuilder.queryParam(OIDCLoginProtocol.NONCE_PARAM, nonce);
 
         String acr = request.getAuthenticationSession().getClientNote(OAuth2Constants.ACR_VALUES);
         if (acr != null) {
             uriBuilder.queryParam(OAuth2Constants.ACR_VALUES, acr);
         }
         String forwardParameterConfig = getConfig().getForwardParameters() != null ? getConfig().getForwardParameters(): "";
         List<String> forwardParameters = Arrays.asList(forwardParameterConfig.split("\\s*,\\s*"));
         for(String forwardParameter: forwardParameters) {
             String name = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + forwardParameter.trim();
             String parameter = request.getAuthenticationSession().getClientNote(name);
             if(parameter != null && !parameter.isEmpty()) {
                 uriBuilder.queryParam(forwardParameter, parameter);
             }
         }
         return uriBuilder;
     }

◆ doGetFederatedIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.doGetFederatedIdentity ( String accessToken )

inlineprotected

                                                                                  {
         return null;
     }

◆ exchangeErrorResponse()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeErrorResponse	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		String	errorCode,
		String	reason
	)

inlineprotectedinherited

                                                                                                                                                                 {
         Map<String, String> error = new HashMap<>();
         error.put("error", errorCode);
         error.put("error_description", reason);
         String accountLinkUrl = getLinkingUrl(uriInfo, authorizedClient, tokenUserSession);
         if (accountLinkUrl != null) error.put(ACCOUNT_LINK_URL, accountLinkUrl);
         return Response.status(400).entity(error).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ exchangeExternal()

final BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternal	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inline

org.keycloak.broker.provider.ExchangeExternalTokenを実装しています。

                                                                                                                      {
         if (!supportsExternalExchange()) return null;
         BrokeredIdentityContext context = exchangeExternalImpl(event, params);
         if (context != null) {
             context.setIdp(this);
             context.setIdpConfig(getConfig());
         }
         return context;
     }

◆ exchangeExternalComplete()

void org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternalComplete	(	UserSessionModel	userSession,
		BrokeredIdentityContext	context,
		MultivaluedMap< String, String >	params
	)

inline

org.keycloak.broker.provider.ExchangeExternalTokenを実装しています。

                                                                                                                                                {
         if (context.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN))
             userSession.setNote(FEDERATED_ACCESS_TOKEN, params.getFirst(OAuth2Constants.SUBJECT_TOKEN));
         if (context.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN))
             userSession.setNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN, params.getFirst(OAuth2Constants.SUBJECT_TOKEN));
         userSession.setNote(OIDCIdentityProvider.EXCHANGE_PROVIDER, getConfig().getAlias());
 
     }

◆ exchangeExternalImpl()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternalImpl	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineprotected

                                                                                                                       {
         return exchangeExternalUserInfoValidationOnly(event, params);
 
     }

◆ exchangeExternalUserInfoValidationOnly()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternalUserInfoValidationOnly	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineprotected

                                                                                                                                         {
         String subjectToken = params.getFirst(OAuth2Constants.SUBJECT_TOKEN);
         if (subjectToken == null) {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN + " param unset");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "token not set", Response.Status.BAD_REQUEST);
         }
         String subjectTokenType = params.getFirst(OAuth2Constants.SUBJECT_TOKEN_TYPE);
         if (subjectTokenType == null) {
             subjectTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
         }
         if (!OAuth2Constants.ACCESS_TOKEN_TYPE.equals(subjectTokenType)) {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN_TYPE + " invalid");
             event.error(Errors.INVALID_TOKEN_TYPE);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token type", Response.Status.BAD_REQUEST);
         }
         return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
     }

◆ exchangeFromToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeFromToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject,
		MultivaluedMap< String, String >	params
	)

inline

org.keycloak.broker.provider.ExchangeTokenToIdentityProviderTokenを実装しています。

                                                                                                                                                                                                            {
         // check to see if we have a token exchange in session
         // in other words check to see if this session was created by an external exchange
         Response tokenResponse = hasExternalExchangeToken(event, tokenUserSession, params);
         if (tokenResponse != null) return tokenResponse;
 
         // going further we only support access token type?  Why?
         String requestedType = params.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
         if (requestedType != null && !requestedType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
             event.detail(Details.REASON, "requested_token_type unsupported");
             event.error(Errors.INVALID_REQUEST);
             return exchangeUnsupportedRequiredType();
         }
         if (!getConfig().isStoreToken()) {
             // if token isn't stored, we need to see if this session has been linked
             String brokerId = tokenUserSession.getNote(Details.IDENTITY_PROVIDER);
             brokerId = brokerId == null ? tokenUserSession.getNote(IdentityProvider.EXTERNAL_IDENTITY_PROVIDER) : brokerId;
             if (brokerId == null || !brokerId.equals(getConfig().getAlias())) {
                 event.detail(Details.REASON, "requested_issuer has not linked");
                 event.error(Errors.INVALID_REQUEST);
                 return exchangeNotLinkedNoStore(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
             }
             return exchangeSessionToken(uriInfo, event, authorizedClient, tokenUserSession, tokenSubject);
         } else {
             return exchangeStoredToken(uriInfo, event, authorizedClient, tokenUserSession, tokenSubject);
         }
     }

◆ exchangeNotLinked()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeNotLinked	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineinherited

                                                                                                                                                 {
         return exchangeErrorResponse(uriInfo, authorizedClient, tokenUserSession, "not_linked", "identity provider is not linked");
     }

◆ exchangeNotLinkedNoStore()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeNotLinkedNoStore	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineinherited

                                                                                                                                                        {
         return exchangeErrorResponse(uriInfo, authorizedClient, tokenUserSession, "not_linked", "identity provider is not linked, can only link to current user session");
     }

◆ exchangeNotSupported()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeNotSupported ( )

inlineinherited

                                            {
         Map<String, String> error = new HashMap<>();
         error.put("error", "invalid_target");
         error.put("error_description", "target_exchange_unsupported");
         return  Response.status(400).entity(error).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ exchangeSessionToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeSessionToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineprotected

                                                                                                                                                                           {
         String accessToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
         if (accessToken == null) {
             event.detail(Details.REASON, "requested_issuer is not linked");
             event.error(Errors.INVALID_TOKEN);
             return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
         AccessTokenResponse tokenResponse = new AccessTokenResponse();
         tokenResponse.setToken(accessToken);
         tokenResponse.setIdToken(null);
         tokenResponse.setRefreshToken(null);
         tokenResponse.setRefreshExpiresIn(0);
         tokenResponse.getOtherClaims().clear();
         tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
         tokenResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
         event.success();
         return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ exchangeStoredToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeStoredToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineprotected

                                                                                                                                                                          {
         FederatedIdentityModel model = session.users().getFederatedIdentity(tokenSubject, getConfig().getAlias(), authorizedClient.getRealm());
         if (model == null || model.getToken() == null) {
             event.detail(Details.REASON, "requested_issuer is not linked");
             event.error(Errors.INVALID_TOKEN);
             return exchangeNotLinked(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
         String accessToken = extractTokenFromResponse(model.getToken(), getAccessTokenResponseParameter());
         if (accessToken == null) {
             model.setToken(null);
             session.users().updateFederatedIdentity(authorizedClient.getRealm(), tokenSubject, model);
             event.detail(Details.REASON, "requested_issuer token expired");
             event.error(Errors.INVALID_TOKEN);
             return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
         AccessTokenResponse tokenResponse = new AccessTokenResponse();
         tokenResponse.setToken(accessToken);
         tokenResponse.setIdToken(null);
         tokenResponse.setRefreshToken(null);
         tokenResponse.setRefreshExpiresIn(0);
         tokenResponse.getOtherClaims().clear();
         tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
         tokenResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
         event.success();
         return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ exchangeTokenExpired()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeTokenExpired	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineinherited

                                                                                                                                                    {
         return exchangeErrorResponse(uriInfo, authorizedClient, tokenUserSession, "token_expired", "linked token is expired");
     }

◆ exchangeUnsupportedRequiredType()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeUnsupportedRequiredType ( )

inlineinherited

                                                       {
         Map<String, String> error = new HashMap<>();
         error.put("error", "invalid_target");
         error.put("error_description", "response_token_type_unsupported");
         return Response.status(400).entity(error).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ export()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.export	(	UriInfo	uriInfo,
		RealmModel	realm,
		String	format
	)

inlineinherited

                                                                              {
         return Response.noContent().build();
     }

◆ extractIdentityFromProfile()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.extractIdentityFromProfile	(	EventBuilder	event,
		JsonNode	node
	)

inlineprotected

                                                                                                     {
         return null;
     }

◆ extractTokenFromResponse()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.extractTokenFromResponse	(	String	response,
		String	tokenName
	)

inlineprotected

                                                                                  {
           if(response == null)
                 return null;
           
         if (response.startsWith("{")) {
             try {
                         JsonNode node = mapper.readTree(response);
                         if(node.has(tokenName)){
                                 String s = node.get(tokenName).textValue();
                                 if(s == null || s.trim().isEmpty())
                                         return null;
                   return s;
                         } else {
                                 return null;
                         }
             } catch (IOException e) {
                 throw new IdentityBrokerException("Could not extract token [" + tokenName + "] from response [" + response + "] due: " + e.getMessage(), e);
             }
         } else {
             Matcher matcher = Pattern.compile(tokenName + "=([^&]+)").matcher(response);
 
             if (matcher.find()) {
                 return matcher.group(1);
             }
         }
 
         return null;
     }

◆ getAccessTokenResponseParameter()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getAccessTokenResponseParameter ( )

inlineprotected

                                                        {
         return OAUTH2_PARAMETER_ACCESS_TOKEN;
     }

◆ getConfig()

C org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getConfig ( )

inline

                          {
         return super.getConfig();
     }

◆ getDefaultScopes()

abstract String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getDefaultScopes ( )

abstractprotected

◆ getFederatedIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getFederatedIdentity ( String response )

inline

                                                                          {
         String accessToken = extractTokenFromResponse(response, getAccessTokenResponseParameter());
 
         if (accessToken == null) {
             throw new IdentityBrokerException("No access token available in OAuth server response: " + response);
         }
 
         BrokeredIdentityContext context = doGetFederatedIdentity(accessToken);
         context.getContextData().put(FEDERATED_ACCESS_TOKEN, accessToken);
         return context;
     }

◆ getJsonProperty()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getJsonProperty	(	JsonNode	jsonNode,
		String	name
	)

inline

Get JSON property as text. JSON numbers and booleans are converted to text. Empty string is converted to null.

引数

jsonNode	to get property from
name	of property to get

戻り値: string value of the property or null.

                                                                   {
         if (jsonNode.has(name) && !jsonNode.get(name).isNull()) {
                   String s = jsonNode.get(name).asText();
                   if(s != null && !s.isEmpty())
                                 return s;
                   else
                                 return null;
         }
 
         return null;
     }

◆ getLinkingUrl()

String org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.getLinkingUrl	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession
	)

inlineprotectedinherited

                                                                                                                      {
         String provider = getConfig().getAlias();
         String clientId = authorizedClient.getClientId();
         String nonce = UUID.randomUUID().toString();
         MessageDigest md = null;
         try {
             md = MessageDigest.getInstance("SHA-256");
         } catch (NoSuchAlgorithmException e) {
             throw new RuntimeException(e);
         }
         String input = nonce + tokenUserSession.getId() + clientId + provider;
         byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
         String hash = Base64Url.encode(check);
         return KeycloakUriBuilder.fromUri(uriInfo.getBaseUri())
                 .path("/realms/{realm}/broker/{provider}/link")
                 .queryParam("nonce", nonce)
                 .queryParam("hash", hash)
                 .queryParam("client_id", clientId)
                 .build(authorizedClient.getRealm().getName(), provider)
                 .toString();
     }

◆ getMarshaller()

IdentityProviderDataMarshaller org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.getMarshaller ( )

inlineinherited

                                                           {
         return new DefaultDataMarshaller();
     }

◆ getProfileEndpointForValidation()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getProfileEndpointForValidation ( EventBuilder event )

inlineprotected

                                                                          {
         event.detail(Details.REASON, "exchange unsupported");
         event.error(Errors.INVALID_TOKEN);
         throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
     }

◆ hasExternalExchangeToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.hasExternalExchangeToken	(	EventBuilder	event,
		UserSessionModel	tokenUserSession,
		MultivaluedMap< String, String >	params
	)

inlineprotected

check to see if we have a token exchange in session in other words check to see if this session was created by an external exchange

引数

tokenUserSession
params

戻り値

                                                                                                                                               {
         if (getConfig().getAlias().equals(tokenUserSession.getNote(OIDCIdentityProvider.EXCHANGE_PROVIDER))) {
 
             String requestedType = params.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
             if ((requestedType == null || requestedType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE))) {
                 String accessToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
                 if (accessToken != null) {
                     AccessTokenResponse tokenResponse = new AccessTokenResponse();
                     tokenResponse.setToken(accessToken);
                     tokenResponse.setIdToken(null);
                     tokenResponse.setRefreshToken(null);
                     tokenResponse.setRefreshExpiresIn(0);
                     tokenResponse.setExpiresIn(0);
                     tokenResponse.getOtherClaims().clear();
                     tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
                     event.success();
                     return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
                 }
             } else if (OAuth2Constants.ID_TOKEN_TYPE.equals(requestedType)) {
                 String idToken = tokenUserSession.getNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN);
                 if (idToken != null) {
                     AccessTokenResponse tokenResponse = new AccessTokenResponse();
                     tokenResponse.setToken(null);
                     tokenResponse.setIdToken(idToken);
                     tokenResponse.setRefreshToken(null);
                     tokenResponse.setRefreshExpiresIn(0);
                     tokenResponse.setExpiresIn(0);
                     tokenResponse.getOtherClaims().clear();
                     tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ID_TOKEN_TYPE);
                     event.success();
                     return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
                 }
 
             }
 
         }
         return null;
     }

◆ importNewUser()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.importNewUser	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user,
		BrokeredIdentityContext	context
	)

inlineinherited

                                                                                                                           {
 
     }

◆ isIssuer()

boolean org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.isIssuer	(	String	issuer,
		MultivaluedMap< String, String >	params
	)

inline

org.keycloak.broker.provider.ExchangeExternalTokenを実装しています。

                                                                                   {
         if (!supportsExternalExchange()) return false;
         String requestedIssuer = params.getFirst(OAuth2Constants.SUBJECT_ISSUER);
         if (requestedIssuer == null) requestedIssuer = issuer;
         return requestedIssuer.equals(getConfig().getAlias());
     }

◆ keycloakInitiatedBrowserLogout()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.keycloakInitiatedBrowserLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inlineinherited

                                                                                                                                              {
         return null;
     }

◆ performLogin()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.performLogin ( AuthenticationRequest request )

inline

                                                                 {
         try {
             URI authorizationUrl = createAuthorizationUrl(request).build();
 
             return Response.seeOther(authorizationUrl).build();
         } catch (Exception e) {
             throw new IdentityBrokerException("Could not create authentication request.", e);
         }
     }

◆ preprocessFederatedIdentity()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.preprocessFederatedIdentity	(	KeycloakSession	session,
		RealmModel	realm,
		BrokeredIdentityContext	context
	)

inlineinherited

                                                                                                                         {
 
     }

◆ retrieveToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.retrieveToken	(	KeycloakSession	session,
		FederatedIdentityModel	identity
	)

inline

                                                                                             {
         return Response.ok(identity.getToken()).build();
     }

◆ supportsExternalExchange()

boolean org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.supportsExternalExchange ( )

inlineprotected

                                                  {
         return false;
     }

◆ updateBrokeredUser()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.updateBrokeredUser	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user,
		BrokeredIdentityContext	context
	)

inlineinherited

                                                                                                                                {
 
     }

◆ validateExternalTokenThroughUserInfo()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.validateExternalTokenThroughUserInfo	(	EventBuilder	event,
		String	subjectToken,
		String	subjectTokenType
	)

inlineprotected

                                                                                                                                              {
         event.detail("validation_method", "user info");
         SimpleHttp.Response response = null;
         int status = 0;
         try {
             String userInfoUrl = getProfileEndpointForValidation(event);
             response = buildUserInfoRequest(subjectToken, userInfoUrl).asResponse();
             status = response.getStatus();
         } catch (IOException e) {
             logger.debug("Failed to invoke user info for external exchange", e);
         }
         if (status != 200) {
             logger.debug("Failed to invoke user info status: " + status);
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         JsonNode profile = null;
         try {
             profile = response.asJson();
         } catch (IOException e) {
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         BrokeredIdentityContext context = extractIdentityFromProfile(event, profile);
         if (context.getId() == null) {
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         return context;
     }

メンバ詳解

◆ ACCESS_DENIED

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.ACCESS_DENIED = "access_denied"

static

◆ ACCOUNT_LINK_URL

final String org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.ACCOUNT_LINK_URL = "account-link-url"

staticinherited

◆ EXTERNAL_IDENTITY_PROVIDER

String org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.EXTERNAL_IDENTITY_PROVIDER

inherited

◆ FEDERATED_ACCESS_TOKEN

String org.keycloak.broker.provider.IdentityProvider< C extends IdentityProviderModel >.FEDERATED_ACCESS_TOKEN

inherited

◆ FEDERATED_REFRESH_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.FEDERATED_REFRESH_TOKEN = "FEDERATED_REFRESH_TOKEN"

static

◆ FEDERATED_TOKEN_EXPIRATION

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.FEDERATED_TOKEN_EXPIRATION = "FEDERATED_TOKEN_EXPIRATION"

static

◆ logger

final Logger org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.logger = Logger.getLogger(AbstractOAuth2IdentityProvider.class)

staticprotected

◆ mapper

ObjectMapper org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.mapper = new ObjectMapper()

staticprotected

◆ OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"

static

◆ OAUTH2_GRANT_TYPE_REFRESH_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_GRANT_TYPE_REFRESH_TOKEN = "refresh_token"

static

◆ OAUTH2_PARAMETER_ACCESS_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_ACCESS_TOKEN = "access_token"

static

◆ OAUTH2_PARAMETER_CLIENT_ID

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CLIENT_ID = "client_id"

static

◆ OAUTH2_PARAMETER_CLIENT_SECRET

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CLIENT_SECRET = "client_secret"

static

◆ OAUTH2_PARAMETER_CODE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CODE = "code"

static

◆ OAUTH2_PARAMETER_GRANT_TYPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_GRANT_TYPE = "grant_type"

static

◆ OAUTH2_PARAMETER_REDIRECT_URI

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_REDIRECT_URI = "redirect_uri"

static

◆ OAUTH2_PARAMETER_RESPONSE_TYPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_RESPONSE_TYPE = "response_type"

static

◆ OAUTH2_PARAMETER_SCOPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_SCOPE = "scope"

static

◆ OAUTH2_PARAMETER_STATE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_STATE = "state"

static

◆ session

final KeycloakSession org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.session

protectedinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java

クラス

公開メンバ関数

公開変数類

静的公開変数類

限定公開メンバ関数

限定公開変数類

静的限定公開変数類

詳解

構築子と解体子

◆ AbstractOAuth2IdentityProvider()

関数詳解

◆ asJsonNode()

◆ authenticationFinished()

◆ backchannelLogout()

◆ buildUserInfoRequest()

◆ callback()

◆ close()

◆ createAuthorizationUrl()

◆ doGetFederatedIdentity()

◆ exchangeErrorResponse()

◆ exchangeExternal()

◆ exchangeExternalComplete()

◆ exchangeExternalImpl()

◆ exchangeExternalUserInfoValidationOnly()

◆ exchangeFromToken()

◆ exchangeNotLinked()

◆ exchangeNotLinkedNoStore()

◆ exchangeNotSupported()

◆ exchangeSessionToken()

◆ exchangeStoredToken()

◆ exchangeTokenExpired()

◆ exchangeUnsupportedRequiredType()

◆ export()

◆ extractIdentityFromProfile()

◆ extractTokenFromResponse()

◆ getAccessTokenResponseParameter()

◆ getConfig()

◆ getDefaultScopes()

◆ getFederatedIdentity()

◆ getJsonProperty()

◆ getLinkingUrl()

◆ getMarshaller()

◆ getProfileEndpointForValidation()

◆ hasExternalExchangeToken()

◆ importNewUser()

◆ isIssuer()

◆ keycloakInitiatedBrowserLogout()

◆ performLogin()

◆ preprocessFederatedIdentity()

◆ retrieveToken()

◆ supportsExternalExchange()

◆ updateBrokeredUser()

◆ validateExternalTokenThroughUserInfo()

メンバ詳解

◆ ACCESS_DENIED

◆ ACCOUNT_LINK_URL

◆ EXTERNAL_IDENTITY_PROVIDER

◆ FEDERATED_ACCESS_TOKEN

◆ FEDERATED_REFRESH_TOKEN

◆ FEDERATED_TOKEN_EXPIRATION

◆ logger

◆ mapper

◆ OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

◆ OAUTH2_GRANT_TYPE_REFRESH_TOKEN

◆ OAUTH2_PARAMETER_ACCESS_TOKEN

◆ OAUTH2_PARAMETER_CLIENT_ID

◆ OAUTH2_PARAMETER_CLIENT_SECRET

◆ OAUTH2_PARAMETER_CODE

◆ OAUTH2_PARAMETER_GRANT_TYPE

◆ OAUTH2_PARAMETER_REDIRECT_URI

◆ OAUTH2_PARAMETER_RESPONSE_TYPE

◆ OAUTH2_PARAMETER_SCOPE

◆ OAUTH2_PARAMETER_STATE

◆ session