org.keycloak.authentication.authenticators.client.JWTClientAuthenticator の継承関係図

org.keycloak.authentication.authenticators.client.JWTClientAuthenticator 連携図

公開メンバ関数
void	authenticateClient (ClientAuthenticationFlowContext context)

String	getDisplayType ()

boolean	isConfigurable ()

AuthenticationExecutionModel.Requirement []	getRequirementChoices ()

String	getHelpText ()

List< ProviderConfigProperty >	getConfigProperties ()

List< ProviderConfigProperty >	getConfigPropertiesPerClient ()

Map< String, Object >	getAdapterConfiguration (ClientModel client)

String	getId ()

Set< String >	getProtocolAuthenticatorMethods (String loginProtocol)

ClientAuthenticator	create ()

ClientAuthenticator	create (KeycloakSession session)

void	close ()

void	init (Config.Scope config)

void	postInit (KeycloakSessionFactory factory)

boolean	isUserSetupAllowed ()

String	getReferenceCategory ()

default int	order ()

静的公開変数類
static final String	PROVIDER_ID = "client-jwt"

static final String	ATTR_PREFIX = "jwt.credential"

static final String	CERTIFICATE_ATTR = "jwt.credential.certificate"

static final AuthenticationExecutionModel.Requirement []	REQUIREMENT_CHOICES

限定公開メンバ関数
PublicKey	getSignatureValidationKey (ClientModel client, ClientAuthenticationFlowContext context, JWSInput jws)

詳解

Client authentication based on JWT signed by client private key . See specs for more details.

This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by org.keycloak.adapters.authentication.JWTClientCredentialsProvider

著者: Marek Posolda

関数詳解

◆ authenticateClient()

void org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.authenticateClient ( ClientAuthenticationFlowContext context )

inline

org.keycloak.authentication.ClientAuthenticatorを実装しています。

                                                                             {
         MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
 
         String clientAssertionType = params.getFirst(OAuth2Constants.CLIENT_ASSERTION_TYPE);
         String clientAssertion = params.getFirst(OAuth2Constants.CLIENT_ASSERTION);
 
         if (clientAssertionType == null) {
             Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type is missing");
             context.challenge(challengeResponse);
             return;
         }
 
         if (!clientAssertionType.equals(OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT)) {
             Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type has value '"
                     + clientAssertionType + "' but expected is '" + OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT + "'");
             context.challenge(challengeResponse);
             return;
         }
 
         if (clientAssertion == null) {
             Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "client_assertion parameter missing");
             context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
             return;
         }
 
         try {
             JWSInput jws = new JWSInput(clientAssertion);
             JsonWebToken token = jws.readJsonContent(JsonWebToken.class);
 
             RealmModel realm = context.getRealm();
             String clientId = token.getSubject();
             if (clientId == null) {
                 throw new RuntimeException("Can't identify client. Issuer missing on JWT token");
             }
 
             context.getEvent().client(clientId);
             ClientModel client = realm.getClientByClientId(clientId);
             if (client == null) {
                 context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
                 return;
             } else {
                 context.setClient(client);
             }
 
             if (!client.isEnabled()) {
                 context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
                 return;
             }
 
             // Get client key and validate signature
             PublicKey clientPublicKey = getSignatureValidationKey(client, context, jws);
             if (clientPublicKey == null) {
                 // Error response already set to context
                 return;
             }
 
             boolean signatureValid;
             try {
                 signatureValid = RSAProvider.verify(jws, clientPublicKey);
             } catch (RuntimeException e) {
                 Throwable cause = e.getCause() != null ? e.getCause() : e;
                 throw new RuntimeException("Signature on JWT token failed validation", cause);
             }
             if (!signatureValid) {
                 throw new RuntimeException("Signature on JWT token failed validation");
             }
 
             // Allow both "issuer" or "token-endpoint" as audience
             String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
             String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
             if (!token.hasAudience(issuerUrl) && !token.hasAudience(tokenUrl)) {
                 throw new RuntimeException("Token audience doesn't match domain. Realm issuer is '" + issuerUrl + "' but audience from token is '" + Arrays.asList(token.getAudience()).toString() + "'");
             }
 
             if (!token.isActive()) {
                 throw new RuntimeException("Token is not active");
             }
 
             // KEYCLOAK-2986
             if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < Time.currentTime()) {
                 throw new RuntimeException("Token is not active");
             }
 
             context.success();
         } catch (Exception e) {
             ServicesLogger.LOGGER.errorValidatingAssertion(e);
             Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Client authentication with signed JWT failed: " + e.getMessage());
             context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
         }
     }

◆ close()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.close ( )

inlineinherited

org.keycloak.provider.Providerを実装しています。

                         {
 
     }

◆ create() [1/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( )

inlineinherited

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                         {
         return this;
     }

◆ create() [2/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( KeycloakSession session )

inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                                                                {
         return this;
     }

◆ getAdapterConfiguration()

Map<String, Object> org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getAdapterConfiguration ( ClientModel client )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                                                            {
         Map<String, Object> props = new HashMap<>();
         props.put("client-keystore-file", "REPLACE WITH THE LOCATION OF YOUR KEYSTORE FILE");
         props.put("client-keystore-type", "jks");
         props.put("client-keystore-password", "REPLACE WITH THE KEYSTORE PASSWORD");
         props.put("client-key-password", "REPLACE WITH THE KEY PASSWORD IN KEYSTORE");
         props.put("client-key-alias", client.getClientId());
         props.put("token-timeout", 10);
 
         Map<String, Object> config = new HashMap<>();
         config.put("jwt", props);
         return config;
     }

◆ getConfigProperties()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getConfigProperties ( )

inline

org.keycloak.provider.ConfiguredProviderを実装しています。

                                                               {
         return new LinkedList<>();
     }

◆ getConfigPropertiesPerClient()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getConfigPropertiesPerClient ( )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                                                        {
         // This impl doesn't use generic screen in admin console, but has its own screen. So no need to return anything here
         return Collections.emptyList();
     }

◆ getDisplayType()

String org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getDisplayType ( )

inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                    {
         return "Signed Jwt";
     }

◆ getHelpText()

String org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getHelpText ( )

inline

org.keycloak.provider.ConfiguredProviderを実装しています。

                                 {
         return "Validates client based on signed JWT issued by client and signed with the Client private key";
     }

◆ getId()

String org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getId ( )

inline

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                           {
         return PROVIDER_ID;
     }

◆ getProtocolAuthenticatorMethods()

Set<String> org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getProtocolAuthenticatorMethods ( String loginProtocol )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                                                              {
         if (loginProtocol.equals(OIDCLoginProtocol.LOGIN_PROTOCOL)) {
             Set<String> results = new HashSet<>();
             results.add(OIDCLoginProtocol.PRIVATE_KEY_JWT);
             return results;
         } else {
             return Collections.emptySet();
         }
     }

◆ getReferenceCategory()

String org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.getReferenceCategory ( )

inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                          {
         return null;
     }

◆ getRequirementChoices()

AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getRequirementChoices ( )

inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                                                               {
         return REQUIREMENT_CHOICES;
     }

◆ getSignatureValidationKey()

PublicKey org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.getSignatureValidationKey	(	ClientModel	client,
		ClientAuthenticationFlowContext	context,
		JWSInput	jws
	)

inlineprotected

                                                                                                                              {
         PublicKey publicKey = PublicKeyStorageManager.getClientPublicKey(context.getSession(), client, jws);
         if (publicKey == null) {
             Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Unable to load public key");
             context.failure(AuthenticationFlowError.CLIENT_CREDENTIALS_SETUP_REQUIRED, challengeResponse);
             return null;
         } else {
             return publicKey;
         }
     }

◆ init()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.init ( Config.Scope config )

inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                                           {
 
     }

◆ isConfigurable()

boolean org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.isConfigurable ( )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                     {
         return false;
     }

◆ isUserSetupAllowed()

boolean org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.isUserSetupAllowed ( )

inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                         {
         return false;
     }

◆ order()

default int org.keycloak.provider.ProviderFactory< T extends Provider >.order ( )

inlineinherited

org.keycloak.urls.HostnameProviderFactory, org.keycloak.protocol.oidc.ext.OIDCExtProviderFactoryで実装されています。

                         {
         return 0;
     }

◆ postInit()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.postInit ( KeycloakSessionFactory factory )

inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                                                          {
 
     }

メンバ詳解

◆ ATTR_PREFIX

final String org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.ATTR_PREFIX = "jwt.credential"

static

◆ CERTIFICATE_ATTR

final String org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.CERTIFICATE_ATTR = "jwt.credential.certificate"

static

◆ PROVIDER_ID

final String org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.PROVIDER_ID = "client-jwt"

static

◆ REQUIREMENT_CHOICES

final AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.REQUIREMENT_CHOICES

static

初期値:

= {
            AuthenticationExecutionModel.Requirement.ALTERNATIVE,
            AuthenticationExecutionModel.Requirement.DISABLED
    }

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/oidc-service/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java

公開メンバ関数

静的公開変数類

限定公開メンバ関数

詳解

関数詳解

◆ authenticateClient()

◆ close()

◆ create() [1/2]

◆ create() [2/2]

◆ getAdapterConfiguration()

◆ getConfigProperties()

◆ getConfigPropertiesPerClient()

◆ getDisplayType()

◆ getHelpText()

◆ getId()

◆ getProtocolAuthenticatorMethods()

◆ getReferenceCategory()

◆ getRequirementChoices()

◆ getSignatureValidationKey()

◆ init()

◆ isConfigurable()

◆ isUserSetupAllowed()

◆ order()

◆ postInit()

メンバ詳解

◆ ATTR_PREFIX

◆ CERTIFICATE_ATTR

◆ PROVIDER_ID

◆ REQUIREMENT_CHOICES