keycloak-oidc-service
公開メンバ関数 | 静的公開メンバ関数 | 静的公開変数類 | 限定公開メンバ関数 | 静的限定公開メンバ関数 | 静的関数 | 静的非公開メンバ関数 | 静的非公開変数類 | 全メンバ一覧
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper クラス
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper の継承関係図
Inheritance graph
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper 連携図
Collaboration graph

公開メンバ関数

List< ProviderConfigPropertygetConfigProperties ()
 
String getId ()
 
String getDisplayType ()
 
String getDisplayCategory ()
 
String getHelpText ()
 
String getProtocol ()
 
void close ()
 
final ProtocolMapper create (KeycloakSession session)
 
void init (Config.Scope config)
 
void postInit (KeycloakSessionFactory factory)
 
AccessToken transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
 
AccessToken transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
 
AccessToken transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
 
AccessToken transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
 
IDToken transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
 
IDToken transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
 
default void validateConfig (KeycloakSession session, RealmModel realm, ProtocolMapperContainerModel client, ProtocolMapperModel mapperModel) throws ProtocolMapperConfigException
 
default int order ()
 

静的公開メンバ関数

static ProtocolMapperModel create (String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)
 
static ProtocolMapperModel create (String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken, boolean multiValued)
 
static Stream< RoleModelgetAllUserRolesStream (UserModel user)
 

静的公開変数類

static final String PROVIDER_ID = "oidc-usermodel-client-role-mapper"
 
static final String TOKEN_MAPPER_CATEGORY = "Token mapper"
 

限定公開メンバ関数

void setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
 
void setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession)
 

静的限定公開メンバ関数

static void setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, Predicate< RoleModel > restriction, String prefix)
 

静的関数

 [static initializer]
 

静的非公開メンバ関数

static Predicate< RoleModelgetClientRoleFilter (String clientId, UserSessionModel userSession)
 

静的非公開変数類

static final List< ProviderConfigPropertyCONFIG_PROPERTIES = new ArrayList<>()
 

詳解

Allows mapping of user client role mappings to an ID and Access Token claim.

著者
Thomas Darimont

関数詳解

◆ [static initializer]()

org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.[static initializer] ( )
inlinestaticpackage

◆ close()

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.close ( )
inlineinherited

org.keycloak.provider.Providerを実装しています。

45  {
46 
47  }

◆ create() [1/3]

final ProtocolMapper org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.create ( KeycloakSession  session)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

50  {
51  throw new RuntimeException("UNSUPPORTED METHOD");
52  }

◆ create() [2/3]

static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.create ( String  clientId,
String  clientRolePrefix,
String  name,
String  tokenClaimName,
boolean  accessToken,
boolean  idToken 
)
inlinestatic
148  {
149  return create(clientId, clientRolePrefix, name, tokenClaimName, accessToken, idToken, false);
150 
151  }
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.create
static ProtocolMapperModel create(String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)
Definition: UserClientRoleMappingMapper.java:145

◆ create() [3/3]

static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.create ( String  clientId,
String  clientRolePrefix,
String  name,
String  tokenClaimName,
boolean  accessToken,
boolean  idToken,
boolean  multiValued 
)
inlinestatic
156  {
157  ProtocolMapperModel mapper = OIDCAttributeMapperHelper.createClaimMapper(name, "foo",
158  tokenClaimName, "String",
159  accessToken, idToken,
160  PROVIDER_ID);
161 
162  mapper.getConfig().put(ProtocolMapperUtils.MULTIVALUED, String.valueOf(multiValued));
163  mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId);
164  mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix);
165  return mapper;
166  }
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.PROVIDER_ID
static final String PROVIDER_ID
Definition: UserClientRoleMappingMapper.java:46

◆ getAllUserRolesStream()

static Stream<RoleModel> org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.getAllUserRolesStream ( UserModel  user)
inlinestaticinherited

Returns a stream with roles that come from:

  • Direct assignment of the role to the user
  • Direct assignment of the role to any group of the user or any of its parent group
  • Composite roles are expanded recursively, the composite role itself is also contained in the returned stream
引数
userUser to enumerate the roles for
戻り値
52  {
53  return Stream.concat(
54  user.getRoleMappings().stream(),
55  user.getGroups().stream()
56  .flatMap(g -> groupAndItsParentsStream(g))
57  .flatMap(g -> g.getRoleMappings().stream()))
58  .flatMap(RoleUtils::expandCompositeRolesStream);
59  }
org.keycloak.models.utils.RoleUtils.expandCompositeRolesStream
static Stream< RoleModel > expandCompositeRolesStream(RoleModel role)
Definition: RoleUtils.java:110
org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.groupAndItsParentsStream
static Stream< GroupModel > groupAndItsParentsStream(GroupModel group)
Definition: AbstractUserRoleMappingMapper.java:66

◆ getClientRoleFilter()

static Predicate<RoleModel> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getClientRoleFilter ( String  clientId,
UserSessionModel  userSession 
)
inlinestaticprivate
110  {
111  if (clientId == null) {
112  return RoleModel::isClientRole;
113  }
114 
115  RealmModel clientRealm = userSession.getRealm();
116  ClientModel client = clientRealm.getClientByClientId(clientId.trim());
117 
118  if (client == null) {
119  return RoleModel::isClientRole;
120  }
121 
122  boolean fullScopeAllowed = client.isFullScopeAllowed();
123  Set<RoleModel> clientRoleMappings = client.getRoles();
124  if (fullScopeAllowed) {
125  return clientRoleMappings::contains;
126  }
127 
128  Set<RoleModel> scopeMappings = new HashSet<>();
129 
130  // Add scope mappings of current client + all clientScopes of this client (including optional scopes if scope parameter matches)
131  String scopeParam = null;
132  AuthenticatedClientSessionModel authClientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
133  if (authClientSession != null) {
134  scopeParam = authClientSession.getNote(OAuth2Constants.SCOPE);
135  }
136 
137  Set<ClientScopeModel> clientScopes = TokenManager.getRequestedClientScopes(scopeParam, client);
138  for (ClientScopeModel clientScope : clientScopes) {
139  scopeMappings.addAll(clientScope.getScopeMappings());
140  }
141 
142  return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role);
143  }

◆ getConfigProperties()

List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getConfigProperties ( )
inline

org.keycloak.provider.ConfiguredProviderを実装しています。

78  {
79  return CONFIG_PROPERTIES;
80  }
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.CONFIG_PROPERTIES
static final List< ProviderConfigProperty > CONFIG_PROPERTIES
Definition: UserClientRoleMappingMapper.java:48

◆ getDisplayCategory()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getDisplayCategory ( )
inline

org.keycloak.protocol.ProtocolMapperを実装しています。

93  {
94  return TOKEN_MAPPER_CATEGORY;
95  }
org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY
static final String TOKEN_MAPPER_CATEGORY
Definition: AbstractOIDCProtocolMapper.java:37

◆ getDisplayType()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getDisplayType ( )
inline

org.keycloak.protocol.ProtocolMapperを実装しています。

88  {
89  return "User Client Role";
90  }

◆ getHelpText()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getHelpText ( )
inline

org.keycloak.provider.ConfiguredProviderを実装しています。

98  {
99  return "Map a user client role to a token claim.";
100  }

◆ getId()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getId ( )
inline

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

83  {
84  return PROVIDER_ID;
85  }
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.PROVIDER_ID
static final String PROVIDER_ID
Definition: UserClientRoleMappingMapper.java:46

◆ getProtocol()

String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.getProtocol ( )
inlineinherited

org.keycloak.protocol.ProtocolMapperを実装しています。

40  {
41  return OIDCLoginProtocol.LOGIN_PROTOCOL;
42  }

◆ init()

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.init ( Config.Scope  config)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

55  {
56  }

◆ order()

default int org.keycloak.provider.ProviderFactory< T extends Provider >.order ( )
inlineinherited

org.keycloak.urls.HostnameProviderFactory, org.keycloak.protocol.oidc.ext.OIDCExtProviderFactoryで実装されています。

56  {
57  return 0;
58  }

◆ postInit()

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.postInit ( KeycloakSessionFactory  factory)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

59  {
60 
61  }

◆ setClaim() [1/3]

static void org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.setClaim ( IDToken  token,
ProtocolMapperModel  mappingModel,
UserSessionModel  userSession,
Predicate< RoleModel restriction,
String  prefix 
)
inlinestaticprotectedinherited

Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups. Then it recursively expands all composite roles, and restricts according to the given predicate

restriction

. If the current client sessions is restricted (i.e. no client found in active user session has full scope allowed), the final list of roles is also restricted by the client scope. Finally, the list is mapped to the token into a claim.

引数
token
mappingModel
userSession
restriction
prefix
89  {
90  String rolePrefix = prefix == null ? "" : prefix;
91  UserModel user = userSession.getUser();
92 
93  // get a set of all realm roles assigned to the user or its group
94  Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);
95 
96  boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
97  if (! dontLimitScope) {
98  Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
99  .flatMap(cs -> cs.getClient().getScopeMappings().stream())
100  .collect(Collectors.toSet());
101 
102  clientUserRoles = clientUserRoles.filter(clientRoles::contains);
103  }
104 
105  List<String> realmRoleNames = clientUserRoles
106  .map(m -> rolePrefix + m.getName())
107  .collect(Collectors.toList());
108 
109  Object claimValue = realmRoleNames;
110 
111  boolean multiValued = "true".equals(mappingModel.getConfig().get(ProtocolMapperUtils.MULTIVALUED));
112  if (!multiValued) {
113  claimValue = realmRoleNames.toString();
114  }
115 
116  OIDCAttributeMapperHelper.mapClaim(token, mappingModel, claimValue);
117  }
org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.getAllUserRolesStream
static Stream< RoleModel > getAllUserRolesStream(UserModel user)
Definition: AbstractUserRoleMappingMapper.java:52

◆ setClaim() [2/3]

void org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.setClaim ( IDToken  token,
ProtocolMapperModel  mappingModel,
UserSessionModel  userSession 
)
inlineprotected
103  {
104  String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID);
105  String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
106 
107  setClaim(token, mappingModel, userSession, getClientRoleFilter(clientId, userSession), rolePrefix);
108  }
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.setClaim
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: UserClientRoleMappingMapper.java:103
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getClientRoleFilter
static Predicate< RoleModel > getClientRoleFilter(String clientId, UserSessionModel userSession)
Definition: UserClientRoleMappingMapper.java:110

◆ setClaim() [3/3]

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim ( IDToken  token,
ProtocolMapperModel  mappingModel,
UserSessionModel  userSession,
KeycloakSession  keycloakSession 
)
inlineprotectedinherited

Intended to be overridden in ProtocolMapper implementations to add claims to an token.

引数
token
mappingModel
userSession
keycloakSession
115  {
116  // we delegate to the old #setClaim(...) method for backwards compatibility
117  setClaim(token, mappingModel, userSession);
118  }
org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105

◆ transformAccessToken() [1/2]

AccessToken org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper.transformAccessToken ( AccessToken  token,
ProtocolMapperModel  mappingModel,
KeycloakSession  session,
UserSessionModel  userSession,
AuthenticatedClientSessionModel  clientSession 
)
inherited

org.keycloak.protocol.oidc.mappers.RoleNameMapper, org.keycloak.protocol.oidc.mappers.HardcodedRole, org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapperで実装されています。

◆ transformAccessToken() [2/2]

AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken ( AccessToken  token,
ProtocolMapperModel  mappingModel,
KeycloakSession  session,
UserSessionModel  userSession,
AuthenticatedClientSessionModel  clientSession 
)
inlineinherited
75  {
76 
77  if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)){
78  return token;
79  }
80 
81  setClaim(token, mappingModel, userSession, session);
82  return token;
83  }
org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105

◆ transformIDToken() [1/2]

IDToken org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper.transformIDToken ( IDToken  token,
ProtocolMapperModel  mappingModel,
KeycloakSession  session,
UserSessionModel  userSession,
AuthenticatedClientSessionModel  clientSession 
)
inherited

org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapperで実装されています。

◆ transformIDToken() [2/2]

IDToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformIDToken ( IDToken  token,
ProtocolMapperModel  mappingModel,
KeycloakSession  session,
UserSessionModel  userSession,
AuthenticatedClientSessionModel  clientSession 
)
inlineinherited
86  {
87 
88  if (!OIDCAttributeMapperHelper.includeInIDToken(mappingModel)){
89  return token;
90  }
91 
92  setClaim(token, mappingModel, userSession, session);
93  return token;
94  }
org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105

◆ transformUserInfoToken() [1/2]

AccessToken org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper.transformUserInfoToken ( AccessToken  token,
ProtocolMapperModel  mappingModel,
KeycloakSession  session,
UserSessionModel  userSession,
AuthenticatedClientSessionModel  clientSession 
)
inherited

org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapperで実装されています。

◆ transformUserInfoToken() [2/2]

AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformUserInfoToken ( AccessToken  token,
ProtocolMapperModel  mappingModel,
KeycloakSession  session,
UserSessionModel  userSession,
AuthenticatedClientSessionModel  clientSession 
)
inlineinherited
64  {
65 
66  if (!OIDCAttributeMapperHelper.includeInUserInfo(mappingModel)) {
67  return token;
68  }
69 
70  setClaim(token, mappingModel, userSession, session);
71  return token;
72  }
org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105

◆ validateConfig()

default void org.keycloak.protocol.ProtocolMapper.validateConfig ( KeycloakSession  session,
RealmModel  realm,
ProtocolMapperContainerModel  client,
ProtocolMapperModel  mapperModel 
) throws ProtocolMapperConfigException
inlineinherited

Called when instance of mapperModel is created/updated for this protocolMapper through admin endpoint

引数
session
realm
clientclient or clientTemplate
mapperModel
例外
ProtocolMapperConfigExceptionif configuration provided in mapperModel is not valid

org.keycloak.protocol.oidc.mappers.ScriptBasedOIDCProtocolMapper, org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapperで実装されています。

46  {
47  };

メンバ詳解

◆ CONFIG_PROPERTIES

final List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.CONFIG_PROPERTIES = new ArrayList<>()
staticprivate

◆ PROVIDER_ID

final String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.PROVIDER_ID = "oidc-usermodel-client-role-mapper"
static

◆ TOKEN_MAPPER_CATEGORY

final String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY = "Token mapper"
staticinherited
このクラス詳解は次のファイルから抽出されました:
2018年11月18日(日) 14時17分45秒作成 - keycloak-oidc-service / 構成:   doxygen 1.8.13