org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator クラス

org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator の継承関係図

org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator 連携図

公開メンバ関数
void	authenticateClient (ClientAuthenticationFlowContext context)
boolean	isConfigurable ()
List< ProviderConfigProperty >	getConfigPropertiesPerClient ()
Map< String, Object >	getAdapterConfiguration (ClientModel client)
Set< String >	getProtocolAuthenticatorMethods (String loginProtocol)
String	getId ()
String	getDisplayType ()
Requirement []	getRequirementChoices ()
String	getHelpText ()
List< ProviderConfigProperty >	getConfigProperties ()
ClientAuthenticator	create ()
ClientAuthenticator	create (KeycloakSession session)
void	close ()
void	init (Config.Scope config)
void	postInit (KeycloakSessionFactory factory)
boolean	isUserSetupAllowed ()
String	getReferenceCategory ()
default int	order ()

静的公開変数類
static final String	PROVIDER_ID = "client-secret-jwt"
static final AuthenticationExecutionModel.Requirement []	REQUIREMENT_CHOICES

静的非公開変数類
static final Logger	logger = Logger.getLogger(JWTClientSecretAuthenticator.class)

詳解

Client authentication based on JWT signed by client secret instead of private key . See specs for more details.

This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by org.keycloak.adapters.authentication.JWTClientSecretCredentialsProvider

著者

Takashi Norimatsu

関数詳解

authenticateClient()

void org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.authenticateClient ( ClientAuthenticationFlowContext  context )

inline

org.keycloak.authentication.ClientAuthenticatorを実装しています。

                                                                            {
        MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();

        String clientAssertionType = params.getFirst(OAuth2Constants.CLIENT_ASSERTION_TYPE);
        String clientAssertion = params.getFirst(OAuth2Constants.CLIENT_ASSERTION);
        
        if (clientAssertionType == null) {
            Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type is missing");
            context.challenge(challengeResponse);
            return;
        }

        if (!clientAssertionType.equals(OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT)) {
            Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type has value '"
                    + clientAssertionType + "' but expected is '" + OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT + "'");
            context.challenge(challengeResponse);
            return;
        }

        if (clientAssertion == null) {
            Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "client_assertion parameter missing");
            context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
            return;
        }
        
        try {
            JWSInput jws = new JWSInput(clientAssertion);
            JsonWebToken token = jws.readJsonContent(JsonWebToken.class);

            RealmModel realm = context.getRealm();
            String clientId = token.getSubject();
            if (clientId == null) {
                throw new RuntimeException("Can't identify client. Issuer missing on JWT token");
            }

            context.getEvent().client(clientId);
            ClientModel client = realm.getClientByClientId(clientId);
            if (client == null) {
                context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
                return;
            } else {
                context.setClient(client);
            }

            if (!client.isEnabled()) {
                context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
                return;
            }
            
            String clientSecretString = client.getSecret();
            if (clientSecretString == null) {
                context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, null);
                return;
            }

            // Get client secret and validate signature
            // According to <a href="http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication">OIDC's client authentication spec</a>,
            // The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key. 
            // Use "HmacSHA256" consulting <a href="https://docs.oracle.com/javase/jp/8/docs/api/javax/crypto/Mac.html">java8 api</a>.
            SecretKey clientSecret = new SecretKeySpec(clientSecretString.getBytes("UTF-8"), "HmacSHA256");

            boolean signatureValid;
            try {
                signatureValid = HMACProvider.verify(jws, clientSecret);
            } catch (RuntimeException e) {
                Throwable cause = e.getCause() != null ? e.getCause() : e;
                throw new RuntimeException("Signature on JWT token by client secret failed validation", cause);
            }
            if (!signatureValid) {
                throw new RuntimeException("Signature on JWT token by client secret  failed validation");
            }
            // According to <a href="http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication">OIDC's client authentication spec</a>,
            // JWT contents and verification in client_secret_jwt is the same as in private_key_jwt
            
            // Allow both "issuer" or "token-endpoint" as audience
            String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
            String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
            if (!token.hasAudience(issuerUrl) && !token.hasAudience(tokenUrl)) {
                throw new RuntimeException("Token audience doesn't match domain. Realm issuer is '" + issuerUrl + "' but audience from token is '" + Arrays.asList(token.getAudience()).toString() + "'");
            }

            if (!token.isActive()) {
                throw new RuntimeException("Token is not active");
            }

            // KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used
            if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < Time.currentTime()) {
                throw new RuntimeException("Token is not active");
            }

            context.success();
        } catch (Exception e) {
            ServicesLogger.LOGGER.errorValidatingAssertion(e);
            Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Client authentication with client secret signed JWT failed: " + e.getMessage());
            context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
        }
    }

close()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.close ( )

inlineinherited

org.keycloak.provider.Providerを実装しています。

                        {

    }

create() [1/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( )

inlineinherited

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                        {
        return this;
    }

create() [2/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( KeycloakSession  session )

inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                                                               {
        return this;
    }

getAdapterConfiguration()

Map<String, Object> org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getAdapterConfiguration ( ClientModel  client )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                                                           {
        // e.g.
        // "credentials": {
        //   "secret-jwt": {
        //     "secret": "234234-234234-234234"
        //   }
        // }
        Map<String, Object> props = new HashMap<>();
        props.put("secret", client.getSecret());

        Map<String, Object> config = new HashMap<>();
        config.put("secret-jwt", props);
        return config;
    }

getConfigProperties()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getConfigProperties ( )

inline

org.keycloak.provider.ConfiguredProviderを実装しています。

                                                              {
        return new LinkedList<>();
    }

getConfigPropertiesPerClient()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getConfigPropertiesPerClient ( )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                                                       {
        // This impl doesn't use generic screen in admin console, but has its own screen. So no need to return anything here
        return Collections.emptyList();
    }

getDisplayType()

String org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getDisplayType ( )

inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                   {
        return "Signed Jwt with Client Secret";
    }

getHelpText()

String org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getHelpText ( )

inline

org.keycloak.provider.ConfiguredProviderを実装しています。

                                {
        return "Validates client based on signed JWT issued by client and signed with the Client Secret";

    }

getId()

String org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getId ( )

inline

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                          {
        return PROVIDER_ID;
    }

getProtocolAuthenticatorMethods()

Set<String> org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getProtocolAuthenticatorMethods ( String  loginProtocol )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                                                             {
        if (loginProtocol.equals(OIDCLoginProtocol.LOGIN_PROTOCOL)) {
            Set<String> results = new HashSet<>();
            results.add(OIDCLoginProtocol.CLIENT_SECRET_JWT);
            return results;
        } else {
            return Collections.emptySet();
        }
    }

getReferenceCategory()

String org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.getReferenceCategory ( )

inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                         {
        return null;
    }

getRequirementChoices()

Requirement [] org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.getRequirementChoices ( )

inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                                 {
        return REQUIREMENT_CHOICES;
    }

init()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.init ( Config.Scope  config )

inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                                          {

    }

isConfigurable()

boolean org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.isConfigurable ( )

inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

                                    {
        return false;
    }

isUserSetupAllowed()

boolean org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.isUserSetupAllowed ( )

inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

                                        {
        return false;
    }

order()

default int org.keycloak.provider.ProviderFactory< T extends Provider >.order ( )

inlineinherited

org.keycloak.urls.HostnameProviderFactory, org.keycloak.protocol.oidc.ext.OIDCExtProviderFactoryで実装されています。

                        {
        return 0;
    }

postInit()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.postInit ( KeycloakSessionFactory  factory )

inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

                                                         {

    }

メンバ詳解

logger

final Logger org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.logger = Logger.getLogger(JWTClientSecretAuthenticator.class)

staticprivate

PROVIDER_ID

final String org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.PROVIDER_ID = "client-secret-jwt"

static

REQUIREMENT_CHOICES

final AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator.REQUIREMENT_CHOICES

static

初期値:

= {
            AuthenticationExecutionModel.Requirement.ALTERNATIVE,
            AuthenticationExecutionModel.Requirement.DISABLED
    }

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/oidc-service/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientSecretAuthenticator.java