org.keycloak.services.clientregistration.ClientRegistrationAuth クラス

org.keycloak.services.clientregistration.ClientRegistrationAuth 連携図

公開メンバ関数
	ClientRegistrationAuth (KeycloakSession session, ClientRegistrationProvider provider, EventBuilder event)
String	getToken ()
String	getKid ()
JsonWebToken	getJwt ()
boolean	isInitialAccessToken ()
boolean	isRegistrationAccessToken ()
RegistrationAuth	requireCreate (ClientRegistrationContext context)
void	requireView (ClientModel client)
RegistrationAuth	getRegistrationAuth ()
RegistrationAuth	requireUpdate (ClientRegistrationContext context, ClientModel client)
void	requireDelete (ClientModel client)
ClientInitialAccessModel	getInitialAccessModel ()

非公開メンバ関数
void	init ()
boolean	isBearerToken ()
RegistrationAuth	requireUpdateAuth (ClientModel client)
boolean	hasRole (String... roles)
boolean	hasRoleInModel (String[] roles)
boolean	hasRoleInToken (String[] role)
boolean	authenticateClient (ClientModel client)
Failure	unauthorized (String errorDescription)
Failure	forbidden ()
Failure	forbidden (String errorDescription)
Failure	notFound ()

非公開変数類
final KeycloakSession	session
final ClientRegistrationProvider	provider
final EventBuilder	event
RealmModel	realm
JsonWebToken	jwt
ClientInitialAccessModel	initialAccessModel
String	kid
String	token

詳解

著者

Stian Thorgersen

構築子と解体子

ClientRegistrationAuth()

org.keycloak.services.clientregistration.ClientRegistrationAuth.ClientRegistrationAuth ( KeycloakSession  session, ClientRegistrationProvider  provider, EventBuilder  event  )

inline

                                                                                                                    {
        this.session = session;
        this.provider = provider;
        this.event = event;
    }

関数詳解

authenticateClient()

boolean org.keycloak.services.clientregistration.ClientRegistrationAuth.authenticateClient ( ClientModel  client )

inlineprivate

                                                           {
        if (client == null) {
            return false;
        }

        if (client.isPublicClient()) {
            return true;
        }

        AuthenticationProcessor processor = AuthorizeClientUtil.getAuthenticationProcessor(session, event);

        Response response = processor.authenticateClient();
        if (response != null) {
            event.client(client.getClientId()).error(Errors.NOT_ALLOWED);
            throw unauthorized("Failed to authenticate client");
        }

        ClientModel authClient = processor.getClient();
        if (authClient == null) {
            event.client(client.getClientId()).error(Errors.NOT_ALLOWED);
            throw unauthorized("No client authenticated");
        }

        if (!authClient.getClientId().equals(client.getClientId())) {
            event.client(client.getClientId()).error(Errors.NOT_ALLOWED);
            throw unauthorized("Different client authenticated");
        }

        return true;
    }

forbidden() [1/2]

Failure org.keycloak.services.clientregistration.ClientRegistrationAuth.forbidden ( )

inlineprivate

                                {
        return forbidden("Forbidden");
    }

forbidden() [2/2]

Failure org.keycloak.services.clientregistration.ClientRegistrationAuth.forbidden ( String  errorDescription )

inlineprivate

                                                       {
        event.error(Errors.NOT_ALLOWED);
        throw new ErrorResponseException(OAuthErrorException.INSUFFICIENT_SCOPE, errorDescription, Response.Status.FORBIDDEN);
    }

getInitialAccessModel()

ClientInitialAccessModel org.keycloak.services.clientregistration.ClientRegistrationAuth.getInitialAccessModel ( )

inline

                                                            {
        return initialAccessModel;
    }

getJwt()

JsonWebToken org.keycloak.services.clientregistration.ClientRegistrationAuth.getJwt ( )

inline

                                 {
        return jwt;
    }

getKid()

String org.keycloak.services.clientregistration.ClientRegistrationAuth.getKid ( )

inline

                           {
        return kid;
    }

getRegistrationAuth()

RegistrationAuth org.keycloak.services.clientregistration.ClientRegistrationAuth.getRegistrationAuth ( )

inline

                                                  {
        String str = (String) jwt.getOtherClaims().get(RegistrationAccessToken.REGISTRATION_AUTH);
        return RegistrationAuth.fromString(str);
    }

getToken()

String org.keycloak.services.clientregistration.ClientRegistrationAuth.getToken ( )

inline

                             {
        return token;
    }

hasRole()

boolean org.keycloak.services.clientregistration.ClientRegistrationAuth.hasRole ( String...  roles )

inlineprivate

                                             {
        try {
            if (jwt.getIssuedFor().equals(Constants.ADMIN_CLI_CLIENT_ID)
                    || jwt.getIssuedFor().equals(Constants.ADMIN_CONSOLE_CLIENT_ID)) {
                return hasRoleInModel(roles);

            } else {
                return hasRoleInToken(roles);
            }
        } catch (Throwable t) {
            return false;
        }
    }

hasRoleInModel()

boolean org.keycloak.services.clientregistration.ClientRegistrationAuth.hasRoleInModel ( String []  roles )

inlineprivate

                                                   {
        ClientModel roleNamespace;
        UserModel user = session.users().getUserById(jwt.getSubject(), realm);
        if (user == null) {
            return false;
        }
        if (realm.getName().equals(Config.getAdminRealm())) {
            roleNamespace = realm.getMasterAdminClient();
        } else {
            roleNamespace = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        }
        for (String role : roles) {
            RoleModel roleModel = roleNamespace.getRole(role);
            if (user.hasRole(roleModel)) return true;
        }
        return false;
    }

hasRoleInToken()

boolean org.keycloak.services.clientregistration.ClientRegistrationAuth.hasRoleInToken ( String []  role )

inlineprivate

                                                  {
        Map<String, Object> otherClaims = jwt.getOtherClaims();
        if (otherClaims != null) {
            Map<String, Map<String, List<String>>> resourceAccess = (Map<String, Map<String, List<String>>>) jwt.getOtherClaims().get("resource_access");
            if (resourceAccess == null) {
                return false;
            }

            List<String> roles = null;

            Map<String, List<String>> map;
            if (realm.getName().equals(Config.getAdminRealm())) {
                map = resourceAccess.get(realm.getMasterAdminClient().getClientId());
            } else {
                map = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
            }

            if (map != null) {
                roles = map.get("roles");
            }

            if (roles == null) {
                return false;
            }

            for (String r : role) {
                if (roles.contains(r)) {
                    return true;
                }
            }
        }
        return false;
    }

init()

void org.keycloak.services.clientregistration.ClientRegistrationAuth.init ( )

inlineprivate

                        {
        realm = session.getContext().getRealm();

        String authorizationHeader = session.getContext().getRequestHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (authorizationHeader == null) {
            return;
        }

        String[] split = authorizationHeader.split(" ");
        if (!split[0].equalsIgnoreCase("bearer")) {
            return;
        }

        token = split[1];

        ClientRegistrationTokenUtils.TokenVerification tokenVerification = ClientRegistrationTokenUtils.verifyToken(session, realm, token);
        if (tokenVerification.getError() != null) {
            throw unauthorized(tokenVerification.getError().getMessage());
        }
        kid = tokenVerification.getKid();
        jwt = tokenVerification.getJwt();

        if (isInitialAccessToken()) {
            initialAccessModel = session.realms().getClientInitialAccessModel(session.getContext().getRealm(), jwt.getId());
            if (initialAccessModel == null) {
                throw unauthorized("Initial Access Token not found");
            }
        }
    }

isBearerToken()

boolean org.keycloak.services.clientregistration.ClientRegistrationAuth.isBearerToken ( )

inlineprivate

                                    {
        return jwt != null && TokenUtil.TOKEN_TYPE_BEARER.equals(jwt.getType());
    }

isInitialAccessToken()

boolean org.keycloak.services.clientregistration.ClientRegistrationAuth.isInitialAccessToken ( )

inline

                                          {
        return jwt != null && ClientRegistrationTokenUtils.TYPE_INITIAL_ACCESS_TOKEN.equals(jwt.getType());
    }

isRegistrationAccessToken()

boolean org.keycloak.services.clientregistration.ClientRegistrationAuth.isRegistrationAccessToken ( )

inline

                                               {
        return jwt != null && ClientRegistrationTokenUtils.TYPE_REGISTRATION_ACCESS_TOKEN.equals(jwt.getType());
    }

notFound()

Failure org.keycloak.services.clientregistration.ClientRegistrationAuth.notFound ( )

inlineprivate

                               {
        event.error(Errors.CLIENT_NOT_FOUND);
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client not found", Response.Status.NOT_FOUND);
    }

requireCreate()

RegistrationAuth org.keycloak.services.clientregistration.ClientRegistrationAuth.requireCreate ( ClientRegistrationContext  context )

inline

                                                                             {
        init();

        RegistrationAuth registrationAuth = RegistrationAuth.ANONYMOUS;

        if (isBearerToken()) {
            if (hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.CREATE_CLIENT)) {
                registrationAuth = RegistrationAuth.AUTHENTICATED;
            } else {
                throw forbidden();
            }
        } else if (isInitialAccessToken()) {
            if (initialAccessModel.getRemainingCount() > 0) {
                if (initialAccessModel.getExpiration() == 0 || (initialAccessModel.getTimestamp() + initialAccessModel.getExpiration()) > Time.currentTime()) {
                    registrationAuth = RegistrationAuth.AUTHENTICATED;
                } else {
                    throw unauthorized("Expired initial access token");
                }
            } else {
                throw unauthorized("No remaining count on initial access token");
            }
        }

        try {
            ClientRegistrationPolicyManager.triggerBeforeRegister(context, registrationAuth);
        } catch (ClientRegistrationPolicyException crpe) {
            throw forbidden(crpe.getMessage());
        }

        return registrationAuth;
    }

requireDelete()

void org.keycloak.services.clientregistration.ClientRegistrationAuth.requireDelete ( ClientModel  client )

inline

                                                  {
        RegistrationAuth chainType = requireUpdateAuth(client);

        try {
            ClientRegistrationPolicyManager.triggerBeforeRemove(session, provider, chainType, client);
        } catch (ClientRegistrationPolicyException crpe) {
            throw forbidden(crpe.getMessage());
        }
    }

requireUpdate()

RegistrationAuth org.keycloak.services.clientregistration.ClientRegistrationAuth.requireUpdate ( ClientRegistrationContext  context, ClientModel  client  )

inline

                                                                                                 {
        RegistrationAuth regAuth = requireUpdateAuth(client);

        try {
            ClientRegistrationPolicyManager.triggerBeforeUpdate(context, regAuth, client);
        } catch (ClientRegistrationPolicyException crpe) {
            throw forbidden(crpe.getMessage());
        }

        return regAuth;
    }

requireUpdateAuth()

RegistrationAuth org.keycloak.services.clientregistration.ClientRegistrationAuth.requireUpdateAuth ( ClientModel  client )

inlineprivate

                                                                   {
        init();

        if (isBearerToken()) {
            if (hasRole(AdminRoles.MANAGE_CLIENTS)) {
                if (client == null) {
                    throw notFound();
                }

                return RegistrationAuth.AUTHENTICATED;
            } else {
                throw forbidden();
            }
        } else if (isRegistrationAccessToken()) {
            if (client != null && client.getRegistrationToken() != null && client.getRegistrationToken().equals(jwt.getId())) {
                return getRegistrationAuth();
            }
        }

        throw unauthorized("Not authorized to update client. Maybe missing token or bad token type.");
    }

requireView()

void org.keycloak.services.clientregistration.ClientRegistrationAuth.requireView ( ClientModel  client )

inline

                                                {
        RegistrationAuth authType = null;
        boolean authenticated = false;

        init();

        if (isBearerToken()) {
            if (hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS)) {
                if (client == null) {
                    throw notFound();
                }

                authenticated = true;
                authType = RegistrationAuth.AUTHENTICATED;
            } else {
                throw forbidden();
            }
        } else if (isRegistrationAccessToken()) {
            if (client != null && client.getRegistrationToken() != null && client.getRegistrationToken().equals(jwt.getId())) {
                authenticated = true;
                authType = getRegistrationAuth();
            }
        } else if (isInitialAccessToken()) {
            throw unauthorized("Not initial access token allowed");
        } else {
            if (authenticateClient(client)) {
                authenticated = true;
                authType = RegistrationAuth.AUTHENTICATED;
            }
        }

        if (authenticated) {
            try {
                ClientRegistrationPolicyManager.triggerBeforeView(session, provider, authType, client);
            } catch (ClientRegistrationPolicyException crpe) {
                throw forbidden(crpe.getMessage());
            }
        } else {
            throw unauthorized("Not authorized to view client. Not valid token or client credentials provided.");
        }
    }

unauthorized()

Failure org.keycloak.services.clientregistration.ClientRegistrationAuth.unauthorized ( String  errorDescription )

inlineprivate

                                                          {
        event.detail(Details.REASON, errorDescription).error(Errors.INVALID_TOKEN);
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, errorDescription, Response.Status.UNAUTHORIZED);
    }

メンバ詳解

event

final EventBuilder org.keycloak.services.clientregistration.ClientRegistrationAuth.event

private

initialAccessModel

ClientInitialAccessModel org.keycloak.services.clientregistration.ClientRegistrationAuth.initialAccessModel

private

jwt

JsonWebToken org.keycloak.services.clientregistration.ClientRegistrationAuth.jwt

private

kid

String org.keycloak.services.clientregistration.ClientRegistrationAuth.kid

private

provider

final ClientRegistrationProvider org.keycloak.services.clientregistration.ClientRegistrationAuth.provider

private

realm

RealmModel org.keycloak.services.clientregistration.ClientRegistrationAuth.realm

private

session

final KeycloakSession org.keycloak.services.clientregistration.ClientRegistrationAuth.session

private

token

String org.keycloak.services.clientregistration.ClientRegistrationAuth.token

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/oidc-service/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java