keycloak-oidc-service
公開メンバ関数 | 静的公開変数類 | 全メンバ一覧
org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator クラス
org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator の継承関係図
Inheritance graph
org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator 連携図
Collaboration graph

公開メンバ関数

void authenticateClient (ClientAuthenticationFlowContext context)
 
String getDisplayType ()
 
boolean isConfigurable ()
 
AuthenticationExecutionModel.Requirement [] getRequirementChoices ()
 
String getHelpText ()
 
List< ProviderConfigPropertygetConfigProperties ()
 
List< ProviderConfigPropertygetConfigPropertiesPerClient ()
 
Map< String, Object > getAdapterConfiguration (ClientModel client)
 
String getId ()
 
Set< String > getProtocolAuthenticatorMethods (String loginProtocol)
 
ClientAuthenticator create ()
 
ClientAuthenticator create (KeycloakSession session)
 
void close ()
 
void init (Config.Scope config)
 
void postInit (KeycloakSessionFactory factory)
 
boolean isUserSetupAllowed ()
 
String getReferenceCategory ()
 
default int order ()
 

静的公開変数類

static final String PROVIDER_ID = "client-secret"
 
static final AuthenticationExecutionModel.Requirement [] REQUIREMENT_CHOICES
 

詳解

Validates client based on "client_id" and "client_secret" sent either in request parameters or in "Authorization: Basic" header .

See org.keycloak.adapters.authentication.ClientIdAndSecretAuthenticator for the adapter

著者
Marek Posolda

関数詳解

◆ authenticateClient()

void org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.authenticateClient ( ClientAuthenticationFlowContext  context)
inline

org.keycloak.authentication.ClientAuthenticatorを実装しています。

59  {
60  String client_id = null;
61  String clientSecret = null;
62 
63  String authorizationHeader = context.getHttpRequest().getHttpHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
64 
65  MediaType mediaType = context.getHttpRequest().getHttpHeaders().getMediaType();
66  boolean hasFormData = mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
67 
68  MultivaluedMap<String, String> formData = hasFormData ? context.getHttpRequest().getDecodedFormParameters() : null;
69 
70  if (authorizationHeader != null) {
71  String[] usernameSecret = BasicAuthHelper.parseHeader(authorizationHeader);
72  if (usernameSecret != null) {
73  client_id = usernameSecret[0];
74  clientSecret = usernameSecret[1];
75  } else {
76 
77  // Don't send 401 if client_id parameter was sent in request. For example IE may automatically send "Authorization: Negotiate" in XHR requests even for public clients
78  if (formData != null && !formData.containsKey(OAuth2Constants.CLIENT_ID)) {
79  Response challengeResponse = Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + context.getRealm().getName() + "\"").build();
80  context.challenge(challengeResponse);
81  return;
82  }
83  }
84  }
85 
86  if (formData != null) {
87  // even if basic challenge response exist, we check if client id was explicitly set in the request as a form param,
88  // so we can also support clients overriding flows and using challenges (e.g: basic) to authenticate their users
89  if (formData.containsKey(OAuth2Constants.CLIENT_ID)) {
90  client_id = formData.getFirst(OAuth2Constants.CLIENT_ID);
91  }
92  if (formData.containsKey(OAuth2Constants.CLIENT_SECRET)) {
93  clientSecret = formData.getFirst(OAuth2Constants.CLIENT_SECRET);
94  }
95  }
96 
97  if (client_id == null) {
98  client_id = context.getSession().getAttribute("client_id", String.class);
99  }
100 
101  if (client_id == null) {
102  Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter");
103  context.challenge(challengeResponse);
104  return;
105  }
106 
107  context.getEvent().client(client_id);
108 
109  ClientModel client = context.getRealm().getClientByClientId(client_id);
110  if (client == null) {
111  context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
112  return;
113  }
114 
115  context.setClient(client);
116 
117  if (!client.isEnabled()) {
118  context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
119  return;
120  }
121 
122  // Skip client_secret validation for public client
123  if (client.isPublicClient()) {
124  context.success();
125  return;
126  }
127 
128  if (clientSecret == null) {
129  Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Client secret not provided in request");
130  context.challenge(challengeResponse);
131  return;
132  }
133 
134  if (client.getSecret() == null) {
135  Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Invalid client secret");
136  context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
137  return;
138  }
139 
140  if (!client.validateSecret(clientSecret)) {
141  Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Invalid client secret");
142  context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
143  return;
144  }
145 
146  context.success();
147  }

◆ close()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.close ( )
inlineinherited

org.keycloak.provider.Providerを実装しています。

37  {
38 
39  }

◆ create() [1/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( )
inlineinherited

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

32  {
33  return this;
34  }

◆ create() [2/2]

ClientAuthenticator org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.create ( KeycloakSession  session)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

42  {
43  return this;
44  }

◆ getAdapterConfiguration()

Map<String, Object> org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getAdapterConfiguration ( ClientModel  client)
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

181  {
182  Map<String, Object> result = new HashMap<>();
183  result.put(CredentialRepresentation.SECRET, client.getSecret());
184  return result;
185  }

◆ getConfigProperties()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getConfigProperties ( )
inline

org.keycloak.provider.ConfiguredProviderを実装しています。

170  {
171  return new LinkedList<>();
172  }

◆ getConfigPropertiesPerClient()

List<ProviderConfigProperty> org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getConfigPropertiesPerClient ( )
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

175  {
176  // This impl doesn't use generic screen in admin console, but has its own screen. So no need to return anything here
177  return Collections.emptyList();
178  }

◆ getDisplayType()

String org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getDisplayType ( )
inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

150  {
151  return "Client Id and Secret";
152  }

◆ getHelpText()

String org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getHelpText ( )
inline

org.keycloak.provider.ConfiguredProviderを実装しています。

165  {
166  return "Validates client based on 'client_id' and 'client_secret' sent either in request parameters or in 'Authorization: Basic' header";
167  }

◆ getId()

String org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getId ( )
inline

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

188  {
189  return PROVIDER_ID;
190  }
org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.PROVIDER_ID
static final String PROVIDER_ID
Definition: ClientIdAndSecretAuthenticator.java:51

◆ getProtocolAuthenticatorMethods()

Set<String> org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getProtocolAuthenticatorMethods ( String  loginProtocol)
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

193  {
194  if (loginProtocol.equals(OIDCLoginProtocol.LOGIN_PROTOCOL)) {
195  Set<String> results = new LinkedHashSet<>();
196  results.add(OIDCLoginProtocol.CLIENT_SECRET_BASIC);
197  results.add(OIDCLoginProtocol.CLIENT_SECRET_POST);
198  return results;
199  } else {
200  return Collections.emptySet();
201  }
202  }

◆ getReferenceCategory()

String org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.getReferenceCategory ( )
inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

62  {
63  return null;
64  }

◆ getRequirementChoices()

AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.getRequirementChoices ( )
inline

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

160  {
161  return REQUIREMENT_CHOICES;
162  }
org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.REQUIREMENT_CHOICES
static final AuthenticationExecutionModel.Requirement [] REQUIREMENT_CHOICES
Definition: ClientIdAndSecretAuthenticator.java:53

◆ init()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.init ( Config.Scope  config)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

47  {
48 
49  }

◆ isConfigurable()

boolean org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.isConfigurable ( )
inline

org.keycloak.authentication.ClientAuthenticatorFactoryを実装しています。

155  {
156  return false;
157  }

◆ isUserSetupAllowed()

boolean org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.isUserSetupAllowed ( )
inlineinherited

org.keycloak.authentication.ConfigurableAuthenticatorFactoryを実装しています。

57  {
58  return false;
59  }

◆ order()

default int org.keycloak.provider.ProviderFactory< T extends Provider >.order ( )
inlineinherited

org.keycloak.urls.HostnameProviderFactory, org.keycloak.protocol.oidc.ext.OIDCExtProviderFactoryで実装されています。

56  {
57  return 0;
58  }

◆ postInit()

void org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator.postInit ( KeycloakSessionFactory  factory)
inlineinherited

org.keycloak.provider.ProviderFactory< T extends Provider >を実装しています。

52  {
53 
54  }

メンバ詳解

◆ PROVIDER_ID

final String org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.PROVIDER_ID = "client-secret"
static

◆ REQUIREMENT_CHOICES

final AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.REQUIREMENT_CHOICES
static
初期値:
= {
AuthenticationExecutionModel.Requirement.ALTERNATIVE,
AuthenticationExecutionModel.Requirement.DISABLED
}
このクラス詳解は次のファイルから抽出されました:
2018年11月18日(日) 14時17分16秒作成 - keycloak-oidc-service / 構成:   doxygen 1.8.13