org.keycloak.authentication.authenticators.client.X509ClientAuthenticator クラス

公開メンバ関数

void authenticateClient (ClientAuthenticationFlowContext context)
 
String getDisplayType ()
 
boolean isConfigurable ()
 
AuthenticationExecutionModel.Requirement [] getRequirementChoices ()
 
List< ProviderConfigProperty > getConfigPropertiesPerClient ()
 
Map< String, Object > getAdapterConfiguration (ClientModel client)
 
Set< String > getProtocolAuthenticatorMethods (String loginProtocol)
 
String getHelpText ()
 
List< ProviderConfigProperty > getConfigProperties ()
 
String getId ()
 
ClientAuthenticator create ()
 
ClientAuthenticator create (KeycloakSession session)
 
void close ()
 
void init (Config.Scope config)
 
void postInit (KeycloakSessionFactory factory)
 
boolean isUserSetupAllowed ()
 
String getReferenceCategory ()
 

静的公開変数類

static final String PROVIDER_ID = "client-x509"
 
static final String ATTR_PREFIX = "x509"
 
static final String ATTR_SUBJECT_DN = ATTR_PREFIX + ".subjectdn"
 
static final AuthenticationExecutionModel.Requirement [] REQUIREMENT_CHOICES
 

静的限定公開変数類

static ServicesLogger logger = ServicesLogger.LOGGER
 

詳解

関数詳解

◆ authenticateClient()

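/**
 * Authenticates a client with an X.509 client certificate.
 * <p>
 * The certificate chain is obtained from the {@link X509ClientCertificateLookup} SPI, the
 * {@code client_id} is resolved from the request (form body, then query string, then the
 * {@code client_id} session attribute) and the client is looked up in the realm. Authentication
 * succeeds when at least one certificate in the chain has a subject DN that matches, in full
 * ({@code Matcher.matches()}, not a substring search), the regular expression stored in the
 * client's {@code x509.subjectdn} attribute.
 * <p>
 * Outcomes on the flow context:
 * <ul>
 *   <li>{@code challenge} with HTTP 400 {@code invalid_client} when no {@code client_id} is present;</li>
 *   <li>{@code failure(CLIENT_NOT_FOUND)} / {@code failure(CLIENT_DISABLED)} for an unknown or disabled client;</li>
 *   <li>{@code attempted()} when the lookup throws, no chain is available, the attribute is missing,
 *       empty or not a valid regular expression, or no subject DN matches — the flow may then continue
 *       with an alternative authenticator;</li>
 *   <li>{@code success()} on a match.</li>
 * </ul>
 * If the lookup SPI is not installed at all, an error is logged and the context is left untouched.
 * <p>
 * Security note: this method only compares subject DNs. It performs no validation of the chain itself
 * (signature, validity period, revocation, trust anchor) — that is assumed to have happened before the
 * lookup provider hands the chain over — and a permissive {@code x509.subjectdn} expression accepts any
 * certificate the provider returns.
 *
 * @param context flow context carrying the session, realm, HTTP request and event
 */
@Override
public void authenticateClient(ClientAuthenticationFlowContext context) {

    X509ClientCertificateLookup provider = context.getSession().getProvider(X509ClientCertificateLookup.class);
    if (provider == null) {
        logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?",
                X509ClientCertificateLookup.class);
        return;
    }

    // Only the lookup declares a checked exception; keeping the try limited to it makes the
    // handler's scope explicit.
    X509Certificate[] certs;
    try {
        certs = provider.getCertificateChain(context.getHttpRequest());
    } catch (GeneralSecurityException e) {
        logger.errorf("[X509ClientCertificateAuthenticator:authenticate] Exception: %s", e.getMessage());
        context.attempted();
        return;
    }

    String clientId = resolveClientId(context);
    if (clientId == null) {
        Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter");
        context.challenge(challengeResponse);
        return;
    }

    ClientModel client = context.getRealm().getClientByClientId(clientId);
    if (client == null) {
        context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
        return;
    }
    context.getEvent().client(clientId);
    context.setClient(client);

    if (!client.isEnabled()) {
        context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
        return;
    }

    if (certs == null || certs.length == 0) {
        // No x509 client cert, fall through and
        // continue processing the rest of the authentication flow
        logger.debug("[X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.");
        context.attempted();
        return;
    }

    String subjectDNRegexp = client.getAttribute(ATTR_SUBJECT_DN);
    if (subjectDNRegexp == null || subjectDNRegexp.isEmpty()) {
        logger.errorf("[X509ClientCertificateAuthenticator:authenticate] " + ATTR_SUBJECT_DN + " is null or empty");
        context.attempted();
        return;
    }

    Pattern subjectDNPattern;
    try {
        subjectDNPattern = Pattern.compile(subjectDNRegexp);
    } catch (java.util.regex.PatternSyntaxException e) {
        // A malformed admin-configured expression previously escaped as an unchecked exception;
        // treat it like the missing-attribute misconfiguration above instead of aborting the flow.
        logger.errorf("[X509ClientCertificateAuthenticator:authenticate] " + ATTR_SUBJECT_DN + " is not a valid regular expression: %s", e.getMessage());
        context.attempted();
        return;
    }

    Optional<String> matchedCertificate = Arrays.stream(certs)
            .map(X509ClientAuthenticator::subjectDnOf)
            .filter(subjectdn -> subjectDNPattern.matcher(subjectdn).matches())
            .findFirst();

    if (!matchedCertificate.isPresent()) {
        // We do quite expensive operation here, so better check the logging level beforehand.
        if (logger.isDebugEnabled()) {
            logger.debug("[X509ClientCertificateAuthenticator:authenticate] Couldn't match any certificate for pattern " + subjectDNRegexp);
            logger.debug("[X509ClientCertificateAuthenticator:authenticate] Available SubjectDNs: " +
                    Arrays.stream(certs)
                            .map(X509ClientAuthenticator::subjectDnOf)
                            .collect(Collectors.toList()));
        }
        context.attempted();
        return;
    }
    logger.debug("[X509ClientCertificateAuthenticator:authenticate] Matched " + matchedCertificate.get() + " certificate.");

    context.success();
}

/**
 * Resolves the {@code client_id} of the request: a form-encoded body is consulted first, then the
 * query string, then the {@code client_id} session attribute.
 *
 * @param context flow context giving access to the HTTP request and the session
 * @return the first {@code client_id} found, or {@code null} when none of the three sources has one
 */
private static String resolveClientId(ClientAuthenticationFlowContext context) {
    MediaType mediaType = context.getHttpRequest().getHttpHeaders().getMediaType();
    boolean hasFormData = mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);

    // The body is only decoded when the content type says it is a form, to avoid consuming a
    // non-form body.
    MultivaluedMap<String, String> formData = hasFormData ? context.getHttpRequest().getDecodedFormParameters() : null;
    MultivaluedMap<String, String> queryParams = context.getHttpRequest().getUri().getQueryParameters();

    String clientId = null;
    if (formData != null) {
        clientId = formData.getFirst(OAuth2Constants.CLIENT_ID);
    }
    if (clientId == null && queryParams != null) {
        clientId = queryParams.getFirst(OAuth2Constants.CLIENT_ID);
    }
    if (clientId == null) {
        clientId = context.getSession().getAttribute("client_id", String.class);
    }
    return clientId;
}

/**
 * Textual subject DN of a certificate, used both for matching and for the debug listing.
 * <p>
 * {@code getSubjectDN()} is deprecated, but it is kept deliberately: switching to
 * {@code getSubjectX500Principal().getName()} may change the string form of the DN and silently
 * break expressions administrators have already configured against the current form.
 *
 * @param certificate certificate whose subject is wanted
 * @return the subject DN as a string
 */
private static String subjectDnOf(X509Certificate certificate) {
    return certificate.getSubjectDN().getName();
}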

◆ close()

/**
 * Releases resources held by the factory.
 * <p>
 * Intentionally empty: this factory holds nothing that needs releasing.
 */
@Override
public void close() {
    // nothing to release
}

◆ create() [1/2]

/**
 * Returns the authenticator for this factory.
 * <p>
 * One shared instance serves as both factory and authenticator, so no new object is created.
 *
 * @return this instance
 */
@Override
public ClientAuthenticator create() {
    ClientAuthenticator self = this;
    return self;
}

◆ create() [2/2]

/**
 * Returns the authenticator for the given session.
 * <p>
 * The session is not consulted: one shared instance serves every session and doubles as the
 * authenticator itself.
 *
 * @param session the current session (unused)
 * @return this instance
 */
@Override
public ClientAuthenticator create(KeycloakSession session) {
    ClientAuthenticator self = this;
    return self;
}

◆ getAdapterConfiguration()

/**
 * Adapter-side configuration for a client using this authenticator.
 * <p>
 * Nothing is contributed: the result is always an empty, unmodifiable map regardless of the client.
 *
 * @param client the client (unused)
 * @return an empty map, never {@code null}
 */
@Override
public Map<String, Object> getAdapterConfiguration(ClientModel client) {
    Map<String, Object> none = Collections.<String, Object>emptyMap();
    return none;
}

◆ getConfigProperties()

/**
 * Execution-level configuration properties of this authenticator.
 * <p>
 * There are none; this matches {@link #isConfigurable()} returning {@code false}.
 *
 * @return an empty, unmodifiable list, never {@code null}
 */
@Override
public List<ProviderConfigProperty> getConfigProperties() {
    List<ProviderConfigProperty> none = Collections.<ProviderConfigProperty>emptyList();
    return none;
}

◆ getConfigPropertiesPerClient()

/**
 * Per-client configuration properties of this authenticator.
 * <p>
 * None are declared here; the subject-DN expression is read directly from the client attribute
 * {@code x509.subjectdn} rather than exposed as a configuration property.
 *
 * @return an empty, unmodifiable list, never {@code null}
 */
@Override
public List<ProviderConfigProperty> getConfigPropertiesPerClient() {
    List<ProviderConfigProperty> none = Collections.<ProviderConfigProperty>emptyList();
    return none;
}

◆ getDisplayType()

/**
 * Display name of this client authenticator.
 *
 * @return the fixed label {@code "X509 Certificate"}
 */
@Override
public String getDisplayType() {
    final String label = "X509 Certificate";
    return label;
}

◆ getHelpText()

/**
 * Short description of what this authenticator does.
 *
 * @return the fixed help text {@code "Validates client based on a X509 Certificate"}
 */
@Override
public String getHelpText() {
    final String help = "Validates client based on a X509 Certificate";
    return help;
}

◆ getId()

/**
 * Provider id under which this authenticator is registered.
 *
 * @return {@link #PROVIDER_ID} ({@code "client-x509"})
 */
@Override
public String getId() {
    final String id = PROVIDER_ID;
    return id;
}

◆ getProtocolAuthenticatorMethods()

/**
 * Client-authentication method names this authenticator reports for a login protocol.
 * <p>
 * No method name is reported for any protocol. OIDC receives a fresh, mutable {@link HashSet};
 * every other protocol receives the shared {@link Collections#emptySet()}. Both are empty — the
 * difference in mutability is preserved from the original implementation.
 *
 * @param loginProtocol protocol identifier, compared against {@link OIDCLoginProtocol#LOGIN_PROTOCOL};
 *                      must not be {@code null}
 * @return an empty set
 */
@Override
public Set<String> getProtocolAuthenticatorMethods(String loginProtocol) {
    boolean isOidc = loginProtocol.equals(OIDCLoginProtocol.LOGIN_PROTOCOL);
    return isOidc ? new HashSet<String>() : Collections.<String>emptySet();
}

◆ getReferenceCategory()

/**
 * Reference category of this authenticator.
 * <p>
 * Client authenticators declare none.
 *
 * @return always {@code null}
 */
@Override
public String getReferenceCategory() {
    final String none = null;
    return none;
}

◆ getRequirementChoices()

/**
 * Requirement levels an execution of this authenticator may be given.
 * <p>
 * Returns the shared {@link #REQUIREMENT_CHOICES} array directly. The array is already a public
 * constant, so handing it out here exposes nothing that is not reachable anyway.
 *
 * @return the {@code ALTERNATIVE} / {@code DISABLED} choices
 */
@Override
public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
    AuthenticationExecutionModel.Requirement[] choices = REQUIREMENT_CHOICES;
    return choices;
}

◆ init()

/**
 * Initialises the factory from its configuration scope.
 * <p>
 * Intentionally empty: the configuration is not read.
 *
 * @param config the factory's configuration scope (unused)
 */
@Override
public void init(Config.Scope config) {
    // no configuration is consumed
}

◆ isConfigurable()

/**
 * Whether an execution of this authenticator can be configured.
 * <p>
 * It cannot; consistently, {@link #getConfigProperties()} declares no properties.
 *
 * @return always {@code false}
 */
@Override
public boolean isConfigurable() {
    final boolean configurable = false;
    return configurable;
}

◆ isUserSetupAllowed()

/**
 * Whether a user may set this authenticator up for themselves.
 * <p>
 * Never applicable to client authenticators.
 *
 * @return always {@code false}
 */
@Override
public boolean isUserSetupAllowed() {
    final boolean allowed = false;
    return allowed;
}

◆ postInit()

/**
 * Hook invoked once the session factory is fully initialised.
 * <p>
 * Intentionally empty: no post-initialisation work is needed.
 *
 * @param factory the initialised session factory (unused)
 */
@Override
public void postInit(KeycloakSessionFactory factory) {
    // nothing to do after initialisation
}

メンバ詳解

◆ ATTR_PREFIX

final String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.ATTR_PREFIX = "x509"
static

◆ ATTR_SUBJECT_DN

final String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.ATTR_SUBJECT_DN = ATTR_PREFIX + ".subjectdn"
static

◆ logger

ServicesLogger org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.logger = ServicesLogger.LOGGER
staticprotected

◆ PROVIDER_ID

final String org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.PROVIDER_ID = "client-x509"
static

◆ REQUIREMENT_CHOICES

final AuthenticationExecutionModel.Requirement [] org.keycloak.authentication.authenticators.client.X509ClientAuthenticator.REQUIREMENT_CHOICES
static
初期値:
= {
AuthenticationExecutionModel.Requirement.ALTERNATIVE,
AuthenticationExecutionModel.Requirement.DISABLED
}

このクラス詳解は次のファイルから抽出されました: