org.keycloak.services.clientregistration.oidc.DescriptionConverter クラス

org.keycloak.services.clientregistration.oidc.DescriptionConverter 連携図

静的公開メンバ関数
static ClientRepresentation	toInternal (KeycloakSession session, OIDCClientRepresentation clientOIDC) throws ClientRegistrationException
static OIDCClientRepresentation	toExternalResponse (KeycloakSession session, ClientRepresentation client, URI uri)

静的非公開メンバ関数
static boolean	setPublicKey (OIDCClientRepresentation clientOIDC, ClientRepresentation clientRep)
static List< String >	getOIDCResponseTypes (ClientRepresentation client)
static List< String >	getOIDCGrantTypes (ClientRepresentation client)

詳解

著者

Stian Thorgersen

関数詳解

getOIDCGrantTypes()

static List<String> org.keycloak.services.clientregistration.oidc.DescriptionConverter.getOIDCGrantTypes ( ClientRepresentation  client )

inlinestaticprivate

                                                                               {
        List<String> grantTypes = new ArrayList<>();
        if (client.isStandardFlowEnabled()) {
            grantTypes.add(OAuth2Constants.AUTHORIZATION_CODE);
        }
        if (client.isImplicitFlowEnabled()) {
            grantTypes.add(OAuth2Constants.IMPLICIT);
        }
        if (client.isDirectAccessGrantsEnabled()) {
            grantTypes.add(OAuth2Constants.PASSWORD);
        }
        if (client.isServiceAccountsEnabled()) {
            grantTypes.add(OAuth2Constants.CLIENT_CREDENTIALS);
        }
        if (client.getAuthorizationServicesEnabled() != null && client.getAuthorizationServicesEnabled()) {
            grantTypes.add(OAuth2Constants.UMA_GRANT_TYPE);
        }
        grantTypes.add(OAuth2Constants.REFRESH_TOKEN);
        return grantTypes;
    }

getOIDCResponseTypes()

static List<String> org.keycloak.services.clientregistration.oidc.DescriptionConverter.getOIDCResponseTypes ( ClientRepresentation  client )

inlinestaticprivate

                                                                                  {
        List<String> responseTypes = new ArrayList<>();
        if (client.isStandardFlowEnabled()) {
            responseTypes.add(OAuth2Constants.CODE);
            responseTypes.add(OIDCResponseType.NONE);
        }
        if (client.isImplicitFlowEnabled()) {
            responseTypes.add(OIDCResponseType.ID_TOKEN);
            responseTypes.add("id_token token");
        }
        if (client.isStandardFlowEnabled() && client.isImplicitFlowEnabled()) {
            responseTypes.add("code id_token");
            responseTypes.add("code token");
            responseTypes.add("code id_token token");
        }
        return responseTypes;
    }

setPublicKey()

static boolean org.keycloak.services.clientregistration.oidc.DescriptionConverter.setPublicKey ( OIDCClientRepresentation  clientOIDC, ClientRepresentation  clientRep  )

inlinestaticprivate

                                                                                                             {
        if (clientOIDC.getJwksUri() == null && clientOIDC.getJwks() == null) {
            return false;
        }

        if (clientOIDC.getJwksUri() != null && clientOIDC.getJwks() != null) {
            throw new ClientRegistrationException("Illegal to use both jwks_uri and jwks");
        }

        OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);

        if (clientOIDC.getJwks() != null) {
            JSONWebKeySet keySet = clientOIDC.getJwks();
            JWK publicKeyJWk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
            if (publicKeyJWk == null) {
                return false;
            } else {
                PublicKey publicKey = JWKParser.create(publicKeyJWk).toPublicKey();
                String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
                CertificateRepresentation rep = new CertificateRepresentation();
                rep.setPublicKey(publicKeyPem);
                rep.setKid(publicKeyJWk.getKeyId());
                CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, rep, JWTClientAuthenticator.ATTR_PREFIX);

                configWrapper.setUseJwksUrl(false);

                return true;
            }
        } else {
            configWrapper.setUseJwksUrl(true);
            configWrapper.setJwksUrl(clientOIDC.getJwksUri());
            return true;
        }
    }

toExternalResponse()

static OIDCClientRepresentation org.keycloak.services.clientregistration.oidc.DescriptionConverter.toExternalResponse ( KeycloakSession  session, ClientRepresentation  client, URI  uri  )

inlinestatic

                                                                                                                             {
        OIDCClientRepresentation response = new OIDCClientRepresentation();
        response.setClientId(client.getClientId());

        ClientAuthenticatorFactory clientAuth = (ClientAuthenticatorFactory) session.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, client.getClientAuthenticatorType());
        Set<String> oidcClientAuthMethods = clientAuth.getProtocolAuthenticatorMethods(OIDCLoginProtocol.LOGIN_PROTOCOL);
        if (oidcClientAuthMethods != null && !oidcClientAuthMethods.isEmpty()) {
            response.setTokenEndpointAuthMethod(oidcClientAuthMethods.iterator().next());
        }

        if (client.getClientAuthenticatorType().equals(ClientIdAndSecretAuthenticator.PROVIDER_ID)) {
            response.setClientSecret(client.getSecret());
            response.setClientSecretExpiresAt(0);
        }

        response.setClientName(client.getName());
        response.setClientUri(client.getBaseUrl());
        response.setRedirectUris(client.getRedirectUris());
        response.setRegistrationAccessToken(client.getRegistrationAccessToken());
        response.setRegistrationClientUri(uri.toString());
        response.setResponseTypes(getOIDCResponseTypes(client));
        response.setGrantTypes(getOIDCGrantTypes(client));

        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
        if (config.isUserInfoSignatureRequired()) {
            response.setUserinfoSignedResponseAlg(config.getUserInfoSignedResponseAlg().toString());
        }
        if (config.getRequestObjectSignatureAlg() != null) {
            response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg().toString());
        }
        if (config.isUseJwksUrl()) {
            response.setJwksUri(config.getJwksUrl());
        }
        // KEYCLOAK-6771 Certificate Bound Token
        // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.5
        if (config.isUseMtlsHokToken()) {
            response.setTlsClientCertificateBoundAccessTokens(Boolean.TRUE);
        } else {
            response.setTlsClientCertificateBoundAccessTokens(Boolean.FALSE);
        }
        if (config.getIdTokenSignedResponseAlg() != null) {
            response.setIdTokenSignedResponseAlg(config.getIdTokenSignedResponseAlg());
        }

        List<ProtocolMapperRepresentation> foundPairwiseMappers = PairwiseSubMapperUtils.getPairwiseSubMappers(client);
        SubjectType subjectType = foundPairwiseMappers.isEmpty() ? SubjectType.PUBLIC : SubjectType.PAIRWISE;
        response.setSubjectType(subjectType.toString().toLowerCase());
        if (subjectType.equals(SubjectType.PAIRWISE)) {
            // Get sectorIdentifier from 1st found
            String sectorIdentifierUri = PairwiseSubMapperHelper.getSectorIdentifierUri(foundPairwiseMappers.get(0));
            response.setSectorIdentifierUri(sectorIdentifierUri);
        }

        return response;
    }

toInternal()

static ClientRepresentation org.keycloak.services.clientregistration.oidc.DescriptionConverter.toInternal ( KeycloakSession  session, OIDCClientRepresentation  clientOIDC  ) throws ClientRegistrationException

inlinestatic

                                                                                                                                                   {
        ClientRepresentation client = new ClientRepresentation();

        client.setClientId(clientOIDC.getClientId());
        client.setName(clientOIDC.getClientName());
        client.setRedirectUris(clientOIDC.getRedirectUris());
        client.setBaseUrl(clientOIDC.getClientUri());

        List<String> oidcResponseTypes = clientOIDC.getResponseTypes();
        if (oidcResponseTypes == null || oidcResponseTypes.isEmpty()) {
            oidcResponseTypes = Collections.singletonList(OIDCResponseType.CODE);
        }
        List<String> oidcGrantTypes = clientOIDC.getGrantTypes();

        try {
            OIDCResponseType responseType = OIDCResponseType.parse(oidcResponseTypes);
            client.setStandardFlowEnabled(responseType.hasResponseType(OIDCResponseType.CODE));
            client.setImplicitFlowEnabled(responseType.isImplicitOrHybridFlow());

            client.setPublicClient(responseType.isImplicitFlow());

            if (oidcGrantTypes != null) {
                client.setDirectAccessGrantsEnabled(oidcGrantTypes.contains(OAuth2Constants.PASSWORD));
                client.setServiceAccountsEnabled(oidcGrantTypes.contains(OAuth2Constants.CLIENT_CREDENTIALS));
            }
        } catch (IllegalArgumentException iae) {
            throw new ClientRegistrationException(iae.getMessage(), iae);
        }

        String authMethod = clientOIDC.getTokenEndpointAuthMethod();
        ClientAuthenticatorFactory clientAuthFactory;
        if (authMethod == null) {
            clientAuthFactory = (ClientAuthenticatorFactory) session.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, KeycloakModelUtils.getDefaultClientAuthenticatorType());
        } else {
            clientAuthFactory = AuthorizeClientUtil.findClientAuthenticatorForOIDCAuthMethod(session, authMethod);
        }

        if (clientAuthFactory == null) {
            throw new ClientRegistrationException("Not found clientAuthenticator for requested token_endpoint_auth_method");
        }
        client.setClientAuthenticatorType(clientAuthFactory.getId());

        boolean publicKeySet = setPublicKey(clientOIDC, client);
        if (authMethod != null && authMethod.equals(OIDCLoginProtocol.PRIVATE_KEY_JWT) && !publicKeySet) {
            throw new ClientRegistrationException("Didn't find key of supported keyType for use " + JWK.Use.SIG.asString());
        }

        OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
        if (clientOIDC.getUserinfoSignedResponseAlg() != null) {
            Algorithm algorithm = Enum.valueOf(Algorithm.class, clientOIDC.getUserinfoSignedResponseAlg());
            configWrapper.setUserInfoSignedResponseAlg(algorithm);
        }

        if (clientOIDC.getRequestObjectSigningAlg() != null) {
            Algorithm algorithm = Enum.valueOf(Algorithm.class, clientOIDC.getRequestObjectSigningAlg());
            configWrapper.setRequestObjectSignatureAlg(algorithm);
        }

        // KEYCLOAK-6771 Certificate Bound Token
        // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.5
        Boolean tlsClientCertificateBoundAccessTokens = clientOIDC.getTlsClientCertificateBoundAccessTokens();
        if (tlsClientCertificateBoundAccessTokens != null) {
            if (tlsClientCertificateBoundAccessTokens.booleanValue()) configWrapper.setUseMtlsHoKToken(true);
            else configWrapper.setUseMtlsHoKToken(false);
        }

        if (clientOIDC.getIdTokenSignedResponseAlg() != null) {
            configWrapper.setIdTokenSignedResponseAlg(clientOIDC.getIdTokenSignedResponseAlg());
        }

        return client;
    }

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java