org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator クラス

公開メンバ関数

void authenticateClient (ClientAuthenticationFlowContext context)
 
String getDisplayType ()
 
boolean isConfigurable ()
 
AuthenticationExecutionModel.Requirement [] getRequirementChoices ()
 
String getHelpText ()
 
List< ProviderConfigProperty > getConfigProperties ()
 
List< ProviderConfigProperty > getConfigPropertiesPerClient ()
 
Map< String, Object > getAdapterConfiguration (ClientModel client)
 
String getId ()
 
Set< String > getProtocolAuthenticatorMethods (String loginProtocol)
 
ClientAuthenticator create ()
 
ClientAuthenticator create (KeycloakSession session)
 
void close ()
 
void init (Config.Scope config)
 
void postInit (KeycloakSessionFactory factory)
 
boolean isUserSetupAllowed ()
 
String getReferenceCategory ()
 

静的公開変数類

static final String PROVIDER_ID = "client-secret"
 
static final AuthenticationExecutionModel.Requirement [] REQUIREMENT_CHOICES
 

詳解

Validates a client based on "client_id" and "client_secret" sent either as request parameters or in the "Authorization: Basic" header.

See org.keycloak.adapters.authentication.ClientIdAndSecretAuthenticator for the adapter

著者
Marek Posolda

関数詳解

◆ authenticateClient()

/**
 * Authenticates the calling client from its {@code client_id} and {@code client_secret}.
 * <p>
 * Credentials are read from the {@code Authorization: Basic} header when it parses, and from
 * form parameters when the request body is form-encoded; form parameters take precedence so a
 * client overriding a flow can still use a Basic challenge for its users. Public clients skip
 * secret validation. Every failure path either challenges or fails the context and returns, so
 * the method never falls through with a partially authenticated client.
 *
 * @param context the client authentication flow context carrying the request, realm, session and event
 */
@Override
public void authenticateClient(ClientAuthenticationFlowContext context) {
    String clientId = null;
    String clientSecret = null;

    String basicHeader = context.getHttpRequest().getHttpHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
    MultivaluedMap<String, String> formData = decodedFormParametersOrNull(context);

    if (basicHeader != null) {
        String[] credentials = BasicAuthHelper.parseHeader(basicHeader);
        if (credentials == null) {
            // Only answer with a Basic challenge when the form carries no client_id: some browsers
            // (e.g. IE) attach "Authorization: Negotiate" to XHR requests even for public clients,
            // and a 401 would break them.
            if (formData != null && !formData.containsKey(OAuth2Constants.CLIENT_ID)) {
                context.challenge(basicChallenge(context.getRealm().getName()));
                return;
            }
        } else {
            clientId = credentials[0];
            clientSecret = credentials[1];
        }
    }

    if (formData != null) {
        // Form parameters override Basic credentials so clients that override flows can still use
        // challenges (e.g. Basic) to authenticate their users.
        if (formData.containsKey(OAuth2Constants.CLIENT_ID)) {
            clientId = formData.getFirst(OAuth2Constants.CLIENT_ID);
        }
        if (formData.containsKey(OAuth2Constants.CLIENT_SECRET)) {
            clientSecret = formData.getFirst(OAuth2Constants.CLIENT_SECRET);
        }
    }

    // Last resort: a client_id previously stored on the session.
    if (clientId == null) {
        clientId = context.getSession().getAttribute("client_id", String.class);
    }
    if (clientId == null) {
        context.challenge(badRequest("invalid_client", "Missing client_id parameter"));
        return;
    }

    context.getEvent().client(clientId);

    ClientModel client = context.getRealm().getClientByClientId(clientId);
    if (client == null) {
        context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
        return;
    }
    context.setClient(client);

    if (!client.isEnabled()) {
        context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
        return;
    }

    // Public clients have no secret to check.
    if (client.isPublicClient()) {
        context.success();
        return;
    }

    if (clientSecret == null) {
        context.challenge(badRequest("unauthorized_client", "Client secret not provided in request"));
        return;
    }

    // A client with no stored secret and a wrong secret are reported identically, so the response
    // does not reveal which case applies. validateSecret is the only secret comparison here.
    // NOTE(review): confirm ClientModel.validateSecret compares in constant time.
    if (client.getSecret() == null || !client.validateSecret(clientSecret)) {
        context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS,
                badRequest("unauthorized_client", "Invalid client secret"));
        return;
    }

    context.success();
}

/**
 * Returns the decoded form parameters when the request body is form-encoded, otherwise {@code null}.
 *
 * @param context the flow context carrying the HTTP request
 * @return the decoded form parameters, or {@code null} when the media type is absent or not form-urlencoded
 */
private static MultivaluedMap<String, String> decodedFormParametersOrNull(ClientAuthenticationFlowContext context) {
    MediaType mediaType = context.getHttpRequest().getHttpHeaders().getMediaType();
    boolean formEncoded = mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
    return formEncoded ? context.getHttpRequest().getDecodedFormParameters() : null;
}

/**
 * Builds the 401 response that asks the client for Basic credentials.
 *
 * @param realmName the realm name placed in the {@code WWW-Authenticate} realm attribute
 * @return a 401 response with a {@code Basic realm="..."} challenge header
 */
private static Response basicChallenge(String realmName) {
    // NOTE(review): the realm name is interpolated into the header value unescaped; confirm realm
    // names cannot contain double quotes or CR/LF.
    return Response.status(Response.Status.UNAUTHORIZED)
            .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + realmName + "\"")
            .build();
}

/**
 * Builds an OAuth2-style 400 error response.
 *
 * @param error the OAuth2 error code (e.g. {@code invalid_client})
 * @param description the human-readable error description
 * @return the error response produced by {@link ClientAuthUtil#errorResponse}
 */
private static Response badRequest(String error, String description) {
    return ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), error, description);
}

◆ close()

/**
 * Releases resources held by this authenticator. This base implementation holds none, so it is a no-op.
 */
public void close() {

}

◆ create() [1/2]

/**
 * Returns this factory as the {@link ClientAuthenticator} instance itself; no separate per-call instance is created.
 *
 * @return {@code this}
 */
public ClientAuthenticator create() {
    return this;
}

◆ create() [2/2]

/**
 * Returns this factory as the {@link ClientAuthenticator} instance, regardless of the session.
 *
 * @param session the current session; not used by this base implementation
 * @return {@code this}
 */
public ClientAuthenticator create(KeycloakSession session) {
    return this;
}

◆ getAdapterConfiguration()

/**
 * Builds the adapter-side configuration needed to authenticate as {@code client}.
 * <p>
 * The single entry maps {@link CredentialRepresentation#SECRET} to the client's secret, so the
 * returned map is sensitive material and must not be logged.
 *
 * @param client the client whose secret is exported
 * @return a mutable map holding the secret entry (the value is {@code null} when the client has no secret)
 */
@Override
public Map<String, Object> getAdapterConfiguration(ClientModel client) {
    Map<String, Object> adapterConfig = new HashMap<>();
    adapterConfig.put(CredentialRepresentation.SECRET, client.getSecret());
    return adapterConfig;
}

◆ getConfigProperties()

/**
 * Returns the configurable properties of this authenticator.
 *
 * @return a new, empty, mutable list; this authenticator exposes no generic config properties
 */
public List<ProviderConfigProperty> getConfigProperties() {
    return new LinkedList<>();
}

◆ getConfigPropertiesPerClient()

/**
 * Returns the per-client configuration properties for the generic admin screen.
 *
 * @return an immutable empty list; this authenticator has its own admin screen, so it contributes
 *         nothing to the generic one
 */
public List<ProviderConfigProperty> getConfigPropertiesPerClient() {
    // This impl doesn't use generic screen in admin console, but has its own screen. So no need to return anything here
    return Collections.emptyList();
}

◆ getDisplayType()

/**
 * Returns the display name of this authenticator.
 *
 * @return the literal {@code "Client Id and Secret"}
 */
public String getDisplayType() {
    return "Client Id and Secret";
}

◆ getHelpText()

/**
 * Returns the help text describing what this authenticator validates.
 *
 * @return a one-sentence description of the client_id / client_secret check
 */
public String getHelpText() {
    return "Validates client based on 'client_id' and 'client_secret' sent either in request parameters or in 'Authorization: Basic' header";
}

◆ getId()

/**
 * Returns the provider id under which this authenticator is registered.
 *
 * @return {@link #PROVIDER_ID}, i.e. {@code "client-secret"}
 */
public String getId() {
    return PROVIDER_ID;
}

◆ getProtocolAuthenticatorMethods()

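/**
 * Lists the client-authentication methods this authenticator supports for a login protocol.
 *
 * @param loginProtocol the login protocol identifier; {@code null} is treated as an unsupported protocol
 * @return for the OIDC protocol, the two {@code OIDCLoginProtocol} client-secret methods
 *         (basic first, then post) in insertion order; an immutable empty set for any other protocol
 */
@Override
public Set<String> getProtocolAuthenticatorMethods(String loginProtocol) {
    // Constant-first comparison so a null protocol yields the empty set instead of an NPE.
    if (!OIDCLoginProtocol.LOGIN_PROTOCOL.equals(loginProtocol)) {
        return Collections.emptySet();
    }
    Set<String> methods = new LinkedHashSet<>();
    methods.add(OIDCLoginProtocol.CLIENT_SECRET_BASIC);
    methods.add(OIDCLoginProtocol.CLIENT_SECRET_POST);
    return methods;
}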

◆ getReferenceCategory()

/**
 * Returns the reference category of this authenticator.
 *
 * @return always {@code null} in this base implementation
 */
public String getReferenceCategory() {
    return null;
}

◆ getRequirementChoices()

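/**
 * Returns the requirement levels offered for this authenticator.
 *
 * @return a fresh copy of {@link #REQUIREMENT_CHOICES} (ALTERNATIVE and DISABLED); callers may
 *         modify the returned array without affecting the shared constant
 */
@Override
public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
    // Defensive copy: the shared constant must not be mutable through this accessor.
    return REQUIREMENT_CHOICES.clone();
}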

◆ init()

/**
 * Initialises the factory from configuration. No-op: this base implementation reads nothing from {@code config}.
 *
 * @param config the provider configuration scope (unused)
 */
public void init(Config.Scope config) {

}

◆ isConfigurable()

/**
 * Reports whether this authenticator accepts configuration.
 *
 * @return always {@code false}
 */
public boolean isConfigurable() {
    return false;
}

◆ isUserSetupAllowed()

/**
 * Reports whether user setup is allowed for this authenticator.
 *
 * @return always {@code false} in this base implementation
 */
public boolean isUserSetupAllowed() {
    return false;
}

◆ postInit()

/**
 * Post-initialisation hook. No-op: this base implementation does nothing with the factory.
 *
 * @param factory the session factory (unused)
 */
public void postInit(KeycloakSessionFactory factory) {

}

メンバ詳解

◆ PROVIDER_ID

/** Provider id under which this client authenticator is registered; also returned by {@link #getId()}. */
public static final String PROVIDER_ID = "client-secret";

◆ REQUIREMENT_CHOICES

/** Requirement levels offered for this authenticator, as returned by {@link #getRequirementChoices()}: ALTERNATIVE or DISABLED. */
public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
    AuthenticationExecutionModel.Requirement.ALTERNATIVE,
    AuthenticationExecutionModel.Requirement.DISABLED
};
