org.keycloak.authorization.authorization.AuthorizationTokenService 連携図

クラス
class	KeycloakAuthorizationRequest

公開メンバ関数
Response	authorize (KeycloakAuthorizationRequest request)

静的公開メンバ関数
static AuthorizationTokenService	instance ()

静的公開変数類
static final String	CLAIM_TOKEN_FORMAT_ID_TOKEN = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"

静的関数
	[static initializer]

非公開メンバ関数
Response	createSuccessfulResponse (Object response, KeycloakAuthorizationRequest request)

boolean	isPublicClientRequestingEntitlementWithClaims (KeycloakAuthorizationRequest request)

Collection< Permission >	evaluatePermissions (KeycloakAuthorizationRequest request, PermissionTicketToken ticket, ResourceServer resourceServer, KeycloakEvaluationContext evaluationContext, KeycloakIdentity identity)

Collection< Permission >	evaluateUserManagedPermissions (KeycloakAuthorizationRequest request, PermissionTicketToken ticket, ResourceServer resourceServer, KeycloakEvaluationContext evaluationContext, KeycloakIdentity identity)

Collection< Permission >	evaluateAllPermissions (KeycloakAuthorizationRequest request, ResourceServer resourceServer, KeycloakEvaluationContext evaluationContext, KeycloakIdentity identity)

AuthorizationResponse	createAuthorizationResponse (KeycloakIdentity identity, Collection< Permission > entitlements, KeycloakAuthorizationRequest request, ClientModel targetClient)

boolean	isUpgraded (AuthorizationRequest request, Authorization authorization)

PermissionTicketToken	getPermissionTicket (KeycloakAuthorizationRequest request)

ResourceServer	getResourceServer (PermissionTicketToken ticket, KeycloakAuthorizationRequest request)

KeycloakEvaluationContext	createEvaluationContext (KeycloakAuthorizationRequest request)

Collection< ResourcePermission >	createPermissions (PermissionTicketToken ticket, KeycloakAuthorizationRequest request, ResourceServer resourceServer, KeycloakIdentity identity, AuthorizationProvider authorization)

PermissionTicketToken	verifyPermissionTicket (KeycloakAuthorizationRequest request)

boolean	isGranted (PermissionTicketToken ticket, AuthorizationRequest request, Collection< Permission > permissions)

静的非公開変数類
static final Logger	logger = Logger.getLogger(AuthorizationTokenService.class)

static final String	RESPONSE_MODE_DECISION = "decision"

static final String	RESPONSE_MODE_PERMISSIONS = "permissions"

static final String	RESPONSE_MODE_DECISION_RESULT = "result"

static Map< String, BiFunction< AuthorizationRequest, AuthorizationProvider, KeycloakEvaluationContext > >	SUPPORTED_CLAIM_TOKEN_FORMATS

static final AuthorizationTokenService	INSTANCE = new AuthorizationTokenService()

詳解

著者: Pedro Igor

関数詳解

◆ [static initializer]()

org.keycloak.authorization.authorization.AuthorizationTokenService.[static initializer] ( )

inlinestaticpackage

◆ authorize()

Response org.keycloak.authorization.authorization.AuthorizationTokenService.authorize ( KeycloakAuthorizationRequest request )

inline

                                                                     {
         if (request == null) {
             throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.INVALID_GRANT, "Invalid authorization request.", Status.BAD_REQUEST);
         }
 
         // it is not secure to allow public clients to push arbitrary claims because message can be tampered
         if (isPublicClientRequestingEntitlementWithClaims(request)) {
             throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.INVALID_GRANT, "Public clients are not allowed to send claims", Status.FORBIDDEN);
         }
 
         try {
             PermissionTicketToken ticket = getPermissionTicket(request);
 
             request.setClaims(ticket.getClaims());
 
             ResourceServer resourceServer = getResourceServer(ticket, request);
             KeycloakEvaluationContext evaluationContext = createEvaluationContext(request);
             KeycloakIdentity identity = KeycloakIdentity.class.cast(evaluationContext.getIdentity());
             Collection<Permission> permissions;
 
             if (request.getTicket() != null) {
                 permissions = evaluateUserManagedPermissions(request, ticket, resourceServer, evaluationContext, identity);
             } else if (ticket.getPermissions().isEmpty() && request.getRpt() == null) {
                 permissions = evaluateAllPermissions(request, resourceServer, evaluationContext, identity);
             } else {
                 permissions = evaluatePermissions(request, ticket, resourceServer, evaluationContext, identity);
             }
 
             if (isGranted(ticket, request, permissions)) {
                 AuthorizationProvider authorization = request.getAuthorization();
                 ClientModel targetClient = authorization.getRealm().getClientById(resourceServer.getId());
                 Metadata metadata = request.getMetadata();
                 String responseMode = metadata != null ? metadata.getResponseMode() : null;
 
                 if (responseMode != null) {
                     if (RESPONSE_MODE_DECISION.equals(metadata.getResponseMode())) {
                         Map<String, Object> responseClaims = new HashMap<>();
 
                         responseClaims.put(RESPONSE_MODE_DECISION_RESULT, true);
 
                         return createSuccessfulResponse(responseClaims, request);
                     } else if (RESPONSE_MODE_PERMISSIONS.equals(metadata.getResponseMode())) {
                         return createSuccessfulResponse(permissions, request);
                     } else {
                         throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.INVALID_REQUEST, "Invalid response_mode", Status.BAD_REQUEST);
                     }
                 } else {
                     return createSuccessfulResponse(createAuthorizationResponse(identity, permissions, request, targetClient), request);
                 }
             }
 
             if (request.isSubmitRequest()) {
                 throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.ACCESS_DENIED, "request_submitted", Status.FORBIDDEN);
             } else {
                 throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.ACCESS_DENIED, "not_authorized", Status.FORBIDDEN);
             }
         } catch (ErrorResponseException | CorsErrorResponseException cause) {
             if (logger.isDebugEnabled()) {
                 logger.debug("Error while evaluating permissions", cause);
             }
             throw cause;
         } catch (Exception cause) {
             logger.error("Unexpected error while evaluating permissions", cause);
             throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.SERVER_ERROR, "Unexpected error while evaluating permissions", Status.INTERNAL_SERVER_ERROR);
         }
     }

◆ createAuthorizationResponse()

AuthorizationResponse org.keycloak.authorization.authorization.AuthorizationTokenService.createAuthorizationResponse	(	KeycloakIdentity	identity,
		Collection< Permission >	entitlements,
		KeycloakAuthorizationRequest	request,
		ClientModel	targetClient
	)

inlineprivate

                                                                                                                                                                                               {
         KeycloakSession keycloakSession = request.getKeycloakSession();
         AccessToken accessToken = identity.getAccessToken();
         RealmModel realm = request.getRealm();
         UserSessionProvider sessions = keycloakSession.sessions();
         UserSessionModel userSessionModel = sessions.getUserSession(realm, accessToken.getSessionState());
 
         if (userSessionModel == null) {
             userSessionModel = sessions.getOfflineUserSession(realm, accessToken.getSessionState());
         }
 
         ClientModel client = realm.getClientByClientId(accessToken.getIssuedFor());
         AuthenticatedClientSessionModel clientSession = userSessionModel.getAuthenticatedClientSessionByClient(client.getId());
         ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);
         TokenManager tokenManager = request.getTokenManager();
         EventBuilder event = request.getEvent();
         AccessTokenResponseBuilder responseBuilder = tokenManager.responseBuilder(realm, clientSession.getClient(), event, keycloakSession, userSessionModel, clientSessionCtx)
                 .generateAccessToken()
                 .generateRefreshToken();
         AccessToken rpt = responseBuilder.getAccessToken();
 
         rpt.issuedFor(client.getClientId());
 
         Authorization authorization = new Authorization();
 
         authorization.setPermissions(entitlements);
 
         rpt.setAuthorization(authorization);
 
         RefreshToken refreshToken = responseBuilder.getRefreshToken();
 
         refreshToken.issuedFor(client.getClientId());
         refreshToken.setAuthorization(authorization);
 
         if (!rpt.hasAudience(targetClient.getClientId())) {
             rpt.audience(targetClient.getClientId());
         }
 
         return new AuthorizationResponse(responseBuilder.build(), isUpgraded(request, authorization));
     }

◆ createEvaluationContext()

KeycloakEvaluationContext org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext ( KeycloakAuthorizationRequest request )

inlineprivate

                                                                                                     {
         String claimTokenFormat = request.getClaimTokenFormat();
 
         if (claimTokenFormat == null) {
             claimTokenFormat = CLAIM_TOKEN_FORMAT_ID_TOKEN;
         }
 
         BiFunction<AuthorizationRequest, AuthorizationProvider, KeycloakEvaluationContext> evaluationContextProvider = SUPPORTED_CLAIM_TOKEN_FORMATS.get(claimTokenFormat);
 
         if (evaluationContextProvider == null) {
             throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.INVALID_REQUEST, "Claim token format [" + claimTokenFormat + "] not supported", Status.BAD_REQUEST);
         }
 
         return evaluationContextProvider.apply(request, request.getAuthorization());
     }

◆ createPermissions()

Collection<ResourcePermission> org.keycloak.authorization.authorization.AuthorizationTokenService.createPermissions	(	PermissionTicketToken	ticket,
		KeycloakAuthorizationRequest	request,
		ResourceServer	resourceServer,
		KeycloakIdentity	identity,
		AuthorizationProvider	authorization
	)

inlineprivate

                                                                                                                                                                                                                                 {
         StoreFactory storeFactory = authorization.getStoreFactory();
         Map<String, ResourcePermission> permissionsToEvaluate = new LinkedHashMap<>();
         ResourceStore resourceStore = storeFactory.getResourceStore();
         ScopeStore scopeStore = storeFactory.getScopeStore();
         Metadata metadata = request.getMetadata();
         final AtomicInteger limit = metadata != null && metadata.getLimit() != null ? new AtomicInteger(metadata.getLimit()) : null;
 
         for (Permission permission : ticket.getPermissions()) {
             if (limit != null && limit.get() <= 0) {
                 break;
             }
 
             Set<String> requestedScopes = permission.getScopes();
 
             if (permission.getScopes() == null) {
                 requestedScopes = new HashSet<>();
             }
 
             List<Resource> requestedResources = new ArrayList<>();
             String resourceId = permission.getResourceId();
 
             if (resourceId != null) {
                 Resource resource = null;
 
                 if (resourceId.indexOf('-') != -1) {
                     resource = resourceStore.findById(resourceId, resourceServer.getId());
                 }
 
                 if (resource != null) {
                     requestedResources.add(resource);
                 } else {
                     String resourceName = resourceId;
                     Resource ownerResource = resourceStore.findByName(resourceName, identity.getId(), resourceServer.getId());
 
                     if (ownerResource != null) {
                         permission.setResourceId(ownerResource.getId());
                         requestedResources.add(ownerResource);
                     }
 
                     if (!identity.isResourceServer()) {
                         Resource serverResource = resourceStore.findByName(resourceName, resourceServer.getId());
 
                         if (serverResource != null) {
                             permission.setResourceId(serverResource.getId());
                             requestedResources.add(serverResource);
                         }
                     }
                 }
             }
 
             String clientAdditionalScopes = request.getScope();
 
             if (clientAdditionalScopes != null) {
                 requestedScopes.addAll(Arrays.asList(clientAdditionalScopes.split(" ")));
             }
 
             Set<Scope> requestedScopesModel = requestedScopes.stream().map(s -> scopeStore.findByName(s, resourceServer.getId())).filter(Objects::nonNull).collect(Collectors.toSet());
 
             if (resourceId != null && requestedResources.isEmpty()) {
                 throw new CorsErrorResponseException(request.getCors(), "invalid_resource", "Resource with id [" + resourceId + "] does not exist.", Status.BAD_REQUEST);
             }
 
             if (!requestedScopes.isEmpty() && requestedScopesModel.isEmpty()) {
                 throw new CorsErrorResponseException(request.getCors(), "invalid_scope", "One of the given scopes " + permission.getScopes() + " is invalid", Status.BAD_REQUEST);
             }
 
             if (!requestedResources.isEmpty()) {
                 for (Resource resource : requestedResources) {
                     if (limit != null && limit.get() <= 0) {
                         break;
                     }
                     ResourcePermission perm = permissionsToEvaluate.get(resource.getId());
 
                     if (perm == null) {
                         perm = Permissions.createResourcePermissions(resource, requestedScopesModel, authorization, request);
                         permissionsToEvaluate.put(resource.getId(), perm);
                         if (limit != null) {
                             limit.decrementAndGet();
                         }
                     } else {
                         for (Scope scope : requestedScopesModel) {
                             perm.addScope(scope);
                         }
                     }
                 }
             } else {
                 AtomicBoolean processed = new AtomicBoolean();
 
                 resourceStore.findByScope(requestedScopesModel.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource -> {
                     if (limit != null && limit.get() <= 0) {
                         return;
                     }
 
                     ResourcePermission perm = permissionsToEvaluate.get(resource.getId());
 
                     if (perm == null) {
                         perm = Permissions.createResourcePermissions(resource, requestedScopesModel, authorization, request);
                         permissionsToEvaluate.put(resource.getId(), perm);
                         if (limit != null) {
                             limit.decrementAndGet();
                         }
                     } else {
                         for (Scope scope : requestedScopesModel) {
                             perm.addScope(scope);
                         }
                     }
 
                     processed.compareAndSet(false, true);
                 });
 
                 if (!processed.get()) {
                     for (Scope scope : requestedScopesModel) {
                         if (limit != null && limit.getAndDecrement() <= 0) {
                             break;
                         }
                         permissionsToEvaluate.computeIfAbsent(scope.getId(), s -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer, request.getClaims()));
                     }
                 }
             }
         }
 
         AccessToken rpt = request.getRpt();
 
         if (rpt != null && rpt.isActive()) {
             AccessToken.Authorization authorizationData = rpt.getAuthorization();
 
             if (authorizationData != null) {
                 Collection<Permission> permissions = authorizationData.getPermissions();
 
                 if (permissions != null) {
                     for (Permission grantedPermission : permissions) {
                         if (limit != null && limit.get() <= 0) {
                             break;
                         }
 
                         Resource resource = resourceStore.findById(grantedPermission.getResourceId(), ticket.getAudience()[0]);
 
                         if (resource != null) {
                             ResourcePermission permission = permissionsToEvaluate.get(resource.getId());
 
                             if (permission == null) {
                                 permission = new ResourcePermission(resource, new ArrayList<>(), resourceServer, grantedPermission.getClaims());
                                 permissionsToEvaluate.put(resource.getId(), permission);
                                 if (limit != null) {
                                     limit.decrementAndGet();
                                 }
                             } else {
                                 if (grantedPermission.getClaims() != null) {
                                     for (Entry<String, Set<String>> entry : grantedPermission.getClaims().entrySet()) {
                                         Set<String> claims = permission.getClaims().get(entry.getKey());
 
                                         if (claims != null) {
                                             claims.addAll(entry.getValue());
                                         }
                                     }
                                 }
                             }
 
                             for (String scopeName : grantedPermission.getScopes()) {
                                 Scope scope = scopeStore.findByName(scopeName, resourceServer.getId());
 
                                 if (scope != null) {
                                     if (!permission.getScopes().contains(scope)) {
                                         permission.getScopes().add(scope);
                                     }
                                 }
                             }
                         }
                     }
                 }
             }
         }
 
         return permissionsToEvaluate.values();
     }

◆ createSuccessfulResponse()

Response org.keycloak.authorization.authorization.AuthorizationTokenService.createSuccessfulResponse	(	Object	response,
		KeycloakAuthorizationRequest	request
	)

inlineprivate

                                                                                                      {
         return Cors.add(request.getHttpRequest(), Response.status(Status.OK).type(MediaType.APPLICATION_JSON_TYPE).entity(response))
                 .allowedOrigins(request.getKeycloakSession().getContext().getUri(), request.getKeycloakSession().getContext().getClient())
                 .allowedMethods(HttpMethod.POST)
                 .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
     }

◆ evaluateAllPermissions()

Collection<Permission> org.keycloak.authorization.authorization.AuthorizationTokenService.evaluateAllPermissions	(	KeycloakAuthorizationRequest	request,
		ResourceServer	resourceServer,
		KeycloakEvaluationContext	evaluationContext,
		KeycloakIdentity	identity
	)

inlineprivate

                                                                                                                                                                                                        {
         AuthorizationProvider authorization = request.getAuthorization();
         return authorization.evaluators()
                 .from(Permissions.all(resourceServer, identity, authorization, request), evaluationContext)
                 .evaluate(resourceServer, request);
     }

◆ evaluatePermissions()

Collection<Permission> org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions	(	KeycloakAuthorizationRequest	request,
		PermissionTicketToken	ticket,
		ResourceServer	resourceServer,
		KeycloakEvaluationContext	evaluationContext,
		KeycloakIdentity	identity
	)

inlineprivate

                                                                                                                                                                                                                                   {
         AuthorizationProvider authorization = request.getAuthorization();
         return authorization.evaluators()
                 .from(createPermissions(ticket, request, resourceServer, identity, authorization), evaluationContext)
                 .evaluate(resourceServer, request);
     }

◆ evaluateUserManagedPermissions()

Collection<Permission> org.keycloak.authorization.authorization.AuthorizationTokenService.evaluateUserManagedPermissions	(	KeycloakAuthorizationRequest	request,
		PermissionTicketToken	ticket,
		ResourceServer	resourceServer,
		KeycloakEvaluationContext	evaluationContext,
		KeycloakIdentity	identity
	)

inlineprivate

                                                                                                                                                                                                                                              {
         AuthorizationProvider authorization = request.getAuthorization();
         return authorization.evaluators()
                 .from(createPermissions(ticket, request, resourceServer, identity, authorization), evaluationContext)
                 .evaluate(new PermissionTicketAwareDecisionResultCollector(request, ticket, identity, resourceServer, authorization)).results();
     }

◆ getPermissionTicket()

PermissionTicketToken org.keycloak.authorization.authorization.AuthorizationTokenService.getPermissionTicket ( KeycloakAuthorizationRequest request )

inlineprivate

                                                                                             {
         // if there is a ticket is because it is a UMA flow and the ticket was sent by the client after obtaining it from the target resource server
         if (request.getTicket() != null) {
             return verifyPermissionTicket(request);
         }
 
         // if there is no ticket, we use the permissions the client is asking for.
         // This is a Keycloak extension to UMA flow where clients are capable of obtaining a RPT without a ticket
         PermissionTicketToken permissions = request.getPermissions();
 
         // an audience must be set by the client when doing this method of obtaining RPT, that is how we know the target resource server
         permissions.audience(request.getAudience());
 
         return permissions;
     }

◆ getResourceServer()

ResourceServer org.keycloak.authorization.authorization.AuthorizationTokenService.getResourceServer	(	PermissionTicketToken	ticket,
		KeycloakAuthorizationRequest	request
	)

inlineprivate

                                                                                                                  {
         AuthorizationProvider authorization = request.getAuthorization();
         StoreFactory storeFactory = authorization.getStoreFactory();
         ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
         String[] audience = ticket.getAudience();
 
         if (audience == null || audience.length == 0) {
             throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.INVALID_REQUEST, "You must provide the audience", Status.BAD_REQUEST);
         }
 
         ClientModel clientModel = request.getRealm().getClientByClientId(audience[0]);
 
         if (clientModel == null) {
             throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.INVALID_REQUEST, "Unknown resource server id.", Status.BAD_REQUEST);
         }
 
         ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId());
 
         if (resourceServer == null) {
             throw new CorsErrorResponseException(request.getCors(), OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.BAD_REQUEST);
         }
 
         return resourceServer;
     }

◆ instance()

static AuthorizationTokenService org.keycloak.authorization.authorization.AuthorizationTokenService.instance ( )

inlinestatic

                                                        {
         return INSTANCE;
     }

◆ isGranted()

boolean org.keycloak.authorization.authorization.AuthorizationTokenService.isGranted	(	PermissionTicketToken	ticket,
		AuthorizationRequest	request,
		Collection< Permission >	permissions
	)

inlineprivate

                                                                                                                               {
         List<Permission> requestedPermissions = ticket.getPermissions();
 
         // denies in case a rpt was provided along with the authorization request but any requested permission was not granted
         if (request.getRpt() != null && !requestedPermissions.isEmpty() && requestedPermissions.stream().anyMatch(permission -> !permissions.contains(permission))) {
             return false;
         }
 
         return !permissions.isEmpty();
     }

◆ isPublicClientRequestingEntitlementWithClaims()

boolean org.keycloak.authorization.authorization.AuthorizationTokenService.isPublicClientRequestingEntitlementWithClaims ( KeycloakAuthorizationRequest request )

inlineprivate

                                                                                                         {
         return request.getClaimToken() != null && request.getKeycloakSession().getContext().getClient().isPublicClient() && request.getTicket() == null;
     }

◆ isUpgraded()

boolean org.keycloak.authorization.authorization.AuthorizationTokenService.isUpgraded	(	AuthorizationRequest	request,
		Authorization	authorization
	)

inlineprivate

                                                                                           {
         AccessToken previousRpt = request.getRpt();
 
         if (previousRpt == null) {
             return false;
         }
 
         Authorization previousAuthorization = previousRpt.getAuthorization();
 
         if (previousAuthorization != null) {
             Collection<Permission> previousPermissions = previousAuthorization.getPermissions();
 
             if (previousPermissions != null) {
                 for (Permission previousPermission : previousPermissions) {
                     if (!authorization.getPermissions().contains(previousPermission)) {
                         return false;
                     }
                 }
             }
         }
 
         return true;
     }

◆ verifyPermissionTicket()

PermissionTicketToken org.keycloak.authorization.authorization.AuthorizationTokenService.verifyPermissionTicket ( KeycloakAuthorizationRequest request )

inlineprivate

                                                                                                {
         String ticketString = request.getTicket();
 
         PermissionTicketToken ticket = request.getKeycloakSession().tokens().decode(ticketString, PermissionTicketToken.class);
         if (ticket == null) {
             throw new CorsErrorResponseException(request.getCors(), "invalid_ticket", "Ticket verification failed", Status.FORBIDDEN);
         }
 
         if (!ticket.isActive()) {
             throw new CorsErrorResponseException(request.getCors(), "invalid_ticket", "Invalid permission ticket.", Status.FORBIDDEN);
         }
 
         return ticket;
     }

メンバ詳解

◆ CLAIM_TOKEN_FORMAT_ID_TOKEN

final String org.keycloak.authorization.authorization.AuthorizationTokenService.CLAIM_TOKEN_FORMAT_ID_TOKEN = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"

static

◆ INSTANCE

final AuthorizationTokenService org.keycloak.authorization.authorization.AuthorizationTokenService.INSTANCE = new AuthorizationTokenService()

staticprivate

◆ logger

final Logger org.keycloak.authorization.authorization.AuthorizationTokenService.logger = Logger.getLogger(AuthorizationTokenService.class)

staticprivate

◆ RESPONSE_MODE_DECISION

final String org.keycloak.authorization.authorization.AuthorizationTokenService.RESPONSE_MODE_DECISION = "decision"

staticprivate

◆ RESPONSE_MODE_DECISION_RESULT

final String org.keycloak.authorization.authorization.AuthorizationTokenService.RESPONSE_MODE_DECISION_RESULT = "result"

staticprivate

◆ RESPONSE_MODE_PERMISSIONS

final String org.keycloak.authorization.authorization.AuthorizationTokenService.RESPONSE_MODE_PERMISSIONS = "permissions"

staticprivate

◆ SUPPORTED_CLAIM_TOKEN_FORMATS

Map<String, BiFunction<AuthorizationRequest, AuthorizationProvider, KeycloakEvaluationContext> > org.keycloak.authorization.authorization.AuthorizationTokenService.SUPPORTED_CLAIM_TOKEN_FORMATS

staticprivate

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java

クラス

公開メンバ関数

静的公開メンバ関数

静的公開変数類

静的関数

非公開メンバ関数

静的非公開変数類

詳解

関数詳解

◆ [static initializer]()

◆ authorize()

◆ createAuthorizationResponse()

◆ createEvaluationContext()

◆ createPermissions()

◆ createSuccessfulResponse()

◆ evaluateAllPermissions()

◆ evaluatePermissions()

◆ evaluateUserManagedPermissions()

◆ getPermissionTicket()

◆ getResourceServer()

◆ instance()

◆ isGranted()

◆ isPublicClientRequestingEntitlementWithClaims()

◆ isUpgraded()

◆ verifyPermissionTicket()

メンバ詳解

◆ CLAIM_TOKEN_FORMAT_ID_TOKEN

◆ INSTANCE

◆ logger

◆ RESPONSE_MODE_DECISION

◆ RESPONSE_MODE_DECISION_RESULT

◆ RESPONSE_MODE_PERMISSIONS

◆ SUPPORTED_CLAIM_TOKEN_FORMATS