org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper の継承関係図

org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper 連携図

公開メンバ関数
List< ProviderConfigProperty >	getConfigProperties ()

String	getId ()

String	getDisplayType ()

String	getDisplayCategory ()

String	getHelpText ()

String	getProtocol ()

void	close ()

final ProtocolMapper	create (KeycloakSession session)

void	init (Config.Scope config)

void	postInit (KeycloakSessionFactory factory)

AccessToken	transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

AccessToken	transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

AccessToken	transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

AccessToken	transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

IDToken	transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

IDToken	transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

静的公開メンバ関数
static ProtocolMapperModel	create (String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)

static ProtocolMapperModel	create (String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken, boolean multiValued)

static Stream< RoleModel >	getAllUserRolesStream (UserModel user)

静的公開変数類
static final String	PROVIDER_ID = "oidc-usermodel-client-role-mapper"

static final String	TOKEN_MAPPER_CATEGORY = "Token mapper"

限定公開メンバ関数
void	setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)

void	setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession)

静的限定公開メンバ関数
static void	setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, Predicate< RoleModel > restriction, String prefix)

静的関数
	[static initializer]

静的非公開メンバ関数
static Predicate< RoleModel >	getClientRoleFilter (String clientId, UserSessionModel userSession)

静的非公開変数類
static final List< ProviderConfigProperty >	CONFIG_PROPERTIES = new ArrayList<>()

詳解

Allows mapping of user client role mappings to an ID and Access Token claim.

著者: Thomas Darimont

関数詳解

◆ [static initializer]()

org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.[static initializer] ( )

inlinestaticpackage

◆ close()

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.close ( )

inlineinherited

                         {
 
     }

◆ create() [1/3]

final ProtocolMapper org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.create ( KeycloakSession session )

inlineinherited

                                                                 {
         throw new RuntimeException("UNSUPPORTED METHOD");
     }

◆ create() [2/3]

static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.create	(	String	clientId,
		String	clientRolePrefix,
		String	name,
		String	tokenClaimName,
		boolean	accessToken,
		boolean	idToken
	)

inlinestatic

                                                                                    {
         return create(clientId, clientRolePrefix, name, tokenClaimName, accessToken, idToken, false);
 
     }

◆ create() [3/3]

static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.create	(	String	clientId,
		String	clientRolePrefix,
		String	name,
		String	tokenClaimName,
		boolean	accessToken,
		boolean	idToken,
		boolean	multiValued
	)

inlinestatic

                                                                                                         {
         ProtocolMapperModel mapper = OIDCAttributeMapperHelper.createClaimMapper(name, "foo",
                 tokenClaimName, "String",
                 accessToken, idToken,
                 PROVIDER_ID);
 
         mapper.getConfig().put(ProtocolMapperUtils.MULTIVALUED, String.valueOf(multiValued));
         mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId);
         mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix);
         return mapper;
     }

◆ getAllUserRolesStream()

static Stream<RoleModel> org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.getAllUserRolesStream ( UserModel user )

inlinestaticinherited

Returns a stream with roles that come from:

Direct assignment of the role to the user
Direct assignment of the role to any group of the user or any of its parent group
Composite roles are expanded recursively, the composite role itself is also contained in the returned stream

引数

user	User to enumerate the roles for

戻り値

                                                                           {
         return Stream.concat(
           user.getRoleMappings().stream(),
           user.getGroups().stream()
             .flatMap(g -> groupAndItsParentsStream(g))
             .flatMap(g -> g.getRoleMappings().stream()))
           .flatMap(RoleUtils::expandCompositeRolesStream);
     }

◆ getClientRoleFilter()

static Predicate<RoleModel> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getClientRoleFilter	(	String	clientId,
		UserSessionModel	userSession
	)

inlinestaticprivate

                                                                                                            {
         if (clientId == null) {
             return RoleModel::isClientRole;
         }
 
         RealmModel clientRealm = userSession.getRealm();
         ClientModel client = clientRealm.getClientByClientId(clientId.trim());
 
         if (client == null) {
             return RoleModel::isClientRole;
         }
 
         boolean fullScopeAllowed = client.isFullScopeAllowed();
         Set<RoleModel> clientRoleMappings = client.getRoles();
         if (fullScopeAllowed) {
             return clientRoleMappings::contains;
         }
 
         Set<RoleModel> scopeMappings = new HashSet<>();
 
         // Add scope mappings of current client + all clientScopes of this client (including optional scopes if scope parameter matches)
         String scopeParam = null;
         AuthenticatedClientSessionModel authClientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
         if (authClientSession != null) {
             scopeParam = authClientSession.getNote(OAuth2Constants.SCOPE);
         }
 
         Set<ClientScopeModel> clientScopes = TokenManager.getRequestedClientScopes(scopeParam, client);
         for (ClientScopeModel clientScope : clientScopes) {
             scopeMappings.addAll(clientScope.getScopeMappings());
         }
 
         return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role);
     }

◆ getConfigProperties()

List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getConfigProperties ( )

inline

                                                               {
         return CONFIG_PROPERTIES;
     }

◆ getDisplayCategory()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getDisplayCategory ( )

inline

                                        {
         return TOKEN_MAPPER_CATEGORY;
     }

◆ getDisplayType()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getDisplayType ( )

inline

                                    {
         return "User Client Role";
     }

◆ getHelpText()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getHelpText ( )

inline

                                 {
         return "Map a user client role to a token claim.";
     }

◆ getId()

String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getId ( )

inline

                           {
         return PROVIDER_ID;
     }

◆ getProtocol()

String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.getProtocol ( )

inlineinherited

                                 {
         return OIDCLoginProtocol.LOGIN_PROTOCOL;
     }

◆ init()

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.init ( Config.Scope config )

inlineinherited

55 {

56 }

◆ postInit()

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.postInit ( KeycloakSessionFactory factory )

inlineinherited

                                                          {
 
     }

◆ setClaim() [1/3]

static void org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.setClaim	(	IDToken	token,
		ProtocolMapperModel	mappingModel,
		UserSessionModel	userSession,
		Predicate< RoleModel >	restriction,
		String	prefix
	)

inlinestaticprotectedinherited

Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups. Then it recursively expands all composite roles, and restricts according to the given predicate

restriction

. If the current client sessions is restricted (i.e. no client found in active user session has full scope allowed), the final list of roles is also restricted by the client scope. Finally, the list is mapped to the token into a claim.

引数

token
mappingModel
userSession
restriction
prefix

                                                        {
         String rolePrefix = prefix == null ? "" : prefix;
         UserModel user = userSession.getUser();
 
         // get a set of all realm roles assigned to the user or its group
         Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);
 
         boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
         if (! dontLimitScope) {
             Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
               .flatMap(cs -> cs.getClient().getScopeMappings().stream())
               .collect(Collectors.toSet());
 
             clientUserRoles = clientUserRoles.filter(clientRoles::contains);
         }
 
         List<String> realmRoleNames = clientUserRoles
           .map(m -> rolePrefix + m.getName())
           .collect(Collectors.toList());
 
         Object claimValue = realmRoleNames;
 
         boolean multiValued = "true".equals(mappingModel.getConfig().get(ProtocolMapperUtils.MULTIVALUED));
         if (!multiValued) {
             claimValue = realmRoleNames.toString();
         }
 
         OIDCAttributeMapperHelper.mapClaim(token, mappingModel, claimValue);
     }

◆ setClaim() [2/3]

void org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.setClaim	(	IDToken	token,
		ProtocolMapperModel	mappingModel,
		UserSessionModel	userSession
	)

inlineprotected

                                                                                                            {
         String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID);
         String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
 
         setClaim(token, mappingModel, userSession, getClientRoleFilter(clientId, userSession), rolePrefix);
     }

◆ setClaim() [3/3]

void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim	(	IDToken	token,
		ProtocolMapperModel	mappingModel,
		UserSessionModel	userSession,
		KeycloakSession	keycloakSession
	)

inlineprotectedinherited

Intended to be overridden in ProtocolMapper implementations to add claims to an token.

引数

token
mappingModel
userSession
keycloakSession

                                                                                                                                             {
         // we delegate to the old #setClaim(...) method for backwards compatibility
         setClaim(token, mappingModel, userSession);
     }

◆ transformAccessToken() [1/2]

AccessToken org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper.transformAccessToken	(	AccessToken	token,
		ProtocolMapperModel	mappingModel,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inherited

org.keycloak.protocol.oidc.mappers.RoleNameMapper, org.keycloak.protocol.oidc.mappers.HardcodedRole, org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapperで実装されています。

◆ transformAccessToken() [2/2]

AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken	(	AccessToken	token,
		ProtocolMapperModel	mappingModel,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inlineinherited

                                                                                                                          {
 
         if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)){
             return token;
         }
 
         setClaim(token, mappingModel, userSession, session);
         return token;
     }

◆ transformIDToken() [1/2]

IDToken org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper.transformIDToken	(	IDToken	token,
		ProtocolMapperModel	mappingModel,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inherited

org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapperで実装されています。

◆ transformIDToken() [2/2]

IDToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformIDToken	(	IDToken	token,
		ProtocolMapperModel	mappingModel,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inlineinherited

                                                                                                                  {
 
         if (!OIDCAttributeMapperHelper.includeInIDToken(mappingModel)){
             return token;
         }
 
         setClaim(token, mappingModel, userSession, session);
         return token;
     }

◆ transformUserInfoToken() [1/2]

AccessToken org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper.transformUserInfoToken	(	AccessToken	token,
		ProtocolMapperModel	mappingModel,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inherited

org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapperで実装されています。

◆ transformUserInfoToken() [2/2]

AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformUserInfoToken	(	AccessToken	token,
		ProtocolMapperModel	mappingModel,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inlineinherited

                                                                                                                            {
 
         if (!OIDCAttributeMapperHelper.includeInUserInfo(mappingModel)) {
             return token;
         }
 
         setClaim(token, mappingModel, userSession, session);
         return token;
     }

メンバ詳解

◆ CONFIG_PROPERTIES

final List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.CONFIG_PROPERTIES = new ArrayList<>()

staticprivate

◆ PROVIDER_ID

final String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.PROVIDER_ID = "oidc-usermodel-client-role-mapper"

static

◆ TOKEN_MAPPER_CATEGORY

final String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY = "Token mapper"

staticinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserClientRoleMappingMapper.java

公開メンバ関数

静的公開メンバ関数

静的公開変数類

限定公開メンバ関数

静的限定公開メンバ関数

静的関数

静的非公開メンバ関数

静的非公開変数類

詳解

関数詳解

◆ [static initializer]()

◆ close()

◆ create() [1/3]

◆ create() [2/3]

◆ create() [3/3]

◆ getAllUserRolesStream()

◆ getClientRoleFilter()

◆ getConfigProperties()

◆ getDisplayCategory()

◆ getDisplayType()

◆ getHelpText()

◆ getId()

◆ getProtocol()

◆ init()

◆ postInit()

◆ setClaim() [1/3]

◆ setClaim() [2/3]

◆ setClaim() [3/3]

◆ transformAccessToken() [1/2]

◆ transformAccessToken() [2/2]

◆ transformIDToken() [1/2]

◆ transformIDToken() [2/2]

◆ transformUserInfoToken() [1/2]

◆ transformUserInfoToken() [2/2]

メンバ詳解

◆ CONFIG_PROPERTIES

◆ PROVIDER_ID

◆ TOKEN_MAPPER_CATEGORY