|
List< ProviderConfigProperty > | getConfigProperties () |
|
String | getId () |
|
String | getDisplayType () |
|
String | getDisplayCategory () |
|
String | getHelpText () |
|
String | getProtocol () |
|
void | close () |
|
final ProtocolMapper | create (KeycloakSession session) |
|
void | init (Config.Scope config) |
|
void | postInit (KeycloakSessionFactory factory) |
|
AccessToken | transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
AccessToken | transformUserInfoToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
AccessToken | transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
AccessToken | transformAccessToken (AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
IDToken | transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
IDToken | transformIDToken (IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) |
|
|
static ProtocolMapperModel | create (String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken) |
|
static ProtocolMapperModel | create (String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken, boolean multiValued) |
|
static Stream< RoleModel > | getAllUserRolesStream (UserModel user) |
|
|
void | setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) |
|
void | setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession) |
|
|
static void | setClaim (IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, Predicate< RoleModel > restriction, String prefix) |
|
|
static Predicate< RoleModel > | getClientRoleFilter (String clientId, UserSessionModel userSession) |
|
Allows mapping of user client role mappings to an ID and Access Token claim.
- Author
- Thomas Darimont
◆ [static initializer]()
org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.[static initializer] |
( |
| ) |
|
|
inlinestaticpackage |
◆ close()
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.close |
( |
| ) |
|
|
inlineinherited |
◆ create() [1/3]
final ProtocolMapper org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.create |
( |
KeycloakSession |
session | ) |
|
|
inlineinherited |
51 throw new RuntimeException(
"UNSUPPORTED METHOD");
◆ create() [2/3]
static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.create |
( |
String |
clientId, |
|
|
String |
clientRolePrefix, |
|
|
String |
name, |
|
|
String |
tokenClaimName, |
|
|
boolean |
accessToken, |
|
|
boolean |
idToken |
|
) |
| |
|
inlinestatic |
149 return create(clientId, clientRolePrefix, name, tokenClaimName, accessToken, idToken,
false);
static ProtocolMapperModel create(String clientId, String clientRolePrefix, String name, String tokenClaimName, boolean accessToken, boolean idToken)
Definition: UserClientRoleMappingMapper.java:145
◆ create() [3/3]
static ProtocolMapperModel org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.create |
( |
String |
clientId, |
|
|
String |
clientRolePrefix, |
|
|
String |
name, |
|
|
String |
tokenClaimName, |
|
|
boolean |
accessToken, |
|
|
boolean |
idToken, |
|
|
boolean |
multiValued |
|
) |
| |
|
inlinestatic |
157 ProtocolMapperModel mapper = OIDCAttributeMapperHelper.createClaimMapper(name,
"foo",
158 tokenClaimName,
"String",
159 accessToken, idToken,
162 mapper.getConfig().put(ProtocolMapperUtils.MULTIVALUED, String.valueOf(multiValued));
163 mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId);
164 mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix);
static final String PROVIDER_ID
Definition: UserClientRoleMappingMapper.java:46
◆ getAllUserRolesStream()
static Stream<RoleModel> org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.getAllUserRolesStream |
( |
UserModel |
user | ) |
|
|
inlinestaticinherited |
Returns a stream with roles that come from:
-
Direct assignment of the role to the user
-
Direct assignment of the role to any group of the user or any of its parent group
-
Composite roles are expanded recursively; each composite role itself is also contained in the returned stream
- Parameters
-
user | User to enumerate the roles for |
- Returns
54 user.getRoleMappings().stream(),
55 user.getGroups().stream()
57 .flatMap(g -> g.getRoleMappings().stream()))
58 .flatMap(RoleUtils::expandCompositeRolesStream);
static Stream< GroupModel > groupAndItsParentsStream(GroupModel group)
Definition: AbstractUserRoleMappingMapper.java:66
◆ getClientRoleFilter()
static Predicate<RoleModel> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getClientRoleFilter |
( |
String |
clientId, |
|
|
UserSessionModel |
userSession |
|
) |
| |
|
inlinestaticprivate |
111 if (clientId == null) {
112 return RoleModel::isClientRole;
115 RealmModel clientRealm = userSession.getRealm();
116 ClientModel client = clientRealm.getClientByClientId(clientId.trim());
118 if (client == null) {
119 return RoleModel::isClientRole;
122 boolean fullScopeAllowed = client.isFullScopeAllowed();
123 Set<RoleModel> clientRoleMappings = client.getRoles();
124 if (fullScopeAllowed) {
125 return clientRoleMappings::contains;
128 Set<RoleModel> scopeMappings =
new HashSet<>();
131 String scopeParam = null;
132 AuthenticatedClientSessionModel authClientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
133 if (authClientSession != null) {
134 scopeParam = authClientSession.getNote(OAuth2Constants.SCOPE);
137 Set<ClientScopeModel> clientScopes = TokenManager.getRequestedClientScopes(scopeParam, client);
138 for (ClientScopeModel clientScope : clientScopes) {
139 scopeMappings.addAll(clientScope.getScopeMappings());
142 return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role);
◆ getConfigProperties()
List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getConfigProperties |
( |
| ) |
|
|
inline |
static final List< ProviderConfigProperty > CONFIG_PROPERTIES
Definition: UserClientRoleMappingMapper.java:48
◆ getDisplayCategory()
String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getDisplayCategory |
( |
| ) |
|
|
inline |
static final String TOKEN_MAPPER_CATEGORY
Definition: AbstractOIDCProtocolMapper.java:37
◆ getDisplayType()
String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getDisplayType |
( |
| ) |
|
|
inline |
89 return "User Client Role";
◆ getHelpText()
String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getHelpText |
( |
| ) |
|
|
inline |
99 return "Map a user client role to a token claim.";
◆ getId()
String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.getId |
( |
| ) |
|
|
inline |
static final String PROVIDER_ID
Definition: UserClientRoleMappingMapper.java:46
◆ getProtocol()
String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.getProtocol |
( |
| ) |
|
|
inlineinherited |
41 return OIDCLoginProtocol.LOGIN_PROTOCOL;
◆ init()
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.init |
( |
Config.Scope |
config | ) |
|
|
inlineinherited |
◆ postInit()
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.postInit |
( |
KeycloakSessionFactory |
factory | ) |
|
|
inlineinherited |
◆ setClaim() [1/3]
static void org.keycloak.protocol.oidc.mappers.AbstractUserRoleMappingMapper.setClaim |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
UserSessionModel |
userSession, |
|
|
Predicate< RoleModel > |
restriction, |
|
|
String |
prefix |
|
) |
| |
|
inlinestaticprotectedinherited |
Retrieves all roles of the current user based on the roles directly assigned to the user, its groups and their parent groups. It then recursively expands all composite roles and restricts the result according to the given predicate. If the current client session is restricted (i.e. no client found in the active user session has full scope allowed), the final list of roles is also restricted by the client scope mappings. Finally, the list is mapped into a claim on the token.
- Parameters
-
token | |
mappingModel | |
userSession | |
restriction | |
prefix | |
90 String rolePrefix = prefix == null ?
"" : prefix;
91 UserModel user = userSession.getUser();
96 boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
97 if (! dontLimitScope) {
98 Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
99 .flatMap(cs -> cs.getClient().getScopeMappings().stream())
100 .collect(Collectors.toSet());
102 clientUserRoles = clientUserRoles.filter(clientRoles::contains);
105 List<String> realmRoleNames = clientUserRoles
106 .map(m -> rolePrefix + m.getName())
107 .collect(Collectors.toList());
109 Object claimValue = realmRoleNames;
111 boolean multiValued =
"true".equals(mappingModel.getConfig().get(ProtocolMapperUtils.MULTIVALUED));
113 claimValue = realmRoleNames.toString();
116 OIDCAttributeMapperHelper.mapClaim(token, mappingModel, claimValue);
static Stream< RoleModel > getAllUserRolesStream(UserModel user)
Definition: AbstractUserRoleMappingMapper.java:52
◆ setClaim() [2/3]
void org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.setClaim |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
UserSessionModel |
userSession |
|
) |
| |
|
inlineprotected |
104 String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID);
105 String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: UserClientRoleMappingMapper.java:103
static Predicate< RoleModel > getClientRoleFilter(String clientId, UserSessionModel userSession)
Definition: UserClientRoleMappingMapper.java:110
◆ setClaim() [3/3]
void org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
UserSessionModel |
userSession, |
|
|
KeycloakSession |
keycloakSession |
|
) |
| |
|
inlineprotectedinherited |
Intended to be overridden in ProtocolMapper implementations to add claims to a token.
- Parameters
-
token | |
mappingModel | |
userSession | |
keycloakSession | |
117 setClaim(token, mappingModel, userSession);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ transformAccessToken() [1/2]
AccessToken org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper.transformAccessToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inherited |
◆ transformAccessToken() [2/2]
AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inlineinherited |
77 if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)){
81 setClaim(token, mappingModel, userSession, session);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ transformIDToken() [1/2]
IDToken org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper.transformIDToken |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inherited |
◆ transformIDToken() [2/2]
IDToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformIDToken |
( |
IDToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inlineinherited |
88 if (!OIDCAttributeMapperHelper.includeInIDToken(mappingModel)){
92 setClaim(token, mappingModel, userSession, session);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ transformUserInfoToken() [1/2]
AccessToken org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper.transformUserInfoToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inherited |
◆ transformUserInfoToken() [2/2]
AccessToken org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformUserInfoToken |
( |
AccessToken |
token, |
|
|
ProtocolMapperModel |
mappingModel, |
|
|
KeycloakSession |
session, |
|
|
UserSessionModel |
userSession, |
|
|
AuthenticatedClientSessionModel |
clientSession |
|
) |
| |
|
inlineinherited |
66 if (!OIDCAttributeMapperHelper.includeInUserInfo(mappingModel)) {
70 setClaim(token, mappingModel, userSession, session);
void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
Definition: AbstractOIDCProtocolMapper.java:105
◆ CONFIG_PROPERTIES
final List<ProviderConfigProperty> org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.CONFIG_PROPERTIES = new ArrayList<>() |
|
staticprivate |
◆ PROVIDER_ID
final String org.keycloak.protocol.oidc.mappers.UserClientRoleMappingMapper.PROVIDER_ID = "oidc-usermodel-client-role-mapper" |
|
static |
◆ TOKEN_MAPPER_CATEGORY
final String org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY = "Token mapper" |
|
staticinherited |