
Example 46 with ClientScopeModel

use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.

the class TokenManager method initToken.

/**
 * Builds the base {@link AccessToken} for a user's authenticated client session.
 *
 * <p>Claims populated here: a fresh token id, bearer type, subject (user id), iat, azp
 * (client id), issuer (taken from the client-session ISSUER note), the nonce echoed back
 * from the client session context, the scope string, acr, auth_time (only when the
 * AUTH_TIME user-session note is present) and session_state (the user-session id).
 * The expiration is delegated to {@code getTokenExpiration}, which is told whether the
 * {@code offline_access} scope was requested so it can apply the offline lifespan.
 *
 * <p>Note: auth_time is parsed with {@code Integer.parseInt}; the note is written server-side
 * (AuthenticationManager), so a malformed value is treated as a programming error and will
 * surface as a NumberFormatException rather than being silently ignored. {@code uriInfo} is
 * not read by this method.
 *
 * @param realm            realm the token is issued in
 * @param client           client the token is issued for (becomes azp)
 * @param user             authenticated user (becomes sub)
 * @param session          user session the token is bound to (becomes session_state)
 * @param clientSessionCtx client-session context carrying nonce, scopes and the client session
 * @param uriInfo          request URI info; currently unused here
 * @return a populated, not-yet-signed access token
 */
protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionContext clientSessionCtx, UriInfo uriInfo) {
    AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();

    AccessToken token = new AccessToken();
    token.id(KeycloakModelUtils.generateId());
    token.type(TokenUtil.TOKEN_TYPE_BEARER);
    token.subject(user.getId());
    token.issuedNow();
    token.issuedFor(client.getClientId());
    // Issuer is whatever was recorded on the client session at login time.
    token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
    // Echo the nonce supplied at authorization time so the client can bind the token to its request.
    token.setNonce(clientSessionCtx.getAttribute(OIDCLoginProtocol.NONCE_PARAM, String.class));
    token.setScope(clientSessionCtx.getScopeString());
    token.setAcr(getAcr(clientSession));

    // auth_time is optional: only emitted when the user session recorded it.
    String authTimeNote = session.getNote(AuthenticationManager.AUTH_TIME);
    if (authTimeNote != null) {
        token.setAuthTime(Integer.parseInt(authTimeNote));
    }

    token.setSessionState(session.getId());

    // Offline access is "requested" only if the realm defines the offline_access scope
    // AND that scope's id is among the scopes granted to this client session.
    ClientScopeModel offlineScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);
    boolean wantsOfflineToken = offlineScope != null
            && clientSessionCtx.getClientScopeIds().contains(offlineScope.getId());
    token.expiration(getTokenExpiration(realm, client, session, clientSession, wantsOfflineToken));

    return token;
}

Example 47 with ClientScopeModel

use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.

the class MigrateTo6_0_0 method migrateRealm.

/**
 * 6.0.0 migration step for one realm: registers the {@code microprofile-jwt} client scope
 * and attaches it to every OIDC client that is not bearer-only.
 *
 * <p>The scope is attached as an <em>optional</em> scope ({@code addClientScope(..., false)}),
 * so clients must request it explicitly before its mappers affect issued tokens.
 *
 * @param session current Keycloak session (used to look up the MigrationProvider)
 * @param realm   realm being migrated
 * @param jsn     unused by this step; kept for the migration interface
 */
protected void migrateRealm(KeycloakSession session, RealmModel realm, boolean jsn) {
    MigrationProvider provider = session.getProvider(MigrationProvider.class);

    // Step 1: create the scope itself on the realm.
    ClientScopeModel microprofileScope = provider.addOIDCMicroprofileJWTClientScope(realm);
    LOG.debugf("Added '%s' optional client scope", microprofileScope.getName());

    // Step 2: link it (optional, not default) to each eligible OIDC client.
    realm.getClientsStream()
            .filter(MigrationUtils::isOIDCNonBearerOnlyClient)
            .forEach(oidcClient -> oidcClient.addClientScope(microprofileScope, false));
    LOG.debugf("Client scope '%s' assigned to all the clients", microprofileScope.getName());
}

Example 48 with ClientScopeModel

use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.

the class MigrateTo4_6_0 method migrateRealm.

/**
 * 4.6.0 migration step for one realm: creates the {@code roles} and {@code web-origins}
 * client scopes and attaches both as <em>default</em> scopes to every OIDC client that is
 * not bearer-only.
 *
 * <p>Because they are added with {@code addClientScope(..., true)}, these scopes apply to
 * every token issued to those clients without being requested; operators who do not want
 * role claims or allowed-origins on a given client must detach the scope afterwards.
 *
 * <p>The closing log line only names the roles scope, although both scopes were assigned.
 *
 * @param session current Keycloak session (used to look up the MigrationProvider)
 * @param realm   realm being migrated
 * @param json    unused by this step; kept for the migration interface
 */
protected void migrateRealm(KeycloakSession session, RealmModel realm, boolean json) {
    MigrationProvider provider = session.getProvider(MigrationProvider.class);

    // Step 1: create both scopes on the realm.
    ClientScopeModel roles = provider.addOIDCRolesClientScope(realm);
    ClientScopeModel webOrigins = provider.addOIDCWebOriginsClientScope(realm);
    LOG.debugf("Added '%s' and '%s' default client scopes", roles.getName(), webOrigins.getName());

    // Step 2: attach both as default scopes to each eligible OIDC client.
    realm.getClientsStream()
            .filter(MigrationUtils::isOIDCNonBearerOnlyClient)
            .forEach(oidcClient -> {
                oidcClient.addClientScope(roles, true);
                oidcClient.addClientScope(webOrigins, true);
            });
    LOG.debugf("Client scope '%s' assigned to all the clients", roles.getName());
}

Example 49 with ClientScopeModel

use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.

the class DefaultClientScopes method createOfflineAccessClientScope.

// Assumption is that newRealm and offlineRole are not null AND the offline_access clientScope doesn't yet exist in the realm. The caller of this method is supposed to ensure that.
/**
 * Creates the built-in {@code offline_access} client scope on a freshly created realm.
 *
 * <p>The scope is registered as an <em>optional</em> default scope
 * ({@code addDefaultClientScope(..., false)}): a client must explicitly include
 * {@code offline_access} in its scope parameter to obtain an offline token. It is also
 * flagged to appear on the consent screen with the dedicated consent text, so users see
 * when long-lived offline access is being granted. The supplied offline role is attached
 * as a scope mapping on the scope.
 *
 * <p>Preconditions (enforced by the caller, not here): {@code newRealm} and
 * {@code offlineRole} are non-null and no {@code offline_access} scope exists yet.
 *
 * @param newRealm    realm that receives the new scope
 * @param offlineRole realm role mapped onto the scope
 */
public static void createOfflineAccessClientScope(RealmModel newRealm, RoleModel offlineRole) {
    ClientScopeModel scope = newRealm.addClientScope(OAuth2Constants.OFFLINE_ACCESS);

    scope.setProtocol("openid-connect");
    scope.setDescription("OpenID Connect built-in scope: offline_access");

    // Surface the grant on the consent screen so the user is told about offline access.
    scope.setDisplayOnConsentScreen(true);
    scope.setConsentScreenText(Constants.OFFLINE_ACCESS_SCOPE_CONSENT_TEXT);

    scope.addScopeMapping(offlineRole);

    // Optional (not default) scope: it must be requested via the scope parameter.
    newRealm.addDefaultClientScope(scope, false);
}

Example 50 with ClientScopeModel

use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.

the class UserConsentWithUserStorageModelTest method updateWithClientScopeRemovalTest.

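/**
 * Verifies that removing a granted client scope from a user's consent is persisted across
 * transactions and bumps the consent's last-updated timestamp.
 *
 * <p>Transaction 1 removes the "foo" client scope from john's consent for "foo-client" and
 * saves it. Transaction 2 re-reads the consent and checks that no granted scopes remain
 * and that createdDate &lt; lastUpdatedDate.
 *
 * <p>Fix over the original: {@code Assert.assertEquals} takes (expected, actual); the final
 * size assertion had them swapped, which produces a misleading failure message.
 *
 * @param session Keycloak session supplied by the {@code @ModelTest} runner
 */
@Test
@ModelTest
public void updateWithClientScopeRemovalTest(KeycloakSession session) {
    // Transaction 1: drop the "foo" client scope from john's consent and persist the change.
    KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession txSession) -> {
        RealmModel realm = txSession.realms().getRealmByName("original");
        ClientModel fooClient = realm.getClientByClientId("foo-client");
        UserModel john = txSession.users().getUserByUsername(realm, "john");
        UserConsentModel johnConsent = txSession.users().getConsentByClient(realm, john.getId(), fooClient.getId());

        // Precondition: exactly one granted client scope before removal.
        Assert.assertEquals(1, johnConsent.getGrantedClientScopes().size());

        // Remove the "foo" client scope from the granted set and save the consent.
        ClientScopeModel fooScope = KeycloakModelUtils.getClientScopeByName(realm, "foo");
        johnConsent.getGrantedClientScopes().remove(fooScope);
        txSession.users().updateConsent(realm, john.getId(), johnConsent);
    });

    // Transaction 2: re-read the consent and verify the removal was persisted.
    KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession txSession) -> {
        RealmModel realm = txSession.realms().getRealmByName("original");
        ClientModel fooClient = realm.getClientByClientId("foo-client");
        UserModel john = txSession.users().getUserByUsername(realm, "john");
        UserConsentModel johnConsent = txSession.users().getConsentByClient(realm, john.getId(), fooClient.getId());

        Assert.assertEquals(0, johnConsent.getGrantedClientScopes().size());
        Assert.assertTrue("Created date should be less than last updated date", johnConsent.getCreatedDate() < johnConsent.getLastUpdatedDate());
    });
}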
