use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
Class JpaUserFederatedStorageProvider, method toConsentModel.
/**
 * Converts a persisted federated consent entity into a {@link UserConsentModel}.
 * <p>
 * The client is resolved through a {@link StorageId}: when the entity carries no local
 * client id, the id is built from the client storage provider and the external client id.
 * Granted scope ids are looked up first as client scopes and then, as a fallback, as
 * clients; ids that resolve to neither are silently dropped from the model.
 *
 * @param realm realm the consent belongs to
 * @param entity persisted consent, may be {@code null}
 * @return the consent model, or {@code null} when {@code entity} is {@code null}
 */
private UserConsentModel toConsentModel(RealmModel realm, FederatedUserConsentEntity entity) {
    if (entity == null) {
        return null;
    }
    // A missing local client id means the client lives in an external client storage provider
    StorageId storageId = entity.getClientId() == null
            ? new StorageId(entity.getClientStorageProvider(), entity.getExternalClientId())
            : new StorageId(entity.getClientId());
    ClientModel client = realm.getClientById(storageId.getId());
    // NOTE(review): client may be null here; the model is built regardless — confirm callers cope with that
    UserConsentModel consent = new UserConsentModel(client);
    consent.setCreatedDate(entity.getCreatedDate());
    consent.setLastUpdatedDate(entity.getLastUpdatedDate());
    Collection<FederatedUserConsentClientScopeEntity> grantedScopes = entity.getGrantedClientScopes();
    if (grantedScopes != null) {
        for (FederatedUserConsentClientScopeEntity grantedScope : grantedScopes) {
            ClientScopeModel scope = realm.getClientScopeById(grantedScope.getScopeId());
            if (scope == null) {
                // A client can also be granted as a scope (ClientModel is a ClientScopeModel)
                scope = realm.getClientById(grantedScope.getScopeId());
            }
            if (scope != null) {
                consent.addGrantedClientScope(scope);
            }
        }
    }
    return consent;
}
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
Class JpaUserProvider, method updateGrantedConsentEntity.
/**
 * Synchronises the granted client scopes persisted on {@code consentEntity} with the
 * scopes currently granted on {@code consentModel}.
 * <p>
 * Scopes present in the model but not yet persisted are persisted and flushed one by one;
 * scopes persisted but no longer in the model are removed. The consent's last-updated
 * timestamp is always refreshed and the entity manager flushed at the end.
 * Membership tests rely on the entity's {@code equals}/{@code hashCode}
 * (presumably keyed on consent and scope id — confirm in the entity).
 *
 * @param consentEntity persisted consent to update
 * @param consentModel desired state of the consent
 */
private void updateGrantedConsentEntity(UserConsentEntity consentEntity, UserConsentModel consentModel) {
    Collection<UserConsentClientScopeEntity> persistedScopes = consentEntity.getGrantedClientScopes();
    // Assume every persisted scope is stale; scopes still granted are removed from this set below
    Collection<UserConsentClientScopeEntity> staleScopes = new HashSet<>(persistedScopes);
    for (ClientScopeModel grantedScope : consentModel.getGrantedClientScopes()) {
        UserConsentClientScopeEntity candidate = new UserConsentClientScopeEntity();
        candidate.setUserConsent(consentEntity);
        candidate.setScopeId(grantedScope.getId());
        if (persistedScopes.contains(candidate)) {
            // Already granted: keep it
            staleScopes.remove(candidate);
            continue;
        }
        em.persist(candidate);
        em.flush();
        persistedScopes.add(candidate);
    }
    // Whatever is left was revoked in the model
    for (UserConsentClientScopeEntity stale : staleScopes) {
        persistedScopes.remove(stale);
        em.remove(stale);
    }
    consentEntity.setLastUpdatedDate(Time.currentTimeMillis());
    em.flush();
}
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
Class LoginActionsService, method processConsent.
/**
 * Handles the POST from the OAuth consent ("grant") page.
 * <p>
 * Not meant to be invoked directly: the request is first validated through
 * {@code checksForCode} against the session code, client id and tab id, and only
 * proceeds when the authentication session is in the {@code OAUTH_GRANT} required-action
 * state. A "cancel" form field denies consent and returns the protocol-specific error
 * response. Otherwise every requested client scope that is displayed on the consent screen
 * and not yet granted is recorded on the user's consent for the client, after which the
 * login flow is completed.
 *
 * @return the redirect that finishes the login flow, the protocol error response on cancel,
 *         or the failure response produced by the session code checks
 */
@Path("consent")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response processConsent() {
    MultivaluedMap<String, String> form = request.getDecodedFormParameters();
    event.event(EventType.LOGIN);
    String sessionCode = form.getFirst(SESSION_CODE);
    MultivaluedMap<String, String> queryParams = session.getContext().getUri().getQueryParameters();
    String clientId = queryParams.getFirst(Constants.CLIENT_ID);
    String tabId = queryParams.getFirst(Constants.TAB_ID);
    SessionCodeChecks checks = checksForCode(null, sessionCode, null, clientId, tabId, REQUIRED_ACTION);
    if (!checks.verifyRequiredAction(AuthenticationSessionModel.Action.OAUTH_GRANT.name())) {
        // Code/client/tab mismatch or wrong flow state: the checks already built the error response
        return checks.getResponse();
    }
    AuthenticationSessionModel authSession = checks.getAuthenticationSession();
    initLoginEvent(authSession);
    UserModel user = authSession.getAuthenticatedUser();
    ClientModel client = authSession.getClient();

    if (form.containsKey("cancel")) {
        // User declined: let the protocol report the denial back to the client
        LoginProtocol protocol = session.getProvider(LoginProtocol.class, authSession.getProtocol());
        protocol.setRealm(realm).setHttpHeaders(headers).setUriInfo(session.getContext().getUri()).setEventBuilder(event);
        Response denied = protocol.sendError(authSession, Error.CONSENT_DENIED);
        event.error(Errors.REJECTED_BY_USER);
        return denied;
    }

    UserConsentModel consent = session.users().getConsentByClient(realm, user.getId(), client.getId());
    if (consent == null) {
        consent = new UserConsentModel(client);
        session.users().addConsent(realm, user.getId(), consent);
    }
    // Persist only when something new was granted (e.g. prompt=consent may re-grant everything)
    boolean consentChanged = false;
    for (String scopeId : authSession.getClientScopes()) {
        ClientScopeModel scope = KeycloakModelUtils.findClientScopeById(realm, client, scopeId);
        if (scope == null) {
            logger.warnf("Client scope or client with ID '%s' not found", scopeId);
            continue;
        }
        // Scopes hidden from the consent screen are never recorded as explicitly granted
        if (consent.isClientScopeGranted(scope) || !scope.isDisplayOnConsentScreen()) {
            continue;
        }
        consent.addGrantedClientScope(scope);
        consentChanged = true;
    }
    if (consentChanged) {
        session.users().updateConsent(realm, user.getId(), consent);
    }
    event.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED);
    event.success();
    ClientSessionContext clientSessionCtx = AuthenticationProcessor.attachSession(authSession, null, session, realm, clientConnection, event);
    return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSessionCtx.getClientSession().getUserSession(), clientSessionCtx, request, session.getContext().getUri(), clientConnection, event, authSession);
}
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
Class UserCacheSession, method toConsentModel.
/**
 * Rebuilds a {@link UserConsentModel} from its cached representation.
 * <p>
 * Returns {@code null} when the client the consent was given for can no longer be
 * resolved. Cached scope ids are resolved through
 * {@code KeycloakModelUtils.findClientScopeById}; ids that do not resolve are skipped.
 *
 * @param realm realm the consent belongs to
 * @param cachedConsent cached consent data
 * @return the consent model, or {@code null} if the client is gone
 */
private UserConsentModel toConsentModel(RealmModel realm, CachedUserConsent cachedConsent) {
    ClientModel client = session.clients().getClientById(realm, cachedConsent.getClientDbId());
    if (client == null) {
        return null;
    }
    UserConsentModel consent = new UserConsentModel(client);
    consent.setCreatedDate(cachedConsent.getCreatedDate());
    consent.setLastUpdatedDate(cachedConsent.getLastUpdatedDate());
    for (String scopeId : cachedConsent.getClientScopeIds()) {
        ClientScopeModel scope = KeycloakModelUtils.findClientScopeById(realm, client, scopeId);
        if (scope == null) {
            // Stale id in the cache: nothing to grant
            continue;
        }
        consent.addGrantedClientScope(scope);
    }
    return consent;
}
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
Class ClientScopeAuthorizationRequestParser, method getMatchingClientScope.
/**
 * Finds the optional client scope, if any, that a single requested OAuth scope refers to.
 * <p>
 * Dynamic scopes are matched against their stored regexp, in which the {@code *}
 * placeholder is turned into a capture group so the parameter part of the requested
 * scope can be extracted; static scopes are matched by name, ignoring case. The first
 * match wins, in the iteration order of {@code optionalScopes}.
 * <p>
 * NOTE(review): the stored regexp is compiled as-is on every call, so it must be a valid
 * pattern containing a single {@code *}; with no {@code *} a successful match would fail
 * on {@code group(1)}. Presumably guaranteed by validation on the admin side — confirm.
 *
 * @param requestScope one of the requested OAuth scopes
 * @param optionalScopes the optional client scopes of the current client
 * @return the matched scope wrapped in an {@link IntermediaryScopeRepresentation}, or an
 *         empty Optional when nothing matched
 */
private Optional<IntermediaryScopeRepresentation> getMatchingClientScope(String requestScope, Collection<ClientScopeModel> optionalScopes) {
    for (ClientScopeModel candidate : optionalScopes) {
        if (!candidate.isDynamicScope()) {
            // Static scope: plain case-insensitive name comparison
            if (requestScope.equalsIgnoreCase(candidate.getName())) {
                return Optional.of(new IntermediaryScopeRepresentation(candidate));
            }
            continue;
        }
        // The regexp is stored without a capture group (easier to display); add one for the parameter
        String regexp = candidate.getDynamicScopeRegexp().replace("*", "(.*)");
        Matcher matcher = Pattern.compile(regexp).matcher(requestScope);
        if (matcher.matches()) {
            return Optional.of(new IntermediaryScopeRepresentation(candidate, matcher.group(1), requestScope));
        }
    }
    // No match: empty Optional rather than null
    return Optional.empty();
}