use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
the class UserStorageConsentTest method setupConsent.
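/**
 * Test fixture: forces the {@code product-portal} client in the {@code demo} realm to
 * require user consent, and moves its username / email / given-name OIDC protocol
 * mappers off the client onto a freshly created client scope named {@code clientScope},
 * which is then attached to the client.
 *
 * <p>Note that <em>every</em> protocol mapper is removed from the client, not only the
 * three that are copied over; mappers of other names (or other protocols) simply disappear.
 *
 * @param session active Keycloak session used to look up the realm and client
 * @throws IllegalStateException if the {@code demo} realm or the {@code product-portal}
 *         client does not exist (previously this surfaced as a bare NullPointerException)
 */
public static void setupConsent(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName("demo");
    if (realm == null) {
        throw new IllegalStateException("realm 'demo' not found");
    }
    ClientModel product = session.clients().getClientByClientId(realm, "product-portal");
    if (product == null) {
        throw new IllegalStateException("client 'product-portal' not found in realm 'demo'");
    }
    product.setConsentRequired(true);

    ClientScopeModel clientScope = realm.addClientScope("clientScope");
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    // Diagnostic output kept from the original fixture (expected to print 0 for a new scope).
    System.err.println("client scope protocol mappers size: " + clientScope.getProtocolMappersStream().count());

    // Materialise the stream before the loop: the loop body removes mappers from the
    // client, and removing from the backing store while its stream is still open is unsafe.
    for (ProtocolMapperModel mapper : product.getProtocolMappersStream().collect(Collectors.toList())) {
        // Constant-first equals so a mapper with a null protocol cannot NPE the fixture.
        if (OIDCLoginProtocol.LOGIN_PROTOCOL.equals(mapper.getProtocol()) && isConsentMapper(mapper.getName())) {
            clientScope.addProtocolMapper(copyMapper(mapper));
        }
        // Unconditional: the client ends up with no protocol mappers of its own.
        product.removeProtocolMapper(mapper);
    }
    // NOTE(review): the boolean is assumed to mean "default (non-optional) scope", mirroring
    // RealmModel.addDefaultClientScope(scope, true) elsewhere in the code base - confirm.
    product.addClientScope(clientScope, true);
}

/** True for the three built-in OIDC mappers this fixture relocates onto the consent scope. */
private static boolean isConsentMapper(String mapperName) {
    return OIDCLoginProtocolFactory.USERNAME.equals(mapperName)
            || OIDCLoginProtocolFactory.EMAIL.equals(mapperName)
            || OIDCLoginProtocolFactory.GIVEN_NAME.equals(mapperName);
}

/**
 * Builds a detached copy of {@code mapper} (name, protocol, mapper id and a defensive copy of
 * the config map) so it can be added to a different owner without sharing state.
 */
private static ProtocolMapperModel copyMapper(ProtocolMapperModel mapper) {
    ProtocolMapperModel copy = new ProtocolMapperModel();
    copy.setName(mapper.getName());
    copy.setProtocol(mapper.getProtocol());
    Map<String, String> config = new HashMap<>();
    config.putAll(mapper.getConfig());
    copy.setConfig(config);
    copy.setProtocolMapper(mapper.getProtocolMapper());
    return copy;
}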
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
the class OIDCLoginProtocolFactory method addWebOriginsClientScope.
/**
 * Ensures the realm has the built-in {@code web-origins} OIDC client scope and returns it.
 *
 * <p>If a scope of that name already exists it is returned untouched. Otherwise a new scope
 * is created carrying the {@code allowed web origins} built-in mapper, hidden from the consent
 * screen (the origins are a client permission, not something the user grants), excluded from
 * the token scope, and registered as a <em>default</em> client scope of the realm.
 *
 * @param newRealm realm to look up or create the scope in
 * @return the existing or newly created {@code web-origins} client scope
 */
public static ClientScopeModel addWebOriginsClientScope(RealmModel newRealm) {
    ClientScopeModel existing = KeycloakModelUtils.getClientScopeByName(newRealm, WEB_ORIGINS_SCOPE);
    if (existing != null) {
        logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", WEB_ORIGINS_SCOPE, newRealm.getName());
        return existing;
    }

    ClientScopeModel scope = newRealm.addClientScope(WEB_ORIGINS_SCOPE);
    scope.setDescription("OpenID Connect scope for add allowed web origins to the access token");
    // Never shown to the user: allowed origins are a property of the client, not a user grant.
    scope.setDisplayOnConsentScreen(false);
    scope.setConsentScreenText("");
    scope.setIncludeInTokenScope(false);
    scope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    scope.addProtocolMapper(builtins.get(ALLOWED_WEB_ORIGINS));
    // true -> applied to every new client as a default (non-optional) scope.
    newRealm.addDefaultClientScope(scope, true);
    return scope;
}
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
the class OIDCLoginProtocolFactory method addRolesClientScope.
/**
 * Ensures the realm has the built-in {@code roles} OIDC client scope and returns it.
 *
 * <p>An existing scope of that name is returned as-is. Otherwise the scope is created with the
 * realm-roles, client-roles and audience-resolve built-in mappers, is shown on the consent
 * screen using {@code ROLES_SCOPE_CONSENT_TEXT}, is excluded from the token scope, and is
 * registered as a <em>default</em> client scope of the realm.
 *
 * @param newRealm realm to look up or create the scope in
 * @return the existing or newly created {@code roles} client scope
 */
public static ClientScopeModel addRolesClientScope(RealmModel newRealm) {
    ClientScopeModel existing = KeycloakModelUtils.getClientScopeByName(newRealm, ROLES_SCOPE);
    if (existing != null) {
        logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", ROLES_SCOPE, newRealm.getName());
        return existing;
    }

    ClientScopeModel scope = newRealm.addClientScope(ROLES_SCOPE);
    scope.setDescription("OpenID Connect scope for add user roles to the access token");
    // Unlike web-origins, role release is something the user sees and grants on the consent page.
    scope.setDisplayOnConsentScreen(true);
    scope.setConsentScreenText(ROLES_SCOPE_CONSENT_TEXT);
    scope.setIncludeInTokenScope(false);
    scope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    scope.addProtocolMapper(builtins.get(REALM_ROLES));
    scope.addProtocolMapper(builtins.get(CLIENT_ROLES));
    scope.addProtocolMapper(builtins.get(AUDIENCE_RESOLVE));
    // true -> applied to every new client as a default (non-optional) scope.
    newRealm.addDefaultClientScope(scope, true);
    return scope;
}
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
the class OIDCLoginProtocolFactory method addMicroprofileJWTClientScope.
/**
 * Ensures the realm has the {@code microprofile-jwt} client scope and returns it.
 *
 * <p>An existing scope of that name is returned unchanged. Otherwise the scope is created with
 * the {@code upn} and {@code groups} built-in mappers, hidden from the consent screen,
 * included in the token scope, and registered as an <em>optional</em> client scope of the
 * realm (clients have to request it explicitly, in contrast to the default scopes).
 *
 * @param newRealm the realm to which the {@code microprofile-jwt} scope is to be added
 * @return the {@code microprofile-jwt} client scope that was either created or already existed
 */
public static ClientScopeModel addMicroprofileJWTClientScope(RealmModel newRealm) {
    ClientScopeModel existing = KeycloakModelUtils.getClientScopeByName(newRealm, MICROPROFILE_JWT_SCOPE);
    if (existing != null) {
        logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", MICROPROFILE_JWT_SCOPE, newRealm.getName());
        return existing;
    }

    ClientScopeModel scope = newRealm.addClientScope(MICROPROFILE_JWT_SCOPE);
    scope.setDescription("Microprofile - JWT built-in scope");
    scope.setDisplayOnConsentScreen(false);
    scope.setIncludeInTokenScope(true);
    scope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    scope.addProtocolMapper(builtins.get(UPN));
    scope.addProtocolMapper(builtins.get(GROUPS));
    // false -> optional scope: not attached to clients unless explicitly requested.
    newRealm.addDefaultClientScope(scope, false);
    return scope;
}
use of org.keycloak.models.ClientScopeModel in project keycloak by keycloak.
the class TokenManager method attachAuthenticationSession.
/**
 * Promotes a finished authentication session into an authenticated client session on the
 * given user session, copies its notes across, and then discards the authentication session.
 *
 * <p>Order matters here: the client notes are copied first and the level-of-authentication
 * note is written afterwards, so the value computed from the authentication session always
 * overrides any same-named note the client may have carried. The authentication session is
 * removed only after everything has been transferred.
 *
 * @param session     current Keycloak session
 * @param userSession user session the client session is attached to (created if absent)
 * @param authSession completed authentication session; removed before this method returns
 * @return client session context built from the client session and the resolved scope ids
 */
public static ClientSessionContext attachAuthenticationSession(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession) {
    ClientModel client = authSession.getClient();

    // Reuse the client session for this client if one already hangs off the user session.
    AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
    if (clientSession == null) {
        clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession);
    }
    clientSession.setRedirectUri(authSession.getRedirectUri());
    clientSession.setProtocol(authSession.getProtocol());

    // With dynamic scopes the granted scope set is re-derived from the request's "scope"
    // client note; otherwise the ids recorded on the authentication session are used as-is.
    Set<String> clientScopeIds;
    if (!Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
        clientScopeIds = authSession.getClientScopes();
    } else {
        String requestedScope = authSession.getClientNote(OAuth2Constants.SCOPE);
        clientScopeIds = AuthorizationContextUtil
                .getClientScopesStreamFromAuthorizationRequestContextWithClient(session, requestedScope)
                .map(ClientScopeModel::getId)
                .collect(Collectors.toSet());
    }

    authSession.getClientNotes().forEach(clientSession::setNote);
    authSession.getUserSessionNotes().forEach(userSession::setNote);

    // Written after the note copy so the computed level wins over any transferred note of the same name.
    int levelOfAuthentication = AuthenticatorUtil.getCurrentLevelOfAuthentication(authSession);
    clientSession.setNote(Constants.LEVEL_OF_AUTHENTICATION, String.valueOf(levelOfAuthentication));
    clientSession.setTimestamp(Time.currentTime());

    // Everything has been transferred; the authentication session is no longer needed.
    new AuthenticationSessionManager(session).removeAuthenticationSession(userSession.getRealm(), authSession, true);

    return DefaultClientSessionContext.fromClientSessionAndClientScopeIds(clientSession, clientScopeIds, session);
}