
Example 1 with DefaultClientScopes

use of org.keycloak.models.utils.DefaultClientScopes in project keycloak by keycloak.

In class MigrateTo4_0_0, method migrateRealm.

/**
 * Runs the 4.0.0 model migration steps against a single realm.
 *
 * <p>The steps, in order:
 * <ol>
 *   <li>Rename every client scope whose name contains a space, replacing each space with an
 *       underscore.</li>
 *   <li>Unless {@code json} is set, create the default client scopes for the realm.</li>
 *   <li>Move the {@code allowed-client-templates} config entry of matching client registration
 *       policy components to {@code allowed-client-scopes} and set {@code allow-default-scopes}
 *       to {@code true}.</li>
 *   <li>Give eligible clients the {@code offline_access} client scope as an optional scope and,
 *       for clients without full scope allowed, drop the {@code offline_access} role scope
 *       mapping.</li>
 *   <li>Make consent-required clients that have no default client scopes show themselves on
 *       the consent screen.</li>
 * </ol>
 *
 * <p>Review points for operators auditing a migrated realm:
 * <ul>
 *   <li>The rename in step 1 does not check whether the underscore form already exists as
 *       another scope name; how {@code setName} treats a duplicate is not visible here —
 *       TODO confirm.</li>
 *   <li>Step 3 sets {@code allow-default-scopes} to {@code true} on every matching policy
 *       component unconditionally, so client registration policies are worth re-checking
 *       after the upgrade.</li>
 *   <li>Step 4 is skipped (with an info-level log line only) when the realm lacks the
 *       {@code offline_access} role or client scope; existing role scope mappings then stay
 *       as they were.</li>
 * </ul>
 *
 * @param session session handed on to {@code DefaultClientScopes.createDefaultClientScopes}
 * @param realm   realm whose client scopes, components and clients are migrated in place
 * @param json    when {@code true}, default client scope creation is skipped (per the original
 *                comment, a JSON import already contains them)
 */
protected void migrateRealm(KeycloakSession session, RealmModel realm, boolean json) {
    // Step 1: client scope names must not contain spaces any more.
    realm.getClientScopesStream()
            .filter(scope -> scope.getName().contains(" "))
            .forEach(scope -> {
                LOG.debugf("Replacing spaces with underscores in the name of client scope '%s' of realm '%s'", scope.getName(), realm.getName());
                // Literal replacement; the pattern has no regex metacharacters, so this matches replaceAll.
                scope.setName(scope.getName().replace(" ", "_"));
            });

    // Step 2: create the default client scopes. The trailing 'false' keeps them off existing
    // clients; for a JSON import they are already present, so nothing is created.
    if (!json) {
        LOG.debugf("Adding defaultClientScopes for realm '%s'", realm.getName());
        DefaultClientScopes.createDefaultClientScopes(session, realm, false);
    }

    // Step 3: carry the "allowed-client-templates" client registration policy over to its
    // client-scope based configuration keys.
    realm.getComponentsStream(realm.getId(), "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy")
            .filter(policy -> Objects.equals("allowed-client-templates", policy.getProviderId()))
            .forEach(policy -> {
                List<String> legacyValues = policy.getConfig().remove("allowed-client-templates");
                if (legacyValues != null) {
                    policy.getConfig().put("allowed-client-scopes", legacyValues);
                }
                // Set for every matching policy, whether or not a legacy value was present.
                policy.put("allow-default-scopes", true);
                realm.updateComponent(policy);
            });

    // Step 4: a client that has scope for the offline_access role (directly or through
    // fullScopeAllowed) receives the offline_access client scope as an optional scope. When the
    // client does not have fullScopeAllowed, the role is also removed from its scoped roles.
    final RoleModel offlineRole = realm.getRole(OAuth2Constants.OFFLINE_ACCESS);
    final ClientScopeModel offlineScope = (offlineRole == null)
            ? null
            : KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);
    if (offlineRole == null) {
        LOG.infof("Role 'offline_access' not available in realm '%s'. Skip migration of offline_access client scope.", realm.getName());
    } else if (offlineScope == null) {
        LOG.infof("Client scope 'offline_access' not available in realm '%s'. Skip migration of offline_access client scope.", realm.getName());
    } else {
        realm.getClientsStream()
                .filter(MigrationUtils::isOIDCNonBearerOnlyClient)
                .filter(client -> client.hasScope(offlineRole)
                        && !client.getClientScopes(false).containsKey(OAuth2Constants.OFFLINE_ACCESS))
                .forEach(client -> {
                    LOG.debugf("Adding client scope 'offline_access' as optional scope to client '%s' in realm '%s'.", client.getClientId(), realm.getName());
                    client.addClientScope(offlineScope, false);
                    if (!client.isFullScopeAllowed()) {
                        LOG.debugf("Removing role scope mapping for role 'offline_access' from client '%s' in realm '%s'.", client.getClientId(), realm.getName());
                        client.deleteScopeMapping(offlineRole);
                    }
                });
    }

    // Step 5: a consent-required client with no default client scopes would have nothing to
    // list on the consent screen, so it is made to display itself there. The text shown is the
    // client name, or the client id when no name is set.
    realm.getClientsStream()
            .filter(client -> client.isConsentRequired() && client.getClientScopes(true).isEmpty())
            .forEach(client -> {
                LOG.debugf("Adding client '%s' of realm '%s' to display itself on consent screen", client.getClientId(), realm.getName());
                client.setDisplayOnConsentScreen(true);
                client.setConsentScreenText(client.getName() != null ? client.getName() : client.getClientId());
            });
}
Also used : ClientModel(org.keycloak.models.ClientModel) ClientScopeModel(org.keycloak.models.ClientScopeModel) RealmModel(org.keycloak.models.RealmModel) KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils) Logger(org.jboss.logging.Logger) KeycloakSession(org.keycloak.models.KeycloakSession) RoleModel(org.keycloak.models.RoleModel) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) Objects(java.util.Objects) List(java.util.List) DefaultClientScopes(org.keycloak.models.utils.DefaultClientScopes) ModelVersion(org.keycloak.migration.ModelVersion) OAuth2Constants(org.keycloak.OAuth2Constants) ClientModel(org.keycloak.models.ClientModel) RoleModel(org.keycloak.models.RoleModel) ClientScopeModel(org.keycloak.models.ClientScopeModel)
