Examples with SubjectType org.keycloak.protocol.oidc.utils.SubjectType used on opensource projects

Example 1 with SubjectType

use of org.keycloak.protocol.oidc.utils.SubjectType in project keycloak by keycloak.

the class DescriptionConverter method toExternalResponse.

public static OIDCClientRepresentation toExternalResponse(KeycloakSession session, ClientRepresentation client, URI uri) {
    OIDCClientRepresentation response = new OIDCClientRepresentation();
    response.setClientId(client.getClientId());
    if ("none".equals(client.getClientAuthenticatorType())) {
        response.setTokenEndpointAuthMethod("none");
    } else {
        ClientAuthenticatorFactory clientAuth = (ClientAuthenticatorFactory) session.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, client.getClientAuthenticatorType());
        Set<String> oidcClientAuthMethods = clientAuth.getProtocolAuthenticatorMethods(OIDCLoginProtocol.LOGIN_PROTOCOL);
        if (oidcClientAuthMethods != null && !oidcClientAuthMethods.isEmpty()) {
            response.setTokenEndpointAuthMethod(oidcClientAuthMethods.iterator().next());
        }
    }
    if (client.getClientAuthenticatorType().equals(ClientIdAndSecretAuthenticator.PROVIDER_ID)) {
        response.setClientSecret(client.getSecret());
        response.setClientSecretExpiresAt(0);
    }
    response.setClientName(client.getName());
    response.setClientUri(client.getBaseUrl());
    response.setRedirectUris(client.getRedirectUris());
    response.setRegistrationAccessToken(client.getRegistrationAccessToken());
    response.setRegistrationClientUri(uri.toString());
    response.setResponseTypes(getOIDCResponseTypes(client));
    response.setGrantTypes(getOIDCGrantTypes(client));
    List<String> scopes = client.getOptionalClientScopes();
    if (scopes != null)
        response.setScope(scopes.stream().collect(Collectors.joining(" ")));
    OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    if (config.isUserInfoSignatureRequired()) {
        response.setUserinfoSignedResponseAlg(config.getUserInfoSignedResponseAlg().toString());
    }
    if (config.getRequestObjectSignatureAlg() != null) {
        response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg().toString());
    }
    if (config.getRequestObjectEncryptionAlg() != null) {
        response.setRequestObjectEncryptionAlg(config.getRequestObjectEncryptionAlg());
    }
    if (config.getRequestObjectEncryptionEnc() != null) {
        response.setRequestObjectEncryptionEnc(config.getRequestObjectEncryptionEnc());
    }
    if (config.isUseJwksUrl()) {
        response.setJwksUri(config.getJwksUrl());
    }
    if (config.isUseJwksString()) {
        try {
            response.setJwks(JsonSerialization.readValue(config.getJwksString(), JSONWebKeySet.class));
        } catch (IOException e) {
            throw new ClientRegistrationException("Illegal jwks format");
        }
    }
    // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.5
    if (config.isUseMtlsHokToken()) {
        response.setTlsClientCertificateBoundAccessTokens(Boolean.TRUE);
    } else {
        response.setTlsClientCertificateBoundAccessTokens(Boolean.FALSE);
    }
    if (config.getTlsClientAuthSubjectDn() != null) {
        response.setTlsClientAuthSubjectDn(config.getTlsClientAuthSubjectDn());
    }
    if (config.getIdTokenSignedResponseAlg() != null) {
        response.setIdTokenSignedResponseAlg(config.getIdTokenSignedResponseAlg());
    }
    if (config.getIdTokenEncryptedResponseAlg() != null) {
        response.setIdTokenEncryptedResponseAlg(config.getIdTokenEncryptedResponseAlg());
    }
    if (config.getIdTokenEncryptedResponseEnc() != null) {
        response.setIdTokenEncryptedResponseEnc(config.getIdTokenEncryptedResponseEnc());
    }
    if (config.getAuthorizationSignedResponseAlg() != null) {
        response.setAuthorizationSignedResponseAlg(config.getAuthorizationSignedResponseAlg());
    }
    if (config.getAuthorizationEncryptedResponseAlg() != null) {
        response.setAuthorizationEncryptedResponseAlg(config.getAuthorizationEncryptedResponseAlg());
    }
    if (config.getAuthorizationEncryptedResponseEnc() != null) {
        response.setAuthorizationEncryptedResponseEnc(config.getAuthorizationEncryptedResponseEnc());
    }
    if (config.getRequestUris() != null) {
        response.setRequestUris(config.getRequestUris());
    }
    if (config.getTokenEndpointAuthSigningAlg() != null) {
        response.setTokenEndpointAuthSigningAlg(config.getTokenEndpointAuthSigningAlg());
    }
    response.setBackchannelLogoutUri(config.getBackchannelLogoutUrl());
    response.setBackchannelLogoutSessionRequired(config.isBackchannelLogoutSessionRequired());
    response.setBackchannelLogoutSessionRequired(config.getBackchannelLogoutRevokeOfflineTokens());
    if (client.getAttributes() != null) {
        String mode = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT);
        if (StringUtil.isNotBlank(mode)) {
            response.setBackchannelTokenDeliveryMode(mode);
        }
        String clientNotificationEndpoint = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT);
        if (StringUtil.isNotBlank(clientNotificationEndpoint)) {
            response.setBackchannelClientNotificationEndpoint(clientNotificationEndpoint);
        }
        String alg = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG);
        if (StringUtil.isNotBlank(alg)) {
            response.setBackchannelAuthenticationRequestSigningAlg(alg);
        }
        Boolean requirePushedAuthorizationRequests = Boolean.valueOf(client.getAttributes().get(ParConfig.REQUIRE_PUSHED_AUTHORIZATION_REQUESTS));
        response.setRequirePushedAuthorizationRequests(requirePushedAuthorizationRequests.booleanValue());
    }
    List<ProtocolMapperRepresentation> foundPairwiseMappers = PairwiseSubMapperUtils.getPairwiseSubMappers(client);
    SubjectType subjectType = foundPairwiseMappers.isEmpty() ? SubjectType.PUBLIC : SubjectType.PAIRWISE;
    response.setSubjectType(subjectType.toString().toLowerCase());
    if (subjectType.equals(SubjectType.PAIRWISE)) {
        // Get sectorIdentifier from 1st found
        String sectorIdentifierUri = PairwiseSubMapperHelper.getSectorIdentifierUri(foundPairwiseMappers.get(0));
        response.setSectorIdentifierUri(sectorIdentifierUri);
    }
    response.setFrontChannelLogoutUri(config.getFrontChannelLogoutUrl());
    List<String> defaultAcrValues = config.getAttributeMultivalued(Constants.DEFAULT_ACR_VALUES);
    if (!defaultAcrValues.isEmpty()) {
        response.setDefaultAcrValues(defaultAcrValues);
    }
    return response;
}

Example 2 with SubjectType

use of org.keycloak.protocol.oidc.utils.SubjectType in project keycloak by keycloak.

the class DefaultClientValidationProvider method validatePairwiseInOIDCClient.

private void validatePairwiseInOIDCClient(ClientValidationContext.OIDCContext context) {
    OIDCClientRepresentation oidcRep = context.getOIDCClient();
    SubjectType subjectType = SubjectType.parse(oidcRep.getSubjectType());
    String sectorIdentifierUri = oidcRep.getSectorIdentifierUri();
    // If sector_identifier_uri is in oidc config, then always validate it
    if (SubjectType.PAIRWISE == subjectType || (sectorIdentifierUri != null && !sectorIdentifierUri.isEmpty())) {
        validatePairwise(context, oidcRep.getSectorIdentifierUri());
    }
}