Class KeycloakIdentityProvider

java.lang.Object
org.openremote.container.security.keycloak.KeycloakIdentityProvider
All Implemented Interfaces:
IdentityProvider

public abstract class KeycloakIdentityProvider extends Object implements IdentityProvider
  • Field Details

    • ADMIN_CLI_CLIENT_ID

      public static final String ADMIN_CLI_CLIENT_ID
      See Also:
    • DEFAULT_CLIENTS

      public static final List<String> DEFAULT_CLIENTS
    • OR_KEYCLOAK_HOST

      public static final String OR_KEYCLOAK_HOST
      See Also:
    • OR_KEYCLOAK_HOST_DEFAULT

      public static final String OR_KEYCLOAK_HOST_DEFAULT
      See Also:
    • OR_KEYCLOAK_PORT

      public static final String OR_KEYCLOAK_PORT
      See Also:
    • OR_KEYCLOAK_PORT_DEFAULT

      public static final int OR_KEYCLOAK_PORT_DEFAULT
      See Also:
    • OR_KEYCLOAK_PATH

      public static final String OR_KEYCLOAK_PATH
      See Also:
    • OR_KEYCLOAK_PATH_DEFAULT

      public static final String OR_KEYCLOAK_PATH_DEFAULT
      See Also:
    • KEYCLOAK_CONNECT_TIMEOUT

      public static final String KEYCLOAK_CONNECT_TIMEOUT
      See Also:
    • KEYCLOAK_CONNECT_TIMEOUT_DEFAULT

      public static final int KEYCLOAK_CONNECT_TIMEOUT_DEFAULT
      See Also:
    • KEYCLOAK_REQUEST_TIMEOUT

      public static final String KEYCLOAK_REQUEST_TIMEOUT
      See Also:
    • KEYCLOAK_REQUEST_TIMEOUT_DEFAULT

      public static final int KEYCLOAK_REQUEST_TIMEOUT_DEFAULT
      See Also:
    • KEYCLOAK_CLIENT_POOL_SIZE

      public static final String KEYCLOAK_CLIENT_POOL_SIZE
      See Also:
    • KEYCLOAK_CLIENT_POOL_SIZE_DEFAULT

      public static final int KEYCLOAK_CLIENT_POOL_SIZE_DEFAULT
      See Also:
    • OR_IDENTITY_SESSION_MAX_MINUTES

      public static final String OR_IDENTITY_SESSION_MAX_MINUTES
      See Also:
    • OR_IDENTITY_SESSION_MAX_MINUTES_DEFAULT

      public static final int OR_IDENTITY_SESSION_MAX_MINUTES_DEFAULT
      See Also:
    • OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES

      public static final String OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES
      See Also:
    • OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES_DEFAULT

      public static final int OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES_DEFAULT
      See Also:
    • keycloakServiceUri

      protected jakarta.ws.rs.core.UriBuilder keycloakServiceUri
    • sessionTimeoutSeconds

      protected int sessionTimeoutSeconds
    • sessionMaxSeconds

      protected int sessionMaxSeconds
    • sessionOfflineTimeoutSeconds

      protected int sessionOfflineTimeoutSeconds
    • notAuthenticatedKeycloakDeployment

      protected final org.keycloak.adapters.KeycloakDeployment notAuthenticatedKeycloakDeployment
    • httpClient

      protected org.jboss.resteasy.client.jaxrs.ResteasyClient httpClient
    • keycloakTarget

      protected org.jboss.resteasy.client.jaxrs.ResteasyWebTarget keycloakTarget
    • oAuthGrant

      protected org.openremote.model.auth.OAuthGrant oAuthGrant
    • realmsResourcePool

      protected ConcurrentLinkedQueue<org.keycloak.admin.client.resource.RealmsResource> realmsResourcePool
    • keycloakDeploymentCache

      protected com.google.common.cache.LoadingCache<KeycloakRealmClient,org.keycloak.adapters.KeycloakDeployment> keycloakDeploymentCache
    • keycloakConfigResolver

      protected org.keycloak.adapters.KeycloakConfigResolver keycloakConfigResolver
    • authProxyHandler

      protected io.undertow.server.HttpHandler authProxyHandler
  • Constructor Details

    • KeycloakIdentityProvider

      protected KeycloakIdentityProvider()
      The supplied OAuthGrant is used to authenticate against Keycloak so that this provider can make programmatic changes. It must hold credentials for the `master` realm belonging to a user with the `admin` role, since that is what performing CRUD on realms, clients and users requires. Note that these are therefore highly privileged credentials: they should be sourced from `getStoredCredentials`/`generateStoredCredentials` or the environment-derived `getDefaultKeycloakGrant`, never hard-coded, and must not be logged.
  • Method Details

    • getDefaultKeycloakGrant

      public org.openremote.model.auth.OAuthPasswordGrant getDefaultKeycloakGrant(org.openremote.model.Container container)
    • init

      public void init(org.openremote.model.Container container)
      Specified by:
      init in interface IdentityProvider
    • start

      public void start(org.openremote.model.Container container)
      Specified by:
      start in interface IdentityProvider
    • stop

      public void stop(org.openremote.model.Container container)
      Specified by:
      stop in interface IdentityProvider
    • secureDeployment

      public void secureDeployment(io.undertow.servlet.api.DeploymentInfo deploymentInfo)
      Specified by:
      secureDeployment in interface IdentityProvider
    • getKeycloak

      public KeycloakResource getKeycloak()
    • syncUsers

      protected void syncUsers(String componentId, String realm, String action)
    • getRealms

      public final <T> T getRealms(Function<org.keycloak.admin.client.resource.RealmsResource,T> consumer)
    • getKeycloakDeployment

      public org.keycloak.adapters.KeycloakDeployment getKeycloakDeployment(String realm, String clientId)
    • getTokenUri

      public URI getTokenUri(String realm)
    • getAccessTokenSupplier

      public Supplier<String> getAccessTokenSupplier(org.openremote.model.auth.OAuthGrant grant)
      Convenience method that returns a supplier producing access tokens for the given grant from an OAuth-compliant token endpoint. The supplied tokens are bearer credentials and should be treated as secrets by callers.
    • setActiveCredentials

      public boolean setActiveCredentials(org.openremote.model.auth.OAuthGrant grant)
      Update the active credentials used to perform Keycloak admin API actions. The grant's token endpoint is overwritten with this instance's Keycloak server URI, targeting the `master` realm, so a caller cannot redirect admin authentication to a different token endpoint through the supplied grant.
    • getStoredCredentials

      protected abstract org.openremote.model.auth.OAuthGrant getStoredCredentials(org.openremote.model.Container container)
      Get any previously stored credentials for connecting to the Keycloak admin API. Implementations are responsible for keeping these at rest securely, as they grant `master` realm admin access.
      Returns:
      the stored credentials, or null if none are defined.
    • generateStoredCredentials

      protected abstract org.openremote.model.auth.OAuthGrant generateStoredCredentials(org.openremote.model.Container container)
      Generate and store new credentials for connecting to the Keycloak admin API. Generated secrets should be produced with a cryptographically secure random source.
      Returns:
      the generated credentials, or null if generation or storage failed.
    • createKeycloakDeploymentCache

      protected com.google.common.cache.LoadingCache<KeycloakRealmClient,org.keycloak.adapters.KeycloakDeployment> createKeycloakDeploymentCache()
    • enableAuthProxy

      protected void enableAuthProxy(WebService webService, String keycloakPath)
    • addClientRedirectUris

      protected abstract void addClientRedirectUris(String client, List<String> redirectUrls, boolean devMode)
      There must be _some_ valid redirect URIs registered for the client or authentication will not be possible. Registered redirect URIs should be exact, fully-qualified URLs; broad or wildcard patterns widen where an authorization response (and its code or token) may be sent to, which is a common OAuth misconfiguration. The `devMode` flag is presumably intended to permit looser entries for local development only — it should not be enabled in production deployments.
    • getSecurityContext

      public static org.keycloak.KeycloakSecurityContext getSecurityContext(Subject subject)
    • getSubjectName

      public static String getSubjectName(Subject subject)
    • getSubjectName

      public static String getSubjectName(Principal principal)
    • getSubjectNameAndRealm

      public static String getSubjectNameAndRealm(Principal principal)
    • getSubjectNameAndRealm

      public static String getSubjectNameAndRealm(Subject subject)
    • getSubjectId

      public static String getSubjectId(Subject subject)
    • isSuperUser

      public static boolean isSuperUser(org.keycloak.KeycloakSecurityContext securityContext)