Java Code Examples for org.keycloak.models.ClientModel#equals()

The following examples show how to use org.keycloak.models.ClientModel#equals(); each example links to the original Keycloak source file it was taken from.
Example 1
Source File: InMemoryUserAdapter.java    From keycloak with Apache License 2.0
/**
 * Returns the subset of this user's role mappings whose container is the given client.
 *
 * <p>Roles are kept when {@code app.equals(role.getContainer())} holds, so any role whose
 * container is not this client (another client, or a non-client container) is excluded.
 *
 * @param app the client whose roles should be kept
 * @return a new, mutable set holding the matching roles; empty when none match
 */
@Override
public Set<RoleModel> getClientRoleMappings(ClientModel app) {
    // Start from a copy of every mapping and drop the roles not owned by the requested client.
    Set<RoleModel> clientRoles = new HashSet<>(getRoleMappings());
    clientRoles.removeIf(role -> !app.equals(role.getContainer()));
    return clientRoles;
}
 
Example 2
Source File: RootAuthenticationSessionAdapter.java    From keycloak with Apache License 2.0
/**
 * Looks up the authentication session for the given client and browser tab.
 *
 * <p>The session is returned only when one exists for {@code tabId} <em>and</em> it belongs
 * to {@code client}; the ownership check keeps a client from obtaining a tab's session that
 * was started for a different client. On success the session is also set as the current
 * authentication session on the Keycloak session context.
 *
 * @param client the client the session must belong to; {@code null} yields {@code null}
 * @param tabId  the browser tab identifier; {@code null} yields {@code null}
 * @return the matching session, or {@code null} when there is none for this client/tab pair
 */
@Override
public AuthenticationSessionModel getAuthenticationSession(ClientModel client, String tabId) {
    if (client == null) {
        return null;
    }
    if (tabId == null) {
        return null;
    }

    AuthenticationSessionModel found = getAuthenticationSessions().get(tabId);
    if (found == null) {
        return null;
    }
    // Never hand out a session that was created for another client.
    if (!client.equals(found.getClient())) {
        return null;
    }

    session.getContext().setAuthenticationSession(found);
    return found;
}
 
Example 3
Source File: TokenEndpoint.java    From keycloak with Apache License 2.0
/**
 * Handles the client-to-client leg of the token exchange: issues a token for
 * {@code targetUser} / {@code targetUserSession} addressed either to the requesting client
 * itself or, when an {@code audience} form parameter is supplied, to that other client.
 *
 * <p>Validation runs in this order, and every failure records an event and throws before any
 * token is minted:
 * <ol>
 *   <li>{@code requested_token_type} must be absent (defaults to a refresh token) or exactly
 *       one of the access, refresh or SAML2 token types (case-sensitive string comparison);</li>
 *   <li>{@code audience}, when present, must resolve to a client of this realm;</li>
 *   <li>the target client must not require user consent;</li>
 *   <li>exchanging to a client other than the caller requires the fine-grained exchange-to
 *       permission checked via {@code AdminPermissions.management(...).clients().canExchangeTo}.</li>
 * </ol>
 *
 * @param targetUser        the user the exchanged token will represent
 * @param targetUserSession the user session the exchanged token is bound to
 * @return the response produced by the OIDC- or SAML2-specific exchange method
 * @throws CorsErrorResponseException on any validation or authorization failure: 400 for
 *         unsupported token type, unknown audience or consent-requiring target, 403 when the
 *         caller is not permitted to exchange to the audience
 */
protected Response exchangeClientToClient(UserModel targetUser, UserSessionModel targetUserSession) {
    String requestedTokenType = formParams.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
    if (requestedTokenType == null) {
        // An omitted requested_token_type means a refresh token is wanted.
        requestedTokenType = OAuth2Constants.REFRESH_TOKEN_TYPE;
    } else if (!requestedTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE) &&
            !requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE) &&
            !requestedTokenType.equals(OAuth2Constants.SAML2_TOKEN_TYPE)) {
        event.detail(Details.REASON, "requested_token_type unsupported");
        event.error(Errors.INVALID_REQUEST);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);

    }
    // Without an explicit audience the exchange is to the calling client itself.
    ClientModel targetClient = client;
    String audience = formParams.getFirst(OAuth2Constants.AUDIENCE);
    if (audience != null) {
        // The audience is a client id (not the internal id) and is looked up in the current realm only.
        targetClient = realm.getClientByClientId(audience);
        if (targetClient == null) {
            event.detail(Details.REASON, "audience not found");
            event.error(Errors.CLIENT_NOT_FOUND);
            throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_CLIENT, "Audience not found", Response.Status.BAD_REQUEST);

        }
    }

    // Token exchange cannot collect user consent, so a consent-requiring target is refused outright.
    // NOTE(review): this runs before the permission check below, so a caller without exchange
    // permission can still distinguish "audience unknown" / "audience requires consent" from
    // "not allowed" by the error returned — confirm whether that disclosure is acceptable.
    if (targetClient.isConsentRequired()) {
        event.detail(Details.REASON, "audience requires consent");
        event.error(Errors.CONSENT_DENIED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_CLIENT, "Client requires user consent", Response.Status.BAD_REQUEST);
    }

    // A client may always exchange to itself; any other target needs the exchange-to permission.
    if (!targetClient.equals(client) && !AdminPermissions.management(session, realm).clients().canExchangeTo(client, targetClient)) {
        event.detail(Details.REASON, "client not allowed to exchange to audience");
        event.error(Errors.NOT_ALLOWED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
    }

    String scope = formParams.getFirst(OAuth2Constants.SCOPE);

    // Dispatch on the already-validated token type.
    switch (requestedTokenType) {
        case OAuth2Constants.ACCESS_TOKEN_TYPE:
        case OAuth2Constants.REFRESH_TOKEN_TYPE:
            return exchangeClientToOIDCClient(targetUser, targetUserSession, requestedTokenType, targetClient, audience, scope);
        case OAuth2Constants.SAML2_TOKEN_TYPE:
            return exchangeClientToSAML2Client(targetUser, targetUserSession, requestedTokenType, targetClient, audience, scope);
    }

    // Unreachable given the validation at the top, kept as a fail-closed default so a future
    // token type that is accepted above but not dispatched here is rejected rather than ignored.
    throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
}
 
Example 4
Source File: ClientPermissions.java    From keycloak with Apache License 2.0
/**
 * Decides whether {@code authorizedClient} may exchange a token for one addressed to the
 * client {@code to}.
 *
 * <p>A client may always exchange to itself. For any other target the decision is delegated
 * to the authorization engine: the target client must have a resource server, a resource, an
 * exchange-to permission with at least one policy attached, and an initialized token-exchange
 * scope. If any of these is missing the answer is {@code false} (fail closed) and the reason
 * is logged at debug level. Otherwise the permission is evaluated with the requesting client
 * as the identity, with its client id exposed to policies as {@code kc.client.id}.
 *
 * @param authorizedClient the client requesting the exchange
 * @param to               the client the exchanged token should be issued for
 * @return {@code true} if the exchange is permitted
 */
@Override
public boolean canExchangeTo(ClientModel authorizedClient, ClientModel to) {
    // Exchanging to oneself needs no fine-grained permission.
    if (authorizedClient.equals(to)) {
        return true;
    }

    ResourceServer server = resourceServer(to);
    if (server == null) {
        logger.debug("No resource server set up for target client");
        return false;
    }

    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId());
    if (resource == null) {
        logger.debug("No resource object set up for target client");
        return false;
    }

    Policy permission = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId());
    if (permission == null) {
        logger.debug("No permission object set up for target client");
        return false;
    }

    // A permission with no policies attached can grant nothing, so deny instead of evaluating it.
    Set<Policy> attached = permission.getAssociatedPolicies();
    if (attached == null || attached.isEmpty()) {
        logger.debug("No policies set up for permission on target client");
        return false;
    }

    Scope exchangeScope = exchangeToScope(server);
    if (exchangeScope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }

    ClientModelIdentity requester = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext evaluationContext = new DefaultEvaluationContext(requester, session) {
        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            // Make the requesting client's id available to policies as kc.client.id.
            Map<String, Collection<String>> base = super.getBaseAttributes();
            base.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return base;
        }
    };
    return root.evaluatePermission(resource, server, evaluationContext, exchangeScope);
}
 
Example 5
Source File: IdentityProviderPermissions.java    From keycloak with Apache License 2.0
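/**
 * Decides whether {@code authorizedClient} may exchange a token for an external token of the
 * identity provider {@code to}.
 *
 * <p>The decision is delegated to the authorization engine on the realm's resource server:
 * the identity provider must have a resource, an exchange-to permission with at least one
 * policy attached, and the token-exchange scope must be initialized. If any of these is
 * missing the answer is {@code false} (fail closed) and the reason is logged at debug level.
 * Otherwise the permission is evaluated with the requesting client as the identity, with its
 * client id exposed to policies as {@code kc.client.id}.
 *
 * <p>Unlike the client-to-client variant there is no "exchange to yourself" shortcut: a
 * {@link ClientModel} and an {@link IdentityProviderModel} are never the same entity, so the
 * permission is always evaluated.
 *
 * @param authorizedClient the client requesting the exchange
 * @param to               the identity provider whose token is requested
 * @return {@code true} if the exchange is permitted
 */
@Override
public boolean canExchangeTo(ClientModel authorizedClient, IdentityProviderModel to) {
    // The former `if (!authorizedClient.equals(to))` guard compared a ClientModel with an
    // IdentityProviderModel. Such a cross-type equals is false for any sane implementation,
    // and for a broken one it would have skipped the permission evaluation and returned true.
    // Dropping it makes the method evaluate the permission unconditionally.
    ResourceServer server = root.initializeRealmResourceServer();
    if (server == null) {
        logger.debug("No resource server set up for target idp");
        return false;
    }

    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId());
    if (resource == null) {
        logger.debug("No resource object set up for target idp");
        return false;
    }

    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId());
    if (policy == null) {
        logger.debug("No permission object set up for target idp");
        return false;
    }

    // A permission with no policies attached can grant nothing, so deny instead of evaluating it.
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        logger.debug("No policies set up for permission on target idp");
        return false;
    }

    Scope scope = exchangeToScope(server);
    if (scope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }

    ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext context = new DefaultEvaluationContext(identity, session) {
        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            // Make the requesting client's id available to policies as kc.client.id.
            Map<String, Collection<String>> attributes = super.getBaseAttributes();
            attributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return attributes;
        }
    };
    return root.evaluatePermission(resource, server, context, scope);
}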