/**
 * Stores the social provider's profile {@link JsonNode} in the brokered user context so that
 * JSON attribute mappers can read individual fields from it later on. When the dedicated dump
 * logger is enabled at DEBUG level the whole profile is written to it as well, which helps when
 * investigating the structure the provider actually returns.
 *
 * <p>The dump is the complete profile as delivered by the provider, i.e. typically personal data
 * of the user; the DEBUG guard keeps it out of the logs unless explicitly switched on for
 * troubleshooting.
 *
 * @param user     brokered identity context whose context data receives the profile
 * @param profile  profile JSON to store under {@link AbstractJsonUserAttributeMapper#CONTEXT_JSON_NODE}
 * @param provider identifier of the social provider, used only in the log message
 *
 * @see #preprocessFederatedIdentity(KeycloakSession, RealmModel, IdentityProviderMapperModel, BrokeredIdentityContext)
 * @see BrokeredIdentityContext#getContextData()
 */
public static void storeUserProfileForMapper(BrokeredIdentityContext user, JsonNode profile, String provider) {
    user.getContextData().put(AbstractJsonUserAttributeMapper.CONTEXT_JSON_NODE, profile);
    // Only build the (potentially large) dump string when it is actually going to be logged.
    if (LOGGER_DUMP_USER_PROFILE.isDebugEnabled()) {
        String dump = "User Profile JSON Data for provider " + provider + ": " + profile;
        LOGGER_DUMP_USER_PROFILE.debug(dump);
    }
}
/**
 * Looks up {@code claim} in the tokens the OIDC broker stored in the context data, trying the
 * validated access token first and the validated ID token second.
 *
 * @param context brokered identity context holding the validated tokens
 * @param claim   claim name to resolve; resolution inside a token is delegated to
 *                {@link #getClaimValue(JsonWebToken, String)}
 * @return the first non-null claim value found, or {@code null} when neither token is present
 *         or neither carries the claim
 */
public static Object getClaimValue(BrokeredIdentityContext context, String claim) {
    // Lookup order is significant: a claim in the access token wins over the same claim in the ID token.
    String[] tokenKeys = {
        KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN,
        KeycloakOIDCIdentityProvider.VALIDATED_ID_TOKEN
    };
    for (String key : tokenKeys) {
        JsonWebToken token = (JsonWebToken) context.getContextData().get(key);
        if (token == null) {
            continue;
        }
        Object value = getClaimValue(token, claim);
        if (value != null) {
            return value;
        }
    }
    return null;
}
/**
 * Validates the access token from the token endpoint response and stores the parsed
 * {@link JsonWebToken} in the context data under {@code VALIDATED_ACCESS_TOKEN}, where role and
 * claim mappers read it from later.
 *
 * @param context  brokered identity context receiving the validated token
 * @param idpKey   identity provider's public key handed to {@code validateToken}
 * @param response token endpoint response whose access token is validated
 */
@Override
protected void processAccessTokenResponse(BrokeredIdentityContext context, PublicKey idpKey, AccessTokenResponse response) {
    String rawAccessToken = response.getToken();
    // NOTE(review): validateToken is defined elsewhere; it is assumed to throw on a token that
    // fails verification so that only verified tokens ever reach the context data — confirm.
    JsonWebToken validated = validateToken(idpKey, rawAccessToken);
    context.getContextData().put(VALIDATED_ACCESS_TOKEN, validated);
}
/**
 * Resolves the mapper's configured JSON field path against the profile stored in the context.
 *
 * <p>Paths that are blank, start or end with {@code JSON_PATH_DELIMITER}, or start with an
 * array index ({@code [}) are rejected with a warning instead of being evaluated.
 *
 * @param mapperModel mapper configuration; {@code CONF_JSON_FIELD} holds the field path
 * @param context     brokered identity context holding the profile under {@code CONTEXT_JSON_NODE}
 * @return the resolved value, or {@code null} when the path is not configured, malformed, or
 *         the value is absent from the profile
 */
protected static String getJsonValue(IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    String configuredPath = mapperModel.getConfig().get(CONF_JSON_FIELD);
    if (configuredPath == null || configuredPath.trim().isEmpty()) {
        logger.warnf("JSON field path is not configured for mapper %s", mapperModel.getName());
        return null;
    }
    String path = configuredPath.trim();
    boolean malformed = path.startsWith(JSON_PATH_DELIMITER)
            || path.endsWith(JSON_PATH_DELIMITER)
            || path.startsWith("[");
    if (malformed) {
        logger.warnf("JSON field path is invalid %s", path);
        return null;
    }
    // NOTE(review): the profile is absent if storeUserProfileForMapper did not run for this
    // login; the JsonNode overload of getJsonValue is relied on to handle a null node — confirm.
    JsonNode profile = (JsonNode) context.getContextData().get(CONTEXT_JSON_NODE);
    String value = getJsonValue(profile, path);
    if (value == null) {
        logger.debugf("User profile JSON value '%s' is not available.", path);
    }
    return value;
}
/**
 * Copies the provider's access token and ID token from the brokered context into notes on the
 * user session, under {@code FEDERATED_ACCESS_TOKEN} and {@code FEDERATED_ID_TOKEN}.
 *
 * <p>These notes hold the external provider's bearer credentials for the lifetime of the user
 * session, so anything that can read session notes can read those tokens.
 *
 * @param userSession   user session that receives the token notes
 * @param clientSession client session; not used by this implementation
 * @param context       brokered identity context holding the token response under
 *                      {@code FEDERATED_ACCESS_TOKEN_RESPONSE}
 */
@Override
public void attachUserSession(UserSessionModel userSession, ClientSessionModel clientSession, BrokeredIdentityContext context) {
    Object stored = context.getContextData().get(FEDERATED_ACCESS_TOKEN_RESPONSE);
    // NOTE(review): assumes the response was stored during authentication; a missing entry
    // would fail with a NullPointerException on the next line — confirm that is intended.
    AccessTokenResponse response = (AccessTokenResponse) stored;
    userSession.setNote(FEDERATED_ACCESS_TOKEN, response.getToken());
    userSession.setNote(FEDERATED_ID_TOKEN, response.getIdToken());
}
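/**
 * Checks whether the validated access token carries the configured external role and, if it
 * does, resolves the realm role this mapper should grant.
 *
 * <p>The external role is read from {@code EXTERNAL_ROLE} and split with
 * {@link KeycloakModelUtils#parseRole(String)}; when no client part is present the role is
 * looked for in {@code realm_access.roles}, otherwise in
 * {@code resource_access.<client>.roles}.
 *
 * @param realm       realm in which the target role is resolved
 * @param mapperModel mapper configuration supplying {@code ROLE} (role to grant) and
 *                    {@code EXTERNAL_ROLE} (role expected in the token)
 * @param context     brokered identity context; the token is read from {@code VALIDATED_ACCESS_TOKEN}
 * @return the realm role to grant, or {@code null} when no validated access token is present or
 *         it does not carry the external role
 * @throws IdentityBrokerException if the configured target role does not exist in the realm
 */
private RoleModel hasRole(RealmModel realm, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    JsonWebToken token = (JsonWebToken) context.getContextData().get(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN);
    // Without a validated access token there is nothing to match against, so no role is granted.
    if (token == null) {
        return null;
    }
    String roleName = mapperModel.getConfig().get(HardcodedRoleMapper.ROLE);
    String[] parsedExternalRole = KeycloakModelUtils.parseRole(mapperModel.getConfig().get(EXTERNAL_ROLE));
    String clientId = parsedExternalRole[0];
    String externalRoleName = parsedExternalRole[1];
    // A null client part means a realm-level role; otherwise it is a client role.
    String claimName = clientId == null
            ? "realm_access.roles"
            : "resource_access." + clientId + ".roles";
    Object claim = getClaimValue(token, claimName);
    if (!valueEquals(externalRoleName, claim)) {
        return null;
    }
    RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
    if (role == null) {
        throw new IdentityBrokerException("Unable to find role: " + roleName);
    }
    return role;
}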
AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, getConfig().getAlias()); identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, tokenResponse); identity.getContextData().put(VALIDATED_ID_TOKEN, idToken); processAccessTokenResponse(identity, key, tokenResponse);