Java Code Examples for org.keycloak.models.RealmModel#addClientScope()
The following examples show how to use
org.keycloak.models.RealmModel#addClientScope() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: OIDCLoginProtocolFactory.java From keycloak with Apache License 2.0 | 6 votes |
|
public static ClientScopeModel addRolesClientScope(RealmModel newRealm) {
ClientScopeModel rolesScope = KeycloakModelUtils.getClientScopeByName(newRealm, ROLES_SCOPE);
if (rolesScope == null) {
rolesScope = newRealm.addClientScope(ROLES_SCOPE);
rolesScope.setDescription("OpenID Connect scope for add user roles to the access token");
rolesScope.setDisplayOnConsentScreen(true);
rolesScope.setConsentScreenText(ROLES_SCOPE_CONSENT_TEXT);
rolesScope.setIncludeInTokenScope(false);
rolesScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
rolesScope.addProtocolMapper(builtins.get(REALM_ROLES));
rolesScope.addProtocolMapper(builtins.get(CLIENT_ROLES));
rolesScope.addProtocolMapper(builtins.get(AUDIENCE_RESOLVE));
// 'roles' will be default client scope
newRealm.addDefaultClientScope(rolesScope, true);
} else {
logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", ROLES_SCOPE, newRealm.getName());
}
return rolesScope;
}
Example 2
| Source File: OIDCLoginProtocolFactory.java From keycloak with Apache License 2.0 | 6 votes |
|
public static ClientScopeModel addWebOriginsClientScope(RealmModel newRealm) {
ClientScopeModel originsScope = KeycloakModelUtils.getClientScopeByName(newRealm, WEB_ORIGINS_SCOPE);
if (originsScope == null) {
originsScope = newRealm.addClientScope(WEB_ORIGINS_SCOPE);
originsScope.setDescription("OpenID Connect scope for add allowed web origins to the access token");
originsScope.setDisplayOnConsentScreen(false); // No requesting consent from user for this. It is rather the permission of client
originsScope.setConsentScreenText("");
originsScope.setIncludeInTokenScope(false);
originsScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
originsScope.addProtocolMapper(builtins.get(ALLOWED_WEB_ORIGINS));
// 'web-origins' will be default client scope
newRealm.addDefaultClientScope(originsScope, true);
} else {
logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", WEB_ORIGINS_SCOPE, newRealm.getName());
}
return originsScope;
}
Example 3
| Source File: OIDCLoginProtocolFactory.java From keycloak with Apache License 2.0 | 6 votes |
|
/**
* Adds the {@code microprofile-jwt} optional client scope to the specified realm. If a {@code microprofile-jwt} client scope
* already exists in the realm then the existing scope is returned. Otherwise, a new scope is created and returned.
*
* @param newRealm the realm to which the {@code microprofile-jwt} scope is to be added.
* @return a reference to the {@code microprofile-jwt} client scope that was either created or already exists in the realm.
*/
public static ClientScopeModel addMicroprofileJWTClientScope(RealmModel newRealm) {
ClientScopeModel microprofileScope = KeycloakModelUtils.getClientScopeByName(newRealm, MICROPROFILE_JWT_SCOPE);
if (microprofileScope == null) {
microprofileScope = newRealm.addClientScope(MICROPROFILE_JWT_SCOPE);
microprofileScope.setDescription("Microprofile - JWT built-in scope");
microprofileScope.setDisplayOnConsentScreen(false);
microprofileScope.setIncludeInTokenScope(true);
microprofileScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
microprofileScope.addProtocolMapper(builtins.get(UPN));
microprofileScope.addProtocolMapper(builtins.get(GROUPS));
newRealm.addDefaultClientScope(microprofileScope, false);
} else {
logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", MICROPROFILE_JWT_SCOPE, newRealm.getName());
}
return microprofileScope;
}
Example 4
| Source File: DefaultClientScopes.java From keycloak with Apache License 2.0 | 5 votes |
|
public static void createOfflineAccessClientScope(RealmModel newRealm, RoleModel offlineRole) {
ClientScopeModel offlineAccessScope = newRealm.addClientScope(OAuth2Constants.OFFLINE_ACCESS);
offlineAccessScope.setDescription("OpenID Connect built-in scope: offline_access");
offlineAccessScope.setDisplayOnConsentScreen(true);
offlineAccessScope.setConsentScreenText(Constants.OFFLINE_ACCESS_SCOPE_CONSENT_TEXT);
offlineAccessScope.setProtocol("openid-connect");
offlineAccessScope.addScopeMapping(offlineRole);
// Optional scope. Needs to be requested by scope parameter
newRealm.addDefaultClientScope(offlineAccessScope, false);
}
Example 5
| Source File: UserStorageConsentTest.java From keycloak with Apache License 2.0 | 5 votes |
|
public static void setupConsent(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName("demo");
ClientModel product = session.realms().getClientByClientId("product-portal", realm);
product.setConsentRequired(true);
ClientScopeModel clientScope = realm.addClientScope("clientScope");
clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
System.err.println("client scope protocol mappers size: " + clientScope.getProtocolMappers().size());
for (ProtocolMapperModel mapper : product.getProtocolMappers()) {
if (mapper.getProtocol().equals(OIDCLoginProtocol.LOGIN_PROTOCOL)) {
if (mapper.getName().equals(OIDCLoginProtocolFactory.USERNAME)
|| mapper.getName().equals(OIDCLoginProtocolFactory.EMAIL)
|| mapper.getName().equals(OIDCLoginProtocolFactory.GIVEN_NAME)
) {
ProtocolMapperModel copy = new ProtocolMapperModel();
copy.setName(mapper.getName());
copy.setProtocol(mapper.getProtocol());
Map<String, String> config = new HashMap<>();
config.putAll(mapper.getConfig());
copy.setConfig(config);
copy.setProtocolMapper(mapper.getProtocolMapper());
clientScope.addProtocolMapper(copy);
}
}
product.removeProtocolMapper(mapper);
}
product.addClientScope(clientScope, true);
}
Example 6
| Source File: TestingResourceProvider.java From keycloak with Apache License 2.0 | 5 votes |
|
/**
* Generate new client scope for specified service client. The "Frontend" clients, who will use this client scope, will be able to
* send their access token to authenticate against specified service client
*
* @param clientId Client ID of service client (typically bearer-only client)
* @return ID of the newly generated clientScope
*/
@Path("generate-audience-client-scope")
@POST
@NoCache
public String generateAudienceClientScope(@QueryParam("realm") final String realmName, final @QueryParam("clientId") String clientId) {
try {
RealmModel realm = getRealmByName(realmName);
ClientModel serviceClient = realm.getClientByClientId(clientId);
if (serviceClient == null) {
throw new NotFoundException("Referenced service client doesn't exists");
}
ClientScopeModel clientScopeModel = realm.addClientScope(clientId);
clientScopeModel.setProtocol(serviceClient.getProtocol()==null ? OIDCLoginProtocol.LOGIN_PROTOCOL : serviceClient.getProtocol());
clientScopeModel.setDisplayOnConsentScreen(true);
clientScopeModel.setConsentScreenText(clientId);
clientScopeModel.setIncludeInTokenScope(true);
// Add audience protocol mapper
ProtocolMapperModel audienceMapper = AudienceProtocolMapper.createClaimMapper("Audience for " + clientId, clientId, null,true, false);
clientScopeModel.addProtocolMapper(audienceMapper);
return clientScopeModel.getId();
} catch (ModelDuplicateException e) {
throw new BadRequestException("Client Scope " + clientId + " already exists");
}
}
Example 7
| Source File: SamlProtocolFactory.java From keycloak with Apache License 2.0 | 5 votes |
|
@Override
protected void createDefaultClientScopesImpl(RealmModel newRealm) {
ClientScopeModel roleListScope = newRealm.addClientScope(SCOPE_ROLE_LIST);
roleListScope.setDescription("SAML role list");
roleListScope.setDisplayOnConsentScreen(true);
roleListScope.setConsentScreenText(ROLE_LIST_CONSENT_TEXT);
roleListScope.setProtocol(getId());
roleListScope.addProtocolMapper(builtins.get("role list"));
newRealm.addDefaultClientScope(roleListScope, true);
}
Example 8
| Source File: OIDCLoginProtocolFactory.java From keycloak with Apache License 2.0 | 4 votes |
|
@Override
protected void createDefaultClientScopesImpl(RealmModel newRealm) {
//name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
ClientScopeModel profileScope = newRealm.addClientScope(OAuth2Constants.SCOPE_PROFILE);
profileScope.setDescription("OpenID Connect built-in scope: profile");
profileScope.setDisplayOnConsentScreen(true);
profileScope.setConsentScreenText(PROFILE_SCOPE_CONSENT_TEXT);
profileScope.setIncludeInTokenScope(true);
profileScope.setProtocol(getId());
profileScope.addProtocolMapper(builtins.get(FULL_NAME));
profileScope.addProtocolMapper(builtins.get(FAMILY_NAME));
profileScope.addProtocolMapper(builtins.get(GIVEN_NAME));
profileScope.addProtocolMapper(builtins.get(MIDDLE_NAME));
profileScope.addProtocolMapper(builtins.get(NICKNAME));
profileScope.addProtocolMapper(builtins.get(USERNAME));
profileScope.addProtocolMapper(builtins.get(PROFILE_CLAIM));
profileScope.addProtocolMapper(builtins.get(PICTURE));
profileScope.addProtocolMapper(builtins.get(WEBSITE));
profileScope.addProtocolMapper(builtins.get(GENDER));
profileScope.addProtocolMapper(builtins.get(BIRTHDATE));
profileScope.addProtocolMapper(builtins.get(ZONEINFO));
profileScope.addProtocolMapper(builtins.get(LOCALE));
profileScope.addProtocolMapper(builtins.get(UPDATED_AT));
ClientScopeModel emailScope = newRealm.addClientScope(OAuth2Constants.SCOPE_EMAIL);
emailScope.setDescription("OpenID Connect built-in scope: email");
emailScope.setDisplayOnConsentScreen(true);
emailScope.setConsentScreenText(EMAIL_SCOPE_CONSENT_TEXT);
emailScope.setIncludeInTokenScope(true);
emailScope.setProtocol(getId());
emailScope.addProtocolMapper(builtins.get(EMAIL));
emailScope.addProtocolMapper(builtins.get(EMAIL_VERIFIED));
ClientScopeModel addressScope = newRealm.addClientScope(OAuth2Constants.SCOPE_ADDRESS);
addressScope.setDescription("OpenID Connect built-in scope: address");
addressScope.setDisplayOnConsentScreen(true);
addressScope.setConsentScreenText(ADDRESS_SCOPE_CONSENT_TEXT);
addressScope.setIncludeInTokenScope(true);
addressScope.setProtocol(getId());
addressScope.addProtocolMapper(builtins.get(ADDRESS));
ClientScopeModel phoneScope = newRealm.addClientScope(OAuth2Constants.SCOPE_PHONE);
phoneScope.setDescription("OpenID Connect built-in scope: phone");
phoneScope.setDisplayOnConsentScreen(true);
phoneScope.setConsentScreenText(PHONE_SCOPE_CONSENT_TEXT);
phoneScope.setIncludeInTokenScope(true);
phoneScope.setProtocol(getId());
phoneScope.addProtocolMapper(builtins.get(PHONE_NUMBER));
phoneScope.addProtocolMapper(builtins.get(PHONE_NUMBER_VERIFIED));
// 'profile' and 'email' will be default scopes for now. 'address' and 'phone' will be optional scopes
newRealm.addDefaultClientScope(profileScope, true);
newRealm.addDefaultClientScope(emailScope, true);
newRealm.addDefaultClientScope(addressScope, false);
newRealm.addDefaultClientScope(phoneScope, false);
RoleModel offlineRole = newRealm.getRole(OAuth2Constants.OFFLINE_ACCESS);
if (offlineRole != null) {
ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(newRealm, OAuth2Constants.OFFLINE_ACCESS);
if (offlineAccessScope == null) {
DefaultClientScopes.createOfflineAccessClientScope(newRealm, offlineRole);
}
}
addRolesClientScope(newRealm);
addWebOriginsClientScope(newRealm);
addMicroprofileJWTClientScope(newRealm);
}
