Class ManagerKeycloakIdentityProvider

java.lang.Object
org.openremote.container.security.keycloak.KeycloakIdentityProvider
org.openremote.manager.security.ManagerKeycloakIdentityProvider
All Implemented Interfaces:
org.openremote.container.security.IdentityProvider, ManagerIdentityProvider

public class ManagerKeycloakIdentityProvider extends org.openremote.container.security.keycloak.KeycloakIdentityProvider implements ManagerIdentityProvider
All Keycloak interaction is performed through the admin-cli client. Authorization is enforced downstream of this class: anything running in the same process as this service has privileged access to Keycloak.
  • Field Details

    • REALM_KEYCLOAK_THEME_SUFFIX

      public static final String REALM_KEYCLOAK_THEME_SUFFIX
    • DEFAULT_REALM_KEYCLOAK_THEME

      public static final String DEFAULT_REALM_KEYCLOAK_THEME
    • DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT

      public static final String DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT
    • OR_KEYCLOAK_GRANT_FILE

      public static final String OR_KEYCLOAK_GRANT_FILE
    • OR_KEYCLOAK_GRANT_FILE_DEFAULT

      public static final String OR_KEYCLOAK_GRANT_FILE_DEFAULT
    • OR_KEYCLOAK_PUBLIC_URI

      public static final String OR_KEYCLOAK_PUBLIC_URI
    • OR_KEYCLOAK_PUBLIC_URI_DEFAULT

      public static final String OR_KEYCLOAK_PUBLIC_URI_DEFAULT
    • OR_KEYCLOAK_ENABLE_DIRECT_ACCESS_GRANT

      public static final String OR_KEYCLOAK_ENABLE_DIRECT_ACCESS_GRANT
    • BUILT_IN_REALM_ROLES

      public static final List<String> BUILT_IN_REALM_ROLES
    • persistenceService

      protected org.openremote.container.persistence.PersistenceService persistenceService
    • assetStorageService

      protected AssetStorageService assetStorageService
    • timerService

      protected org.openremote.container.timer.TimerService timerService
    • messageBrokerService

      protected org.openremote.container.message.MessageBrokerService messageBrokerService
    • clientEventService

      protected ClientEventService clientEventService
    • consoleAppService

      protected ConsoleAppService consoleAppService
    • keycloakAdminPassword

      protected String keycloakAdminPassword
    • container

      protected org.openremote.model.Container container
    • frontendURI

      protected String frontendURI
    • validRedirectUris

      protected List<String> validRedirectUris
    • realmCache

      protected Map<String,org.openremote.model.security.Realm> realmCache
  • Constructor Details

    • ManagerKeycloakIdentityProvider

      public ManagerKeycloakIdentityProvider()
  • Method Details

    • init

      public void init(org.openremote.model.Container container)
      Specified by:
      init in interface org.openremote.container.security.IdentityProvider
      Overrides:
      init in class org.openremote.container.security.keycloak.KeycloakIdentityProvider
    • start

      public void start(org.openremote.model.Container container)
      Specified by:
      start in interface org.openremote.container.security.IdentityProvider
      Overrides:
      start in class org.openremote.container.security.keycloak.KeycloakIdentityProvider
    • getStoredCredentials

      protected org.openremote.model.auth.OAuthGrant getStoredCredentials(org.openremote.model.Container container)
      Specified by:
      getStoredCredentials in class org.openremote.container.security.keycloak.KeycloakIdentityProvider
    • generateStoredCredentials

      protected org.openremote.model.auth.OAuthGrant generateStoredCredentials(org.openremote.model.Container container)
      Specified by:
      generateStoredCredentials in class org.openremote.container.security.keycloak.KeycloakIdentityProvider
    • addClientRedirectUris

      protected void addClientRedirectUris(String client, List<String> redirectUrls, boolean devMode)
      Specified by:
      addClientRedirectUris in class org.openremote.container.security.keycloak.KeycloakIdentityProvider
    • withClientResource

      protected <T> T withClientResource(String realm, String client, org.keycloak.admin.client.resource.RealmsResource realmsResource, BiFunction<org.keycloak.representations.idm.ClientRepresentation,org.keycloak.admin.client.resource.ClientResource,T> clientResourceConsumer, Supplier<T> notFoundProvider)
    • queryUsers

      public org.openremote.model.security.User[] queryUsers(org.openremote.model.query.UserQuery userQuery)
      Specified by:
      queryUsers in interface ManagerIdentityProvider
    • getUser

      public org.openremote.model.security.User getUser(String userId)
      Specified by:
      getUser in interface ManagerIdentityProvider
    • getUserByUsername

      public org.openremote.model.security.User getUserByUsername(String realm, String username)
      Specified by:
      getUserByUsername in interface ManagerIdentityProvider
    • createUpdateUser

      public org.openremote.model.security.User createUpdateUser(String realm, org.openremote.model.security.User user, String passwordSecret, boolean allowUpdate) throws jakarta.ws.rs.WebApplicationException
      Specified by:
      createUpdateUser in interface ManagerIdentityProvider
      Throws:
      jakarta.ws.rs.WebApplicationException
    • deleteUser

      public void deleteUser(String realm, String userId)
      Specified by:
      deleteUser in interface ManagerIdentityProvider
    • resetPassword

      public void resetPassword(String realm, String userId, org.openremote.model.security.Credential credential)
      Specified by:
      resetPassword in interface ManagerIdentityProvider
    • resetSecret

      public String resetSecret(String realm, String userId, String secret)
      Specified by:
      resetSecret in interface ManagerIdentityProvider
    • getClientRoles

      public org.openremote.model.security.Role[] getClientRoles(String realm, String client)
      Specified by:
      getClientRoles in interface ManagerIdentityProvider
    • updateClientRoles

      public void updateClientRoles(String realm, String clientId, org.openremote.model.security.Role[] roles)
      Specified by:
      updateClientRoles in interface ManagerIdentityProvider
    • saveClientRole

      protected org.keycloak.representations.idm.RoleRepresentation saveClientRole(org.keycloak.admin.client.resource.RealmResource realmResource, org.keycloak.admin.client.resource.ClientResource clientResource, org.openremote.model.security.Role role, org.keycloak.representations.idm.RoleRepresentation representation)
    • getUserClientRoles

      public String[] getUserClientRoles(String realm, String userId, String client)
      Specified by:
      getUserClientRoles in interface ManagerIdentityProvider
    • getUserRealmRoles

      public String[] getUserRealmRoles(String realm, String userId)
      Specified by:
      getUserRealmRoles in interface ManagerIdentityProvider
    • updateUserClientRoles

      public void updateUserClientRoles(@NotNull String realm, @NotNull String userId, @NotNull String client, String... roles)
      Specified by:
      updateUserClientRoles in interface ManagerIdentityProvider
    • updateUserRealmRoles

      public void updateUserRealmRoles(String realm, String userId, String... roles)
      Specified by:
      updateUserRealmRoles in interface ManagerIdentityProvider
    • isMasterRealmAdmin

      public boolean isMasterRealmAdmin(String userId)
      Specified by:
      isMasterRealmAdmin in interface ManagerIdentityProvider
    • getRealms

      public org.openremote.model.security.Realm[] getRealms()
      Specified by:
      getRealms in interface ManagerIdentityProvider
    • getRealm

      public org.openremote.model.security.Realm getRealm(String name)
      Specified by:
      getRealm in interface ManagerIdentityProvider
    • updateRealm

      public void updateRealm(org.openremote.model.security.Realm realm)
      Specified by:
      updateRealm in interface ManagerIdentityProvider
    • createRealm

      public org.openremote.model.security.Realm createRealm(org.openremote.model.security.Realm realm)
      Specified by:
      createRealm in interface ManagerIdentityProvider
    • deleteRealm

      public void deleteRealm(String realmName)
      Specified by:
      deleteRealm in interface ManagerIdentityProvider
    • generateOpenRemoteClientRepresentation

      public org.keycloak.representations.idm.ClientRepresentation generateOpenRemoteClientRepresentation()
    • getClient

      public org.keycloak.representations.idm.ClientRepresentation getClient(String realm, String client)
    • getClients

      public org.keycloak.representations.idm.ClientRepresentation[] getClients(String realm)
    • createUpdateClient

      public org.keycloak.representations.idm.ClientRepresentation createUpdateClient(String realm, org.keycloak.representations.idm.ClientRepresentation client)
    • deleteClient

      public void deleteClient(String realm, String clientId)
    • isRealmActiveAndAccessible

      public boolean isRealmActiveAndAccessible(org.openremote.container.security.AuthContext authContext, org.openremote.model.security.Realm realm)
      Specified by:
      isRealmActiveAndAccessible in interface ManagerIdentityProvider
      Returns:
      true if the user is the superuser (admin), or if the user is authenticated in the given realm and that realm is active.
    • isRealmActiveAndAccessible

      public boolean isRealmActiveAndAccessible(org.openremote.container.security.AuthContext authContext, String realm)
      Specified by:
      isRealmActiveAndAccessible in interface ManagerIdentityProvider
      Returns:
      true if the user is the superuser (admin), or if the user is authenticated in the named realm and that realm is active.
    • realmExists

      public boolean realmExists(String realm)
      Specified by:
      realmExists in interface ManagerIdentityProvider
    • isRestrictedUser

      public boolean isRestrictedUser(org.openremote.container.security.AuthContext authContext)
      Specified by:
      isRestrictedUser in interface ManagerIdentityProvider
    • isUserInRealm

      public boolean isUserInRealm(String userId, String realm)
      Specified by:
      isUserInRealm in interface ManagerIdentityProvider
    • canSubscribeWith

      public boolean canSubscribeWith(org.openremote.container.security.AuthContext auth, org.openremote.model.event.shared.RealmFilter<?> filter, org.openremote.model.security.ClientRole... requiredRoles)
      Description copied from interface: ManagerIdentityProvider
      Superusers can subscribe to all events; regular users must be in the same realm as the filter, and any required roles must match. If the authenticated party is a restricted user, this returns false.
      Specified by:
      canSubscribeWith in interface ManagerIdentityProvider
      Returns:
      true if the authenticated party can subscribe to events with the given filter.
    • getFrontendURI

      public String getFrontendURI()
      Description copied from interface: ManagerIdentityProvider
      Returns the frontend URL that frontend apps use to authenticate.
      Specified by:
      getFrontendURI in interface ManagerIdentityProvider
    • configureRealm

      protected void configureRealm(org.keycloak.representations.idm.RealmRepresentation realmRepresentation)
    • addDefaultRoles

      protected void addDefaultRoles(org.keycloak.admin.client.resource.RolesResource rolesResource)
    • addLDAPConfiguration

      public String addLDAPConfiguration(String realm, org.keycloak.representations.idm.ComponentRepresentation componentRepresentation)
    • addLDAPMapper

      public String addLDAPMapper(String realm, org.keycloak.representations.idm.ComponentRepresentation componentRepresentation)
    • isBuiltInRealmRole

      public static boolean isBuiltInRealmRole(String realmRole)
    • toString

      public String toString()
      Overrides:
      toString in class Object