Class KeycloakManager


  • @Service
    public class KeycloakManager
    extends Object
    Class for working with Keycloak and its REST Admin API.
    Note that there are two client IDs used by Keycloak:
    1. clientId, which is the same as an apikey (a string chosen at registration)
    2. id, which is an internal, opaque identifier generated by Keycloak for the client. This is called "id of client (not clientId)" in the Keycloak documentation and is saved as keycloakId in an apikey object.
    In other words: apiKey.getId().equals(keycloakClient.getClientId()); apiKey.getKeycloakId().equals(keycloakClient.getId());
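The distinction above matters in practice because the Admin REST API is keyed by the internal id for every per-client endpoint, while callers only know the apikey (the clientId). The following is an added example, not code from KeycloakManager or the project: it resolves a clientId to the internal id via the `GET /admin/realms/{realm}/clients?clientId=...` filter endpoint and then reads the generated secret from `GET .../clients/{id}/client-secret`. The base URL, realm name and bearer token are assumed inputs (in the real class the token would come from the caller's KeycloakSecurityContext); Jackson is assumed to be on the classpath, as it is in a Spring application.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.NoSuchElementException;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added example (not part of KeycloakManager): maps between the two Keycloak
 * client identifiers over the Admin REST API. baseUrl, realm and accessToken
 * are assumed inputs; the token is forwarded unchanged as a Bearer credential.
 */
public class KeycloakClientIds {
    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper mapper = new ObjectMapper();
    private final String adminBase;   // e.g. https://sso.example.org/admin/realms/apikeys (assumed)
    private final String accessToken; // caller's access token (securityContext.getTokenString())

    public KeycloakClientIds(String baseUrl, String realm, String accessToken) {
        this.adminBase = baseUrl + "/admin/realms/" + realm;
        this.accessToken = accessToken;
    }

    /** Resolves the public clientId (== apiKey.getId()) to the internal id (== apiKey.getKeycloakId()). */
    public String internalIdFor(String clientId) throws IOException, InterruptedException {
        String url = adminBase + "/clients?clientId="
                + URLEncoder.encode(clientId, StandardCharsets.UTF_8);
        JsonNode clients = mapper.readTree(getJson(url));
        // The clientId parameter is a filter, so insist on exactly one exact match
        // before trusting the id that comes back.
        String found = null;
        for (JsonNode c : clients) {
            if (clientId.equals(c.path("clientId").asText())) {
                if (found != null) {
                    throw new IllegalStateException("more than one Keycloak client with clientId " + clientId);
                }
                found = c.path("id").asText();
            }
        }
        if (found == null) {
            throw new NoSuchElementException("no Keycloak client with clientId " + clientId);
        }
        return found;
    }

    /** The secret endpoint is addressed by the internal id, never by the clientId. */
    public String secretFor(String internalId) throws IOException, InterruptedException {
        JsonNode cred = mapper.readTree(getJson(adminBase + "/clients/" + internalId + "/client-secret"));
        String secret = cred.path("value").asText(null);
        if (secret == null) {
            throw new IllegalStateException("client " + internalId + " has no secret (public client?)");
        }
        return secret; // persist it in the apikey store; never log it
    }

    private String getJson(String url) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Bearer " + accessToken)
                .header("Accept", "application/json")
                .GET()
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IOException("Keycloak admin API returned HTTP " + resp.statusCode() + " for " + url);
        }
        return resp.body();
    }
}
```

A typical call is `secretFor(internalIdFor(apiKey))`. The exact-match loop is the check worth keeping: the `clientId` query parameter is a filter rather than a lookup, and a manager that trusts the first element of the result would hand out the wrong client's secret if the filter ever matched more than one client.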
    • Method Detail

      • init

        @PostConstruct
        public void init()
      • clean

        @PreDestroy
        public void clean()
      • createClient

        public ApiKeySecret createClient​(KeycloakSecurityContext securityContext,
                                         ApiKeyRequest requestClient)
                                  throws ApiKeyException
        Create a new client in Keycloak. The ApiKeyRequest object submitted by the user supplies all the client registration data. The Keycloak security context is used to authorize the Keycloak requests with its access token. When the client has been created in Keycloak, the generated secret is retrieved from Keycloak and stored in the returned object, which is then used to store the entry in the apikey database.
        Parameters:
        securityContext - security context with access token
        requestClient - object containing registration data from the original request
        Returns:
        new ApiKeySecret object with all necessary fields, including the Keycloak id (keycloakId, aka "privateKey")
        Throws:
        ApiKeyException - when there is a failure
      • recreateClient

        public String recreateClient​(KeycloakSecurityContext securityContext,
                                     String apiKey,
                                     ApiKeyRequest requestClient)
                              throws ApiKeyException
        Creates a new Keycloak client for an apikey that already exists in the apikey database but has no corresponding client in Keycloak (resynchronization of a missing client)
        Parameters:
        securityContext - security context with access token
        apiKey - apikey of the client that needs to be recreated
        requestClient - object containing registration data from the original apikey
        Returns:
        String containing the new keycloakId of the newly created client in Keycloak
        Throws:
        ApiKeyException - when there is a failure
      • updateClient

        public void updateClient​(KeycloakSecurityContext securityContext,
                                 ApiKeyRequest apiKeyUpdate,
                                 String apiKey)
                          throws ApiKeyException
        Update an existing client in Keycloak. The ApiKeyRequest object supplies the registration data to be changed. The Keycloak security context is used to authorize the Keycloak requests with its access token.
        Parameters:
        securityContext - security context with access token
        apiKeyUpdate - containing updated registration data from the original request
        apiKey - the apikey (Keycloak clientId) of the client that should be updated
        Throws:
        ApiKeyException - when there is a failure
      • deleteClient

        public void deleteClient​(KeycloakSecurityContext securityContext,
                                 String apiKey)
                          throws ApiKeyException
        Deletes a client from Keycloak
        Parameters:
        securityContext - security context with access token
        apiKey - the apikey (Keycloak clientId) of the client that is to be deleted
        Throws:
        ApiKeyException - when there is a failure
      • isOwner

        public boolean isOwner​(String apiKey,
                               KeycloakAuthenticationToken keycloakAuthenticationToken)
        Checks whether the client for which the token was issued is the owner of the apikey
        Parameters:
        apiKey - api key to check
        keycloakAuthenticationToken - token issued for the caller of the request
        Returns:
        true when the client the token was issued for owns the apikey, false otherwise
      • isManagerClientAuthorized

        public boolean isManagerClientAuthorized​(KeycloakAuthenticationToken keycloakAuthenticationToken)
        Checks whether the token was issued for a manager client
        Parameters:
        keycloakAuthenticationToken - token issued for the caller of the request
        Returns:
        true when authorized, false otherwise
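Both checks above hinge on which client an access token was issued for. The added example below is not the project's own implementation of isOwner or isManagerClientAuthorized; it shows the claim a practitioner should compare against. The client a token was issued for is the `azp` claim (`AccessToken.getIssuedFor()`), not `sub`: for a client-credentials grant `sub` identifies the client's service-account user, so comparing it with the apikey would never match. The manager clientId and the role name used for the manager check are assumptions for illustration.

```java
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.representations.AccessToken;

/**
 * Added example (not the project's code). Decides ownership and manager
 * authorization from the access token carried by a KeycloakAuthenticationToken.
 */
public class ClientTokenChecks {
    // Assumed: the clientId of the trusted manager client and the client role it must hold.
    private final String managerClientId;
    private final String managerRole;

    public ClientTokenChecks(String managerClientId, String managerRole) {
        this.managerClientId = managerClientId;
        this.managerRole = managerRole;
    }

    /** Null-safe extraction of the parsed access token from the Spring Security token. */
    private static AccessToken tokenOf(KeycloakAuthenticationToken auth) {
        if (auth == null || auth.getAccount() == null) {
            return null;
        }
        KeycloakSecurityContext ctx = auth.getAccount().getKeycloakSecurityContext();
        return ctx == null ? null : ctx.getToken();
    }

    /** True when the token was issued for the client whose clientId equals the apikey. */
    public boolean isOwner(String apiKey, KeycloakAuthenticationToken auth) {
        AccessToken token = tokenOf(auth);
        if (token == null || apiKey == null) {
            return false;
        }
        // "azp" is the client the token was issued for; "sub" would be the service-account user.
        return apiKey.equals(token.getIssuedFor());
    }

    /** True only when the token was issued for the manager client AND carries the manager role. */
    public boolean isManagerClientAuthorized(KeycloakAuthenticationToken auth) {
        AccessToken token = tokenOf(auth);
        if (token == null) {
            return false;
        }
        if (!managerClientId.equals(token.getIssuedFor())) {
            return false;
        }
        // Check the role on the manager client itself, so a token for another client
        // that happens to hold a same-named realm role is not accepted.
        AccessToken.Access access = token.getResourceAccess(managerClientId);
        return access != null && access.isUserInRole(managerRole);
    }
}
```

Requiring both the issuer-for check and the client role is deliberate: a role alone can be granted to any client, and `azp` alone says nothing about what the client is allowed to do.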
      • enableClient

        public void enableClient​(String clientId,
                                 KeycloakSecurityContext securityContext)
                          throws ApiKeyException
        Enables the client in Keycloak, but only if it was disabled
        Parameters:
        clientId - client identifier
        securityContext - security context with access token
        Throws:
        ApiKeyException - when client not found in Keycloak or update failed
      • disableClient

        public void disableClient​(String clientId,
                                  KeycloakSecurityContext securityContext)
                           throws ApiKeyException
        Disables the client in Keycloak, but only if it is enabled
        Parameters:
        clientId - client identifier
        securityContext - security context with access token
        Throws:
        ApiKeyException - when client not found in Keycloak or update failed
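enableClient and disableClient share one pattern: read the client's current `enabled` flag, do nothing if it already has the requested value, and otherwise update it, reporting a missing client and a failed update as distinct errors. The following is an added example of that pattern over the Admin REST API, not the project's code. It assumes the internal id has already been resolved from the apikey, that the base URL, realm and bearer token are supplied by the caller, and that Jackson is available; it relies on Keycloak's client update endpoint applying only the fields present in the body, so it sends the single changed flag rather than round-tripping the whole client representation.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.NoSuchElementException;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

/**
 * Added example (not part of KeycloakManager): idempotent enable/disable of a
 * Keycloak client addressed by its internal id. baseUrl, realm and accessToken
 * are assumed inputs.
 */
public class KeycloakClientToggle {
    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper mapper = new ObjectMapper();
    private final String adminBase;   // e.g. https://sso.example.org/admin/realms/apikeys (assumed)
    private final String accessToken; // caller's access token, forwarded as Bearer

    public KeycloakClientToggle(String baseUrl, String realm, String accessToken) {
        this.adminBase = baseUrl + "/admin/realms/" + realm;
        this.accessToken = accessToken;
    }

    public boolean enable(String internalId) throws IOException, InterruptedException {
        return setEnabled(internalId, true);
    }

    public boolean disable(String internalId) throws IOException, InterruptedException {
        return setEnabled(internalId, false);
    }

    /**
     * Returns true when an update was sent, false when the client already had the
     * requested state. Throws NoSuchElementException when the client does not exist
     * and IOException when Keycloak rejects the read or the update.
     */
    public boolean setEnabled(String internalId, boolean enabled) throws IOException, InterruptedException {
        String url = adminBase + "/clients/" + internalId;

        HttpResponse<String> current = http.send(request(url).GET().build(),
                HttpResponse.BodyHandlers.ofString());
        if (current.statusCode() == 404) {
            throw new NoSuchElementException("no Keycloak client with id " + internalId);
        }
        if (current.statusCode() != 200) {
            throw new IOException("reading client " + internalId + " failed with HTTP " + current.statusCode());
        }
        JsonNode rep = mapper.readTree(current.body());
        // A missing "enabled" field means the Keycloak default, which is enabled.
        if (rep.path("enabled").asBoolean(true) == enabled) {
            return false; // already in the requested state: no write, no audit noise
        }

        ObjectNode change = mapper.createObjectNode();
        change.put("enabled", enabled);
        HttpRequest put = request(url)
                .header("Content-Type", "application/json")
                .PUT(HttpRequest.BodyPublishers.ofString(mapper.writeValueAsString(change)))
                .build();
        HttpResponse<String> updated = http.send(put, HttpResponse.BodyHandlers.ofString());
        if (updated.statusCode() != 204) {
            throw new IOException("updating client " + internalId + " failed with HTTP " + updated.statusCode());
        }
        return true;
    }

    private HttpRequest.Builder request(String url) {
        return HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Bearer " + accessToken)
                .header("Accept", "application/json");
    }
}
```

Disabling the client in Keycloak is the right lever for revoking an apikey: once `enabled` is false, Keycloak refuses new token requests for that clientId and secret, independent of what the apikey database says. Tokens already issued remain valid until they expire, so a revocation that must take effect immediately also needs a short access-token lifetime on the client.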