Class KeycloakClientManager

java.lang.Object
eu.europeana.apikey.keycloak.KeycloakClientManager

@Service public class KeycloakClientManager extends Object
Class for working with Keycloak and its REST Admin API.

Note that there are two client ids used by Keycloak:

  1. clientId, which is the same as the apikey (a string);
  2. id, which is Keycloak's internal id (a hash) of the client. The Keycloak documentation calls this the "id of client (not clientId)"; it is saved as keycloakId in an ApiKey object.
In other words: apiKey.getId().equals(keycloakClient.getClientId()) and apiKey.getKeycloakId().equals(keycloakClient.getId()).
  • Constructor Details

    • KeycloakClientManager

      public KeycloakClientManager(KeycloakProperties kcProperties)
      Instantiates a new Keycloak client manager.
      Parameters:
      kcProperties - the Keycloak configuration properties
  • Method Details

    • init

      @PostConstruct public void init()
      Initialisation hook, run after construction (@PostConstruct).
    • clean

      @PreDestroy public void clean()
      Clean-up hook, run before the bean is destroyed (@PreDestroy).
    • authenticateClient

      public KeycloakPrincipal<KeycloakSecurityContext> authenticateClient(String clientId, String clientSecret)
      Authenticate the client that executed the request. Authentication is done following the client credentials grant type. Access token and refresh token are stored in the returned KeycloakSecurityContext together with the configured admin client that can be used to refresh tokens.
      Parameters:
      clientId - client-id of the client executing the request
      clientSecret - client secret used to authenticate the client in Keycloak
      Returns:
      security context with configured admin client together with access and refresh tokens
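As an added example (not the project's own code), the client-credentials exchange described above using the Keycloak admin client library: the admin client is built for the client_credentials grant, the first call to the token manager performs the token request, and the same client is kept so that tokens can be refreshed later. AuthResult is a constructed holder type standing in for the project's KeycloakSecurityContext; serverUrl and realm are assumed to come from configuration.

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.AccessTokenResponse;

/**
 * Added example: client-credentials authentication with the Keycloak admin client.
 * AuthResult is a hypothetical holder, not the project's KeycloakSecurityContext.
 */
public final class ClientCredentialsAuthExample {

    /** Hypothetical holder: the admin client plus the tokens it obtained. */
    public record AuthResult(Keycloak adminClient, String accessToken, String refreshToken) {}

    public static AuthResult authenticateClient(String serverUrl, String realm,
                                                String clientId, String clientSecret) {
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        // Building the client does not contact Keycloak; the token request happens here.
        // A wrong secret surfaces as a javax.ws.rs.WebApplicationException (HTTP 401),
        // not as a null token, so callers must not treat "no exception" as optional.
        AccessTokenResponse response = keycloak.tokenManager().getAccessToken();

        // Keycloak may omit the refresh token for the client_credentials grant
        // (server setting); the admin client can still re-grant in that case.
        return new AuthResult(keycloak, response.getToken(), response.getRefreshToken());
    }

    /** Uses the stored admin client to obtain fresh tokens (refresh or re-grant). */
    public static AuthResult refresh(AuthResult current) {
        AccessTokenResponse r = current.adminClient().tokenManager().refreshToken();
        return new AuthResult(current.adminClient(), r.getToken(), r.getRefreshToken());
    }
}
```

Keeping the admin client (rather than only the token strings) is what makes the later refresh possible without storing the client secret anywhere else; the secret lives only in the builder's configuration. On Keycloak 22 and later the JAX-RS exception types are under jakarta.ws.rs instead of javax.ws.rs.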
    • createClient

      public org.keycloak.representations.idm.ClientRepresentation createClient(KeycloakSecurityContext securityContext, ApiKey key) throws eu.europeana.api.commons.error.EuropeanaApiException
      Creates a new Keycloak client linked to the provided Apikey. This method is used:

      - when creating a combined Apikey and Client;
      - when adding a Client to an existing Apikey.

      The required data are supplied by the ApiKey object.

      When a client is successfully created in Keycloak, the client secret (aka Secret Key) is retrieved from Keycloak with the getClientSecret() method and passed back to the Controller, so that it can be sent to the user. The client's internal Keycloak id (not the clientId) is stored as keycloakId in the database record of the linked Apikey.

      Parameters:
      securityContext - security context with access token
      key - Apikey to link the Client to be created to, and to copy some data from that are added to the Keycloak Client
      Returns:
      ClientRepresentation representing the newly created client in Keycloak, including Secret (Key)
      Throws:
      eu.europeana.api.commons.error.EuropeanaApiException - the europeana api exception
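The creation flow described above, as an added example written against the Keycloak admin client (this is not the project's createClient implementation). ApiKeyData is a constructed stand-in for the project's ApiKey with only the fields the example needs, and the flow settings applied to the new client (confidential, service account only, browser flows off) are the example's own assumed defaults, not something the page specifies.

```java
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;

/** Added example: create a Keycloak client for an apikey and fetch its secret. */
public final class CreateClientExample {

    /** Constructed stand-in for the project's ApiKey (hypothetical fields). */
    public record ApiKeyData(String apiKey, String appName, String email) {}

    /** What goes back to the controller: internal id to persist, secret to hand out once. */
    public record CreatedClient(String keycloakId, String clientId, String secret) {}

    public static CreatedClient createClient(Keycloak adminClient, String realm, ApiKeyData key) {
        ClientsResource clients = adminClient.realm(realm).clients();

        // Refuse to create a second client for the same apikey; findByClientId
        // returns an empty list when nothing matches.
        List<ClientRepresentation> existing = clients.findByClientId(key.apiKey());
        if (!existing.isEmpty()) {
            throw new IllegalStateException("client already exists for apikey " + key.apiKey());
        }

        ClientRepresentation rep = new ClientRepresentation();
        rep.setClientId(key.apiKey());            // clientId == apikey, as the class doc states
        rep.setName(key.appName());
        rep.setDescription("Contact: " + key.email());
        rep.setEnabled(true);
        // Assumed defaults: confidential client limited to the client-credentials grant
        rep.setPublicClient(false);
        rep.setServiceAccountsEnabled(true);
        rep.setStandardFlowEnabled(false);
        rep.setImplicitFlowEnabled(false);
        rep.setDirectAccessGrantsEnabled(false);

        String internalId;
        try (Response response = clients.create(rep)) {
            if (response.getStatus() != Response.Status.CREATED.getStatusCode()) {
                throw new IllegalStateException("Keycloak returned HTTP " + response.getStatus());
            }
            // The internal id is only available from the Location header of the 201 response
            internalId = CreatedResponseUtil.getCreatedId(response);
        }

        // The secret is generated by Keycloak and must be fetched in a separate call,
        // addressed by the internal id (never by the apikey).
        CredentialRepresentation secret = clients.get(internalId).getSecret();
        return new CreatedClient(internalId, key.apiKey(), secret.getValue());
    }
}
```

The two ids surface naturally here: the apikey goes into setClientId on the way in, and Keycloak's internal id comes back only via the Location header, which is the value to persist as keycloakId. The secret is returned to the caller once and is not stored by this code. On Keycloak 22 and later the JAX-RS types are under jakarta.ws.rs.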
    • updateClient

      public void updateClient(KeycloakSecurityContext securityContext, ApiKeyRequest apiKeyUpdate, String apiKey) throws eu.europeana.api.commons.error.EuropeanaApiException
      Updates the client representation with the new values supplied with the update request.
      Parameters:
      securityContext - security context with access token
      apiKeyUpdate - registration data to be updated
      apiKey - passed separately because the ApiKeyRequest does not contain it
      Throws:
      eu.europeana.api.commons.error.EuropeanaApiException - the europeana api exception
    • deleteClient

      public void deleteClient(KeycloakSecurityContext securityContext, String apiKey) throws eu.europeana.api.commons.error.EuropeanaApiException
      Deletes a client from Keycloak.
      Parameters:
      securityContext - security context with access token
      apiKey - the id of the client that is to be deleted
      Throws:
      eu.europeana.api.commons.error.EuropeanaApiException - when deleting the client from Keycloak fails
    • enableClient

      public void enableClient(String clientId, KeycloakSecurityContext securityContext) throws eu.europeana.api.commons.error.EuropeanaApiException
      Enables the client in Keycloak, but only if it was disabled.
      Parameters:
      clientId - client identifier
      securityContext - security context with access token
      Throws:
      eu.europeana.api.commons.error.EuropeanaApiException - when client not found in Keycloak or update failed
    • disableClient

      public void disableClient(String clientId, KeycloakSecurityContext securityContext) throws eu.europeana.api.commons.error.EuropeanaApiException
      Disables the client in Keycloak, but only if it is enabled.
      Parameters:
      clientId - client identifier
      securityContext - security context with access token
      Throws:
      eu.europeana.api.commons.error.EuropeanaApiException - when client not found in Keycloak or update failed
    • getAuthorities

      public Collection<org.springframework.security.core.GrantedAuthority> getAuthorities(org.keycloak.representations.AccessToken token)
      Gets resource authorities from the access token.
      Parameters:
      token - access token object
      Returns:
      collection of granted authorities to authorize resource access
    • checkifClientExists

      public String checkifClientExists(String apiKey, KeycloakSecurityContext kcSecurityContext) throws eu.europeana.api.commons.error.EuropeanaApiException
      Checks whether the client with a given clientId (apiKey) exists in Keycloak, and if so, returns its internal id.
      Parameters:
      apiKey - Apikey, matches client.clientId
      kcSecurityContext - security context
      Returns:
      String with the client's internal id (client.id, not client.clientId) if the client is found, null if not found
      Throws:
      eu.europeana.api.commons.error.EuropeanaApiException - when an error occurred retrieving the client info from Keycloak
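One added example (not the project's code) that covers three pieces of this page at once: the clientId/id distinction from the class description, the lookup contract of checkifClientExists (null when absent), and the conditional enable/disable documented for enableClient and disableClient. It uses the Keycloak admin client; adminClient and realm are assumed to be available from the security context and configuration.

```java
import java.util.List;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.representations.idm.ClientRepresentation;

/** Added example: resolve an apikey to the internal client id and toggle enabled state. */
public final class ClientStateExample {

    /**
     * Resolve the apikey (clientId) to Keycloak's internal id.
     * Returns null when no client matches, mirroring checkifClientExists.
     */
    public static String findInternalId(Keycloak adminClient, String realm, String apiKey) {
        List<ClientRepresentation> found = adminClient.realm(realm).clients().findByClientId(apiKey);
        if (found.isEmpty()) {
            return null;
        }
        // clientId is unique within a realm, so at most one match is expected
        return found.get(0).getId();
    }

    /**
     * Enable or disable the client whose clientId equals apiKey.
     * Returns true when an update was sent, false when the client was already
     * in the requested state (no request is made in that case).
     */
    public static boolean setEnabled(Keycloak adminClient, String realm, String apiKey, boolean enabled) {
        String internalId = findInternalId(adminClient, realm, apiKey);
        if (internalId == null) {
            throw new IllegalArgumentException("no Keycloak client with clientId " + apiKey);
        }
        ClientsResource clients = adminClient.realm(realm).clients();
        // Per-client operations are addressed by the internal id, never by the apikey
        ClientResource client = clients.get(internalId);
        ClientRepresentation rep = client.toRepresentation();

        boolean currentlyEnabled = Boolean.TRUE.equals(rep.isEnabled());
        if (currentlyEnabled == enabled) {
            return false;
        }
        rep.setEnabled(enabled);
        client.update(rep);
        return true;
    }

    public static boolean enableClient(Keycloak adminClient, String realm, String apiKey) {
        return setEnabled(adminClient, realm, apiKey, true);
    }

    public static boolean disableClient(Keycloak adminClient, String realm, String apiKey) {
        return setEnabled(adminClient, realm, apiKey, false);
    }
}
```

The "only if it was disabled" / "only if it is enabled" contract is implemented by reading the current representation first and returning without a write when nothing would change; this also keeps Keycloak's admin event log free of no-op updates, which makes genuine state changes easier to audit.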
    • isOwner

      public boolean isOwner(String apiKey, KeycloakAuthenticationToken keycloakAuthenticationToken)
      Checks whether the client for which the token was issued is the owner of the apikey.
      Parameters:
      apiKey - api key to check
      keycloakAuthenticationToken - token issued for the caller of the request
      Returns:
      true when authorized, false otherwise
    • isManagerClientAuthorized

      public boolean isManagerClientAuthorized(KeycloakAuthenticationToken keycloakAuthenticationToken)
      Checks whether the token was issued for a manager client.
      Parameters:
      keycloakAuthenticationToken - token issued for the caller of the request
      Returns:
      true when authorized, false otherwise
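The three token checks on this page (getAuthorities, isOwner and isManagerClientAuthorized) as one added example that is not the project's code. It works directly on org.keycloak.representations.AccessToken; extracting that token from the project's KeycloakAuthenticationToken is assumed to happen in the caller. The ROLE_ prefix and the MANAGER_ROLE_PLACEHOLDER name are the example's assumptions, and sampleToken constructs a token locally so the checks can be exercised without a server.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.Objects;
import org.keycloak.representations.AccessToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Added example: authorities, ownership and manager checks derived from an access token. */
public final class TokenAuthorizationExample {

    /** Hypothetical role name; the real manager role is project configuration. */
    private static final String MANAGER_ROLE = "MANAGER_ROLE_PLACEHOLDER";

    /** resource_access -> roles, prefixed ROLE_ for Spring's hasRole() (prefix is an assumption). */
    public static Collection<GrantedAuthority> getAuthorities(AccessToken token) {
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess();
        if (resourceAccess == null) {
            return authorities;
        }
        for (Map.Entry<String, AccessToken.Access> entry : resourceAccess.entrySet()) {
            if (entry.getValue().getRoles() == null) {
                continue;
            }
            for (String role : entry.getValue().getRoles()) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
        }
        return authorities;
    }

    /**
     * Ownership is decided by the client the token was issued for (the azp claim),
     * which Keycloak sets server-side; nothing supplied by the caller is trusted here.
     */
    public static boolean isOwner(String apiKey, AccessToken token) {
        return apiKey != null && Objects.equals(apiKey, token.getIssuedFor());
    }

    /** A manager client is recognised by the (assumed) manager role among its authorities. */
    public static boolean isManagerClientAuthorized(AccessToken token) {
        return getAuthorities(token).stream()
                .anyMatch(a -> a.getAuthority().equals("ROLE_" + MANAGER_ROLE));
    }

    /** Constructed token for a local check: issued for azp, carrying roles on one resource. */
    public static AccessToken sampleToken(String azp, String resource, String... roles) {
        AccessToken token = new AccessToken();
        token.issuedFor(azp);
        AccessToken.Access access = token.addAccess(resource);
        for (String role : roles) {
            access.addRole(role);
        }
        return token;
    }

    public static void main(String[] args) {
        AccessToken ordinary = sampleToken("apikey-constructed-1", "apikey-service", "viewer");
        AccessToken manager = sampleToken("apikey-constructed-2", "apikey-service", MANAGER_ROLE);

        System.out.println(isOwner("apikey-constructed-1", ordinary));     // true
        System.out.println(isOwner("apikey-constructed-1", manager));      // false
        System.out.println(isManagerClientAuthorized(ordinary));           // false
        System.out.println(isManagerClientAuthorized(manager));            // true
    }
}
```

Binding isOwner to the azp claim (issuedFor) rather than to a clientId sent in the request body is the point of the check: a caller can only act on the apikey that matches the credentials it actually authenticated with, and a manager client is distinguished by a role carried in the signed token, not by the apikey string.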