Core functionality for Keycloak OIDC/OAuth2 client adapters enabling Java applications to integrate with Keycloak identity and access management services
npx @tessl/cli install tessl/maven-org-keycloak--keycloak-adapter-core@25.0.0

Keycloak Adapter Core provides the core functionality for Keycloak OIDC/OAuth2 client adapters, enabling Java applications to integrate with Keycloak identity and access management services. It includes essential components for authentication flow handling, token management, security context management, and bearer token validation.
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-adapter-core</artifactId>
<version>25.0.3</version>
</dependency>
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.*;
import java.io.InputStream;
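// Build deployment configuration from JSON. getResourceAsStream() returns null when the
// resource is missing, and the stream is closed once the deployment has been built so the
// file handle does not leak.
KeycloakDeployment deployment;
try (InputStream configStream = getClass().getResourceAsStream("/keycloak.json")) {
    if (configStream == null) {
        throw new IllegalStateException("keycloak.json not found on the classpath");
    }
    deployment = KeycloakDeploymentBuilder.build(configStream);
}
// Create deployment context for single-tenant
AdapterDeploymentContext deploymentContext = new AdapterDeploymentContext(deployment);
// For multi-tenant scenarios with resolver. The resolver decides which realm/client the
// request is validated against, so derive the tenant from request data the application
// controls (host, path, ...), not from the contents of the not-yet-verified token.
KeycloakConfigResolver resolver = facade -> {
    // Custom resolution logic based on request
    return resolveDeploymentForTenant(facade);
};
AdapterDeploymentContext multiTenantContext = new AdapterDeploymentContext(resolver);
// Bearer token authentication. Only AUTHENTICATED means a verified token is available;
// NOT_ATTEMPTED and FAILED must not be treated as a signed-in user, and getToken() is
// only meaningful inside this branch.
BearerTokenRequestAuthenticator bearerAuth = new BearerTokenRequestAuthenticator(deployment);
AuthOutcome outcome = bearerAuth.authenticate(httpFacade);
if (outcome == AuthOutcome.AUTHENTICATED) {
    AccessToken token = bearerAuth.getToken();
    String principal = AdapterUtils.getPrincipalName(deployment, token);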
}
Keycloak Adapter Core is built around several key components:
- KeycloakDeployment and KeycloakDeploymentBuilder for configuration management
- AdapterDeploymentContext for single/multi-tenant deployment resolution
- RefreshableKeycloakSecurityContext for token lifecycle and refresh
- AdapterTokenStore interface for token persistence strategies
- HttpClientBuilder for secure HTTP communication with Keycloak server

Essential deployment configuration and context management for Keycloak integration. Handles single-tenant and multi-tenant scenarios with comprehensive configuration options.
/**
 * Resolved adapter configuration for one Keycloak client ("resource"), as produced by
 * KeycloakDeploymentBuilder from keycloak.json or an AdapterConfig. It is the object every
 * other component on this page takes: AdapterDeploymentContext, the request authenticators,
 * the token store, ServerRequest and AdapterTokenVerifier.
 */
public class KeycloakDeployment {
/** Whether this deployment carries a usable configuration; check it before relying on the getters below. */
public boolean isConfigured();
/** Client id ("resource") this adapter is configured for. */
public String getResourceName();
/** Keycloak realm the client belongs to. */
public String getRealm();
/** Base URL of the Keycloak server the adapter talks to. */
public String getAuthServerBaseUrl();
/** Bearer-only mode: presumably the adapter then only accepts bearer tokens and never starts a login flow — confirm against the adapter documentation. */
public boolean isBearerOnly();
/** Public client: presumably no client credential is configured for this deployment — confirm. */
public boolean isPublicClient();
/** HTTP client used for calls to the Keycloak server; see HttpClientBuilder for the TLS/trust-store settings such a client is built with. */
public HttpClient getClient();
}
/**
 * Factory for KeycloakDeployment instances. The page's example builds one from the
 * classpath resource /keycloak.json; the AdapterConfig overload takes an already parsed
 * configuration object.
 */
public class KeycloakDeploymentBuilder {
/**
 * Builds a deployment from a JSON adapter configuration (keycloak.json).
 * Whether this method closes the stream is not stated here, so callers should close it
 * themselves (try-with-resources). Note that getResourceAsStream() yields null when the
 * resource is missing; pass a null stream and you get a confusing failure at best.
 */
public static KeycloakDeployment build(InputStream is);
/** Builds a deployment from an in-memory AdapterConfig. */
public static KeycloakDeployment build(AdapterConfig adapterConfig);
}
/**
 * Decides which KeycloakDeployment applies to a request. Constructed with a fixed deployment
 * for single-tenant use, or with a KeycloakConfigResolver that picks a deployment per request
 * (multi-tenant), as shown in the page's example.
 */
public class AdapterDeploymentContext {
/** Single-tenant: every request resolves to the given deployment. */
public AdapterDeploymentContext(KeycloakDeployment deployment);
/**
 * Multi-tenant: the resolver is consulted per request.
 * NOTE(review): the resolver's answer determines which realm/client a token is validated
 * against, so it should derive the tenant from request data the application controls (host,
 * path, ...), not from claims of the not-yet-verified token.
 */
public AdapterDeploymentContext(KeycloakConfigResolver configResolver);
/** Returns the deployment for the request represented by the facade. */
public KeycloakDeployment resolveDeployment(HttpFacade facade);
}
Authentication flow handling with support for bearer tokens, basic authentication, and OAuth flows. Provides security context management with token refresh capabilities.
/**
 * Base class of the adapter's request authenticators (bearer, basic and OAuth flows per the
 * section text). authenticate() yields an AuthOutcome; for a non-AUTHENTICATED outcome the
 * AuthChallenge from getChallenge() is presumably what the adapter sends back to the client —
 * confirm in the concrete subclass.
 */
public abstract class RequestAuthenticator {
/** Challenge to send when the request could not be authenticated (see AuthChallenge). */
public AuthChallenge getChallenge();
/** Runs the authentication flow for the current request and reports the outcome. */
public AuthOutcome authenticate();
}
/**
 * Authenticates a request from a bearer token (Authorization header) against one deployment.
 * Usage on this page: call authenticate(facade), then read the token only when the outcome is
 * AuthOutcome.AUTHENTICATED.
 */
public class BearerTokenRequestAuthenticator {
public BearerTokenRequestAuthenticator(KeycloakDeployment deployment);
/**
 * Validates the request's bearer token. Any outcome other than AUTHENTICATED (NOT_ATTEMPTED,
 * FAILED) means no verified token is available and the request must not be treated as
 * authenticated; which of the two is returned when the header is absent is not shown here.
 */
public AuthOutcome authenticate(HttpFacade exchange);
/** Parsed access token — meaningful only after authenticate() returned AUTHENTICATED. */
public AccessToken getToken();
/** Raw token string as received — meaningful only after AUTHENTICATED, and a credential that should not be logged. */
public String getTokenString();
}
/**
 * Security context holding the current access token, able to refresh it when expired and to
 * log the session out. Paired on this page with AdapterTokenStore.refreshCallback() and
 * CookieTokenStore, which persist it between requests.
 */
public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext {
/** Current parsed access token. */
public AccessToken getToken();
/** Current raw access token string — a bearer credential; keep it out of logs. */
public String getTokenString();
/**
 * Refreshes the token when it has expired. checkActive presumably also verifies the token is
 * still active before refreshing, and the boolean result presumably reports whether a valid
 * token is now held — confirm both; callers should treat false as "not authenticated".
 */
public boolean refreshExpiredToken(boolean checkActive);
/** Logs the session out against the given deployment (see also ServerRequest.invokeLogout). */
public void logout(KeycloakDeployment deployment);
}
Token storage abstraction and utilities for managing token lifecycle, including cookie-based storage and token refresh operations.
/**
 * Persistence strategy for the authenticated account and its tokens between requests
 * (cookie-based storage is one implementation, see CookieTokenStore). The authenticator
 * passed to isCached() suggests the request authenticators drive these callbacks.
 */
public interface AdapterTokenStore {
/** Validates the token currently held for the request; the exact checks are implementation-specific. */
void checkCurrentToken();
/** Reports whether the store already holds an authenticated account for this request. */
boolean isCached(RequestAuthenticator authenticator);
/** Persists a freshly authenticated account. */
void saveAccountInfo(OidcKeycloakAccount account);
/** Discards the stored account and tokens. */
void logout();
/** Called after a token refresh so the stored token can be replaced by the refreshed one. */
void refreshCallback(RefreshableKeycloakSecurityContext securityContext);
}
/**
 * Cookie-based token storage: the security context is written to a cookie on the response and
 * rebuilt from it on later requests. The cookie therefore carries bearer credentials.
 * NOTE(review): which cookie attributes (Secure, HttpOnly, SameSite) are set is not visible on
 * this page — confirm before using it on a deployment that is reachable over plain HTTP.
 */
public class CookieTokenStore {
/** Writes the session's tokens into the token cookie on the response. */
public static void setTokenCookie(KeycloakDeployment deployment, HttpFacade facade, RefreshableKeycloakSecurityContext session);
/**
 * Rebuilds the principal from the token cookie. The cookie value comes from the client, so
 * it must be verified before use (see AdapterTokenVerifier); whether this method does that
 * itself, and what it returns when no usable cookie is present, is not shown here — confirm.
 */
public static KeycloakPrincipal<RefreshableKeycloakSecurityContext> getPrincipalFromCookie(KeycloakDeployment deployment, HttpFacade facade, AdapterTokenStore tokenStore);
/** Clears the token cookie (logout). */
public static void removeCookie(KeycloakDeployment deployment, HttpFacade facade);
}
HTTP client builder with SSL configuration and server request utilities for token operations, logout, and node registration.
/**
 * Builder for the HttpClient the adapter uses to talk to the Keycloak server (compare
 * KeycloakDeployment.getClient()). Exposes the TLS settings: a custom SSLContext or a trust store.
 */
public class HttpClientBuilder {
/** Socket timeout for server calls; the default used when this is not set is not shown here. */
public HttpClientBuilder socketTimeout(long timeout, TimeUnit unit);
/** Supplies a pre-configured SSLContext for TLS connections; a context that disables certificate validation defeats the trust-store setting below. */
public HttpClientBuilder sslContext(SSLContext sslContext);
/** Trust store holding the certificates accepted for the Keycloak server's TLS connection. */
public HttpClientBuilder trustStore(KeyStore truststore);
/** Creates the configured client. */
public HttpClient build();
}
/**
 * Direct back-channel calls to the Keycloak server. All three declare IOException (transport
 * failure) and HttpFailure (presumably a non-success HTTP response — confirm); callers must
 * handle both rather than assume success.
 */
public class ServerRequest {
/** Back-channel logout for the session identified by the refresh token. */
public static void invokeLogout(KeycloakDeployment deployment, String refreshToken) throws IOException, HttpFailure;
/** Exchanges a refresh token for a new AccessTokenResponse. The refresh token is a long-lived credential — keep it out of logs and URLs. */
public static AccessTokenResponse invokeRefresh(KeycloakDeployment deployment, String refreshToken) throws IOException, HttpFailure;
/** Registers this application node (host) with the Keycloak server. */
public static void invokeRegisterNode(KeycloakDeployment deployment, String host) throws HttpFailure, IOException;
}
Public key location and token verification utilities supporting key rotation for secure token validation.
/**
 * Source of the public key(s) used to verify token signatures. Keys are looked up by key id
 * (kid), which is what makes rotation work: a token signed with a new key carries a new kid.
 */
public interface PublicKeyLocator {
/**
 * Returns the public key for the given key id. What happens for an unknown kid (null or an
 * exception) is not shown here — confirm; in either case callers must not fall back to
 * skipping signature verification.
 */
PublicKey getPublicKey(String kid, KeycloakDeployment deployment);
/** Drops any cached keys so the next lookup fetches fresh ones — presumably, implementation-specific. */
void reset(KeycloakDeployment deployment);
}
/**
 * Verifies tokens against a deployment (signature via the deployment's public keys; which
 * further checks — issuer, expiry, audience — are applied is not listed on this page).
 * Failure is signalled by VerificationException; callers must catch it and treat the
 * request as unauthenticated.
 */
public class AdapterTokenVerifier {
/** Verifies a single access token string and returns the parsed token. */
public static AccessToken verifyToken(String tokenString, KeycloakDeployment deployment) throws VerificationException;
/** Verifies an access token together with its ID token and returns both as VerifiedTokens. */
public static VerifiedTokens verifyTokens(String accessTokenString, String idTokenString, KeycloakDeployment deployment) throws VerificationException;
}
JAAS (Java Authentication and Authorization Service) integration for enterprise Java applications with login modules and principal management.
/**
 * JAAS LoginModule base for Keycloak. Follows the standard two-phase LoginModule contract:
 * initialize() receives the Subject, callback handler and module options; login() performs
 * the authentication; commit() populates the Subject with principals (see RolePrincipal);
 * logout() removes them again.
 */
public abstract class AbstractKeycloakLoginModule implements LoginModule {
/** Standard LoginModule initialization; options come from the JAAS configuration. */
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options);
/** Phase one: authenticate; returns false if this module should be ignored, throws on failure. */
public boolean login() throws LoginException;
/** Phase two: add principals/credentials to the Subject after overall login success. */
public boolean commit() throws LoginException;
/** Removes principals/credentials added by commit(). */
public boolean logout() throws LoginException;
}
/** Principal representing one Keycloak role granted to the authenticated subject. */
public class RolePrincipal implements Principal {
public RolePrincipal(String roleName);
/** The role name this principal was created with. */
public String getName();
}
Policy Enforcement Point integration for authorization policy evaluation with Keycloak's authorization services.
/**
 * Adapts an OIDCHttpFacade request to the AuthzRequest view used by the policy enforcement
 * point when evaluating Keycloak authorization policies.
 */
public class HttpAuthzRequest implements AuthzRequest {
public HttpAuthzRequest(OIDCHttpFacade oidcFacade);
/** HTTP method of the request being authorized. */
public String getMethod();
/** Request URI being authorized. */
public String getURI();
/** All values of the named request header; what is returned when the header is absent is not shown here. */
public List<String> getHeaders(String name);
/** Remote address as reported by the facade. Behind a reverse proxy this is typically the proxy's address, so policies keyed on it need proxy-aware handling. */
public String getRemoteAddr();
}
/**
 * Adapts an OIDCHttpFacade response to the AuthzResponse view the policy enforcement point
 * uses to reject a request or attach headers.
 */
public class HttpAuthzResponse implements AuthzResponse {
public HttpAuthzResponse(OIDCHttpFacade oidcFacade);
/** Sends an error response with the given HTTP status code. */
public void sendError(int statusCode);
/** Sets a response header. */
public void setHeader(String name, String value);
}
Utility functions for common adapter operations including principal name resolution, role extraction, HTTP requests, and credential management.
/**
 * Static helpers shared by the adapters: id generation, role extraction from a security
 * context, principal-name resolution, principal creation and client-credential handling.
 */
public class AdapterUtils {
/** Generates an identifier. The randomness source is not shown here — if an id is relied on as unguessable, confirm it comes from a cryptographically strong generator. */
public static String generateId();
/** Roles carried by the session's access token. */
public static Set<String> getRolesFromSecurityContext(RefreshableKeycloakSecurityContext session);
/** Principal name for the token; which token claim is used presumably depends on the deployment's configuration — confirm. */
public static String getPrincipalName(KeycloakDeployment deployment, AccessToken token);
/** Wraps a security context into the KeycloakPrincipal exposed to the container. */
public static KeycloakPrincipal<RefreshableKeycloakSecurityContext> createPrincipal(KeycloakDeployment deployment, RefreshableKeycloakSecurityContext securityContext);
/** Adds the deployment's client credentials to the outgoing headers and/or params (presumably depending on the configured credential type — confirm). The populated maps then contain a secret and should not be logged. */
public static void setClientCredentials(KeycloakDeployment deployment, Map<String, String> headers, Map<String, String> params);
}
/** Helper for JSON HTTP calls to the Keycloak server using the deployment's HTTP client. */
public class HttpAdapterUtils {
/** Sends the request and deserializes the JSON response body into clazz; failures surface as HttpClientAdapterException. */
public static <T> T sendJsonHttpRequest(KeycloakDeployment deployment, HttpRequestBase httpRequest, Class<T> clazz) throws HttpClientAdapterException;
}
/**
 * Result of a request authenticator's authenticate() call. Only AUTHENTICATED means a verified
 * token is available (the page's example reads the token only in that case); NOT_ATTEMPTED
 * and FAILED must both be treated as "not authenticated".
 */
public enum AuthOutcome {
AUTHENTICATED, NOT_ATTEMPTED, FAILED
}
/**
 * The response an authenticator wants sent when a request is not authenticated; what exactly
 * is sent (status, headers, redirect) depends on the authenticator that produced it.
 */
public interface AuthChallenge {
/** Writes the challenge to the response; the boolean presumably reports whether a challenge was sent — confirm. */
boolean challenge(HttpFacade exchange);
/** HTTP status code of the challenge. */
int getResponseCode();
/** OAuth-style error code, if any. */
String getError();
/** Human-readable error description, if any; avoid echoing it to end users unchecked if it may contain server details. */
String getErrorDescription();
}
/**
 * Describes why OIDC authentication of a request failed: a categorical Reason plus a free-text
 * description. Useful for logging and for choosing the challenge; the description should not be
 * assumed safe to show to end users.
 */
public class OIDCAuthenticationError {
/** Failure categories reported by the adapter. */
public enum Reason {
NO_BEARER_TOKEN, INVALID_STATE_COOKIE, OAUTH_ERROR,
SSL_REQUIRED, CODE_TO_TOKEN_FAILURE, INVALID_TOKEN,
STALE_TOKEN, NO_AUTHORIZATION_HEADER
}
public OIDCAuthenticationError(Reason reason, String description);
/** Category of the failure. */
public Reason getReason();
/** Free-text detail for the failure. */
public String getDescription();
}
/** Checked exception thrown by HttpAdapterUtils.sendJsonHttpRequest() for failed server calls. */
public class HttpClientAdapterException extends Exception {
public HttpClientAdapterException(String message);
/** Preferred constructor when wrapping a lower-level failure: keeps the cause for diagnosis. */
public HttpClientAdapterException(String message, Throwable t);
}
/**
 * Header-name constants for CORS handling. Standard browser rules apply when these are set:
 * Access-Control-Allow-Origin must be a specific allowed origin (not "*") whenever
 * Access-Control-Allow-Credentials is "true", and the allowed origin list should be a
 * configured allow-list rather than an echo of the incoming Origin header.
 */
public interface CorsHeaders {
String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
// Request-side headers sent by the browser (Origin on every cross-origin request, the two
// Access-Control-Request-* headers on preflights).
String ORIGIN = "Origin";
String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
}