CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/maven-org-keycloak--keycloak-common

Common library and dependencies shared with server and all adapters for the Keycloak identity and access management system

Pending
Overview
Eval results
Files

constants-configuration.mddocs/

Constants and Configuration

This document covers the constants and configuration classes in the org.keycloak.common.constants package that provide predefined values for protocols, authentication mechanisms, and service configurations.

Generic Constants

The GenericConstants class provides general-purpose constants used throughout Keycloak.

public class GenericConstants {
    /**
     * Protocol prefix for classpath resources
     */
    public static final String PROTOCOL_CLASSPATH = "classpath:";
}

Usage Examples

// Use classpath protocol
String configPath = GenericConstants.PROTOCOL_CLASSPATH + "keycloak.conf";

// Check for classpath resources
if (resourceUrl.startsWith(GenericConstants.PROTOCOL_CLASSPATH)) {
    // Handle classpath resource loading
}

Kerberos Constants

The KerberosConstants class provides constants for Kerberos/SPNEGO authentication configuration and processing.

Protocol and OID Constants

public class KerberosConstants {
    // HTTP authentication constants
    public static final String NEGOTIATE = "Negotiate";
    
    // SPNEGO and Kerberos OIDs
    public static final Oid SPNEGO_OID; // 1.3.6.1.5.5.2
    public static final Oid KRB5_OID;   // 1.2.840.113554.1.2.2  
    public static final Oid KRB5_NAME_OID; // 1.2.840.113554.1.2.2.1
}

Configuration Constants

public class KerberosConstants {
    // Main configuration properties
    public static final String ALLOW_KERBEROS_AUTHENTICATION = "allowKerberosAuthentication";
    public static final String KERBEROS_REALM = "kerberosRealm";
    public static final String SERVER_PRINCIPAL = "serverPrincipal";
    public static final String KEYTAB = "keyTab";
    public static final String DEBUG = "debug";
    
    // User attribute configuration
    public static final String KERBEROS_PRINCIPAL_ATTRIBUTE = "krbPrincipalAttribute";
    
    // Authentication mode configuration
    public static final String ALLOW_PASSWORD_AUTHENTICATION = "allowPasswordAuthentication";
    public static final String UPDATE_PROFILE_FIRST_LOGIN = "updateProfileFirstLogin";
    public static final String USE_KERBEROS_FOR_PASSWORD_AUTHENTICATION = "useKerberosForPasswordAuthentication";
}

Internal Processing Constants

public class KerberosConstants {
    // Internal SPNEGO processing
    public static final String RESPONSE_TOKEN = "SpnegoResponseToken";
    public static final String GSS_DELEGATION_CREDENTIAL = "gss_delegation_credential";
    public static final String GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME = "gss delegation credential";
    public static final String AUTHENTICATED_SPNEGO_CONTEXT = "authenticatedSpnegoContext";
    public static final String KERBEROS_PRINCIPAL = "KERBEROS_PRINCIPAL";
}

Usage Examples

// Configure Kerberos authentication
Properties config = new Properties();
config.setProperty(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true");
config.setProperty(KerberosConstants.KERBEROS_REALM, "EXAMPLE.COM");
config.setProperty(KerberosConstants.SERVER_PRINCIPAL, "HTTP/server.example.com");
config.setProperty(KerberosConstants.KEYTAB, "/etc/krb5.keytab");

// Check for SPNEGO authentication
String authHeader = request.getHeader("Authorization");
if (authHeader != null && authHeader.startsWith(KerberosConstants.NEGOTIATE)) {
    // Process SPNEGO authentication
}

// Handle Kerberos delegation credentials
Object credential = context.getAttribute(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
if (credential != null) {
    // Use delegated credential
}

// Set Kerberos principal in session
session.setAttribute(KerberosConstants.KERBEROS_PRINCIPAL, principalName);

Service Account Constants

The ServiceAccountConstants interface provides constants for service account functionality and protocol mapping.

Core Service Account Constants

public interface ServiceAccountConstants {
    // Authentication and scope constants
    String CLIENT_AUTH = "client_auth";
    String SERVICE_ACCOUNT_SCOPE = "service_account";
    
    // Service account user naming
    String SERVICE_ACCOUNT_USER_PREFIX = "service-account-";
    
    // Client identification
    String CLIENT_ID = "client_id";
}

Protocol Mapper Constants

public interface ServiceAccountConstants {
    // Protocol mapper names
    String CLIENT_ID_PROTOCOL_MAPPER = "Client ID";
    String CLIENT_HOST_PROTOCOL_MAPPER = "Client Host";
    String CLIENT_ADDRESS_PROTOCOL_MAPPER = "Client IP Address";
    
    // Session note keys
    String CLIENT_ID_SESSION_NOTE = "clientId";
    
    // Client connection attributes
    String CLIENT_HOST = "clientHost";
    String CLIENT_ADDRESS = "clientAddress";
}

Usage Examples

// Generate service account username
String clientId = "my-service";
String serviceAccountUsername = ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + clientId;
// Result: "service-account-my-service"

// Check for service account authentication
String grantType = request.getParameter("grant_type");
if (ServiceAccountConstants.CLIENT_AUTH.equals(grantType)) {
    // Handle service account authentication
}

// Configure service account scope
Set<String> scopes = new HashSet<>();
scopes.add(ServiceAccountConstants.SERVICE_ACCOUNT_SCOPE);

// Set client connection information in session notes
Map<String, String> sessionNotes = new HashMap<>();
sessionNotes.put(ServiceAccountConstants.CLIENT_ID_SESSION_NOTE, clientId);
sessionNotes.put(ServiceAccountConstants.CLIENT_HOST, clientHost);
sessionNotes.put(ServiceAccountConstants.CLIENT_ADDRESS, clientAddress);

// Create protocol mapper configuration
Map<String, String> mapperConfig = new HashMap<>();
mapperConfig.put("mapper.name", ServiceAccountConstants.CLIENT_ID_PROTOCOL_MAPPER);
mapperConfig.put("claim.name", ServiceAccountConstants.CLIENT_ID);

// Check for service account user
if (username.startsWith(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX)) {
    String clientId = username.substring(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX.length());
    // Extract original client ID from service account username
}

Configuration Patterns

Kerberos Configuration Pattern

public class KerberosConfig {
    private final Properties config;
    
    public KerberosConfig(Properties properties) {
        this.config = properties;
    }
    
    public boolean isKerberosEnabled() {
        return Boolean.parseBoolean(
            config.getProperty(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "false")
        );
    }
    
    public String getKerberosRealm() {
        return config.getProperty(KerberosConstants.KERBEROS_REALM);
    }
    
    public String getServerPrincipal() {
        return config.getProperty(KerberosConstants.SERVER_PRINCIPAL);
    }
    
    public String getKeytab() {
        return config.getProperty(KerberosConstants.KEYTAB);
    }
    
    public boolean isDebugEnabled() {
        return Boolean.parseBoolean(
            config.getProperty(KerberosConstants.DEBUG, "false")
        );
    }
}

Service Account Utilities

public class ServiceAccountUtils {
    
    public static String generateServiceAccountUsername(String clientId) {
        return ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + clientId;
    }
    
    public static String extractClientIdFromServiceAccount(String username) {
        if (username.startsWith(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX)) {
            return username.substring(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX.length());
        }
        return null;
    }
    
    public static boolean isServiceAccountUser(String username) {
        return username != null && username.startsWith(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX);
    }
    
    public static Map<String, String> createClientSessionNotes(String clientId, String host, String address) {
        Map<String, String> notes = new HashMap<>();
        notes.put(ServiceAccountConstants.CLIENT_ID_SESSION_NOTE, clientId);
        if (host != null) {
            notes.put(ServiceAccountConstants.CLIENT_HOST, host);
        }
        if (address != null) {
            notes.put(ServiceAccountConstants.CLIENT_ADDRESS, address);
        }
        return notes;
    }
}

Protocol Processing Examples

// SPNEGO token processing
public class SpnegoProcessor {
    
    public boolean isSpnegoRequest(HttpServletRequest request) {
        String authHeader = request.getHeader("Authorization");
        return authHeader != null && authHeader.startsWith(KerberosConstants.NEGOTIATE);
    }
    
    public void storeSpnegoResponse(HttpSession session, String responseToken) {
        session.setAttribute(KerberosConstants.RESPONSE_TOKEN, responseToken);
    }
    
    public void storeAuthenticatedContext(HttpSession session, Object context) {
        session.setAttribute(KerberosConstants.AUTHENTICATED_SPNEGO_CONTEXT, context);
    }
}

// Service account token validation
public class ServiceAccountValidator {
    
    public boolean hasServiceAccountScope(Set<String> scopes) {
        return scopes.contains(ServiceAccountConstants.SERVICE_ACCOUNT_SCOPE);
    }
    
    public boolean isClientAuthGrant(String grantType) {
        return ServiceAccountConstants.CLIENT_AUTH.equals(grantType);
    }
}

Install with Tessl CLI

npx tessl i tessl/maven-org-keycloak--keycloak-common

docs

constants-configuration.md

core-functionality.md

crypto-utilities.md

enums-types.md

index.md

profile-management.md

reflection-utilities.md

utility-functions.md

tile.json