tessl/maven-org-keycloak--keycloak-server-spi
Service Provider Interface (SPI) contracts and abstractions for the Keycloak identity and access management server enabling extensibility through custom providers
—
Pending
core-models.mddocs/
Core Models
The core model interfaces represent the primary entities in Keycloak: realms, users, clients, roles, and groups. These interfaces define the contract for accessing and manipulating these entities through various provider implementations.
Realm Model
RealmModel
Represents a Keycloak realm and extends role container functionality.
public interface RealmModel extends RoleContainerModel {
Comparator<RealmModel> COMPARE_BY_NAME = Comparator.comparing(RealmModel::getName);
// Basic realm properties
String getId();
String getName();
void setName(String name);
String getDisplayName();
void setDisplayName(String displayName);
String getDisplayNameHtml();
void setDisplayNameHtml(String displayNameHtml);
boolean isEnabled();
void setEnabled(boolean enabled);
// SSL configuration
SslRequired getSslRequired();
void setSslRequired(SslRequired sslRequired);
// Registration and login settings
boolean isRegistrationAllowed();
void setRegistrationAllowed(boolean registrationAllowed);
boolean isRegistrationEmailAsUsername();
void setRegistrationEmailAsUsername(boolean registrationEmailAsUsername);
boolean isRememberMe();
void setRememberMe(boolean rememberMe);
boolean isVerifyEmail();
void setVerifyEmail(boolean verifyEmail);
boolean isLoginWithEmailAllowed();
void setLoginWithEmailAllowed(boolean loginWithEmailAllowed);
boolean isDuplicateEmailsAllowed();
void setDuplicateEmailsAllowed(boolean duplicateEmailsAllowed);
boolean isResetPasswordAllowed();
void setResetPasswordAllowed(boolean resetPasswordAllowed);
// User profile and attributes
boolean isEditUsernameAllowed();
void setEditUsernameAllowed(boolean editUsernameAllowed);
boolean isUserManagedAccessAllowed();
void setUserManagedAccessAllowed(boolean userManagedAccessAllowed);
// Session timeouts
int getSsoSessionIdleTimeout();
void setSsoSessionIdleTimeout(int seconds);
int getSsoSessionMaxLifespan();
void setSsoSessionMaxLifespan(int seconds);
int getSsoSessionIdleTimeoutRememberMe();
void setSsoSessionIdleTimeoutRememberMe(int seconds);
int getSsoSessionMaxLifespanRememberMe();
void setSsoSessionMaxLifespanRememberMe(int seconds);
int getOfflineSessionIdleTimeout();
void setOfflineSessionIdleTimeout(int seconds);
int getOfflineSessionMaxLifespanEnabled();
void setOfflineSessionMaxLifespanEnabled(boolean offlineSessionMaxLifespanEnabled);
int getOfflineSessionMaxLifespan();
void setOfflineSessionMaxLifespan(int seconds);
int getClientSessionIdleTimeout();
void setClientSessionIdleTimeout(int seconds);
int getClientSessionMaxLifespan();
void setClientSessionMaxLifespan(int seconds);
int getClientOfflineSessionIdleTimeout();
void setClientOfflineSessionIdleTimeout(int seconds);
int getClientOfflineSessionMaxLifespan();
void setClientOfflineSessionMaxLifespan(int seconds);
// Access token timeouts
int getAccessTokenLifespan();
void setAccessTokenLifespan(int seconds);
int getAccessTokenLifespanForImplicitFlow();
void setAccessTokenLifespanForImplicitFlow(int seconds);
int getAccessCodeLifespan();
void setAccessCodeLifespan(int seconds);
int getAccessCodeLifespanUserAction();
void setAccessCodeLifespanUserAction(int seconds);
int getAccessCodeLifespanLogin();
void setAccessCodeLifespanLogin(int seconds);
int getActionTokenGeneratedByAdminLifespan();
void setActionTokenGeneratedByAdminLifespan(int seconds);
int getActionTokenGeneratedByUserLifespan();
void setActionTokenGeneratedByUserLifespan(int seconds);
// Client and authentication settings
Map<String, String> getBrowserSecurityHeaders();
void setBrowserSecurityHeaders(Map<String, String> headers);
void setBrowserSecurityHeader(String name, String value);
Map<String, String> getSmtpConfig();
void setSmtpConfig(Map<String, String> smtpConfig);
// OTP Policy
OTPPolicy getOTPPolicy();
void setOTPPolicy(OTPPolicy policy);
// WebAuthn Policy
WebAuthnPolicy getWebAuthnPolicy();
void setWebAuthnPolicy(WebAuthnPolicy policy);
WebAuthnPolicy getWebAuthnPolicyPasswordless();
void setWebAuthnPolicyPasswordless(WebAuthnPolicy policy);
// Client management
Stream<ClientModel> getClientsStream();
Stream<ClientModel> getClientsStream(Integer firstResult, Integer maxResults);
Long getClientsCount();
Stream<ClientModel> getAlwaysDisplayInConsoleClientsStream();
ClientModel addClient(String name);
ClientModel addClient(String id, String clientId);
boolean removeClient(String id);
ClientModel getClientById(String id);
ClientModel getClientByClientId(String clientId);
// Group management
void moveGroup(GroupModel group, GroupModel toParent);
Stream<GroupModel> getGroupsStream();
Stream<GroupModel> getTopLevelGroupsStream();
Stream<GroupModel> getTopLevelGroupsStream(String search);
Stream<GroupModel> getTopLevelGroupsStream(String search, Integer firstResult, Integer maxResults);
boolean removeGroup(GroupModel group);
GroupModel createGroup(String id, String name, GroupModel toParent);
GroupModel createGroup(String name);
GroupModel createGroup(String id, String name);
GroupModel getGroupById(String id);
Stream<GroupModel> searchForGroupByNameStream(String search, Integer firstResult, Integer maxResults);
Long getGroupsCount(Boolean onlyTopGroups);
Long getGroupsCountByNameContaining(String search);
// Identity providers
Stream<IdentityProviderModel> getIdentityProvidersStream();
IdentityProviderModel getIdentityProviderByAlias(String alias);
void addIdentityProvider(IdentityProviderModel identityProvider);
void removeIdentityProviderByAlias(String alias);
void updateIdentityProvider(IdentityProviderModel identityProvider);
Stream<IdentityProviderMapperModel> getIdentityProviderMappersStream();
Stream<IdentityProviderMapperModel> getIdentityProviderMappersByAliasStream(String brokerAlias);
IdentityProviderMapperModel addIdentityProviderMapper(IdentityProviderMapperModel model);
void removeIdentityProviderMapper(IdentityProviderMapperModel mapping);
void updateIdentityProviderMapper(IdentityProviderMapperModel mapping);
IdentityProviderMapperModel getIdentityProviderMapperById(String id);
IdentityProviderMapperModel getIdentityProviderMapperByName(String brokerAlias, String name);
// Authentication flows
Stream<AuthenticationFlowModel> getAuthenticationFlowsStream();
AuthenticationFlowModel getFlowByAlias(String alias);
AuthenticationFlowModel addAuthenticationFlow(AuthenticationFlowModel model);
AuthenticationFlowModel getAuthenticationFlowById(String id);
void removeAuthenticationFlow(AuthenticationFlowModel model);
void updateAuthenticationFlow(AuthenticationFlowModel model);
Stream<AuthenticationExecutionModel> getAuthenticationExecutionsStream(String flowId);
AuthenticationExecutionModel getAuthenticationExecutionById(String id);
AuthenticationExecutionModel getAuthenticationExecutionByFlowId(String flowId);
AuthenticationExecutionModel addAuthenticatorExecution(AuthenticationExecutionModel model);
void updateAuthenticatorExecution(AuthenticationExecutionModel model);
void removeAuthenticatorExecution(AuthenticationExecutionModel model);
Stream<AuthenticatorConfigModel> getAuthenticatorConfigsStream();
AuthenticatorConfigModel addAuthenticatorConfig(AuthenticatorConfigModel model);
void updateAuthenticatorConfig(AuthenticatorConfigModel model);
void removeAuthenticatorConfig(AuthenticatorConfigModel model);
AuthenticatorConfigModel getAuthenticatorConfigById(String id);
AuthenticatorConfigModel getAuthenticatorConfigByAlias(String alias);
// Required actions
Stream<RequiredActionProviderModel> getRequiredActionProvidersStream();
RequiredActionProviderModel addRequiredActionProvider(RequiredActionProviderModel model);
void updateRequiredActionProvider(RequiredActionProviderModel model);
void removeRequiredActionProvider(RequiredActionProviderModel model);
RequiredActionProviderModel getRequiredActionProviderById(String id);
RequiredActionProviderModel getRequiredActionProviderByAlias(String alias);
// Component management
String getId();
void addComponent(ComponentModel component);
void updateComponent(ComponentModel component);
void removeComponent(ComponentModel component);
void removeComponents(String parentId);
Stream<ComponentModel> getComponentsStream(String parentId, String providerType);
Stream<ComponentModel> getComponentsStream(String parentId);
Stream<ComponentModel> getComponentsStream();
ComponentModel getComponent(String id);
// Client scopes
Stream<ClientScopeModel> getClientScopesStream();
ClientScopeModel addClientScope(String name);
ClientScopeModel addClientScope(String id, String name);
boolean removeClientScope(String id);
ClientScopeModel getClientScopeById(String id);
void addDefaultClientScope(ClientScopeModel clientScope, boolean defaultScope);
void removeDefaultClientScope(ClientScopeModel clientScope);
Stream<ClientScopeModel> getDefaultClientScopesStream(boolean defaultScope);
// Attributes
void setSingleAttribute(String name, String value);
void setAttribute(String name, List<String> values);
void removeAttribute(String name);
String getFirstAttribute(String name);
Stream<String> getAttributeStream(String name);
Map<String, List<String>> getAttributes();
// Localization
boolean isInternationalizationEnabled();
void setInternationalizationEnabled(boolean enabled);
Set<String> getSupportedLocales();
void setSupportedLocales(Set<String> locales);
String getDefaultLocale();
void setDefaultLocale(String locale);
// Events configuration
Set<String> getEventsListeners();
void setEventsListeners(Set<String> listeners);
boolean isEventsEnabled();
void setEventsEnabled(boolean enabled);
long getEventsExpiration();
void setEventsExpiration(long expiration);
Set<String> getEnabledEventTypes();
void setEnabledEventTypes(Set<String> enabledEventTypes);
boolean isAdminEventsEnabled();
void setAdminEventsEnabled(boolean enabled);
boolean isAdminEventsDetailsEnabled();
void setAdminEventsDetailsEnabled(boolean enabled);
// Master realm admin client
ClientModel getMasterAdminClient();
void setMasterAdminClient(ClientModel client);
// Login theme
String getLoginTheme();
void setLoginTheme(String name);
String getAccountTheme();
void setAccountTheme(String name);
String getAdminTheme();
void setAdminTheme(String name);
String getEmailTheme();
void setEmailTheme(String name);
// Password policy
PasswordPolicy getPasswordPolicy();
void setPasswordPolicy(PasswordPolicy policy);
// OAuth2 Device Flow
OAuth2DeviceConfig getOAuth2DeviceConfig();
// CIBA Config
CibaConfig getCibaPolicy();
// PAR Config
ParConfig getParPolicy();
// Default signature algorithm
String getDefaultSignatureAlgorithm();
void setDefaultSignatureAlgorithm(String defaultSignatureAlgorithm);
// Browser flow
AuthenticationFlowModel getBrowserFlow();
void setBrowserFlow(AuthenticationFlowModel flow);
// Registration flow
AuthenticationFlowModel getRegistrationFlow();
void setRegistrationFlow(AuthenticationFlowModel flow);
// Direct grant flow
AuthenticationFlowModel getDirectGrantFlow();
void setDirectGrantFlow(AuthenticationFlowModel flow);
// Reset credentials flow
AuthenticationFlowModel getResetCredentialsFlow();
void setResetCredentialsFlow(AuthenticationFlowModel flow);
// Client authentication flow
AuthenticationFlowModel getClientAuthenticationFlow();
void setClientAuthenticationFlow(AuthenticationFlowModel flow);
// Docker authentication flow
AuthenticationFlowModel getDockerAuthenticationFlow();
void setDockerAuthenticationFlow(AuthenticationFlowModel flow);
}User Model
UserModel
Represents a user in Keycloak.
public interface UserModel extends RoleMapperModel {
// Standard user attributes
String USERNAME = "username";
String FIRST_NAME = "firstName";
String LAST_NAME = "lastName";
String EMAIL = "email";
String EMAIL_VERIFIED = "emailVerified";
String LOCALE = "locale";
String ENABLED = "enabled";
String DISABLED_REASON = "disabledReason";
// Query parameters
String IDP_ALIAS = "keycloak.session.realm.users.query.idp_alias";
String IDP_USER_ID = "keycloak.session.realm.users.query.idp_user_id";
String INCLUDE_SERVICE_ACCOUNT = "keycloak.session.realm.users.query.include_service_account";
String GROUPS = "keycloak.session.realm.users.query.groups";
String SEARCH = "keycloak.session.realm.users.query.search";
String EXACT = "keycloak.session.realm.users.query.exact";
Comparator<UserModel> COMPARE_BY_USERNAME = Comparator.comparing(UserModel::getUsername, String.CASE_INSENSITIVE_ORDER);
// Basic user properties
String getId();
String getUsername();
void setUsername(String username);
Long getCreatedTimestamp();
void setCreatedTimestamp(Long timestamp);
boolean isEnabled();
void setEnabled(boolean enabled);
// Name properties
String getFirstName();
void setFirstName(String firstName);
String getLastName();
void setLastName(String lastName);
// Email properties
String getEmail();
void setEmail(String email);
boolean isEmailVerified();
void setEmailVerified(boolean verified);
// Attributes
void setSingleAttribute(String name, String value);
void setAttribute(String name, List<String> values);
void removeAttribute(String name);
String getFirstAttribute(String name);
Stream<String> getAttributeStream(String name);
Map<String, List<String>> getAttributes();
List<String> getAttribute(String name);
// Required actions
Stream<String> getRequiredActionsStream();
void addRequiredAction(String action);
void removeRequiredAction(String action);
void addRequiredAction(RequiredAction action);
void removeRequiredAction(RequiredAction action);
// Federated identity
Stream<FederatedIdentityModel> getFederatedIdentitiesStream();
void addFederatedIdentity(FederatedIdentityModel socialLink);
boolean removeFederatedIdentity(String socialProvider);
FederatedIdentityModel getFederatedIdentity(String socialProvider);
// Service account client
String getServiceAccountClientLink();
void setServiceAccountClientLink(String clientInternalId);
// Credential manager
SubjectCredentialManager credentialManager();
// Groups
Stream<GroupModel> getGroupsStream();
Stream<GroupModel> getGroupsStream(String search, Integer firstResult, Integer maxResults);
Long getGroupsCount();
Long getGroupsCountByNameContaining(String search);
void joinGroup(GroupModel group);
void leaveGroup(GroupModel group);
boolean isMemberOf(GroupModel group);
// Consents
void addConsent(UserConsentModel consent);
UserConsentModel getConsentByClient(String clientInternalId);
Stream<UserConsentModel> getConsentsStream();
void updateConsent(UserConsentModel consent);
boolean revokeConsentForClient(String clientInternalId);
// User profile decorator
default UserModel getDelegateForUpdate() {
return this;
}
}Client Model
ClientModel
Represents an OAuth2/OIDC client.
public interface ClientModel extends ProtocolMapperContainerModel, ScopeContainerModel, RoleContainerModel {
// Client types
String OAUTH = "oauth";
String SAML = "saml";
String OIDC = "openid-connect";
// Basic client properties
String getId();
String getClientId();
void setClientId(String clientId);
String getName();
void setName(String name);
String getDescription();
void setDescription(String description);
boolean isEnabled();
void setEnabled(boolean enabled);
boolean isAlwaysDisplayInConsole();
void setAlwaysDisplayInConsole(boolean alwaysDisplayInConsole);
// Client authentication
String getClientAuthenticatorType();
void setClientAuthenticatorType(String clientAuthenticatorType);
String getSecret();
void setSecret(String secret);
String getRegistrationToken();
void setRegistrationToken(String registrationToken);
// Protocol
String getProtocol();
void setProtocol(String protocol);
// URLs
String getBaseUrl();
void setBaseUrl(String url);
String getRootUrl();
void setRootUrl(String url);
String getManagementUrl();
void setManagementUrl(String url);
String getOrigin();
void setOrigin(String origin);
Set<String> getRedirectUris();
void setRedirectUris(Set<String> redirectUris);
void addRedirectUri(String redirectUri);
void removeRedirectUri(String redirectUri);
Set<String> getWebOrigins();
void setWebOrigins(Set<String> webOrigins);
void addWebOrigin(String webOrigin);
void removeWebOrigin(String webOrigin);
// Client type settings
boolean isPublicClient();
void setPublicClient(boolean flag);
boolean isFrontchannelLogout();
void setFrontchannelLogout(boolean flag);
boolean isFullScopeAllowed();
void setFullScopeAllowed(boolean value);
boolean isBearerOnly();
void setBearerOnly(boolean only);
boolean isConsentRequired();
void setConsentRequired(boolean consentRequired);
boolean isStandardFlowEnabled();
void setStandardFlowEnabled(boolean standardFlowEnabled);
boolean isImplicitFlowEnabled();
void setImplicitFlowEnabled(boolean implicitFlowEnabled);
boolean isDirectAccessGrantsEnabled();
void setDirectAccessGrantsEnabled(boolean directAccessGrantsEnabled);
boolean isServiceAccountsEnabled();
void setServiceAccountsEnabled(boolean serviceAccountsEnabled);
// Advanced settings
int getNodeReRegistrationTimeout();
void setNodeReRegistrationTimeout(int timeout);
int getNotBefore();
void setNotBefore(int notBefore);
// Attributes
void setSingleAttribute(String name, String value);
void setAttribute(String name, List<String> values);
void removeAttribute(String name);
String getFirstAttribute(String name);
Stream<String> getAttributeStream(String name);
Map<String, List<String>> getAttributes();
// Authentication flow overrides
String getAuthenticationFlowBindingOverride(String binding);
Map<String, String> getAuthenticationFlowBindingOverrides();
void removeAuthenticationFlowBindingOverride(String binding);
void setAuthenticationFlowBindingOverride(String binding, String flowId);
// Client scopes
Stream<ClientScopeModel> getClientScopes(boolean defaultScope);
void addClientScope(ClientScopeModel clientScope, boolean defaultScope);
void addClientScopes(Set<ClientScopeModel> clientScopes, boolean defaultScope);
void removeClientScope(ClientScopeModel clientScope);
// Service account user
UserModel getServiceAccountUser();
// Client template (legacy)
String getClientTemplate();
void setClientTemplate(String clientTemplate);
boolean useTemplateConfig();
void setUseTemplateConfig(boolean useTemplateConfig);
boolean useTemplateScope();
void setUseTemplateScope(boolean useTemplateScope);
boolean useTemplateMappers();
void setUseTemplateMappers(boolean useTemplateMappers);
}Role Model
RoleModel
Represents a role in Keycloak.
public interface RoleModel {
String getId();
String getName();
void setName(String name);
String getDescription();
void setDescription(String description);
boolean isComposite();
void addCompositeRole(RoleModel role);
void removeCompositeRole(RoleModel role);
Stream<RoleModel> getCompositesStream();
Stream<RoleModel> getCompositesStream(String search, Integer first, Integer max);
boolean isClientRole();
String getContainerId();
RoleContainerModel getContainer();
boolean hasRole(RoleModel role);
// Attributes
void setSingleAttribute(String name, String value);
void setAttribute(String name, List<String> values);
void removeAttribute(String name);
String getFirstAttribute(String name);
Stream<String> getAttributeStream(String name);
Map<String, List<String>> getAttributes();
}Group Model
GroupModel
Represents a user group.
public interface GroupModel extends RoleMapperModel {
String getId();
String getName();
void setName(String name);
// Parent-child relationships
GroupModel getParent();
String getParentId();
Stream<GroupModel> getSubGroupsStream();
Stream<GroupModel> getSubGroupsStream(String search, Integer firstResult, Integer maxResults);
void setParent(GroupModel group);
void addChild(GroupModel subGroup);
void removeChild(GroupModel subGroup);
// Attributes
void setSingleAttribute(String name, String value);
void setAttribute(String name, List<String> values);
void removeAttribute(String name);
String getFirstAttribute(String name);
Stream<String> getAttributeStream(String name);
Map<String, List<String>> getAttributes();
}Usage Examples
Working with Realms
// Get realm by name
RealmModel realm = session.realms().getRealmByName("myrealm");
// Create new realm
RealmModel newRealm = session.realms().createRealm("newrealm");
newRealm.setDisplayName("My New Realm");
newRealm.setEnabled(true);
newRealm.setSslRequired(SslRequired.EXTERNAL);
// Configure realm settings
newRealm.setRegistrationAllowed(true);
newRealm.setResetPasswordAllowed(true);
newRealm.setLoginWithEmailAllowed(true);
newRealm.setSsoSessionIdleTimeout(1800); // 30 minutes
// Set attributes
newRealm.setSingleAttribute("customAttribute", "value");Working with Users
// Get user by username
UserModel user = session.users().getUserByUsername(realm, "john");
// Create new user
UserModel newUser = session.users().addUser(realm, "jane");
newUser.setFirstName("Jane");
newUser.setLastName("Doe");
newUser.setEmail("jane@example.com");
newUser.setEnabled(true);
// Set user attributes
newUser.setSingleAttribute("department", "Engineering");
newUser.setAttribute("skills", Arrays.asList("Java", "JavaScript", "Python"));
// Add required actions
newUser.addRequiredAction(RequiredAction.UPDATE_PASSWORD);
newUser.addRequiredAction(RequiredAction.VERIFY_EMAIL);
// Group membership
GroupModel developers = realm.getGroupById("developers-group-id");
newUser.joinGroup(developers);Working with Clients
// Create OIDC client
ClientModel client = realm.addClient("my-app");
client.setName("My Application");
client.setProtocol("openid-connect");
client.setClientId("my-app");
client.setSecret("client-secret");
// Configure client settings
client.setPublicClient(false);
client.setStandardFlowEnabled(true);
client.setDirectAccessGrantsEnabled(true);
client.setServiceAccountsEnabled(true);
// Set redirect URIs
client.addRedirectUri("https://myapp.com/callback");
client.addRedirectUri("http://localhost:8080/callback");
// Set web origins
client.addWebOrigin("https://myapp.com");
client.addWebOrigin("http://localhost:8080");
// Custom attributes
client.setSingleAttribute("app.version", "1.0.0");Working with Roles
// Create realm role
RoleModel adminRole = realm.addRole("admin");
adminRole.setDescription("Administrator role");
// Create client role
ClientModel myApp = realm.getClientByClientId("my-app");
RoleModel appUserRole = myApp.addRole("user");
appUserRole.setDescription("Application user role");
// Create composite role
RoleModel superAdminRole = realm.addRole("super-admin");
superAdminRole.addCompositeRole(adminRole);
superAdminRole.addCompositeRole(appUserRole);
// Grant role to user
UserModel user = session.users().getUserByUsername(realm, "john");
user.grantRole(adminRole);Working with Groups
// Create top-level group
GroupModel engineering = realm.createGroup("engineering");
engineering.setSingleAttribute("department", "Engineering");
// Create subgroup
GroupModel backend = realm.createGroup("backend-team");
backend.setParent(engineering);
// Add user to group
UserModel developer = session.users().getUserByUsername(realm, "alice");
developer.joinGroup(backend);
// Grant role to group
RoleModel developerRole = realm.addRole("developer");
backend.grantRole(developerRole);Install with Tessl CLI
npx tessl i tessl/maven-org-keycloak--keycloak-server-spi