OID4VCTargetRoleMapper.java
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.protocol.oid4vc.issuance.mappers;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.oid4vc.OID4VCLoginProtocolFactory;
import org.keycloak.protocol.oid4vc.model.Role;
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.provider.ProviderConfigProperty;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
/**
* Adds the users roles to the credential subject
*
* @author <a href="https://github.com/wistefan">Stefan Wiedemann</a>
*/
public class OID4VCTargetRoleMapper extends OID4VCMapper {
private static final Logger LOGGER = Logger.getLogger(OID4VCTargetRoleMapper.class);
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
public static final String MAPPER_ID = "oid4vc-target-role-mapper";
public static final String SUBJECT_PROPERTY_CONFIG_KEY = "subjectProperty";
public static final String CLIENT_CONFIG_KEY = "clientId";
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();
static {
ProviderConfigProperty subjectPropertyNameConfig = new ProviderConfigProperty();
subjectPropertyNameConfig.setName(SUBJECT_PROPERTY_CONFIG_KEY);
subjectPropertyNameConfig.setLabel("Roles Property Name");
subjectPropertyNameConfig.setHelpText("Property to add the roles to in the credential subject.");
subjectPropertyNameConfig.setDefaultValue("roles");
subjectPropertyNameConfig.setType(ProviderConfigProperty.STRING_TYPE);
CONFIG_PROPERTIES.add(subjectPropertyNameConfig);
}
@Override
protected List<ProviderConfigProperty> getIndividualConfigProperties() {
return CONFIG_PROPERTIES;
}
@Override
public String getDisplayType() {
return "Target-Role Mapper";
}
@Override
public String getHelpText() {
return "Map the assigned role to the credential subject, providing the client id as the target.";
}
public static ProtocolMapperModel create(String clientId, String name) {
var mapperModel = new ProtocolMapperModel();
mapperModel.setName(name);
Map<String, String> configMap = new HashMap<>();
configMap.put(SUBJECT_PROPERTY_CONFIG_KEY, "roles");
configMap.put(CLIENT_CONFIG_KEY, clientId);
mapperModel.setConfig(configMap);
mapperModel.setProtocol(OID4VCLoginProtocolFactory.PROTOCOL_ID);
mapperModel.setProtocolMapper(MAPPER_ID);
return mapperModel;
}
@Override
public ProtocolMapper create(KeycloakSession session) {
return new OID4VCTargetRoleMapper();
}
@Override
public String getId() {
return MAPPER_ID;
}
@Override
public void setClaimsForCredential(VerifiableCredential verifiableCredential,
UserSessionModel userSessionModel) {
// nothing to do for the mapper.
}
@Override
public void setClaimsForSubject(Map<String, Object> claims,
UserSessionModel userSessionModel) {
String client = mapperModel.getConfig().get(CLIENT_CONFIG_KEY);
String propertyName = mapperModel.getConfig().get(SUBJECT_PROPERTY_CONFIG_KEY);
ClientModel clientModel = userSessionModel.getRealm().getClientByClientId(client);
if (clientModel == null || !clientModel.getProtocol().equals(OID4VCLoginProtocolFactory.PROTOCOL_ID)) {
return;
}
ClientRoleModel clientRoleModel = new ClientRoleModel(clientModel.getClientId(),
userSessionModel.getUser().getClientRoleMappingsStream(clientModel).toList());
Role rolesClaim = toRolesClaim(clientRoleModel);
if (rolesClaim.getNames().isEmpty()) {
return;
}
var modelMap = OBJECT_MAPPER.convertValue(toRolesClaim(clientRoleModel), Map.class);
if (claims.containsKey(propertyName)) {
if (claims.get(propertyName) instanceof Set rolesProperty) {
rolesProperty.add(modelMap);
claims.put(propertyName, rolesProperty);
} else {
LOGGER.warnf("Incompatible types for property %s. The mapper will not set the roles for client %s",
propertyName, client);
}
} else {
// needs to be mutable
Set roles = new HashSet();
roles.add(modelMap);
claims.put(propertyName, roles);
}
}
private Role toRolesClaim(ClientRoleModel crm) {
Set<String> roleNames = crm
.getRoleModels()
.stream()
.map(RoleModel::getName)
.collect(Collectors.toSet());
return new Role(roleNames, crm.getClientId());
}
private static class ClientRoleModel {
private final String clientId;
private final List<RoleModel> roleModels;
public ClientRoleModel(String clientId, List<RoleModel> roleModels) {
this.clientId = clientId;
this.roleModels = roleModels;
}
public String getClientId() {
return clientId;
}
public List<RoleModel> getRoleModels() {
return roleModels;
}
}
}