ServiceAccountAttributes.java

package org.keycloak.userprofile;

import java.util.List;
import java.util.Map;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;

/**
 * <p>A specific {@link Attributes} implementation to handle service accounts.
 *
 * <p>Service accounts are not regular users, and it should be possible to manage unmanaged attributes but only when
 * operating through the {@link UserProfileContext#USER_API}. Otherwise, administrators will be forced to enable unmanaged
 * attributes by setting a {@link org.keycloak.representations.userprofile.config.UPConfig.UnmanagedAttributePolicy} or
 * end up defining managed attributes that are specific for service accounts in the user profile configuration, which is
 * mainly targeted for regular users.
 *
 *
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
public class ServiceAccountAttributes extends DefaultAttributes {

    public ServiceAccountAttributes(UserProfileContext context, Map<String, ?> attributes, UserModel user,
                                    UserProfileMetadata profileMetadata, KeycloakSession session) {
        super(context, attributes, user, profileMetadata, session);
    }

    @Override
    public boolean isReadOnly(String name) {
        if (UserModel.USERNAME.equals(name)) {
            return true;
        }

        return !UserProfileContext.USER_API.equals(context);
    }

    @Override
    protected AttributeMetadata createUnmanagedAttributeMetadata(String name) {
        return new AttributeMetadata(name, Integer.MAX_VALUE) {
            @Override
            public boolean canView(AttributeContext context) {
                return UserProfileContext.USER_API.equals(context.getContext());
            }

            @Override
            public boolean canEdit(AttributeContext context) {
                return UserProfileContext.USER_API.equals(context.getContext());
            }
        };
    }

    @Override
    protected boolean isAllowUnmanagedAttribute() {
        return UserProfileContext.USER_API.equals(context);
    }

    @Override
    protected void setUserName(Map<String, List<String>> newAttributes, List<String> values) {
        // can not update username for service accounts
    }
}