Revert dynamic grant type resolution

server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantManager.java

@@ -1,110 +0,0 @@
-/*
- * Copyright 2024 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.protocol.oidc.grants;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-
-import org.keycloak.OAuth2Constants;
-import org.keycloak.common.util.MultivaluedHashMap;
-import org.keycloak.events.EventType;
-
-/**
- * A class to register and resolve OAuth 2.0 Grant Type implementations
- *
- * @author <a href="mailto:demetrio@carretti.pro">Dmitry Telegin</a>
- */
-public class OAuth2GrantManager {
-
-    private static final MultivaluedHashMap<String, OAuth2GrantType> GRANT_TYPE_MAP = new MultivaluedHashMap<>();
-    private static final Map<String, EventType> EVENT_TYPE_MAP = new HashMap<>();
-
-    static {
-            EVENT_TYPE_MAP.put(OAuth2Constants.AUTHORIZATION_CODE, EventType.CODE_TO_TOKEN);
-            EVENT_TYPE_MAP.put(OAuth2Constants.REFRESH_TOKEN, EventType.REFRESH_TOKEN);
-            EVENT_TYPE_MAP.put(OAuth2Constants.PASSWORD, EventType.LOGIN);
-            EVENT_TYPE_MAP.put(OAuth2Constants.CLIENT_CREDENTIALS, EventType.CLIENT_LOGIN);
-            EVENT_TYPE_MAP.put(OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE, EventType.TOKEN_EXCHANGE);
-            EVENT_TYPE_MAP.put(OAuth2Constants.UMA_GRANT_TYPE, EventType.PERMISSION_TOKEN);
-            EVENT_TYPE_MAP.put(OAuth2Constants.CIBA_GRANT_TYPE, EventType.AUTHREQID_TO_TOKEN);
-            EVENT_TYPE_MAP.put(OAuth2Constants.DEVICE_CODE_GRANT_TYPE, EventType.OAUTH2_DEVICE_CODE_TO_TOKEN);
-    }
-
-    /**
-     * Register OAuth 2.0 grant type
-     * @param grant grant type to register
-     */
-    public static void register(OAuth2GrantType grant) {
-        GRANT_TYPE_MAP.add(grant.getGrantType(), grant);
-    }
-
-    /**
-     * Resolve grant type implementation from grant type and request context
-     * @param grantType grant type
-     * @param context grant request context
-     * @return grant type implementation
-     */
-    public static Optional<OAuth2GrantType> resolve(String grantType, OAuth2GrantType.Context context) {
-        return resolve(resolve(grantType), context);
-    }
-
-    /**
-     * Return registered implementations for the given grant type
-     * @param grantType grant type
-     * @return list of implementations
-     */
-    public static List<OAuth2GrantType> resolve(String grantType) {
-        return GRANT_TYPE_MAP.get(grantType);
-    }
-
-    /**
-     * Select the "best" grant type implementation from a list of candidates, using supports() and then priority
-     * @param grants a list of candidate implementations
-     * @param context grant request context
-     * @return grant type implementation
-     */
-    public static Optional<OAuth2GrantType> resolve(List<OAuth2GrantType> grants, OAuth2GrantType.Context context) {
-        Optional<OAuth2GrantType> grant;
-
-        switch (grants.size()) {
-            case 0:
-                grant = Optional.empty();
-                break;
-            case 1:
-                grant = Optional.of(grants.get(0));
-                break;
-            default:
-                grant = grants.stream().filter(g -> g.supports(context)).sorted((g1, g2) -> g2.order() - g1.order()).findFirst();
-                break;
-        }
-
-        return grant.map(g -> g.create(context.getSession()));
-    }
-
-    /**
-     * Map well-known OAuth 2.0 grant types to Keycloak event types
-     * @param grantType
-     * @return
-     */
-    public static EventType grantToEvent(String grantType) {
-        return EVENT_TYPE_MAP.getOrDefault(grantType, EventType.OAUTH2_EXTENSION_GRANT);
-    }
-
-}

server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantType.java

@@ -26,6 +26,7 @@ import java.util.Map;
 
 import org.keycloak.common.ClientConnection;
 import org.keycloak.events.EventBuilder;
+import org.keycloak.events.EventType;
 import org.keycloak.http.HttpRequest;
 import org.keycloak.http.HttpResponse;
 import org.keycloak.models.ClientModel;
@@ -44,12 +45,11 @@ import org.keycloak.services.cors.Cors;
 public interface OAuth2GrantType extends Provider, ProviderFactory<OAuth2GrantType> {
 
     /**
-     * Returns the name of the OAuth 2.0 grant type implemented by this provider.
+     * Returns the event type associated with this OAuth 2.0 grant type.
-     * This value will be matched against the "grant_type" token request parameter.
      *
-     * @return grant type name
+     * @return event type
      */
-    String getGrantType();
+    EventType getEventType();
 
     /**
      * Checks if the grant implementation supports the request.

services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

@@ -32,7 +32,6 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.TokenManager;
-import org.keycloak.protocol.oidc.grants.OAuth2GrantManager;
 import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
 import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
 import org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder;
@@ -92,7 +91,6 @@ public class TokenEndpoint {
     private final EventBuilder event;
 
     private String grantType;
-    private List<OAuth2GrantType> grants;
     private OAuth2GrantType grant;
     private OAuth2GrantType.Context context;
 
@@ -140,7 +138,6 @@ public class TokenEndpoint {
 
         context = new OAuth2GrantType.Context(session, clientConfig, clientAuthAttributes, formParams, event, cors, tokenManager, dPoP);
 
-        resolveGrantType();
         grant.setContext(context);
         return grant.process();
     }
@@ -190,19 +187,15 @@ public class TokenEndpoint {
             throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Missing form parameter: " + OIDCLoginProtocol.GRANT_TYPE_PARAM, Response.Status.BAD_REQUEST);
         }
 
-        grants = OAuth2GrantManager.resolve(grantType);
+        grant = session.getProvider(OAuth2GrantType.class, grantType);
-        if (grants.isEmpty()) {
+        if (grant == null) {
             throw newUnsupportedGrantTypeException();
         }
 
-        event.event(OAuth2GrantManager.grantToEvent(grantType));
+        event.event(grant.getEventType());
         event.detail(Details.GRANT_TYPE, grantType);
     }
 
-    private void resolveGrantType() {
-        grant = OAuth2GrantManager.resolve(grants, context).orElseThrow(() -> newUnsupportedGrantTypeException());
-    }
-
     private CorsErrorResponseException newUnsupportedGrantTypeException() {
         return new CorsErrorResponseException(cors, OAuthErrorException.UNSUPPORTED_GRANT_TYPE,
                 "Unsupported " + OIDCLoginProtocol.GRANT_TYPE_PARAM, Status.BAD_REQUEST);

services/src/main/java/org/keycloak/protocol/oidc/grants/AuthorizationCodeGrantType.java

@@ -29,6 +29,7 @@ import org.keycloak.OAuthErrorException;
 import org.keycloak.common.Profile;
 import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.events.Errors;
+import org.keycloak.events.EventType;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientScopeModel;
 import org.keycloak.models.ClientSessionContext;
@@ -56,7 +57,6 @@ import org.keycloak.services.util.DefaultClientSessionContext;
 public class AuthorizationCodeGrantType extends OAuth2GrantTypeBase {
 
     private static final Logger logger = Logger.getLogger(AuthorizationCodeGrantType.class);
-    private static final String PROVIDER_ID = "authorization_code";
 
     @Override
     public Response process() {
@@ -198,12 +198,12 @@ public class AuthorizationCodeGrantType extends OAuth2GrantTypeBase {
     }
 
     @Override
-    public String getId() {
+    public EventType getEventType() {
-        return PROVIDER_ID;
+        return EventType.CODE_TO_TOKEN;
     }
 
     @Override
-    public String getGrantType() {
+    public String getId() {
         return OAuth2Constants.AUTHORIZATION_CODE;
     }
 

services/src/main/java/org/keycloak/protocol/oidc/grants/ClientCredentialsGrantType.java

@@ -27,6 +27,7 @@ import org.keycloak.OAuthErrorException;
 import org.keycloak.common.constants.ServiceAccountConstants;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
+import org.keycloak.events.EventType;
 import org.keycloak.models.ClientSessionContext;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.UserModel;
@@ -56,7 +57,6 @@ import org.keycloak.util.TokenUtil;
  */
 public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
 
-    private static final String PROVIDER_ID = "client_credentials";
     private static final Logger logger = Logger.getLogger(ClientCredentialsGrantType.class);
 
     @Override
@@ -180,12 +180,12 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
     }
 
     @Override
-    public String getId() {
+    public EventType getEventType() {
-        return PROVIDER_ID;
+        return EventType.CLIENT_LOGIN;
     }
 
     @Override
-    public String getGrantType() {
+    public String getId() {
         return OAuth2Constants.CLIENT_CREDENTIALS;
     }
 

services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java

@@ -273,7 +273,6 @@ public abstract class OAuth2GrantTypeBase implements OAuth2GrantType {
 
     @Override
     public void postInit(KeycloakSessionFactory factory) {
-        OAuth2GrantManager.register(this);
     }
 
     @Override

services/src/main/java/org/keycloak/protocol/oidc/grants/PermissionGrantType.java

@@ -29,6 +29,7 @@ import org.keycloak.authorization.authorization.AuthorizationTokenService;
 import org.keycloak.authorization.util.Tokens;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
+import org.keycloak.events.EventType;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.models.ClientModel;
@@ -47,8 +48,6 @@ import org.keycloak.services.managers.AppAuthManager;
  */
 public class PermissionGrantType extends OAuth2GrantTypeBase {
 
-    private static final String PROVIDER_ID = "uma_ticket";
-
     @Override
     public Response process() {
         event.detail(Details.AUTH_METHOD, "oauth_credentials");
@@ -114,8 +113,7 @@ public class PermissionGrantType extends OAuth2GrantTypeBase {
             } else {
                 // Clients need to authenticate in order to obtain a RPT from the server.
                 // In order to support cases where the client is obtaining permissions on its on behalf, we issue a temporary access token
-                Context clientCredentialsContext = new Context(context);
+                OAuth2GrantType clientCredentialsGrant = session.getProvider(OAuth2GrantType.class, OAuth2Constants.CLIENT_CREDENTIALS);
-                OAuth2GrantType clientCredentialsGrant = OAuth2GrantManager.resolve(OAuth2Constants.CLIENT_CREDENTIALS, clientCredentialsContext).get();
                 clientCredentialsGrant.setContext(context);
                 accessTokenString = AccessTokenResponse.class.cast(clientCredentialsGrant.process().getEntity()).getToken();
             }
@@ -187,19 +185,19 @@ public class PermissionGrantType extends OAuth2GrantTypeBase {
         return authorizationResponse;
     }
 
-    @Override
-    public String getGrantType() {
-        return OAuth2Constants.UMA_GRANT_TYPE;
-    }
-
     @Override
     public OAuth2GrantType create(KeycloakSession session) {
         return new PermissionGrantType();
     }
 
+    @Override
+    public EventType getEventType() {
+        return EventType.PERMISSION_TOKEN;
+    }
+
     @Override
     public String getId() {
-        return PROVIDER_ID;
+        return OAuth2Constants.UMA_GRANT_TYPE;
     }
 
 }

services/src/main/java/org/keycloak/protocol/oidc/grants/RefreshTokenGrantType.java

@@ -26,6 +26,7 @@ import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.common.Profile;
 import org.keycloak.events.Errors;
+import org.keycloak.events.EventType;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.UserSessionModel;
@@ -45,7 +46,6 @@ import org.keycloak.services.util.MtlsHoKTokenUtil;
  */
 public class RefreshTokenGrantType extends OAuth2GrantTypeBase {
 
-    private static final String PROVIDER_ID = "refresh_token";
     private static final Logger logger = Logger.getLogger(RefreshTokenGrantType.class);
 
     @Override
@@ -105,19 +105,19 @@ public class RefreshTokenGrantType extends OAuth2GrantTypeBase {
         return cors.builder(Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).build();
     }
 
-    @Override
-    public String getGrantType() {
-        return OAuth2Constants.REFRESH_TOKEN;
-    }
-
     @Override
     public OAuth2GrantType create(KeycloakSession session) {
         return new RefreshTokenGrantType();
     }
 
+    @Override
+    public EventType getEventType() {
+        return EventType.REFRESH_TOKEN;
+    }
+
     @Override
     public String getId() {
-        return PROVIDER_ID;
+        return OAuth2Constants.REFRESH_TOKEN;
     }
 
 }

services/src/main/java/org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.java

@@ -27,6 +27,7 @@ import org.keycloak.OAuthErrorException;
 import org.keycloak.authentication.AuthenticationProcessor;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
+import org.keycloak.events.EventType;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.AuthenticationFlowModel;
 import org.keycloak.models.ClientSessionContext;
@@ -56,7 +57,6 @@ import org.keycloak.util.TokenUtil;
  */
 public class ResourceOwnerPasswordCredentialsGrantType extends OAuth2GrantTypeBase {
 
-    private static final String PROVIDER_ID = "password";
     private static final Logger logger = Logger.getLogger(ResourceOwnerPasswordCredentialsGrantType.class);
 
     @Override
@@ -154,19 +154,19 @@ public class ResourceOwnerPasswordCredentialsGrantType extends OAuth2GrantTypeBa
         return cors.builder(Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).build();
     }
 
-    @Override
-    public String getGrantType() {
-        return OAuth2Constants.PASSWORD;
-    }
-
     @Override
     public OAuth2GrantType create(KeycloakSession session) {
         return new ResourceOwnerPasswordCredentialsGrantType();
     }
 
+    @Override
+    public EventType getEventType() {
+        return EventType.LOGIN;
+    }
+
     @Override
     public String getId() {
-        return PROVIDER_ID;
+        return OAuth2Constants.PASSWORD;
     }
 
 }

services/src/main/java/org/keycloak/protocol/oidc/grants/TokenExchangeGrantType.java

@@ -23,11 +23,11 @@ import jakarta.ws.rs.core.Response;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.common.Profile;
 import org.keycloak.events.Details;
+import org.keycloak.events.EventType;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.protocol.oidc.TokenExchangeContext;
 import org.keycloak.protocol.oidc.TokenExchangeProvider;
 import org.keycloak.provider.EnvironmentDependentProviderFactory;
-import org.keycloak.utils.ProfileHelper;
 
 /**
  * OAuth 2.0 Authorization Code Grant
@@ -37,8 +37,6 @@ import org.keycloak.utils.ProfileHelper;
  */
 public class TokenExchangeGrantType extends OAuth2GrantTypeBase implements EnvironmentDependentProviderFactory {
 
-    private static final String PROVIDER_ID = "token_exchange";
-
     @Override
     public Response process() {
         event.detail(Details.AUTH_METHOD, "token_exchange");
@@ -66,11 +64,6 @@ public class TokenExchangeGrantType extends OAuth2GrantTypeBase implements Envir
                 .exchange(exchange);
     }
 
-    @Override
-    public String getGrantType() {
-        return OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE;
-    }
-
     @Override
     public OAuth2GrantType create(KeycloakSession session) {
         return new TokenExchangeGrantType();
@@ -81,9 +74,14 @@ public class TokenExchangeGrantType extends OAuth2GrantTypeBase implements Envir
         return Profile.isFeatureEnabled(Profile.Feature.TOKEN_EXCHANGE);
     }
 
+    @Override
+    public EventType getEventType() {
+        return EventType.TOKEN_EXCHANGE;
+    }
+
     @Override
     public String getId() {
-        return PROVIDER_ID;
+        return OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE;
     }
 
 }

services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/CibaGrantType.java

@@ -31,6 +31,7 @@ import org.keycloak.common.Profile;
 import org.keycloak.common.util.Time;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
+import org.keycloak.events.EventType;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientScopeModel;
 import org.keycloak.models.ClientSessionContext;
@@ -70,7 +71,6 @@ import org.keycloak.sessions.RootAuthenticationSessionModel;
  */
 public class CibaGrantType extends OAuth2GrantTypeBase implements EnvironmentDependentProviderFactory {
 
-    private static final String PROVIDER_ID = "ciba";
     private static final Logger logger = Logger.getLogger(CibaGrantType.class);
 
     public static final String IS_CONSENT_REQUIRED = "is_consent_required";
@@ -290,11 +290,6 @@ public class CibaGrantType extends OAuth2GrantTypeBase implements EnvironmentDep
         logger.debugf("CIBA Grant :: authentication channel %s clientId = %s, authResultId = %s", message, request.getIssuedFor(), request.getAuthResultId());
     }
 
-    @Override
-    public String getGrantType() {
-        return OAuth2Constants.CIBA_GRANT_TYPE;
-    }
-
     @Override
     public OAuth2GrantType create(KeycloakSession session) {
         return new CibaGrantType();
@@ -305,9 +300,14 @@ public class CibaGrantType extends OAuth2GrantTypeBase implements EnvironmentDep
         return Profile.isFeatureEnabled(Profile.Feature.CIBA);
     }
 
+    @Override
+    public EventType getEventType() {
+        return EventType.AUTHREQID_TO_TOKEN;
+    }
+
     @Override
     public String getId() {
-        return PROVIDER_ID;
+        return OAuth2Constants.CIBA_GRANT_TYPE;
     }
 
 }

services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java

@@ -24,6 +24,7 @@ import org.keycloak.OAuthErrorException;
 import org.keycloak.common.Profile;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
+import org.keycloak.events.EventType;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientModel;
@@ -52,7 +53,6 @@ import org.keycloak.protocol.oidc.utils.PkceUtils;
 import org.keycloak.services.CorsErrorResponseException;
 import org.keycloak.services.ErrorResponseException;
 import org.keycloak.services.clientpolicy.ClientPolicyException;
-import org.keycloak.services.cors.Cors;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.UserSessionCrossDCManager;
 import org.keycloak.services.resources.RealmsResource;
@@ -75,8 +75,6 @@ import java.util.Map;
  */
 public class DeviceGrantType extends OAuth2GrantTypeBase implements EnvironmentDependentProviderFactory {
 
-    private static final String PROVIDER_ID = "device_code";
-
     // OAuth 2.0 Device Authorization Grant
     public static final String OAUTH2_DEVICE_VERIFIED_USER_CODE = "OAUTH2_DEVICE_VERIFIED_USER_CODE";
     public static final String OAUTH2_DEVICE_USER_CODE = "device_user_code";
@@ -340,11 +338,6 @@ public class DeviceGrantType extends OAuth2GrantTypeBase implements EnvironmentD
         return createTokenResponse(user, userSession, clientSessionCtx, scopeParam, false, s -> {return new DeviceTokenResponseContext(deviceCodeModel, formParams, clientSession, s);});
     }
 
-    @Override
-    public String getGrantType() {
-        return OAuth2Constants.DEVICE_CODE_GRANT_TYPE;
-    }
-
     @Override
     public OAuth2GrantType create(KeycloakSession session) {
         return new DeviceGrantType();
@@ -355,9 +348,14 @@ public class DeviceGrantType extends OAuth2GrantTypeBase implements EnvironmentD
         return Profile.isFeatureEnabled(Profile.Feature.DEVICE_FLOW);
     }
 
+    @Override
+    public EventType getEventType() {
+        return EventType.OAUTH2_DEVICE_CODE_TO_TOKEN;
+    }
+
     @Override
     public String getId() {
-        return PROVIDER_ID;
+        return OAuth2Constants.DEVICE_CODE_GRANT_TYPE;
     }
 
 }