Package org.keycloak.protocol.oidc
Class TokenManager
- java.lang.Object
-
- org.keycloak.protocol.oidc.TokenManager
-
public class TokenManager extends Object
Stateless object that creates tokens and manages OAuth access codes.
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description
class
TokenManager.AccessTokenResponseBuilder
static class
TokenManager.NotBeforeCheck
static class
TokenManager.TokenRevocationCheck
Checks whether an access token has been revoked via the OAuth token revocation endpoint.
static class
TokenManager.TokenValidation
-
Constructor Summary
Constructors Constructor Description
TokenManager()
-
Method Summary
Modifier and Type Method Description
static org.keycloak.models.ClientSessionContext
attachAuthenticationSession(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.sessions.AuthenticationSessionModel authSession)
boolean
checkTokenValidForIntrospection(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token, boolean updateTimestamps)
Checks if the token is valid; optionally refreshes the session timestamps when it is.
org.keycloak.representations.AccessToken
createClientAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
static void
dettachClientSession(org.keycloak.models.AuthenticatedClientSessionModel clientSession)
Map<String,Object>
generateUserInfoClaims(org.keycloak.representations.AccessToken userInfo, org.keycloak.models.UserModel userModel)
static Set<org.keycloak.models.RoleModel>
getAccess(org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> clientScopes)
static Stream<org.keycloak.models.ClientScopeModel>
getRequestedClientScopes(String scopeParam, org.keycloak.models.ClientModel client)
Return the client itself, all default client scopes of the client, and the optional client scopes requested via the scope parameter
Stream<OIDCIdentityProvider>
getValidOIDCIdentityProvidersForBackchannelLogout(org.keycloak.models.RealmModel realm, org.keycloak.models.KeycloakSession session, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)
protected org.keycloak.representations.AccessToken
initToken(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel session, org.keycloak.models.ClientSessionContext clientSessionCtx, javax.ws.rs.core.UriInfo uriInfo)
static boolean
isValidScope(String scopes, org.keycloak.models.ClientModel client)
static boolean
isValidScope(String scopes, org.keycloak.rar.AuthorizationRequestContext authorizationRequestContext, org.keycloak.models.ClientModel client)
Check that all the ClientScopes that have been parsed into authorization_resources are actually among the requested scopes; otherwise the scope parameter was not parsed correctly
static org.keycloak.models.UserModel
lookupUserFromStatelessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token)
Lookup user from the "stateless" token.
static Stream<String>
parseScopeParameter(String scopeParam)
TokenManager.AccessTokenResponseBuilder
refreshAccessToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel authorizedClient, String encodedRefreshToken, org.keycloak.events.EventBuilder event, javax.ws.rs.core.HttpHeaders headers, org.keycloak.http.HttpRequest request)
TokenManager.AccessTokenResponseBuilder
responseBuilder(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.events.EventBuilder event, org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
Optional<org.keycloak.representations.LogoutToken>
toLogoutToken(String encodedLogoutToken)
org.keycloak.representations.RefreshToken
toRefreshToken(org.keycloak.models.KeycloakSession session, String encodedRefreshToken)
org.keycloak.representations.AccessToken
transformAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
org.keycloak.representations.AccessTokenResponse
transformAccessTokenResponse(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessTokenResponse accessTokenResponse, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
void
transformIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.IDToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
org.keycloak.representations.AccessToken
transformUserInfoAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
Stream<OIDCIdentityProvider>
validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)
TokenManager.TokenValidation
validateToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.representations.RefreshToken oldToken, javax.ws.rs.core.HttpHeaders headers)
static boolean
verifyConsentStillAvailable(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> requestedClientScopes)
org.keycloak.representations.IDToken
verifyIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedIDToken)
org.keycloak.representations.IDToken
verifyIDTokenSignature(org.keycloak.models.KeycloakSession session, String encodedIDToken)
LogoutTokenValidationCode
verifyLogoutToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedLogoutToken)
org.keycloak.representations.RefreshToken
verifyRefreshToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.http.HttpRequest request, String encodedRefreshToken, boolean checkExpiration)
-
-
-
Method Detail
-
validateToken
public TokenManager.TokenValidation validateToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.representations.RefreshToken oldToken, javax.ws.rs.core.HttpHeaders headers) throws org.keycloak.OAuthErrorException
- Throws:
org.keycloak.OAuthErrorException
-
checkTokenValidForIntrospection
public boolean checkTokenValidForIntrospection(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token, boolean updateTimestamps)
Checks if the token is valid. Optionally, the user session's last-refresh timestamp and the client session timestamp are updated if the token was valid. This is used to keep the session alive when long-lived tokens are used. Note that passing updateTimestamps = true therefore has a side effect: a successful check extends the session's lifetime, so a caller that only needs a read-only validity check (for example a purely informational introspection) should pass false.
- Parameters:
session -
realm -
token -
updateTimestamps - whether to update the user-session and client-session timestamps when the token is valid
- Returns:
true if the token is valid, false otherwise
-
lookupUserFromStatelessToken
public static org.keycloak.models.UserModel lookupUserFromStatelessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token)
Lookup user from the "stateless" token. A stateless token is one whose sessionState is not filled in, i.e. the token does not belong to any userSession.
-
refreshAccessToken
public TokenManager.AccessTokenResponseBuilder refreshAccessToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel authorizedClient, String encodedRefreshToken, org.keycloak.events.EventBuilder event, javax.ws.rs.core.HttpHeaders headers, org.keycloak.http.HttpRequest request) throws org.keycloak.OAuthErrorException
- Throws:
org.keycloak.OAuthErrorException
-
verifyRefreshToken
public org.keycloak.representations.RefreshToken verifyRefreshToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.http.HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws org.keycloak.OAuthErrorException
- Throws:
org.keycloak.OAuthErrorException
-
toRefreshToken
public org.keycloak.representations.RefreshToken toRefreshToken(org.keycloak.models.KeycloakSession session, String encodedRefreshToken) throws org.keycloak.jose.jws.JWSInputException, org.keycloak.OAuthErrorException
- Throws:
org.keycloak.jose.jws.JWSInputException
org.keycloak.OAuthErrorException
-
verifyIDToken
public org.keycloak.representations.IDToken verifyIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedIDToken) throws org.keycloak.OAuthErrorException
- Throws:
org.keycloak.OAuthErrorException
-
verifyIDTokenSignature
public org.keycloak.representations.IDToken verifyIDTokenSignature(org.keycloak.models.KeycloakSession session, String encodedIDToken) throws org.keycloak.OAuthErrorException
- Throws:
org.keycloak.OAuthErrorException
-
createClientAccessToken
public org.keycloak.representations.AccessToken createClientAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
attachAuthenticationSession
public static org.keycloak.models.ClientSessionContext attachAuthenticationSession(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.sessions.AuthenticationSessionModel authSession)
-
dettachClientSession
public static void dettachClientSession(org.keycloak.models.AuthenticatedClientSessionModel clientSession)
-
getAccess
public static Set<org.keycloak.models.RoleModel> getAccess(org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> clientScopes)
-
getRequestedClientScopes
public static Stream<org.keycloak.models.ClientScopeModel> getRequestedClientScopes(String scopeParam, org.keycloak.models.ClientModel client)
Return the client itself, all default client scopes of the client, and the optional client scopes requested via the scope parameter.
-
isValidScope
public static boolean isValidScope(String scopes, org.keycloak.rar.AuthorizationRequestContext authorizationRequestContext, org.keycloak.models.ClientModel client)
Check that all the ClientScopes that have been parsed into authorization_resources are actually among the requested scopes; otherwise the scope parameter was not parsed correctly.
- Parameters:
scopes -
authorizationRequestContext -
client -
- Returns:
true if every parsed client scope is among the requested scopes, false otherwise
-
isValidScope
public static boolean isValidScope(String scopes, org.keycloak.models.ClientModel client)
-
verifyConsentStillAvailable
public static boolean verifyConsentStillAvailable(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> requestedClientScopes)
-
transformAccessToken
public org.keycloak.representations.AccessToken transformAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
transformAccessTokenResponse
public org.keycloak.representations.AccessTokenResponse transformAccessTokenResponse(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessTokenResponse accessTokenResponse, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
transformUserInfoAccessToken
public org.keycloak.representations.AccessToken transformUserInfoAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
generateUserInfoClaims
public Map<String,Object> generateUserInfoClaims(org.keycloak.representations.AccessToken userInfo, org.keycloak.models.UserModel userModel)
-
transformIDToken
public void transformIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.IDToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
initToken
protected org.keycloak.representations.AccessToken initToken(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel session, org.keycloak.models.ClientSessionContext clientSessionCtx, javax.ws.rs.core.UriInfo uriInfo)
-
responseBuilder
public TokenManager.AccessTokenResponseBuilder responseBuilder(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.events.EventBuilder event, org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
verifyLogoutToken
public LogoutTokenValidationCode verifyLogoutToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedLogoutToken)
-
toLogoutToken
public Optional<org.keycloak.representations.LogoutToken> toLogoutToken(String encodedLogoutToken)
-
getValidOIDCIdentityProvidersForBackchannelLogout
public Stream<OIDCIdentityProvider> getValidOIDCIdentityProvidersForBackchannelLogout(org.keycloak.models.RealmModel realm, org.keycloak.models.KeycloakSession session, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)
-
validateLogoutTokenAgainstIdpProvider
public Stream<OIDCIdentityProvider> validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)
-
-