Package org.keycloak.protocol.oidc
Class TokenManager
- java.lang.Object
-
- org.keycloak.protocol.oidc.TokenManager
-
public class TokenManager extends Object
Stateless object that creates tokens and manages oauth access codes- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description classTokenManager.AccessTokenResponseBuilderstatic classTokenManager.NotBeforeCheckstatic classTokenManager.TokenRevocationCheckCheck if access token was revoked with OAuth revocation endpointstatic classTokenManager.TokenValidation
-
Constructor Summary
Constructors Constructor Description TokenManager()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static org.keycloak.models.ClientSessionContextattachAuthenticationSession(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.sessions.AuthenticationSessionModel authSession)booleancheckTokenValidForIntrospection(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token, boolean updateTimestamps)Checks if the token is valid.org.keycloak.representations.AccessTokencreateClientAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)static voiddettachClientSession(org.keycloak.models.AuthenticatedClientSessionModel clientSession)Map<String,Object>generateUserInfoClaims(org.keycloak.representations.AccessToken userInfo, org.keycloak.models.UserModel userModel)static Set<org.keycloak.models.RoleModel>getAccess(org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> clientScopes)static Stream<org.keycloak.models.ClientScopeModel>getRequestedClientScopes(String scopeParam, org.keycloak.models.ClientModel client)Return client itself + all default client scopes of client + optional client scopes requested by scope parameterStream<OIDCIdentityProvider>getValidOIDCIdentityProvidersForBackchannelLogout(org.keycloak.models.RealmModel realm, org.keycloak.models.KeycloakSession session, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)protected org.keycloak.representations.AccessTokeninitToken(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel session, org.keycloak.models.ClientSessionContext clientSessionCtx, javax.ws.rs.core.UriInfo uriInfo)static booleanisValidScope(String scopes, org.keycloak.models.ClientModel client)static booleanisValidScope(String scopes, org.keycloak.rar.AuthorizationRequestContext authorizationRequestContext, org.keycloak.models.ClientModel client)Check that all the ClientScopes that have been parsed into authorization_resources are actually in the requested scopes otherwise, the scope wasn't parsed correctlystatic org.keycloak.models.UserModellookupUserFromStatelessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token)Lookup user from the "stateless" token.static Stream<String>parseScopeParameter(String scopeParam)TokenManager.AccessTokenResponseBuilderrefreshAccessToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel authorizedClient, String encodedRefreshToken, org.keycloak.events.EventBuilder event, javax.ws.rs.core.HttpHeaders headers, org.keycloak.http.HttpRequest request)TokenManager.AccessTokenResponseBuilderresponseBuilder(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.events.EventBuilder event, org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)Optional<org.keycloak.representations.LogoutToken>toLogoutToken(String encodedLogoutToken)org.keycloak.representations.RefreshTokentoRefreshToken(org.keycloak.models.KeycloakSession session, String encodedRefreshToken)org.keycloak.representations.AccessTokentransformAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)org.keycloak.representations.AccessTokenResponsetransformAccessTokenResponse(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessTokenResponse accessTokenResponse, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)voidtransformIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.IDToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)org.keycloak.representations.AccessTokentransformUserInfoAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)Stream<OIDCIdentityProvider>validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)TokenManager.TokenValidationvalidateToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.representations.RefreshToken oldToken, javax.ws.rs.core.HttpHeaders headers)static booleanverifyConsentStillAvailable(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> requestedClientScopes)org.keycloak.representations.IDTokenverifyIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedIDToken)org.keycloak.representations.IDTokenverifyIDTokenSignature(org.keycloak.models.KeycloakSession session, String encodedIDToken)LogoutTokenValidationCodeverifyLogoutToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedLogoutToken)org.keycloak.representations.RefreshTokenverifyRefreshToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.http.HttpRequest request, String encodedRefreshToken, boolean checkExpiration)
-
-
-
Method Detail
-
validateToken
public TokenManager.TokenValidation validateToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.representations.RefreshToken oldToken, javax.ws.rs.core.HttpHeaders headers) throws org.keycloak.OAuthErrorException
- Throws:
org.keycloak.OAuthErrorException
-
checkTokenValidForIntrospection
public boolean checkTokenValidForIntrospection(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token, boolean updateTimestamps)Checks if the token is valid. Optionally the session last refresh and client session timestamp are updated if the token was valid. This is used to keep the session alive when long lived tokens are used.- Parameters:
session-realm-token-updateTimestamps-- Returns:
-
lookupUserFromStatelessToken
public static org.keycloak.models.UserModel lookupUserFromStatelessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.representations.AccessToken token)Lookup user from the "stateless" token. Stateless token is the token without sessionState filled (token doesn't belong to any userSession)
-
refreshAccessToken
public TokenManager.AccessTokenResponseBuilder refreshAccessToken(org.keycloak.models.KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.common.ClientConnection connection, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel authorizedClient, String encodedRefreshToken, org.keycloak.events.EventBuilder event, javax.ws.rs.core.HttpHeaders headers, org.keycloak.http.HttpRequest request) throws org.keycloak.OAuthErrorException
- Throws:
org.keycloak.OAuthErrorException
-
verifyRefreshToken
public org.keycloak.representations.RefreshToken verifyRefreshToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.http.HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws org.keycloak.OAuthErrorException- Throws:
org.keycloak.OAuthErrorException
-
toRefreshToken
public org.keycloak.representations.RefreshToken toRefreshToken(org.keycloak.models.KeycloakSession session, String encodedRefreshToken) throws org.keycloak.jose.jws.JWSInputException, org.keycloak.OAuthErrorException- Throws:
org.keycloak.jose.jws.JWSInputExceptionorg.keycloak.OAuthErrorException
-
verifyIDToken
public org.keycloak.representations.IDToken verifyIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedIDToken) throws org.keycloak.OAuthErrorException- Throws:
org.keycloak.OAuthErrorException
-
verifyIDTokenSignature
public org.keycloak.representations.IDToken verifyIDTokenSignature(org.keycloak.models.KeycloakSession session, String encodedIDToken) throws org.keycloak.OAuthErrorException- Throws:
org.keycloak.OAuthErrorException
-
createClientAccessToken
public org.keycloak.representations.AccessToken createClientAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
attachAuthenticationSession
public static org.keycloak.models.ClientSessionContext attachAuthenticationSession(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.sessions.AuthenticationSessionModel authSession)
-
dettachClientSession
public static void dettachClientSession(org.keycloak.models.AuthenticatedClientSessionModel clientSession)
-
getAccess
public static Set<org.keycloak.models.RoleModel> getAccess(org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> clientScopes)
-
getRequestedClientScopes
public static Stream<org.keycloak.models.ClientScopeModel> getRequestedClientScopes(String scopeParam, org.keycloak.models.ClientModel client)
Return client itself + all default client scopes of client + optional client scopes requested by scope parameter
-
isValidScope
public static boolean isValidScope(String scopes, org.keycloak.rar.AuthorizationRequestContext authorizationRequestContext, org.keycloak.models.ClientModel client)
Check that all the ClientScopes that have been parsed into authorization_resources are actually in the requested scopes otherwise, the scope wasn't parsed correctly- Parameters:
scopes-authorizationRequestContext-client-- Returns:
-
isValidScope
public static boolean isValidScope(String scopes, org.keycloak.models.ClientModel client)
-
verifyConsentStillAvailable
public static boolean verifyConsentStillAvailable(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserModel user, org.keycloak.models.ClientModel client, Stream<org.keycloak.models.ClientScopeModel> requestedClientScopes)
-
transformAccessToken
public org.keycloak.representations.AccessToken transformAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
transformAccessTokenResponse
public org.keycloak.representations.AccessTokenResponse transformAccessTokenResponse(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessTokenResponse accessTokenResponse, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
transformUserInfoAccessToken
public org.keycloak.representations.AccessToken transformUserInfoAccessToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.AccessToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
generateUserInfoClaims
public Map<String,Object> generateUserInfoClaims(org.keycloak.representations.AccessToken userInfo, org.keycloak.models.UserModel userModel)
-
transformIDToken
public void transformIDToken(org.keycloak.models.KeycloakSession session, org.keycloak.representations.IDToken token, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
initToken
protected org.keycloak.representations.AccessToken initToken(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.models.UserModel user, org.keycloak.models.UserSessionModel session, org.keycloak.models.ClientSessionContext clientSessionCtx, javax.ws.rs.core.UriInfo uriInfo)
-
responseBuilder
public TokenManager.AccessTokenResponseBuilder responseBuilder(org.keycloak.models.RealmModel realm, org.keycloak.models.ClientModel client, org.keycloak.events.EventBuilder event, org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, org.keycloak.models.ClientSessionContext clientSessionCtx)
-
verifyLogoutToken
public LogoutTokenValidationCode verifyLogoutToken(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String encodedLogoutToken)
-
toLogoutToken
public Optional<org.keycloak.representations.LogoutToken> toLogoutToken(String encodedLogoutToken)
-
getValidOIDCIdentityProvidersForBackchannelLogout
public Stream<OIDCIdentityProvider> getValidOIDCIdentityProvidersForBackchannelLogout(org.keycloak.models.RealmModel realm, org.keycloak.models.KeycloakSession session, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)
-
validateLogoutTokenAgainstIdpProvider
public Stream<OIDCIdentityProvider> validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken, org.keycloak.representations.LogoutToken logoutToken)
-
-