Package org.keycloak.protocol.oidc
Class TokenManager
- java.lang.Object
-
- org.keycloak.protocol.oidc.TokenManager
-
public class TokenManager extends Object
Stateless object that creates tokens and manages OAuth access codes.
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
Nested Class Summary
Nested Classes Modifier and Type Class Description class
TokenManager.AccessTokenResponseBuilder
static class
TokenManager.NotBeforeCheck
static class
TokenManager.TokenRevocationCheck
Checks whether the access token was revoked through the OAuth revocation endpoint.
static class
TokenManager.TokenValidation
-
Constructor Summary
Constructors Constructor Description TokenManager()
-
Method Summary
Method Detail
-
validateToken
public TokenManager.TokenValidation validateToken(KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, RefreshToken oldToken, javax.ws.rs.core.HttpHeaders headers) throws OAuthErrorException
- Throws:
OAuthErrorException
-
checkTokenValidForIntrospection
public boolean checkTokenValidForIntrospection(KeycloakSession session, RealmModel realm, AccessToken token, boolean updateTimestamps)
Checks whether the token is valid. Optionally, the session's last-refresh and the client session timestamp are updated if the token was valid; this is used to keep the session alive when long-lived tokens are used.
- Parameters:
session
realm
token
updateTimestamps
- Returns:
-
lookupUserFromStatelessToken
public static UserModel lookupUserFromStatelessToken(KeycloakSession session, RealmModel realm, AccessToken token)
Looks up the user from a "stateless" token. A stateless token is one without sessionState filled in (the token does not belong to any userSession).
-
refreshAccessToken
public TokenManager.AccessTokenResponseBuilder refreshAccessToken(KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, javax.ws.rs.core.HttpHeaders headers, HttpRequest request) throws OAuthErrorException
- Throws:
OAuthErrorException
-
verifyRefreshToken
public RefreshToken verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException
- Throws:
OAuthErrorException
-
toRefreshToken
public RefreshToken toRefreshToken(KeycloakSession session, String encodedRefreshToken) throws JWSInputException, OAuthErrorException
- Throws:
JWSInputException
OAuthErrorException
-
verifyIDToken
public IDToken verifyIDToken(KeycloakSession session, RealmModel realm, String encodedIDToken) throws OAuthErrorException
- Throws:
OAuthErrorException
-
verifyIDTokenSignature
public IDToken verifyIDTokenSignature(KeycloakSession session, String encodedIDToken) throws OAuthErrorException
- Throws:
OAuthErrorException
-
createClientAccessToken
public AccessToken createClientAccessToken(KeycloakSession session, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
-
attachAuthenticationSession
public static ClientSessionContext attachAuthenticationSession(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession)
-
dettachClientSession
public static void dettachClientSession(AuthenticatedClientSessionModel clientSession)
-
getAccess
public static Set<RoleModel> getAccess(UserModel user, ClientModel client, Stream<ClientScopeModel> clientScopes)
-
getRequestedClientScopes
public static Stream<ClientScopeModel> getRequestedClientScopes(String scopeParam, ClientModel client)
Returns the client itself, plus all default client scopes of the client, plus the optional client scopes requested by the scope parameter.
-
isValidScope
public static boolean isValidScope(String scopes, AuthorizationRequestContext authorizationRequestContext, ClientModel client)
Checks that all the ClientScopes that have been parsed into authorization_resources are actually present in the requested scopes; otherwise the scope was not parsed correctly.
- Parameters:
scopes
authorizationRequestContext
client
- Returns:
-
isValidScope
public static boolean isValidScope(String scopes, ClientModel client)
-
verifyConsentStillAvailable
public static boolean verifyConsentStillAvailable(KeycloakSession session, UserModel user, ClientModel client, Stream<ClientScopeModel> requestedClientScopes)
-
transformAccessToken
public AccessToken transformAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
-
transformAccessTokenResponse
public AccessTokenResponse transformAccessTokenResponse(KeycloakSession session, AccessTokenResponse accessTokenResponse, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
-
transformUserInfoAccessToken
public AccessToken transformUserInfoAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
-
generateUserInfoClaims
public Map<String,Object> generateUserInfoClaims(AccessToken userInfo, UserModel userModel)
-
transformIDToken
public void transformIDToken(KeycloakSession session, IDToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
-
initToken
protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionContext clientSessionCtx, javax.ws.rs.core.UriInfo uriInfo)
-
responseBuilder
public TokenManager.AccessTokenResponseBuilder responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
-
verifyLogoutToken
public LogoutTokenValidationCode verifyLogoutToken(KeycloakSession session, RealmModel realm, String encodedLogoutToken)
-
toLogoutToken
public Optional<LogoutToken> toLogoutToken(String encodedLogoutToken)
-
getValidOIDCIdentityProvidersForBackchannelLogout
public Stream<OIDCIdentityProvider> getValidOIDCIdentityProvidersForBackchannelLogout(RealmModel realm, KeycloakSession session, String encodedLogoutToken, LogoutToken logoutToken)
-
validateLogoutTokenAgainstIdpProvider
public Stream<OIDCIdentityProvider> validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken, LogoutToken logoutToken)