Package org.keycloak.protocol.oidc
Class TokenManager
java.lang.Object
org.keycloak.protocol.oidc.TokenManager
Stateless object that creates tokens and manages OAuth access codes
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
Nested Class Summary
Modifier and Type | Class | Description
class
static class
static class
Checks whether the access token was revoked via the OAuth revocation endpoint
static class
-
Constructor Summary
-
Method Summary
Modifier and Type | Method | Description
static ClientSessionContext
attachAuthenticationSession
(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession) boolean
checkTokenValidForIntrospection
(KeycloakSession session, RealmModel realm, AccessToken token, boolean updateTimestamps, EventBuilder eventBuilder) Checks whether the token is valid.
createClientAccessToken
(KeycloakSession session, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx) static void
dettachClientSession
(AuthenticatedClientSessionModel clientSession) generateUserInfoClaims
(AccessToken userInfo, UserModel userModel) getAccess
(UserModel user, ClientModel client, Stream<ClientScopeModel> clientScopes) static Stream<ClientScopeModel>
getRequestedClientScopes
(String scopeParam, ClientModel client) Returns the client itself, all of the client's default client scopes, and the optional client scopes requested via the scope parameter
getValidOIDCIdentityProvidersForBackchannelLogout
(RealmModel realm, KeycloakSession session, String encodedLogoutToken, LogoutToken logoutToken) protected AccessToken
initToken
(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionContext clientSessionCtx, jakarta.ws.rs.core.UriInfo uriInfo) static boolean
isValidScope
(String scopes, ClientModel client) static boolean
isValidScope
(String scopes, AuthorizationRequestContext authorizationRequestContext, ClientModel client) Checks that every ClientScope parsed into authorization_resources is actually among the requested scopes; otherwise the scope parameter was not parsed correctly
static UserModel
lookupUserFromStatelessToken
(KeycloakSession session, RealmModel realm, AccessToken token) Looks up the user from a "stateless" token.
parseScopeParameter
(String scopeParam) refreshAccessToken
(KeycloakSession session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, jakarta.ws.rs.core.HttpHeaders headers, HttpRequest request, String scopeParameter) responseBuilder
(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) toLogoutToken
(String encodedLogoutToken) toRefreshToken
(KeycloakSession session, String encodedRefreshToken) transformAccessToken
(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) transformAccessTokenResponse
(KeycloakSession session, AccessTokenResponse accessTokenResponse, UserSessionModel userSession, ClientSessionContext clientSessionCtx) transformIDToken
(KeycloakSession session, IDToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) transformIntrospectionAccessToken
(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) transformUserInfoAccessToken
(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) validateLogoutTokenAgainstIdpProvider
(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken, LogoutToken logoutToken) validateToken
(KeycloakSession session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, RefreshToken oldToken, jakarta.ws.rs.core.HttpHeaders headers, String oldTokenScope) static boolean
verifyConsentStillAvailable
(KeycloakSession session, UserModel user, ClientModel client, Stream<ClientScopeModel> requestedClientScopes) verifyIDToken
(KeycloakSession session, RealmModel realm, String encodedIDToken) verifyIDTokenSignature
(KeycloakSession session, String encodedIDToken) verifyLogoutToken
(KeycloakSession session, RealmModel realm, String encodedLogoutToken) verifyRefreshToken
(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration)
-
Constructor Details
-
TokenManager
public TokenManager()
-
-
Method Details
-
validateToken
public TokenManager.TokenValidation validateToken(KeycloakSession session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, RefreshToken oldToken, jakarta.ws.rs.core.HttpHeaders headers, String oldTokenScope) throws OAuthErrorException - Throws:
OAuthErrorException
-
checkTokenValidForIntrospection
public boolean checkTokenValidForIntrospection(KeycloakSession session, RealmModel realm, AccessToken token, boolean updateTimestamps, EventBuilder eventBuilder) Checks whether the token is valid. If updateTimestamps is set and the token was valid, the user session's last-refresh time and the client session timestamp are updated; this keeps the session alive when long-lived tokens are used.
- Parameters:
session
-realm
-token
-updateTimestamps
-- Returns:
-
lookupUserFromStatelessToken
public static UserModel lookupUserFromStatelessToken(KeycloakSession session, RealmModel realm, AccessToken token) Looks up the user from a "stateless" token. A stateless token is one whose sessionState is not filled, i.e. the token does not belong to any userSession. -
refreshAccessToken
public TokenManager.AccessTokenResponseBuilder refreshAccessToken(KeycloakSession session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, jakarta.ws.rs.core.HttpHeaders headers, HttpRequest request, String scopeParameter) throws OAuthErrorException - Throws:
OAuthErrorException
-
verifyRefreshToken
public RefreshToken verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException - Throws:
OAuthErrorException
-
toRefreshToken
public RefreshToken toRefreshToken(KeycloakSession session, String encodedRefreshToken) throws JWSInputException, OAuthErrorException - Throws:
JWSInputException
OAuthErrorException
-
verifyIDToken
public IDToken verifyIDToken(KeycloakSession session, RealmModel realm, String encodedIDToken) throws OAuthErrorException - Throws:
OAuthErrorException
-
verifyIDTokenSignature
public IDToken verifyIDTokenSignature(KeycloakSession session, String encodedIDToken) throws OAuthErrorException - Throws:
OAuthErrorException
-
createClientAccessToken
public AccessToken createClientAccessToken(KeycloakSession session, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
attachAuthenticationSession
public static ClientSessionContext attachAuthenticationSession(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession) -
dettachClientSession
-
getAccess
public static Set<RoleModel> getAccess(UserModel user, ClientModel client, Stream<ClientScopeModel> clientScopes) -
getRequestedClientScopes
public static Stream<ClientScopeModel> getRequestedClientScopes(String scopeParam, ClientModel client) Returns the client itself, all of the client's default client scopes, and the optional client scopes requested via the scope parameter -
isValidScope
public static boolean isValidScope(String scopes, AuthorizationRequestContext authorizationRequestContext, ClientModel client) Checks that every ClientScope parsed into authorization_resources is actually among the requested scopes; otherwise the scope parameter was not parsed correctly.
- Parameters:
scopes
-authorizationRequestContext
-client
-- Returns:
-
isValidScope
-
parseScopeParameter
-
verifyConsentStillAvailable
public static boolean verifyConsentStillAvailable(KeycloakSession session, UserModel user, ClientModel client, Stream<ClientScopeModel> requestedClientScopes) -
transformAccessToken
public AccessToken transformAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
transformAccessTokenResponse
public AccessTokenResponse transformAccessTokenResponse(KeycloakSession session, AccessTokenResponse accessTokenResponse, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
transformUserInfoAccessToken
public AccessToken transformUserInfoAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
transformIntrospectionAccessToken
public AccessToken transformIntrospectionAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
generateUserInfoClaims
-
transformIDToken
public IDToken transformIDToken(KeycloakSession session, IDToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
initToken
protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionContext clientSessionCtx, jakarta.ws.rs.core.UriInfo uriInfo) -
responseBuilder
public TokenManager.AccessTokenResponseBuilder responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
verifyLogoutToken
public LogoutTokenValidationCode verifyLogoutToken(KeycloakSession session, RealmModel realm, String encodedLogoutToken) -
toLogoutToken
-
getValidOIDCIdentityProvidersForBackchannelLogout
public Stream<OIDCIdentityProvider> getValidOIDCIdentityProvidersForBackchannelLogout(RealmModel realm, KeycloakSession session, String encodedLogoutToken, LogoutToken logoutToken) -
validateLogoutTokenAgainstIdpProvider
public Stream<OIDCIdentityProvider> validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken, LogoutToken logoutToken)
-