Package org.keycloak.protocol.oidc

Class TokenManager

java.lang.Object

org.keycloak.protocol.oidc.TokenManager

public class TokenManager
extends Object

Stateless object that creates tokens and manages oauth access codes

Version:

$Revision: 1 $

Author:

Bill Burke

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
class	TokenManager.AccessTokenResponseBuilder
static class	TokenManager.NotBeforeCheck
static class	TokenManager.TokenRevocationCheck	Check if access token was revoked with OAuth revocation endpoint
static class	TokenManager.TokenValidation

Constructor Summary

Constructors

Constructor	Description
TokenManager()

Method Summary

Modifier and Type	Method	Description
static ClientSessionContext	attachAuthenticationSession(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession)
AccessToken	checkTokenValidForIntrospection(KeycloakSession session, RealmModel realm, AccessToken token, EventBuilder eventBuilder)	Checks if the token is valid.
AccessToken	createClientAccessToken(KeycloakSession session, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
static void	dettachClientSession(AuthenticatedClientSessionModel clientSession)
Map<String,Object>	generateUserInfoClaims(AccessToken userInfo, UserModel userModel)
static Set<RoleModel>	getAccess(UserModel user, ClientModel client, Stream<ClientScopeModel> clientScopes)
static Stream<ClientScopeModel>	getRequestedClientScopes(KeycloakSession session, String scopeParam, ClientModel client, UserModel user)	Return client itself + all default client scopes of client + optional client scopes requested by scope parameter
UserSessionModel	getValidUserSessionIfTokenIsValid(KeycloakSession session, RealmModel realm, AccessToken token, EventBuilder eventBuilder)	Checks if the token is valid and return a valid user session.
protected AccessToken	initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionContext clientSessionCtx, jakarta.ws.rs.core.UriInfo uriInfo)
static boolean	isUserValid(KeycloakSession session, RealmModel realm, AccessToken token, UserModel user)
static boolean	isValidScope(KeycloakSession session, String scopes, ClientModel client, UserModel user)
static boolean	isValidScope(KeycloakSession session, String scopes, AuthorizationRequestContext authorizationRequestContext, ClientModel client, UserModel user)	Check that all the ClientScopes that have been parsed into authorization_resources are actually in the requested scopes otherwise, the scope wasn't parsed correctly
static UserModel	lookupUserFromStatelessToken(KeycloakSession session, RealmModel realm, AccessToken token)	Lookup user from the "stateless" token.
static Stream<String>	parseScopeParameter(String scopeParam)
TokenManager.AccessTokenResponseBuilder	refreshAccessToken(KeycloakSession session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, jakarta.ws.rs.core.HttpHeaders headers, HttpRequest request, String scopeParameter)
TokenManager.AccessTokenResponseBuilder	responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
Optional<LogoutToken>	toLogoutToken(String encodedLogoutToken)
RefreshToken	toRefreshToken(KeycloakSession session, String encodedRefreshToken)
AccessToken	transformAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
AccessTokenResponse	transformAccessTokenResponse(KeycloakSession session, AccessTokenResponse accessTokenResponse, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
IDToken	transformIDToken(KeycloakSession session, IDToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
AccessToken	transformIntrospectionAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
AccessToken	transformUserInfoAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
Stream<OIDCIdentityProvider>	validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps, String encodedLogoutToken)
TokenManager.TokenValidation	validateToken(KeycloakSession session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, RefreshToken oldToken, jakarta.ws.rs.core.HttpHeaders headers, String oldTokenScope)
static boolean	verifyConsentStillAvailable(KeycloakSession session, UserModel user, ClientModel client, Stream<ClientScopeModel> requestedClientScopes)
IDToken	verifyIDToken(KeycloakSession session, RealmModel realm, String encodedIDToken)
IDToken	verifyIDTokenSignature(KeycloakSession session, String encodedIDToken)
LogoutTokenValidationContext	verifyLogoutToken(KeycloakSession session, String encodedLogoutToken)
RefreshToken	verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

TokenManager

public TokenManager()

Method Details

validateToken

public TokenManager.TokenValidation validateToken(KeycloakSession session,
 jakarta.ws.rs.core.UriInfo uriInfo,
 ClientConnection connection,
 RealmModel realm,
 RefreshToken oldToken,
 jakarta.ws.rs.core.HttpHeaders headers,
 String oldTokenScope)
                                           throws OAuthErrorException

Throws:

OAuthErrorException

checkTokenValidForIntrospection

public AccessToken checkTokenValidForIntrospection(KeycloakSession session,
 RealmModel realm,
 AccessToken token,
 EventBuilder eventBuilder)

Checks if the token is valid.

Parameters:

session -

realm -

token -

Returns:

getValidUserSessionIfTokenIsValid

public UserSessionModel getValidUserSessionIfTokenIsValid(KeycloakSession session,
 RealmModel realm,
 AccessToken token,
 EventBuilder eventBuilder)

Checks if the token is valid and return a valid user session.

Parameters:

session -

realm -

token -

Returns:

isUserValid

public static boolean isUserValid(KeycloakSession session,
 RealmModel realm,
 AccessToken token,
 UserModel user)

lookupUserFromStatelessToken

public static UserModel lookupUserFromStatelessToken(KeycloakSession session,
 RealmModel realm,
 AccessToken token)

Lookup user from the "stateless" token. Stateless token is the token without sessionState filled (token doesn't belong to any userSession)

refreshAccessToken

public TokenManager.AccessTokenResponseBuilder refreshAccessToken(KeycloakSession session,
 jakarta.ws.rs.core.UriInfo uriInfo,
 ClientConnection connection,
 RealmModel realm,
 ClientModel authorizedClient,
 String encodedRefreshToken,
 EventBuilder event,
 jakarta.ws.rs.core.HttpHeaders headers,
 HttpRequest request,
 String scopeParameter)
                                                           throws OAuthErrorException

Throws:

OAuthErrorException

verifyRefreshToken

public RefreshToken verifyRefreshToken(KeycloakSession session,
 RealmModel realm,
 ClientModel client,
 HttpRequest request,
 String encodedRefreshToken,
 boolean checkExpiration)
                                throws OAuthErrorException

Throws:

OAuthErrorException

toRefreshToken

public RefreshToken toRefreshToken(KeycloakSession session,
 String encodedRefreshToken)
                            throws JWSInputException,
OAuthErrorException

Throws:

JWSInputException

OAuthErrorException

verifyIDToken

public IDToken verifyIDToken(KeycloakSession session,
 RealmModel realm,
 String encodedIDToken)
                      throws OAuthErrorException

Throws:

OAuthErrorException

verifyIDTokenSignature

public IDToken verifyIDTokenSignature(KeycloakSession session,
 String encodedIDToken)
                               throws OAuthErrorException

Throws:

OAuthErrorException

createClientAccessToken

public AccessToken createClientAccessToken(KeycloakSession session,
 RealmModel realm,
 ClientModel client,
 UserModel user,
 UserSessionModel userSession,
 ClientSessionContext clientSessionCtx)

attachAuthenticationSession

public static ClientSessionContext attachAuthenticationSession(KeycloakSession session,
 UserSessionModel userSession,
 AuthenticationSessionModel authSession)

dettachClientSession

public static void dettachClientSession(AuthenticatedClientSessionModel clientSession)

getAccess

public static Set<RoleModel> getAccess(UserModel user,
 ClientModel client,
 Stream<ClientScopeModel> clientScopes)

getRequestedClientScopes

public static Stream<ClientScopeModel> getRequestedClientScopes(KeycloakSession session,
 String scopeParam,
 ClientModel client,
 UserModel user)

Return client itself + all default client scopes of client + optional client scopes requested by scope parameter

isValidScope

public static boolean isValidScope(KeycloakSession session,
 String scopes,
 AuthorizationRequestContext authorizationRequestContext,
 ClientModel client,
 UserModel user)

Check that all the ClientScopes that have been parsed into authorization_resources are actually in the requested scopes otherwise, the scope wasn't parsed correctly

Parameters:

scopes -

authorizationRequestContext -

client -

Returns:

isValidScope

public static boolean isValidScope(KeycloakSession session,
 String scopes,
 ClientModel client,
 UserModel user)

parseScopeParameter

public static Stream<String> parseScopeParameter(String scopeParam)

verifyConsentStillAvailable

public static boolean verifyConsentStillAvailable(KeycloakSession session,
 UserModel user,
 ClientModel client,
 Stream<ClientScopeModel> requestedClientScopes)

transformAccessToken

public AccessToken transformAccessToken(KeycloakSession session,
 AccessToken token,
 UserSessionModel userSession,
 ClientSessionContext clientSessionCtx)

transformAccessTokenResponse

public AccessTokenResponse transformAccessTokenResponse(KeycloakSession session,
 AccessTokenResponse accessTokenResponse,
 UserSessionModel userSession,
 ClientSessionContext clientSessionCtx)

transformUserInfoAccessToken

public AccessToken transformUserInfoAccessToken(KeycloakSession session,
 AccessToken token,
 UserSessionModel userSession,
 ClientSessionContext clientSessionCtx)

transformIntrospectionAccessToken

public AccessToken transformIntrospectionAccessToken(KeycloakSession session,
 AccessToken token,
 UserSessionModel userSession,
 ClientSessionContext clientSessionCtx)

generateUserInfoClaims

public Map<String,Object> generateUserInfoClaims(AccessToken userInfo,
 UserModel userModel)

transformIDToken

public IDToken transformIDToken(KeycloakSession session,
 IDToken token,
 UserSessionModel userSession,
 ClientSessionContext clientSessionCtx)

initToken

protected AccessToken initToken(RealmModel realm,
 ClientModel client,
 UserModel user,
 UserSessionModel session,
 ClientSessionContext clientSessionCtx,
 jakarta.ws.rs.core.UriInfo uriInfo)

responseBuilder

public TokenManager.AccessTokenResponseBuilder responseBuilder(RealmModel realm,
 ClientModel client,
 EventBuilder event,
 KeycloakSession session,
 UserSessionModel userSession,
 ClientSessionContext clientSessionCtx)

verifyLogoutToken

public LogoutTokenValidationContext verifyLogoutToken(KeycloakSession session,
 String encodedLogoutToken)

toLogoutToken

public Optional<LogoutToken> toLogoutToken(String encodedLogoutToken)

validateLogoutTokenAgainstIdpProvider

public Stream<OIDCIdentityProvider> validateLogoutTokenAgainstIdpProvider(Stream<OIDCIdentityProvider> oidcIdps,
 String encodedLogoutToken)