org.keycloak.adapters.BearerTokenRequestAuthenticator の継承関係図

org.keycloak.adapters.BearerTokenRequestAuthenticator 連携図

公開メンバ関数
	BearerTokenRequestAuthenticator (KeycloakDeployment deployment)

AuthChallenge	getChallenge ()

String	getTokenString ()

AccessToken	getToken ()

String	getSurrogate ()

AuthOutcome	authenticate (HttpFacade exchange)

限定公開メンバ関数
AuthOutcome	authenticateToken (HttpFacade exchange, String tokenString)

AuthChallenge	clientCertChallenge ()

AuthChallenge	challengeResponse (HttpFacade facade, final OIDCAuthenticationError.Reason reason, final String error, final String description)

限定公開変数類
Logger	log = Logger.getLogger(BearerTokenRequestAuthenticator.class)

String	tokenString

AccessToken	token

String	surrogate

AuthChallenge	challenge

KeycloakDeployment	deployment

詳解

著者: Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ BearerTokenRequestAuthenticator()

org.keycloak.adapters.BearerTokenRequestAuthenticator.BearerTokenRequestAuthenticator ( KeycloakDeployment deployment )

inline

                                                                           {
         this.deployment = deployment;
     }

関数詳解

◆ authenticate()

AuthOutcome org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate ( HttpFacade exchange )

inline

                                                           {
         List<String> authHeaders = exchange.getRequest().getHeaders("Authorization");
         if (authHeaders == null || authHeaders.size() == 0) {
             challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
             return AuthOutcome.NOT_ATTEMPTED;
         }
 
         tokenString = null;
         for (String authHeader : authHeaders) {
             String[] split = authHeader.trim().split("\\s+");
             if (split == null || split.length != 2) continue;
             if (!split[0].equalsIgnoreCase("Bearer")) continue;
             tokenString = split[1];
         }
 
         if (tokenString == null) {
             challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
             return AuthOutcome.NOT_ATTEMPTED;
         }
 
         return (authenticateToken(exchange, tokenString));
     }

◆ authenticateToken()

AuthOutcome org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken	(	HttpFacade	exchange,
		String	tokenString
	)

inlineprotected

                                                                                      {
         log.debug("Verifying access_token");
         if (log.isTraceEnabled()) {
             try {
                 JWSInput jwsInput = new JWSInput(tokenString);
                 String wireString = jwsInput.getWireString();
                 log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
             } catch (JWSInputException e) {
                 log.errorf(e, "Failed to parse access_token: %s", tokenString);
             }
         }
         try {
             token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
         } catch (VerificationException e) {
             log.error("Failed to verify token", e);
             challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage());
             return AuthOutcome.FAILED;
         }
         if (token.getIssuedAt() < deployment.getNotBefore()) {
             log.error("Stale token");
             challenge = challengeResponse(exchange,  OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token");
             return AuthOutcome.FAILED;
         }
         boolean verifyCaller = false;
         if (deployment.isUseResourceRoleMappings()) {
             verifyCaller = token.isVerifyCaller(deployment.getResourceName());
         } else {
             verifyCaller = token.isVerifyCaller();
         }
         surrogate = null;
         if (verifyCaller) {
             if (token.getTrustedCertificates() == null || token.getTrustedCertificates().size() == 0) {
                 log.warn("No trusted certificates in token");
                 challenge = clientCertChallenge();
                 return AuthOutcome.FAILED;
             }
 
             // for now, we just make sure Undertow did two-way SSL
             // assume JBoss Web verifies the client cert
             X509Certificate[] chain = new X509Certificate[0];
             try {
                 chain = exchange.getCertificateChain();
             } catch (Exception ignore) {
 
             }
             if (chain == null || chain.length == 0) {
                 log.warn("No certificates provided by undertow to verify the caller");
                 challenge = clientCertChallenge();
                 return AuthOutcome.FAILED;
             }
             surrogate = chain[0].getSubjectDN().getName();
         }
         log.debug("successful authorized");
         return AuthOutcome.AUTHENTICATED;
     }

◆ challengeResponse()

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.challengeResponse	(	HttpFacade	facade,
		final OIDCAuthenticationError.Reason	reason,
		final String	error,
		final String	description
	)

inlineprotected

                                                                                                                                                             {
         StringBuilder header = new StringBuilder("Bearer realm=\"");
         header.append(deployment.getRealm()).append("\"");
         if (error != null) {
             header.append(", error=\"").append(error).append("\"");
         }
         if (description != null) {
             header.append(", error_description=\"").append(description).append("\"");
         }
         final String challenge = header.toString();
         return new AuthChallenge() {
             @Override
             public int getResponseCode() {
                 return 401;
             }
 
             @Override
             public boolean challenge(HttpFacade facade) {
                 if (deployment.getPolicyEnforcer() != null) {
                     deployment.getPolicyEnforcer().enforce(OIDCHttpFacade.class.cast(facade));
                     return true;
                 }
                 OIDCAuthenticationError error = new OIDCAuthenticationError(reason, description);
                 facade.getRequest().setError(error);
                 facade.getResponse().addHeader("WWW-Authenticate", challenge);
                 if(deployment.isDelegateBearerErrorResponseSending()){
                     facade.getResponse().setStatus(401);
                 }
                 else {
                     facade.getResponse().sendError(401);
                 }
                 return true;
             }
         };
     }

◆ clientCertChallenge()

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.clientCertChallenge ( )

inlineprotected

                                                   {
         return new AuthChallenge() {
             @Override
             public int getResponseCode() {
                 return 0;
             }
 
             @Override
             public boolean challenge(HttpFacade exchange) {
                 // do the same thing as client cert auth
                 return false;
             }
         };
     }

◆ getChallenge()

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.getChallenge ( )

inline

                                         {
         return challenge;
     }

◆ getSurrogate()

String org.keycloak.adapters.BearerTokenRequestAuthenticator.getSurrogate ( )

inline

                                  {
         return surrogate;
     }

◆ getToken()

AccessToken org.keycloak.adapters.BearerTokenRequestAuthenticator.getToken ( )

inline

                                   {
         return token;
     }

◆ getTokenString()

String org.keycloak.adapters.BearerTokenRequestAuthenticator.getTokenString ( )

inline

                                    {
         return tokenString;
     }

メンバ詳解

◆ challenge

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.challenge

protected

◆ deployment

KeycloakDeployment org.keycloak.adapters.BearerTokenRequestAuthenticator.deployment

protected

◆ log

Logger org.keycloak.adapters.BearerTokenRequestAuthenticator.log = Logger.getLogger(BearerTokenRequestAuthenticator.class)

protected

◆ surrogate

String org.keycloak.adapters.BearerTokenRequestAuthenticator.surrogate

protected

◆ token

AccessToken org.keycloak.adapters.BearerTokenRequestAuthenticator.token

protected

◆ tokenString

String org.keycloak.adapters.BearerTokenRequestAuthenticator.tokenString

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/keycloak/doxygen/src/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java

公開メンバ関数

限定公開メンバ関数

限定公開変数類

詳解

構築子と解体子

◆ BearerTokenRequestAuthenticator()

関数詳解

◆ authenticate()

◆ authenticateToken()

◆ challengeResponse()

◆ clientCertChallenge()

◆ getChallenge()

◆ getSurrogate()

◆ getToken()

◆ getTokenString()

メンバ詳解

◆ challenge

◆ deployment

◆ log

◆ surrogate

◆ token

◆ tokenString