org.keycloak.adapters.OAuthRequestAuthenticator 連携図

公開メンバ関数
	OAuthRequestAuthenticator (RequestAuthenticator requestAuthenticator, HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort, AdapterSessionStore tokenStore)

AuthChallenge	getChallenge ()

String	getTokenString ()

AccessToken	getToken ()

String	getRefreshToken ()

String	getIdTokenString ()

void	setIdTokenString (String idTokenString)

IDToken	getIdToken ()

void	setIdToken (IDToken idToken)

String	getStrippedOauthParametersRequestUri ()

void	setStrippedOauthParametersRequestUri (String strippedOauthParametersRequestUri)

AuthOutcome	authenticate ()

限定公開メンバ関数
String	getRequestUrl ()

boolean	isRequestSecure ()

OIDCHttpFacade.Cookie	getCookie (String cookieName)

String	getCookieValue (String cookieName)

String	getQueryParamValue (String paramName)

String	getError ()

String	getCode ()

String	getRedirectUri (String state)

int	sslRedirectPort ()

String	getStateCode ()

AuthChallenge	loginRedirect ()

AuthChallenge	checkStateCookie ()

AuthChallenge	challenge (final int code, final OIDCAuthenticationError.Reason reason, final String description)

AuthChallenge	resolveCode (String code)

String	stripOauthParametersFromRedirect ()

限定公開変数類
KeycloakDeployment	deployment

RequestAuthenticator	reqAuthenticator

int	sslRedirectPort

AdapterSessionStore	tokenStore

String	tokenString

String	idTokenString

IDToken	idToken

AccessToken	token

HttpFacade	facade

AuthChallenge	challenge

String	refreshToken

String	strippedOauthParametersRequestUri

非公開メンバ関数
String	rewrittenRedirectUri (String originalUri)

void	logToken (String name, String token)

静的非公開変数類
static final Logger	log = Logger.getLogger(OAuthRequestAuthenticator.class)

詳解

著者: Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ OAuthRequestAuthenticator()

org.keycloak.adapters.OAuthRequestAuthenticator.OAuthRequestAuthenticator	(	RequestAuthenticator	requestAuthenticator,
		HttpFacade	facade,
		KeycloakDeployment	deployment,
		int	sslRedirectPort,
		AdapterSessionStore	tokenStore
	)

inline

                                                                                                                                                                                        {
         this.reqAuthenticator = requestAuthenticator;
         this.facade = facade;
         this.deployment = deployment;
         this.sslRedirectPort = deployment.getConfidentialPort() != -1 ? deployment.getConfidentialPort() : sslRedirectPort;
         this.tokenStore = tokenStore;
     }

関数詳解

◆ authenticate()

AuthOutcome org.keycloak.adapters.OAuthRequestAuthenticator.authenticate ( )

inline

                                       {
         String code = getCode();
         if (code == null) {
             log.debug("there was no code");
             String error = getError();
             if (error != null) {
                 // todo how do we send a response?
                 log.warn("There was an error: " + error);
                 challenge = challenge(400, OIDCAuthenticationError.Reason.OAUTH_ERROR, error);
                 return AuthOutcome.FAILED;
             } else {
                 log.debug("redirecting to auth server");
                 challenge = loginRedirect();
                 return AuthOutcome.NOT_ATTEMPTED;
             }
         } else {
             log.debug("there was a code, resolving");
             challenge = resolveCode(code);
             if (challenge != null) {
                 return AuthOutcome.FAILED;
             }
             return AuthOutcome.AUTHENTICATED;
         }
 
     }

◆ challenge()

AuthChallenge org.keycloak.adapters.OAuthRequestAuthenticator.challenge	(	final int	code,
		final OIDCAuthenticationError.Reason	reason,
		final String	description
	)

inlineprotected

                                                                                                                              {
         return new AuthChallenge() {
             @Override
             public int getResponseCode() {
                 return code;
             }
 
             @Override
             public boolean challenge(HttpFacade exchange) {
                 OIDCAuthenticationError error = new OIDCAuthenticationError(reason, description);
                 exchange.getRequest().setError(error);
                 exchange.getResponse().sendError(code);
                 return true;
             }
         };
     }

◆ checkStateCookie()

AuthChallenge org.keycloak.adapters.OAuthRequestAuthenticator.checkStateCookie ( )

inlineprotected

                                                {
         OIDCHttpFacade.Cookie stateCookie = getCookie(deployment.getStateCookieName());
 
         if (stateCookie == null) {
             log.warn("No state cookie");
             return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
         }
         // reset the cookie
         log.debug("** reseting application state cookie");
         facade.getResponse().resetCookie(deployment.getStateCookieName(), stateCookie.getPath());
         String stateCookieValue = getCookieValue(deployment.getStateCookieName());
 
         String state = getQueryParamValue(OAuth2Constants.STATE);
         if (state == null) {
             log.warn("state parameter was null");
             return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
         }
         if (!state.equals(stateCookieValue)) {
             log.warn("state parameter invalid");
             log.warn("cookie: " + stateCookieValue);
             log.warn("queryParam: " + state);
             return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
         }
         return null;
 
     }

◆ getChallenge()

AuthChallenge org.keycloak.adapters.OAuthRequestAuthenticator.getChallenge ( )

inline

                                         {
         return challenge;
     }

◆ getCode()

String org.keycloak.adapters.OAuthRequestAuthenticator.getCode ( )

inlineprotected

                                {
         return getQueryParamValue(OAuth2Constants.CODE);
     }

◆ getCookie()

OIDCHttpFacade.Cookie org.keycloak.adapters.OAuthRequestAuthenticator.getCookie ( String cookieName )

inlineprotected

                                                                  {
         return facade.getRequest().getCookie(cookieName);
     }

◆ getCookieValue()

String org.keycloak.adapters.OAuthRequestAuthenticator.getCookieValue ( String cookieName )

inlineprotected

                                                        {
         OIDCHttpFacade.Cookie cookie = getCookie(cookieName);
         if (cookie == null) return null;
         return cookie.getValue();
     }

◆ getError()

String org.keycloak.adapters.OAuthRequestAuthenticator.getError ( )

inlineprotected

                                 {
         return getQueryParamValue(OAuth2Constants.ERROR);
     }

◆ getIdToken()

IDToken org.keycloak.adapters.OAuthRequestAuthenticator.getIdToken ( )

inline

                                 {
         return idToken;
     }

◆ getIdTokenString()

String org.keycloak.adapters.OAuthRequestAuthenticator.getIdTokenString ( )

inline

                                      {
         return idTokenString;
     }

◆ getQueryParamValue()

String org.keycloak.adapters.OAuthRequestAuthenticator.getQueryParamValue ( String paramName )

inlineprotected

                                                           {
         return facade.getRequest().getQueryParamValue(paramName);
     }

◆ getRedirectUri()

String org.keycloak.adapters.OAuthRequestAuthenticator.getRedirectUri ( String state )

inlineprotected

                                                   {
         String url = getRequestUrl();
         log.debugf("callback uri: %s", url);
       
         if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
             int port = sslRedirectPort();
             if (port < 0) {
                 // disabled?
                 return null;
             }
             KeycloakUriBuilder secureUrl = KeycloakUriBuilder.fromUri(url).scheme("https").port(-1);
             if (port != 443) secureUrl.port(port);
             url = secureUrl.build().toString();
         }
 
         String loginHint = getQueryParamValue("login_hint");
         url = UriUtils.stripQueryParam(url,"login_hint");
 
         String idpHint = getQueryParamValue(AdapterConstants.KC_IDP_HINT);
         url = UriUtils.stripQueryParam(url, AdapterConstants.KC_IDP_HINT);
 
         String scope = getQueryParamValue(OAuth2Constants.SCOPE);
         url = UriUtils.stripQueryParam(url, OAuth2Constants.SCOPE);
 
         String prompt = getQueryParamValue(OAuth2Constants.PROMPT);
         url = UriUtils.stripQueryParam(url, OAuth2Constants.PROMPT);
 
         String maxAge = getQueryParamValue(OAuth2Constants.MAX_AGE);
         url = UriUtils.stripQueryParam(url, OAuth2Constants.MAX_AGE);
 
         String uiLocales = getQueryParamValue(OAuth2Constants.UI_LOCALES_PARAM);
         url = UriUtils.stripQueryParam(url, OAuth2Constants.UI_LOCALES_PARAM);
 
         KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone()
                 .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
                 .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
                 .queryParam(OAuth2Constants.REDIRECT_URI, rewrittenRedirectUri(url))
                 .queryParam(OAuth2Constants.STATE, state)
                 .queryParam("login", "true");
         if(loginHint != null && loginHint.length() > 0){
             redirectUriBuilder.queryParam("login_hint",loginHint);
         }
         if (idpHint != null && idpHint.length() > 0) {
             redirectUriBuilder.queryParam(AdapterConstants.KC_IDP_HINT,idpHint);
         }
         if (prompt != null && prompt.length() > 0) {
             redirectUriBuilder.queryParam(OAuth2Constants.PROMPT, prompt);
         }
         if (maxAge != null && maxAge.length() > 0) {
             redirectUriBuilder.queryParam(OAuth2Constants.MAX_AGE, maxAge);
         }
         if (uiLocales != null && uiLocales.length() > 0) {
             redirectUriBuilder.queryParam(OAuth2Constants.UI_LOCALES_PARAM, uiLocales);
         }
 
         scope = TokenUtil.attachOIDCScope(scope);
         redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope);
 
         return redirectUriBuilder.build().toString();
     }

◆ getRefreshToken()

String org.keycloak.adapters.OAuthRequestAuthenticator.getRefreshToken ( )

inline

                                     {
         return refreshToken;
     }

◆ getRequestUrl()

String org.keycloak.adapters.OAuthRequestAuthenticator.getRequestUrl ( )

inlineprotected

                                      {
         return facade.getRequest().getURI();
     }

◆ getStateCode()

String org.keycloak.adapters.OAuthRequestAuthenticator.getStateCode ( )

inlineprotected

                                     {
         return AdapterUtils.generateId();
     }

◆ getStrippedOauthParametersRequestUri()

String org.keycloak.adapters.OAuthRequestAuthenticator.getStrippedOauthParametersRequestUri ( )

inline

                                                          {
         return strippedOauthParametersRequestUri;
     }

◆ getToken()

AccessToken org.keycloak.adapters.OAuthRequestAuthenticator.getToken ( )

inline

                                   {
         return token;
     }

◆ getTokenString()

String org.keycloak.adapters.OAuthRequestAuthenticator.getTokenString ( )

inline

                                    {
         return tokenString;
     }

◆ isRequestSecure()

boolean org.keycloak.adapters.OAuthRequestAuthenticator.isRequestSecure ( )

inlineprotected

                                         {
         return facade.getRequest().isSecure();
     }

◆ loginRedirect()

AuthChallenge org.keycloak.adapters.OAuthRequestAuthenticator.loginRedirect ( )

inlineprotected

                                             {
         final String state = getStateCode();
         final String redirect =  getRedirectUri(state);
         if (redirect == null) {
             return challenge(403, OIDCAuthenticationError.Reason.NO_REDIRECT_URI, null);
         }
         return new AuthChallenge() {
 
             @Override
             public int getResponseCode() {
                 return 0;
             }
 
             @Override
             public boolean challenge(HttpFacade exchange) {
                 tokenStore.saveRequest();
                 log.debug("Sending redirect to login page: " + redirect);
                 exchange.getResponse().setStatus(302);
                 exchange.getResponse().setCookie(deployment.getStateCookieName(), state, /* need to set path? */ null, null, -1, deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr()), true);
                 exchange.getResponse().setHeader("Location", redirect);
                 return true;
             }
         };
     }

◆ logToken()

void org.keycloak.adapters.OAuthRequestAuthenticator.logToken	(	String	name,
		String	token
	)

inlineprivate

                                                      {
         try {
             JWSInput jwsInput = new JWSInput(token);
             String wireString = jwsInput.getWireString();
             log.tracef("\t%s: %s", name, wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
         } catch (JWSInputException e) {
             log.errorf(e, "Failed to parse %s: %s", name, token);
         }
     }

◆ resolveCode()

AuthChallenge org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode ( String code )

inlineprotected

Start or continue the oauth login process.

if code query parameter is not present, then browser is redirected to authUrl. The redirect URL will be the URL of the current request.

If code query parameter is present, then an access token is obtained by invoking a secure request to the codeUrl. If the access token is obtained, the browser is again redirected to the current request URL, but any OAuth protocol specific query parameters are removed.

戻り値: null if an access token was obtained, otherwise a challenge is returned

                                                      {
         // abort if not HTTPS
         if (!isRequestSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
             log.error("Adapter requires SSL. Request: " + facade.getRequest().getURI());
             return challenge(403, OIDCAuthenticationError.Reason.SSL_REQUIRED, null);
         }
 
         log.debug("checking state cookie for after code");
         AuthChallenge challenge = checkStateCookie();
         if (challenge != null) return challenge;
 
         AccessTokenResponse tokenResponse = null;
         strippedOauthParametersRequestUri = stripOauthParametersFromRedirect();
     
         try {
             // For COOKIE store we don't have httpSessionId and single sign-out won't be available
             String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION ? reqAuthenticator.changeHttpSessionId(true) : null;
             tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, rewrittenRedirectUri(strippedOauthParametersRequestUri), httpSessionId);
         } catch (ServerRequest.HttpFailure failure) {
             log.error("failed to turn code into token");
             log.error("status from server: " + failure.getStatus());
             if (failure.getError() != null) {
                 log.error("   " + failure.getError());
             }
             return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
 
         } catch (IOException e) {
             log.error("failed to turn code into token", e);
             return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
         }
 
         tokenString = tokenResponse.getToken();
         refreshToken = tokenResponse.getRefreshToken();
         idTokenString = tokenResponse.getIdToken();
 
         log.debug("Verifying tokens");
         if (log.isTraceEnabled()) {
             logToken("\taccess_token", tokenString);
             logToken("\tid_token", idTokenString);
             logToken("\trefresh_token", refreshToken);
         }
 
         try {
             token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
             if (idTokenString != null) {
                 try {
                     JWSInput input = new JWSInput(idTokenString);
                     idToken = input.readJsonContent(IDToken.class);
                 } catch (JWSInputException e) {
                     throw new VerificationException();
                 }
             }
             log.debug("Token Verification succeeded!");
         } catch (VerificationException e) {
             log.error("failed verification of token: " + e.getMessage());
             return challenge(403, OIDCAuthenticationError.Reason.INVALID_TOKEN, null);
         }
         if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
             deployment.updateNotBefore(tokenResponse.getNotBeforePolicy());
         }
         if (token.getIssuedAt() < deployment.getNotBefore()) {
             log.error("Stale token");
             return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);
         }
         log.debug("successful authenticated");
         return null;
     }

◆ rewrittenRedirectUri()

String org.keycloak.adapters.OAuthRequestAuthenticator.rewrittenRedirectUri ( String originalUri )

inlineprivate

                                                             {
         Map<String, String> rewriteRules = deployment.getRedirectRewriteRules();
             if(rewriteRules != null && !rewriteRules.isEmpty()) {
             try {
                 URL url = new URL(originalUri);
                 Map.Entry<String, String> rule =  rewriteRules.entrySet().iterator().next();
                 StringBuilder redirectUriBuilder = new StringBuilder(url.getProtocol());
                 redirectUriBuilder.append("://"+ url.getAuthority());
                 redirectUriBuilder.append(url.getPath().replaceFirst(rule.getKey(), rule.getValue()));
                 return redirectUriBuilder.toString();
             } catch (MalformedURLException ex) {
                 log.error("Not a valid request url");
                 throw new RuntimeException(ex);
             }
             }
         return originalUri;
     }

◆ setIdToken()

void org.keycloak.adapters.OAuthRequestAuthenticator.setIdToken ( IDToken idToken )

inline

                                             {
         this.idToken = idToken;
     }

◆ setIdTokenString()

void org.keycloak.adapters.OAuthRequestAuthenticator.setIdTokenString ( String idTokenString )

inline

                                                        {
         this.idTokenString = idTokenString;
     }

◆ setStrippedOauthParametersRequestUri()

void org.keycloak.adapters.OAuthRequestAuthenticator.setStrippedOauthParametersRequestUri ( String strippedOauthParametersRequestUri )

inline

                                                                                                {
         this.strippedOauthParametersRequestUri = strippedOauthParametersRequestUri;
     }

◆ sslRedirectPort()

int org.keycloak.adapters.OAuthRequestAuthenticator.sslRedirectPort ( )

inlineprotected

                                     {
         return sslRedirectPort;
     }

◆ stripOauthParametersFromRedirect()

String org.keycloak.adapters.OAuthRequestAuthenticator.stripOauthParametersFromRedirect ( )

inlineprotected

strip out unwanted query parameters and redirect so bookmarks don't retain oauth protocol bits

                                                         {
         KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(facade.getRequest().getURI())
                 .replaceQueryParam(OAuth2Constants.CODE, null)
                 .replaceQueryParam(OAuth2Constants.STATE, null)
                 .replaceQueryParam(OAuth2Constants.SESSION_STATE, null);
         return builder.build().toString();
     }

メンバ詳解

◆ challenge

AuthChallenge org.keycloak.adapters.OAuthRequestAuthenticator.challenge

protected

◆ deployment

KeycloakDeployment org.keycloak.adapters.OAuthRequestAuthenticator.deployment

protected

◆ facade

HttpFacade org.keycloak.adapters.OAuthRequestAuthenticator.facade

protected

◆ idToken

IDToken org.keycloak.adapters.OAuthRequestAuthenticator.idToken

protected

◆ idTokenString

String org.keycloak.adapters.OAuthRequestAuthenticator.idTokenString

protected

◆ log

final Logger org.keycloak.adapters.OAuthRequestAuthenticator.log = Logger.getLogger(OAuthRequestAuthenticator.class)

staticprivate

◆ refreshToken

String org.keycloak.adapters.OAuthRequestAuthenticator.refreshToken

protected

◆ reqAuthenticator

RequestAuthenticator org.keycloak.adapters.OAuthRequestAuthenticator.reqAuthenticator

protected

◆ sslRedirectPort

int org.keycloak.adapters.OAuthRequestAuthenticator.sslRedirectPort

protected

◆ strippedOauthParametersRequestUri

String org.keycloak.adapters.OAuthRequestAuthenticator.strippedOauthParametersRequestUri

protected

◆ token

AccessToken org.keycloak.adapters.OAuthRequestAuthenticator.token

protected

◆ tokenStore

AdapterSessionStore org.keycloak.adapters.OAuthRequestAuthenticator.tokenStore

protected

◆ tokenString

String org.keycloak.adapters.OAuthRequestAuthenticator.tokenString

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/keycloak/doxygen/src/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java

公開メンバ関数

限定公開メンバ関数

限定公開変数類

非公開メンバ関数

静的非公開変数類

詳解

構築子と解体子

◆ OAuthRequestAuthenticator()

関数詳解

◆ authenticate()

◆ challenge()

◆ checkStateCookie()

◆ getChallenge()

◆ getCode()

◆ getCookie()

◆ getCookieValue()

◆ getError()

◆ getIdToken()

◆ getIdTokenString()

◆ getQueryParamValue()

◆ getRedirectUri()

◆ getRefreshToken()

◆ getRequestUrl()

◆ getStateCode()

◆ getStrippedOauthParametersRequestUri()

◆ getToken()

◆ getTokenString()

◆ isRequestSecure()

◆ loginRedirect()

◆ logToken()

◆ resolveCode()

◆ rewrittenRedirectUri()

◆ setIdToken()

◆ setIdTokenString()

◆ setStrippedOauthParametersRequestUri()

◆ sslRedirectPort()

◆ stripOauthParametersFromRedirect()

メンバ詳解

◆ challenge

◆ deployment

◆ facade

◆ idToken

◆ idTokenString

◆ log

◆ refreshToken

◆ reqAuthenticator

◆ sslRedirectPort

◆ strippedOauthParametersRequestUri

◆ token

◆ tokenStore

◆ tokenString