org.keycloak.TokenVerifier< T extends JsonWebToken > の継承関係図

org.keycloak.TokenVerifier< T extends JsonWebToken > 連携図

クラス
class	AudienceCheck

interface	Predicate

class	RealmUrlCheck

class	TokenTypeCheck

公開メンバ関数
TokenVerifier< T >	verifierContext (SignatureVerifierContext verifier)

TokenVerifier< T >	withDefaultChecks ()

TokenVerifier< T >	withChecks (Predicate<? super T >... checks)

TokenVerifier< T >	publicKey (PublicKey publicKey)

TokenVerifier< T >	secretKey (SecretKey secretKey)

TokenVerifier< T >	realmUrl (String realmUrl)

TokenVerifier< T >	checkTokenType (boolean checkTokenType)

TokenVerifier< T >	tokenType (String tokenType)

TokenVerifier< T >	checkActive (boolean checkActive)

TokenVerifier< T >	checkRealmUrl (boolean checkRealmUrl)

TokenVerifier< T >	audience (String expectedAudience)

TokenVerifier< T >	parse () throws VerificationException

T	getToken () throws VerificationException

JWSHeader	getHeader () throws VerificationException

void	verifySignature () throws VerificationException

TokenVerifier< T >	verify () throws VerificationException

静的公開メンバ関数
static< T extends JsonWebToken > TokenVerifier< T >	create (String tokenString, Class< T > clazz)

static< T extends JsonWebToken > TokenVerifier< T >	createWithoutSignature (T token)

static< T extends JsonWebToken > Predicate< T >	optional (final Predicate< T > mandatoryPredicate)

static< T extends JsonWebToken > Predicate< T >	alternative (final Predicate<? super T >... predicates)

静的公開変数類
static final Predicate< JsonWebToken >	SUBJECT_EXISTS_CHECK

static final Predicate< JsonWebToken >	IS_ACTIVE

限定公開メンバ関数
	TokenVerifier (String tokenString, Class< T > clazz)

	TokenVerifier (T token)

関数
private< P extends Predicate<? super T > > TokenVerifier< T >	replaceCheck (Class<? extends Predicate<?>> checkClass, boolean active, P predicate)

private< P extends Predicate<? super T > > TokenVerifier< T >	replaceCheck (Predicate<? super T > check, boolean active, P predicate)

非公開メンバ関数
void	removeCheck (Class<? extends Predicate<?>> checkClass)

void	removeCheck (Predicate<? super T > check)

非公開変数類
String	tokenString

Class<? extends T >	clazz

PublicKey	publicKey

SecretKey	secretKey

String	realmUrl

String	expectedTokenType = TokenUtil.TOKEN_TYPE_BEARER

boolean	checkTokenType = true

boolean	checkRealmUrl = true

final LinkedList< Predicate<? super T > >	checks = new LinkedList<>()

JWSInput	jws

T	token

SignatureVerifierContext	verifier = null

静的非公開変数類
static final Logger	LOG = Logger.getLogger(TokenVerifier.class.getName())

詳解

著者: Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ TokenVerifier() [1/2]

org.keycloak.TokenVerifier< T extends JsonWebToken >.TokenVerifier	(	String	tokenString,
		Class< T >	clazz
	)

inlineprotected

                                                                 {
         this.tokenString = tokenString;
         this.clazz = clazz;
     }

◆ TokenVerifier() [2/2]

org.keycloak.TokenVerifier< T extends JsonWebToken >.TokenVerifier ( T token )

inlineprotected

                                      {
         this.token = token;
     }

関数詳解

◆ alternative()

static <T extends JsonWebToken> Predicate<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.alternative ( final Predicate<? super T >... predicates )

inlinestatic

Creates a predicate that will proceed with checks of the given predicates and will pass if and only if at least one of the given predicates passes.

引数

<T>
predicates

戻り値

                                                                                                               {
         return new Predicate<T>() {
             @Override
             public boolean test(T t) {
                 for (Predicate<? super T> predicate : predicates) {
                     try {
                         if (predicate.test(t)) {
                             return true;
                         }
 
                         LOG.finer("[alternative] predicate failed: " + predicate);
                     } catch (VerificationException ex) {
                         LOG.log(Level.FINER, "[alternative] predicate " + predicate + " failed.", ex);
                     }
                 }
 
                 return false;
             }
         };
     }

◆ audience()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.audience ( String expectedAudience )

inline

Add check for verifying that token contains the expectedAudience

引数

expectedAudience Audience, which needs to be in the target token. Can't be null

戻り値: This token verifier

                                                               {
         return this.replaceCheck(AudienceCheck.class, true, new AudienceCheck(expectedAudience));
     }

◆ checkActive()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.checkActive ( boolean checkActive )

inline

非推奨:: This method is here only for backward compatibility with previous version of

TokenVerifier

.

戻り値: This token verifier

                                                              {
         return replaceCheck(IS_ACTIVE, checkActive, IS_ACTIVE);
     }

◆ checkRealmUrl()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.checkRealmUrl ( boolean checkRealmUrl )

inline

非推奨:: This method is here only for backward compatibility with previous version of

TokenVerifier

.

戻り値: This token verifier

                                                                  {
         this.checkRealmUrl = checkRealmUrl;
         return replaceCheck(RealmUrlCheck.class, this.checkRealmUrl, new RealmUrlCheck(realmUrl));
     }

◆ checkTokenType()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.checkTokenType ( boolean checkTokenType )

inline

非推奨:: This method is here only for backward compatibility with previous version of

TokenVerifier

.

戻り値: This token verifier

                                                                    {
         this.checkTokenType = checkTokenType;
         return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType));
     }

◆ create()

static <T extends JsonWebToken> TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.create	(	String	tokenString,
		Class< T >	clazz
	)

inlinestatic

Creates an instance of

TokenVerifier

from the given string on a JWT of the given class. The token verifier has no checks defined. Note that the checks are only tested when verify() method is invoked.

引数

<T>	Type of the token
tokenString	String representation of JWT
clazz	Class of the token

戻り値

                                                                                                        {
         return new TokenVerifier(tokenString, clazz);
     }

◆ createWithoutSignature()

static <T extends JsonWebToken> TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.createWithoutSignature ( T token )

inlinestatic

Creates an instance of

TokenVerifier

for the given token. The token verifier has no checks defined. Note that the checks are only tested when verify() method is invoked.

NOTE: The returned token verifier cannot verify token signature since that is not part of the JsonWebToken object.

戻り値

                                                                                             {
         return new TokenVerifier(token);
     }

◆ getHeader()

JWSHeader org.keycloak.TokenVerifier< T extends JsonWebToken >.getHeader ( ) throws VerificationException

inline

                                                               {
         parse();
         return jws.getHeader();
     }

◆ getToken()

T org.keycloak.TokenVerifier< T extends JsonWebToken >.getToken ( ) throws VerificationException

inline

                                                      {
         if (token == null) {
             parse();
         }
         return token;
     }

◆ optional()

static <T extends JsonWebToken> Predicate<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.optional ( final Predicate< T > mandatoryPredicate )

inlinestatic

Creates an optional predicate from a predicate that will proceed with check but always pass.

引数

<T>
mandatoryPredicate

戻り値

                                                                                                         {
         return new Predicate<T>() {
             @Override
             public boolean test(T t) throws VerificationException {
                 try {
                     if (! mandatoryPredicate.test(t)) {
                         LOG.finer("[optional] predicate failed: " + mandatoryPredicate);
                     }
 
                     return true;
                 } catch (VerificationException ex) {
                     LOG.log(Level.FINER, "[optional] predicate " + mandatoryPredicate + " failed.", ex);
                     return true;
                 }
             }
         };
     }

◆ parse()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.parse ( ) throws VerificationException

inline

                                                                  {
         if (jws == null) {
             if (tokenString == null) {
                 throw new VerificationException("Token not set");
             }
 
             try {
                 jws = new JWSInput(tokenString);
             } catch (JWSInputException e) {
                 throw new VerificationException("Failed to parse JWT", e);
             }
 
 
             try {
                 token = jws.readJsonContent(clazz);
             } catch (JWSInputException e) {
                 throw new VerificationException("Failed to read access token from JWT", e);
             }
         }
         return this;
     }

◆ publicKey()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.publicKey ( PublicKey publicKey )

inline

Sets the key for verification of RSA-based signature.

引数

publicKey

戻り値

                                                            {
         this.publicKey = publicKey;
         return this;
     }

◆ realmUrl()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.realmUrl ( String realmUrl )

inline

非推奨:: This method is here only for backward compatibility with previous version of

TokenVerifier

.

戻り値: This token verifier

                                                       {
         this.realmUrl = realmUrl;
         return replaceCheck(RealmUrlCheck.class, checkRealmUrl, new RealmUrlCheck(realmUrl));
     }

◆ removeCheck() [1/2]

void org.keycloak.TokenVerifier< T extends JsonWebToken >.removeCheck ( Class<? extends Predicate<?>> checkClass )

inlineprivate

                                                                        {
         for (Iterator<Predicate<? super T>> it = checks.iterator(); it.hasNext();) {
             if (it.next().getClass() == checkClass) {
                 it.remove();
             }
         }
     }

◆ removeCheck() [2/2]

void org.keycloak.TokenVerifier< T extends JsonWebToken >.removeCheck ( Predicate<? super T > check )

inlineprivate

                                                          {
         checks.remove(check);
     }

◆ replaceCheck() [1/2]

private<P extends Predicate<? super T> > TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.replaceCheck	(	Class<? extends Predicate<?>>	checkClass,
		boolean	active,
		P	predicate
	)

inlinepackage

                                                                                                                                                   {
         removeCheck(checkClass);
         if (active) {
             checks.add(predicate);
         }
         return this;
     }

◆ replaceCheck() [2/2]

private<P extends Predicate<? super T> > TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.replaceCheck	(	Predicate<? super T >	check,
		boolean	active,
		P	predicate
	)

inlinepackage

                                                                                                                                     {
         removeCheck(check);
         if (active) {
             checks.add(predicate);
         }
         return this;
     }

◆ secretKey()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.secretKey ( SecretKey secretKey )

inline

Sets the key for verification of HMAC-based signature.

引数

secretKey

戻り値

                                                            {
         this.secretKey = secretKey;
         return this;
     }

◆ tokenType()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.tokenType ( String tokenType )

inline

非推奨:: This method is here only for backward compatibility with previous version of

TokenVerifier

.

戻り値: This token verifier

                                                         {
         this.expectedTokenType = tokenType;
         return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType));
     }

◆ verifierContext()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.verifierContext ( SignatureVerifierContext verifier )

inline

                                                                                {
         this.verifier = verifier;
         return this;
     }

◆ verify()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.verify ( ) throws VerificationException

inline

                                                                   {
         if (getToken() == null) {
             parse();
         }
         if (jws != null) {
             verifySignature();
         }
 
         for (Predicate<? super T> check : checks) {
             if (! check.test(getToken())) {
                 throw new VerificationException("JWT check failed for check " + check);
             }
         }
 
         return this;
     }

◆ verifySignature()

void org.keycloak.TokenVerifier< T extends JsonWebToken >.verifySignature ( ) throws VerificationException

inline

                                                                {
         if (this.verifier != null) {
             try {
                 if (!verifier.verify(jws.getEncodedSignatureInput().getBytes("UTF-8"), jws.getSignature())) {
                     throw new TokenSignatureInvalidException(token, "Invalid token signature");
                 }
             } catch (Exception e) {
                 throw new VerificationException(e);
             }
         } else {
             AlgorithmType algorithmType = getHeader().getAlgorithm().getType();
 
             if (null == algorithmType) {
                 throw new VerificationException("Unknown or unsupported token algorithm");
             } else switch (algorithmType) {
                 case RSA:
                     if (publicKey == null) {
                         throw new VerificationException("Public key not set");
                     }
                     if (!RSAProvider.verify(jws, publicKey)) {
                         throw new TokenSignatureInvalidException(token, "Invalid token signature");
                     }
                     break;
                 case HMAC:
                     if (secretKey == null) {
                         throw new VerificationException("Secret key not set");
                     }
                     if (!HMACProvider.verify(jws, secretKey)) {
                         throw new TokenSignatureInvalidException(token, "Invalid token signature");
                     }
                     break;
                 default:
                     throw new VerificationException("Unknown or unsupported token algorithm");
             }
         }
     }

◆ withChecks()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.withChecks ( Predicate<? super T >... checks )

inline

Will test the given checks in verify() method in addition to already set checks.

引数

checks

戻り値

                                                                        {
         if (checks != null) {
             this.checks.addAll(Arrays.asList(checks));
         }
         return this;
     }

◆ withDefaultChecks()

TokenVerifier<T> org.keycloak.TokenVerifier< T extends JsonWebToken >.withDefaultChecks ( )

inline

Adds default checks to the token verification:

Realm URL (JWT issuer field:
iss
) has to be defined and match realm set via realmUrl(java.lang.String) method
Subject (JWT subject field:
sub
) has to be defined
Token type (JWT type field:
typ
) has to be
Bearer
. The type can be set via tokenType(java.lang.String) method
Token has to be active, ie. both not expired and not used before its validity (JWT issuer fields:
exp
and
nbf
)

戻り値: This token verifier.

                                                  {
         return withChecks(
           RealmUrlCheck.NULL_INSTANCE,
           SUBJECT_EXISTS_CHECK,
           TokenTypeCheck.INSTANCE_BEARER,
           IS_ACTIVE
         );
     }

メンバ詳解

◆ checkRealmUrl

boolean org.keycloak.TokenVerifier< T extends JsonWebToken >.checkRealmUrl = true

private

◆ checks

final LinkedList<Predicate<? super T> > org.keycloak.TokenVerifier< T extends JsonWebToken >.checks = new LinkedList<>()

private

◆ checkTokenType

boolean org.keycloak.TokenVerifier< T extends JsonWebToken >.checkTokenType = true

private

◆ clazz

Class<? extends T> org.keycloak.TokenVerifier< T extends JsonWebToken >.clazz

private

◆ expectedTokenType

String org.keycloak.TokenVerifier< T extends JsonWebToken >.expectedTokenType = TokenUtil.TOKEN_TYPE_BEARER

private

◆ IS_ACTIVE

final Predicate<JsonWebToken> org.keycloak.TokenVerifier< T extends JsonWebToken >.IS_ACTIVE

static

初期値:

= new Predicate<JsonWebToken>() {
        @Override
        public boolean test(JsonWebToken t) throws VerificationException {
            if (! t.isActive()) {
                throw new TokenNotActiveException(t, "Token is not active");
            }
            return true;
        }
    }

Check for token being neither expired nor used before it gets valid.

参照: JsonWebToken::isActive()

◆ jws

JWSInput org.keycloak.TokenVerifier< T extends JsonWebToken >.jws

private

◆ LOG

final Logger org.keycloak.TokenVerifier< T extends JsonWebToken >.LOG = Logger.getLogger(TokenVerifier.class.getName())

staticprivate

◆ publicKey

PublicKey org.keycloak.TokenVerifier< T extends JsonWebToken >.publicKey

private

◆ realmUrl

String org.keycloak.TokenVerifier< T extends JsonWebToken >.realmUrl

private

◆ secretKey

SecretKey org.keycloak.TokenVerifier< T extends JsonWebToken >.secretKey

private

◆ SUBJECT_EXISTS_CHECK

final Predicate<JsonWebToken> org.keycloak.TokenVerifier< T extends JsonWebToken >.SUBJECT_EXISTS_CHECK

static

初期値:

= new Predicate<JsonWebToken>() {
        @Override
        public boolean test(JsonWebToken t) throws VerificationException {
            String subject = t.getSubject();
            if (subject == null) {
                throw new VerificationException("Subject missing in token");
            }
            return true;
        }
    }

◆ token

T org.keycloak.TokenVerifier< T extends JsonWebToken >.token

private

◆ tokenString

String org.keycloak.TokenVerifier< T extends JsonWebToken >.tokenString

private

◆ verifier

SignatureVerifierContext org.keycloak.TokenVerifier< T extends JsonWebToken >.verifier = null

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/TokenVerifier.java

クラス

公開メンバ関数

静的公開メンバ関数

静的公開変数類

限定公開メンバ関数

関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ TokenVerifier() [1/2]

◆ TokenVerifier() [2/2]

関数詳解

◆ alternative()

◆ audience()

◆ checkActive()

◆ checkRealmUrl()

◆ checkTokenType()

◆ create()

◆ createWithoutSignature()

◆ getHeader()

◆ getToken()

◆ optional()

◆ parse()

◆ publicKey()

◆ realmUrl()

◆ removeCheck() [1/2]

◆ removeCheck() [2/2]

◆ replaceCheck() [1/2]

◆ replaceCheck() [2/2]

◆ secretKey()

◆ tokenType()

◆ verifierContext()

◆ verify()

◆ verifySignature()

◆ withChecks()

◆ withDefaultChecks()

メンバ詳解

◆ checkRealmUrl

◆ checks

◆ checkTokenType

◆ clazz

◆ expectedTokenType

◆ IS_ACTIVE

◆ jws

◆ LOG

◆ publicKey

◆ realmUrl

◆ secretKey

◆ SUBJECT_EXISTS_CHECK

◆ token

◆ tokenString

◆ verifier