org.keycloak.adapters.QueryParamterTokenRequestAuthenticator の継承関係図

org.keycloak.adapters.QueryParamterTokenRequestAuthenticator 連携図

公開メンバ関数
	QueryParamterTokenRequestAuthenticator (KeycloakDeployment deployment)

AuthOutcome	authenticate (HttpFacade exchange)

AuthChallenge	getChallenge ()

String	getTokenString ()

AccessToken	getToken ()

String	getSurrogate ()

静的公開変数類
static final String	ACCESS_TOKEN = "access_token"

限定公開メンバ関数
AuthOutcome	authenticateToken (HttpFacade exchange, String tokenString)

AuthChallenge	clientCertChallenge ()

AuthChallenge	challengeResponse (HttpFacade facade, final OIDCAuthenticationError.Reason reason, final String error, final String description)

限定公開変数類
Logger	log = Logger.getLogger(QueryParamterTokenRequestAuthenticator.class)

String	tokenString

AccessToken	token

String	surrogate

AuthChallenge	challenge

KeycloakDeployment	deployment

関数
String	getAccessTokenFromQueryParamter (HttpFacade exchange)

詳解

著者: Christian Froehlich; Brad Culley; John D. Ament

バージョン

Revision: 1

構築子と解体子

◆ QueryParamterTokenRequestAuthenticator()

org.keycloak.adapters.QueryParamterTokenRequestAuthenticator.QueryParamterTokenRequestAuthenticator ( KeycloakDeployment deployment )

inline

                                                                                  {
         super(deployment);
     }

関数詳解

◆ authenticate()

AuthOutcome org.keycloak.adapters.QueryParamterTokenRequestAuthenticator.authenticate ( HttpFacade exchange )

inline

                                                          {
         if(!deployment.isOAuthQueryParameterEnabled()) {
             return AuthOutcome.NOT_ATTEMPTED;
         }
         tokenString = null;
         tokenString = getAccessTokenFromQueryParamter(exchange);
         if (tokenString == null || tokenString.trim().isEmpty()) {
             challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_QUERY_PARAMETER_ACCESS_TOKEN, null, null);
             return AuthOutcome.NOT_ATTEMPTED;
         }
         return (authenticateToken(exchange, tokenString));
     }

◆ authenticateToken()

AuthOutcome org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken	(	HttpFacade	exchange,
		String	tokenString
	)

inlineprotectedinherited

                                                                                      {
         log.debug("Verifying access_token");
         if (log.isTraceEnabled()) {
             try {
                 JWSInput jwsInput = new JWSInput(tokenString);
                 String wireString = jwsInput.getWireString();
                 log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
             } catch (JWSInputException e) {
                 log.errorf(e, "Failed to parse access_token: %s", tokenString);
             }
         }
         try {
             token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
         } catch (VerificationException e) {
             log.error("Failed to verify token", e);
             challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage());
             return AuthOutcome.FAILED;
         }
         if (token.getIssuedAt() < deployment.getNotBefore()) {
             log.error("Stale token");
             challenge = challengeResponse(exchange,  OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token");
             return AuthOutcome.FAILED;
         }
         boolean verifyCaller = false;
         if (deployment.isUseResourceRoleMappings()) {
             verifyCaller = token.isVerifyCaller(deployment.getResourceName());
         } else {
             verifyCaller = token.isVerifyCaller();
         }
         surrogate = null;
         if (verifyCaller) {
             if (token.getTrustedCertificates() == null || token.getTrustedCertificates().size() == 0) {
                 log.warn("No trusted certificates in token");
                 challenge = clientCertChallenge();
                 return AuthOutcome.FAILED;
             }
 
             // for now, we just make sure Undertow did two-way SSL
             // assume JBoss Web verifies the client cert
             X509Certificate[] chain = new X509Certificate[0];
             try {
                 chain = exchange.getCertificateChain();
             } catch (Exception ignore) {
 
             }
             if (chain == null || chain.length == 0) {
                 log.warn("No certificates provided by undertow to verify the caller");
                 challenge = clientCertChallenge();
                 return AuthOutcome.FAILED;
             }
             surrogate = chain[0].getSubjectDN().getName();
         }
         log.debug("successful authorized");
         return AuthOutcome.AUTHENTICATED;
     }

◆ challengeResponse()

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.challengeResponse	(	HttpFacade	facade,
		final OIDCAuthenticationError.Reason	reason,
		final String	error,
		final String	description
	)

inlineprotectedinherited

                                                                                                                                                             {
         StringBuilder header = new StringBuilder("Bearer realm=\"");
         header.append(deployment.getRealm()).append("\"");
         if (error != null) {
             header.append(", error=\"").append(error).append("\"");
         }
         if (description != null) {
             header.append(", error_description=\"").append(description).append("\"");
         }
         final String challenge = header.toString();
         return new AuthChallenge() {
             @Override
             public int getResponseCode() {
                 return 401;
             }
 
             @Override
             public boolean challenge(HttpFacade facade) {
                 if (deployment.getPolicyEnforcer() != null) {
                     deployment.getPolicyEnforcer().enforce(OIDCHttpFacade.class.cast(facade));
                     return true;
                 }
                 OIDCAuthenticationError error = new OIDCAuthenticationError(reason, description);
                 facade.getRequest().setError(error);
                 facade.getResponse().addHeader("WWW-Authenticate", challenge);
                 if(deployment.isDelegateBearerErrorResponseSending()){
                     facade.getResponse().setStatus(401);
                 }
                 else {
                     facade.getResponse().sendError(401);
                 }
                 return true;
             }
         };
     }

◆ clientCertChallenge()

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.clientCertChallenge ( )

inlineprotectedinherited

                                                   {
         return new AuthChallenge() {
             @Override
             public int getResponseCode() {
                 return 0;
             }
 
             @Override
             public boolean challenge(HttpFacade exchange) {
                 // do the same thing as client cert auth
                 return false;
             }
         };
     }

◆ getAccessTokenFromQueryParamter()

String org.keycloak.adapters.QueryParamterTokenRequestAuthenticator.getAccessTokenFromQueryParamter ( HttpFacade exchange )

inlinepackage

                                                                 {
         try {
             if (exchange != null && exchange.getRequest() != null) {
                 return exchange.getRequest().getQueryParamValue(ACCESS_TOKEN);
             }
         } catch (Exception ignore) {
         }
         return null;
     }

◆ getChallenge()

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.getChallenge ( )

inlineinherited

                                         {
         return challenge;
     }

◆ getSurrogate()

String org.keycloak.adapters.BearerTokenRequestAuthenticator.getSurrogate ( )

inlineinherited

                                  {
         return surrogate;
     }

◆ getToken()

AccessToken org.keycloak.adapters.BearerTokenRequestAuthenticator.getToken ( )

inlineinherited

                                   {
         return token;
     }

◆ getTokenString()

String org.keycloak.adapters.BearerTokenRequestAuthenticator.getTokenString ( )

inlineinherited

                                    {
         return tokenString;
     }

メンバ詳解

◆ ACCESS_TOKEN

final String org.keycloak.adapters.QueryParamterTokenRequestAuthenticator.ACCESS_TOKEN = "access_token"

static

◆ challenge

AuthChallenge org.keycloak.adapters.BearerTokenRequestAuthenticator.challenge

protectedinherited

◆ deployment

KeycloakDeployment org.keycloak.adapters.BearerTokenRequestAuthenticator.deployment

protectedinherited

◆ log

Logger org.keycloak.adapters.QueryParamterTokenRequestAuthenticator.log = Logger.getLogger(QueryParamterTokenRequestAuthenticator.class)

protected

◆ surrogate

String org.keycloak.adapters.BearerTokenRequestAuthenticator.surrogate

protectedinherited

◆ token

AccessToken org.keycloak.adapters.BearerTokenRequestAuthenticator.token

protectedinherited

◆ tokenString

String org.keycloak.adapters.BearerTokenRequestAuthenticator.tokenString

protectedinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/keycloak/doxygen/src/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/QueryParamterTokenRequestAuthenticator.java

公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

関数

詳解

構築子と解体子

◆ QueryParamterTokenRequestAuthenticator()

関数詳解

◆ authenticate()

◆ authenticateToken()

◆ challengeResponse()

◆ clientCertChallenge()

◆ getAccessTokenFromQueryParamter()

◆ getChallenge()

◆ getSurrogate()

◆ getToken()

◆ getTokenString()

メンバ詳解

◆ ACCESS_TOKEN

◆ challenge

◆ deployment

◆ log

◆ surrogate

◆ token

◆ tokenString