org.keycloak.broker.oidc.OIDCIdentityProvider の継承関係図

org.keycloak.broker.oidc.OIDCIdentityProvider 連携図

クラス
class	OIDCEndpoint

公開メンバ関数
	OIDCIdentityProvider (KeycloakSession session, OIDCIdentityProviderConfig config)

Object	callback (RealmModel realm, AuthenticationCallback callback, EventBuilder event)

void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

Response	keycloakInitiatedBrowserLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

String	refreshTokenForLogout (KeycloakSession session, UserSessionModel userSession)

BrokeredIdentityContext	getFederatedIdentity (String response)

void	authenticationFinished (AuthenticationSessionModel authSession, BrokeredIdentityContext context)

boolean	isIssuer (String issuer, MultivaluedMap< String, String > params)

Response	performLogin (AuthenticationRequest request)

Response	retrieveToken (KeycloakSession session, FederatedIdentityModel identity)

C	getConfig ()

Response	exchangeFromToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject, MultivaluedMap< String, String > params)

String	getJsonProperty (JsonNode jsonNode, String name)

JsonNode	asJsonNode (String json) throws IOException

final BrokeredIdentityContext	exchangeExternal (EventBuilder event, MultivaluedMap< String, String > params)

void	exchangeExternalComplete (UserSessionModel userSession, BrokeredIdentityContext context, MultivaluedMap< String, String > params)

静的公開変数類
static final String	SCOPE_OPENID = "openid"

static final String	FEDERATED_ID_TOKEN = "FEDERATED_ID_TOKEN"

static final String	USER_INFO = "UserInfo"

static final String	FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE"

static final String	VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN"

static final String	ACCESS_TOKEN_EXPIRATION = "accessTokenExpiration"

static final String	EXCHANGE_PROVIDER = "EXCHANGE_PROVIDER"

static final String	OAUTH2_GRANT_TYPE_REFRESH_TOKEN

static final String	OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

static final String	FEDERATED_REFRESH_TOKEN

static final String	FEDERATED_TOKEN_EXPIRATION

static final String	ACCESS_DENIED

static final String	OAUTH2_PARAMETER_ACCESS_TOKEN

static final String	OAUTH2_PARAMETER_SCOPE

static final String	OAUTH2_PARAMETER_STATE

static final String	OAUTH2_PARAMETER_RESPONSE_TYPE

static final String	OAUTH2_PARAMETER_REDIRECT_URI

static final String	OAUTH2_PARAMETER_CODE

static final String	OAUTH2_PARAMETER_CLIENT_ID

static final String	OAUTH2_PARAMETER_CLIENT_SECRET

static final String	OAUTH2_PARAMETER_GRANT_TYPE

限定公開メンバ関数
void	backchannelLogout (UserSessionModel userSession, String idToken)

void	processAccessTokenResponse (BrokeredIdentityContext context, AccessTokenResponse response)

Response	exchangeStoredToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeSessionToken (UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

BrokeredIdentityContext	extractIdentity (AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException

String	getusernameClaimNameForIdToken ()

String	getUserInfoUrl ()

boolean	verify (JWSInput jws)

JsonWebToken	validateToken (String encodedToken)

JsonWebToken	validateToken (String encodedToken, boolean ignoreAudience)

String	getDefaultScopes ()

boolean	supportsExternalExchange ()

String	getProfileEndpointForValidation (EventBuilder event)

BrokeredIdentityContext	extractIdentityFromProfile (EventBuilder event, JsonNode userInfo)

String	getUsernameFromUserInfo (JsonNode userInfo)

final BrokeredIdentityContext	validateJwt (EventBuilder event, String subjectToken, String subjectTokenType)

BrokeredIdentityContext	exchangeExternalImpl (EventBuilder event, MultivaluedMap< String, String > params)

String	extractTokenFromResponse (String response, String tokenName)

Response	hasExternalExchangeToken (EventBuilder event, UserSessionModel tokenUserSession, MultivaluedMap< String, String > params)

String	getAccessTokenResponseParameter ()

BrokeredIdentityContext	doGetFederatedIdentity (String accessToken)

UriBuilder	createAuthorizationUrl (AuthenticationRequest request)

BrokeredIdentityContext	validateExternalTokenThroughUserInfo (EventBuilder event, String subjectToken, String subjectTokenType)

SimpleHttp	buildUserInfoRequest (String subjectToken, String userInfoUrl)

BrokeredIdentityContext	exchangeExternalUserInfoValidationOnly (EventBuilder event, MultivaluedMap< String, String > params)

静的限定公開変数類
static final Logger	logger = Logger.getLogger(OIDCIdentityProvider.class)

static ObjectMapper	mapper

非公開メンバ関数
String	getIDTokenForLogout (KeycloakSession session, UserSessionModel userSession)

String	verifyAccessToken (AccessTokenResponse tokenResponse)

詳解

著者: Pedro Igor

構築子と解体子

◆ OIDCIdentityProvider()

org.keycloak.broker.oidc.OIDCIdentityProvider.OIDCIdentityProvider	(	KeycloakSession	session,
		OIDCIdentityProviderConfig	config
	)

inline

                                                                                             {
         super(session, config);
 
         String defaultScope = config.getDefaultScope();
 
         if (!defaultScope.contains(SCOPE_OPENID)) {
             config.setDefaultScope((SCOPE_OPENID + " " + defaultScope).trim());
         }
     }

関数詳解

◆ asJsonNode()

JsonNode org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.asJsonNode ( String json ) throws IOException

inlineinherited

                                                                {
         return mapper.readTree(json);
     }

◆ authenticationFinished()

void org.keycloak.broker.oidc.OIDCIdentityProvider.authenticationFinished	(	AuthenticationSessionModel	authSession,
		BrokeredIdentityContext	context
	)

inline

                                                                                                                 {
         AccessTokenResponse tokenResponse = (AccessTokenResponse) context.getContextData().get(FEDERATED_ACCESS_TOKEN_RESPONSE);
         int currentTime = Time.currentTime();
         long expiration = tokenResponse.getExpiresIn() > 0 ? tokenResponse.getExpiresIn() + currentTime : 0;
         authSession.setUserSessionNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(expiration));
         authSession.setUserSessionNote(FEDERATED_REFRESH_TOKEN, tokenResponse.getRefreshToken());
         authSession.setUserSessionNote(FEDERATED_ACCESS_TOKEN, tokenResponse.getToken());
         authSession.setUserSessionNote(FEDERATED_ID_TOKEN, tokenResponse.getIdToken());
     }

◆ backchannelLogout() [1/2]

void org.keycloak.broker.oidc.OIDCIdentityProvider.backchannelLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inline

                                                                                                                             {
         if (getConfig().getLogoutUrl() == null || getConfig().getLogoutUrl().trim().equals("") || !getConfig().isBackchannelSupported())
             return;
         String idToken = getIDTokenForLogout(session, userSession);
         if (idToken == null) return;
         backchannelLogout(userSession, idToken);
     }

◆ backchannelLogout() [2/2]

void org.keycloak.broker.oidc.OIDCIdentityProvider.backchannelLogout	(	UserSessionModel	userSession,
		String	idToken
	)

inlineprotected

                                                                                    {
         String sessionId = userSession.getId();
         UriBuilder logoutUri = UriBuilder.fromUri(getConfig().getLogoutUrl())
                 .queryParam("state", sessionId);
         logoutUri.queryParam("id_token_hint", idToken);
         String url = logoutUri.build().toString();
         try {
             int status = SimpleHttp.doGet(url, session).asStatus();
             boolean success = status >= 200 && status < 400;
             if (!success) {
                 logger.warn("Failed backchannel broker logout to: " + url);
             }
         } catch (Exception e) {
             logger.warn("Failed backchannel broker logout to: " + url, e);
         }
     }

◆ buildUserInfoRequest()

SimpleHttp org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.buildUserInfoRequest	(	String	subjectToken,
		String	userInfoUrl
	)

inlineprotectedinherited

                                                                                        {
         return SimpleHttp.doGet(userInfoUrl, session)
                   .header("Authorization", "Bearer " + subjectToken);
     }

◆ callback()

Object org.keycloak.broker.oidc.OIDCIdentityProvider.callback	(	RealmModel	realm,
		AuthenticationCallback	callback,
		EventBuilder	event
	)

inline

                                                                                                   {
         return new OIDCEndpoint(callback, realm, event);
     }

◆ createAuthorizationUrl()

UriBuilder org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.createAuthorizationUrl ( AuthenticationRequest request )

inlineprotectedinherited

                                                                                {
         final UriBuilder uriBuilder = UriBuilder.fromUri(getConfig().getAuthorizationUrl())
                 .queryParam(OAUTH2_PARAMETER_SCOPE, getConfig().getDefaultScope())
                 .queryParam(OAUTH2_PARAMETER_STATE, request.getState().getEncoded())
                 .queryParam(OAUTH2_PARAMETER_RESPONSE_TYPE, "code")
                 .queryParam(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                 .queryParam(OAUTH2_PARAMETER_REDIRECT_URI, request.getRedirectUri());
 
         String loginHint = request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM);
         if (getConfig().isLoginHint() && loginHint != null) {
             uriBuilder.queryParam(OIDCLoginProtocol.LOGIN_HINT_PARAM, loginHint);
         }
 
         if (getConfig().isUiLocales()) {
             uriBuilder.queryParam(OIDCLoginProtocol.UI_LOCALES_PARAM, session.getContext().resolveLocale(null).toLanguageTag());
         }
 
         String prompt = getConfig().getPrompt();
         if (prompt == null || prompt.isEmpty()) {
             prompt = request.getAuthenticationSession().getClientNote(OAuth2Constants.PROMPT);
         }
         if (prompt != null) {
             uriBuilder.queryParam(OAuth2Constants.PROMPT, prompt);
         }
 
         String nonce = request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.NONCE_PARAM);
         if (nonce == null || nonce.isEmpty()) {
             nonce = UUID.randomUUID().toString();
             request.getAuthenticationSession().setClientNote(OIDCLoginProtocol.NONCE_PARAM, nonce);
         }
         uriBuilder.queryParam(OIDCLoginProtocol.NONCE_PARAM, nonce);
 
         String acr = request.getAuthenticationSession().getClientNote(OAuth2Constants.ACR_VALUES);
         if (acr != null) {
             uriBuilder.queryParam(OAuth2Constants.ACR_VALUES, acr);
         }
         String forwardParameterConfig = getConfig().getForwardParameters() != null ? getConfig().getForwardParameters(): "";
         List<String> forwardParameters = Arrays.asList(forwardParameterConfig.split("\\s*,\\s*"));
         for(String forwardParameter: forwardParameters) {
             String name = AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + forwardParameter.trim();
             String parameter = request.getAuthenticationSession().getClientNote(name);
             if(parameter != null && !parameter.isEmpty()) {
                 uriBuilder.queryParam(forwardParameter, parameter);
             }
         }
         return uriBuilder;
     }

◆ doGetFederatedIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.doGetFederatedIdentity ( String accessToken )

inlineprotectedinherited

                                                                                  {
         return null;
     }

◆ exchangeExternal()

final BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternal	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineinherited

                                                                                                                      {
         if (!supportsExternalExchange()) return null;
         BrokeredIdentityContext context = exchangeExternalImpl(event, params);
         if (context != null) {
             context.setIdp(this);
             context.setIdpConfig(getConfig());
         }
         return context;
     }

◆ exchangeExternalComplete()

void org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternalComplete	(	UserSessionModel	userSession,
		BrokeredIdentityContext	context,
		MultivaluedMap< String, String >	params
	)

inlineinherited

                                                                                                                                                {
         if (context.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN))
             userSession.setNote(FEDERATED_ACCESS_TOKEN, params.getFirst(OAuth2Constants.SUBJECT_TOKEN));
         if (context.getContextData().containsKey(OIDCIdentityProvider.VALIDATED_ID_TOKEN))
             userSession.setNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN, params.getFirst(OAuth2Constants.SUBJECT_TOKEN));
         userSession.setNote(OIDCIdentityProvider.EXCHANGE_PROVIDER, getConfig().getAlias());
 
     }

◆ exchangeExternalImpl()

BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.exchangeExternalImpl	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineprotected

                                                                                                                       {
         if (!supportsExternalExchange()) return null;
         String subjectToken = params.getFirst(OAuth2Constants.SUBJECT_TOKEN);
         if (subjectToken == null) {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN + " param unset");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "token not set", Response.Status.BAD_REQUEST);
         }
         String subjectTokenType = params.getFirst(OAuth2Constants.SUBJECT_TOKEN_TYPE);
         if (subjectTokenType == null) {
             subjectTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
         }
         if (OAuth2Constants.JWT_TOKEN_TYPE.equals(subjectTokenType) || OAuth2Constants.ID_TOKEN_TYPE.equals(subjectTokenType)) {
             return validateJwt(event, subjectToken, subjectTokenType);
         } else if (OAuth2Constants.ACCESS_TOKEN_TYPE.equals(subjectTokenType)) {
             return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
         } else {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN_TYPE + " invalid");
             event.error(Errors.INVALID_TOKEN_TYPE);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token type", Response.Status.BAD_REQUEST);
         }
     }

◆ exchangeExternalUserInfoValidationOnly()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeExternalUserInfoValidationOnly	(	EventBuilder	event,
		MultivaluedMap< String, String >	params
	)

inlineprotectedinherited

                                                                                                                                         {
         String subjectToken = params.getFirst(OAuth2Constants.SUBJECT_TOKEN);
         if (subjectToken == null) {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN + " param unset");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "token not set", Response.Status.BAD_REQUEST);
         }
         String subjectTokenType = params.getFirst(OAuth2Constants.SUBJECT_TOKEN_TYPE);
         if (subjectTokenType == null) {
             subjectTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
         }
         if (!OAuth2Constants.ACCESS_TOKEN_TYPE.equals(subjectTokenType)) {
             event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN_TYPE + " invalid");
             event.error(Errors.INVALID_TOKEN_TYPE);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token type", Response.Status.BAD_REQUEST);
         }
         return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
     }

◆ exchangeFromToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.exchangeFromToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject,
		MultivaluedMap< String, String >	params
	)

inlineinherited

                                                                                                                                                                                                            {
         // check to see if we have a token exchange in session
         // in other words check to see if this session was created by an external exchange
         Response tokenResponse = hasExternalExchangeToken(event, tokenUserSession, params);
         if (tokenResponse != null) return tokenResponse;
 
         // going further we only support access token type?  Why?
         String requestedType = params.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
         if (requestedType != null && !requestedType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
             event.detail(Details.REASON, "requested_token_type unsupported");
             event.error(Errors.INVALID_REQUEST);
             return exchangeUnsupportedRequiredType();
         }
         if (!getConfig().isStoreToken()) {
             // if token isn't stored, we need to see if this session has been linked
             String brokerId = tokenUserSession.getNote(Details.IDENTITY_PROVIDER);
             brokerId = brokerId == null ? tokenUserSession.getNote(IdentityProvider.EXTERNAL_IDENTITY_PROVIDER) : brokerId;
             if (brokerId == null || !brokerId.equals(getConfig().getAlias())) {
                 event.detail(Details.REASON, "requested_issuer has not linked");
                 event.error(Errors.INVALID_REQUEST);
                 return exchangeNotLinkedNoStore(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
             }
             return exchangeSessionToken(uriInfo, event, authorizedClient, tokenUserSession, tokenSubject);
         } else {
             return exchangeStoredToken(uriInfo, event, authorizedClient, tokenUserSession, tokenSubject);
         }
     }

◆ exchangeSessionToken()

Response org.keycloak.broker.oidc.OIDCIdentityProvider.exchangeSessionToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineprotected

                                                                                                                                                                           {
         String refreshToken = tokenUserSession.getNote(FEDERATED_REFRESH_TOKEN);
         String accessToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
         String idToken = tokenUserSession.getNote(FEDERATED_ID_TOKEN);
 
         if (accessToken == null) {
             event.detail(Details.REASON, "requested_issuer is not linked");
             event.error(Errors.INVALID_TOKEN);
             return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
         try {
             long expiration = Long.parseLong(tokenUserSession.getNote(FEDERATED_TOKEN_EXPIRATION));
             if (expiration == 0 || expiration > Time.currentTime()) {
                 AccessTokenResponse tokenResponse = new AccessTokenResponse();
                 tokenResponse.setExpiresIn(expiration);
                 tokenResponse.setToken(accessToken);
                 tokenResponse.setIdToken(null);
                 tokenResponse.setRefreshToken(null);
                 tokenResponse.setRefreshExpiresIn(0);
                 tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
                 tokenResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
                 event.success();
                 return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
             }
             String response = SimpleHttp.doPost(getConfig().getTokenUrl(), session)
                     .param("refresh_token", refreshToken)
                     .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                     .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                     .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
             if (response.contains("error")) {
                 logger.debugv("Error refreshing token, refresh token expiration?: {0}", response);
                 event.detail(Details.REASON, "requested_issuer token expired");
                 event.error(Errors.INVALID_TOKEN);
                 return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
             }
             AccessTokenResponse newResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
             long accessTokenExpiration = newResponse.getExpiresIn() > 0 ? Time.currentTime() + newResponse.getExpiresIn() : 0;
             tokenUserSession.setNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(accessTokenExpiration));
             tokenUserSession.setNote(FEDERATED_REFRESH_TOKEN, newResponse.getRefreshToken());
             tokenUserSession.setNote(FEDERATED_ACCESS_TOKEN, newResponse.getToken());
             tokenUserSession.setNote(FEDERATED_ID_TOKEN, newResponse.getIdToken());
             newResponse.setIdToken(null);
             newResponse.setRefreshToken(null);
             newResponse.setRefreshExpiresIn(0);
             newResponse.getOtherClaims().clear();
             newResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
             newResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
             event.success();
             return Response.ok(newResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
     }

◆ exchangeStoredToken()

Response org.keycloak.broker.oidc.OIDCIdentityProvider.exchangeStoredToken	(	UriInfo	uriInfo,
		EventBuilder	event,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineprotected

                                                                                                                                                                          {
         FederatedIdentityModel model = session.users().getFederatedIdentity(tokenSubject, getConfig().getAlias(), authorizedClient.getRealm());
         if (model == null || model.getToken() == null) {
             event.detail(Details.REASON, "requested_issuer is not linked");
             event.error(Errors.INVALID_TOKEN);
             return exchangeNotLinked(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
         try {
             String modelTokenString = model.getToken();
             AccessTokenResponse tokenResponse = JsonSerialization.readValue(modelTokenString, AccessTokenResponse.class);
             Integer exp = (Integer) tokenResponse.getOtherClaims().get(ACCESS_TOKEN_EXPIRATION);
             if (exp != null && exp < Time.currentTime()) {
                 if (tokenResponse.getRefreshToken() == null) {
                     return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
                 }
                 String response = SimpleHttp.doPost(getConfig().getTokenUrl(), session)
                         .param("refresh_token", tokenResponse.getRefreshToken())
                         .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                         .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                         .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
                 if (response.contains("error")) {
                     logger.debugv("Error refreshing token, refresh token expiration?: {0}", response);
                     model.setToken(null);
                     session.users().updateFederatedIdentity(authorizedClient.getRealm(), tokenSubject, model);
                     event.detail(Details.REASON, "requested_issuer token expired");
                     event.error(Errors.INVALID_TOKEN);
                     return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
                 }
                 AccessTokenResponse newResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
                 if (newResponse.getExpiresIn() > 0) {
                     int accessTokenExpiration = Time.currentTime() + (int) newResponse.getExpiresIn();
                     newResponse.getOtherClaims().put(ACCESS_TOKEN_EXPIRATION, accessTokenExpiration);
                     response = JsonSerialization.writeValueAsString(newResponse);
                 }
                 String oldToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
                 if (oldToken != null && oldToken.equals(tokenResponse.getToken())) {
                     int accessTokenExpiration = newResponse.getExpiresIn() > 0 ? Time.currentTime() + (int) newResponse.getExpiresIn() : 0;
                     tokenUserSession.setNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(accessTokenExpiration));
                     tokenUserSession.setNote(FEDERATED_REFRESH_TOKEN, newResponse.getRefreshToken());
                     tokenUserSession.setNote(FEDERATED_ACCESS_TOKEN, newResponse.getToken());
                     tokenUserSession.setNote(FEDERATED_ID_TOKEN, newResponse.getIdToken());
 
                 }
                 model.setToken(response);
                 tokenResponse = newResponse;
             } else if (exp != null) {
                 tokenResponse.setExpiresIn(exp - Time.currentTime());
             }
             tokenResponse.setIdToken(null);
             tokenResponse.setRefreshToken(null);
             tokenResponse.setRefreshExpiresIn(0);
             tokenResponse.getOtherClaims().clear();
             tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
             tokenResponse.getOtherClaims().put(ACCOUNT_LINK_URL, getLinkingUrl(uriInfo, authorizedClient, tokenUserSession));
             event.success();
             return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
     }

◆ extractIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.extractIdentity	(	AccessTokenResponse	tokenResponse,
		String	accessToken,
		JsonWebToken	idToken
	)		throws IOException

inlineprotected

                                                                                                                                                       {
         String id = idToken.getSubject();
         BrokeredIdentityContext identity = new BrokeredIdentityContext(id);
         String name = (String) idToken.getOtherClaims().get(IDToken.NAME);
         String preferredUsername = (String) idToken.getOtherClaims().get(getusernameClaimNameForIdToken());
         String email = (String) idToken.getOtherClaims().get(IDToken.EMAIL);
 
         if (!getConfig().isDisableUserInfoService()) {
             String userInfoUrl = getUserInfoUrl();
             if (userInfoUrl != null && !userInfoUrl.isEmpty() && (id == null || name == null || preferredUsername == null || email == null)) {
 
                 if (accessToken != null) {
                     SimpleHttp.Response response = SimpleHttp.doGet(userInfoUrl, session)
                             .header("Authorization", "Bearer " + accessToken).asResponse();
                     if (response.getStatus() != 200) {
                         String msg = "failed to invoke user info url";
                         try {
                             String tmp = response.asString();
                             if (tmp != null) msg = tmp;
 
                         } catch (IOException e) {
 
                         }
                         throw new IdentityBrokerException("Failed to invoke on user info url: " + msg);
                     }
                     JsonNode userInfo = response.asJson();
 
                     id = getJsonProperty(userInfo, "sub");
                     name = getJsonProperty(userInfo, "name");
                     preferredUsername = getUsernameFromUserInfo(userInfo);
                     email = getJsonProperty(userInfo, "email");
                     AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, getConfig().getAlias());
                 }
             }
         }
         identity.getContextData().put(VALIDATED_ID_TOKEN, idToken);
 
         identity.setId(id);
         identity.setName(name);
         identity.setEmail(email);
 
         identity.setBrokerUserId(getConfig().getAlias() + "." + id);
 
         if (preferredUsername == null) {
             preferredUsername = email;
         }
 
         if (preferredUsername == null) {
             preferredUsername = id;
         }
 
         identity.setUsername(preferredUsername);
         if (tokenResponse != null && tokenResponse.getSessionState() != null) {
             identity.setBrokerSessionId(getConfig().getAlias() + "." + tokenResponse.getSessionState());
         }
         if (tokenResponse != null) identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, tokenResponse);
         if (tokenResponse != null) processAccessTokenResponse(identity, tokenResponse);
         return identity;
     }

◆ extractIdentityFromProfile()

BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.extractIdentityFromProfile	(	EventBuilder	event,
		JsonNode	userInfo
	)

inlineprotected

                                                                                                         {
         String id = getJsonProperty(userInfo, "sub");
         if (id == null) {
             event.detail(Details.REASON, "sub claim is null from user info json");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         BrokeredIdentityContext identity = new BrokeredIdentityContext(id);
 
         String name = getJsonProperty(userInfo, "name");
         String preferredUsername = getUsernameFromUserInfo(userInfo);
         String email = getJsonProperty(userInfo, "email");
         AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, getConfig().getAlias());
 
         identity.setId(id);
         identity.setName(name);
         identity.setEmail(email);
 
         identity.setBrokerUserId(getConfig().getAlias() + "." + id);
 
         if (preferredUsername == null) {
             preferredUsername = email;
         }
 
         if (preferredUsername == null) {
             preferredUsername = id;
         }
 
         identity.setUsername(preferredUsername);
         return identity;
     }

◆ extractTokenFromResponse()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.extractTokenFromResponse	(	String	response,
		String	tokenName
	)

inlineprotectedinherited

                                                                                  {
           if(response == null)
                 return null;
           
         if (response.startsWith("{")) {
             try {
                         JsonNode node = mapper.readTree(response);
                         if(node.has(tokenName)){
                                 String s = node.get(tokenName).textValue();
                                 if(s == null || s.trim().isEmpty())
                                         return null;
                   return s;
                         } else {
                                 return null;
                         }
             } catch (IOException e) {
                 throw new IdentityBrokerException("Could not extract token [" + tokenName + "] from response [" + response + "] due: " + e.getMessage(), e);
             }
         } else {
             Matcher matcher = Pattern.compile(tokenName + "=([^&]+)").matcher(response);
 
             if (matcher.find()) {
                 return matcher.group(1);
             }
         }
 
         return null;
     }

◆ getAccessTokenResponseParameter()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getAccessTokenResponseParameter ( )

inlineprotectedinherited

                                                        {
         return OAUTH2_PARAMETER_ACCESS_TOKEN;
     }

◆ getConfig()

C org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getConfig ( )

inlineinherited

                          {
         return super.getConfig();
     }

◆ getDefaultScopes()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getDefaultScopes ( )

inlineprotected

                                         {
         return "openid";
     }

◆ getFederatedIdentity()

BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity ( String response )

inline

                                                                          {
         AccessTokenResponse tokenResponse = null;
         try {
             tokenResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
         } catch (IOException e) {
             throw new IdentityBrokerException("Could not decode access token response.", e);
         }
         String accessToken = verifyAccessToken(tokenResponse);
 
         String encodedIdToken = tokenResponse.getIdToken();
 
         JsonWebToken idToken = validateToken(encodedIdToken);
 
         try {
             BrokeredIdentityContext identity = extractIdentity(tokenResponse, accessToken, idToken);
 
             if (getConfig().isStoreToken()) {
                 if (tokenResponse.getExpiresIn() > 0) {
                     long accessTokenExpiration = Time.currentTime() + tokenResponse.getExpiresIn();
                     tokenResponse.getOtherClaims().put(ACCESS_TOKEN_EXPIRATION, accessTokenExpiration);
                     response = JsonSerialization.writeValueAsString(tokenResponse);
                 }
                 identity.setToken(response);
             }
 
             return identity;
         } catch (Exception e) {
             throw new IdentityBrokerException("Could not fetch attributes from userinfo endpoint.", e);
         }
     }

◆ getIDTokenForLogout()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getIDTokenForLogout	(	KeycloakSession	session,
		UserSessionModel	userSession
	)

inlineprivate

                                                                                               {
         String tokenExpirationString = userSession.getNote(FEDERATED_TOKEN_EXPIRATION);
         long exp = tokenExpirationString == null ? 0 : Long.parseLong(tokenExpirationString);
         int currentTime = Time.currentTime();
         if (exp > 0 && currentTime > exp) {
             String response = refreshTokenForLogout(session, userSession);
             AccessTokenResponse tokenResponse = null;
             try {
                 tokenResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
             } catch (IOException e) {
                 throw new RuntimeException(e);
             }
             return tokenResponse.getIdToken();
         } else {
             return userSession.getNote(FEDERATED_ID_TOKEN);
 
         }
     }

◆ getJsonProperty()

String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.getJsonProperty	(	JsonNode	jsonNode,
		String	name
	)

inlineinherited

Get JSON property as text. JSON numbers and booleans are converted to text. Empty string is converted to null.

引数

jsonNode	to get property from
name	of property to get

戻り値: string value of the property or null.

                                                                   {
         if (jsonNode.has(name) && !jsonNode.get(name).isNull()) {
                   String s = jsonNode.get(name).asText();
                   if(s != null && !s.isEmpty())
                                 return s;
                   else
                                 return null;
         }
 
         return null;
     }

◆ getProfileEndpointForValidation()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getProfileEndpointForValidation ( EventBuilder event )

inlineprotected

                                                                          {
         String userInfoUrl = getUserInfoUrl();
         if (getConfig().isDisableUserInfoService() || userInfoUrl == null || userInfoUrl.isEmpty()) {
             event.detail(Details.REASON, "user info service disabled");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
 
         }
         return userInfoUrl;
     }

◆ getUserInfoUrl()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getUserInfoUrl ( )

inlineprotected

                                       {
         return getConfig().getUserInfoUrl();
     }

◆ getusernameClaimNameForIdToken()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getusernameClaimNameForIdToken ( )

inlineprotected

                                                       {
         return IDToken.PREFERRED_USERNAME;
     }

◆ getUsernameFromUserInfo()

String org.keycloak.broker.oidc.OIDCIdentityProvider.getUsernameFromUserInfo ( JsonNode userInfo )

inlineprotected

                                                                 {
         return getJsonProperty(userInfo, "preferred_username");
     }

◆ hasExternalExchangeToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.hasExternalExchangeToken	(	EventBuilder	event,
		UserSessionModel	tokenUserSession,
		MultivaluedMap< String, String >	params
	)

inlineprotectedinherited

check to see if we have a token exchange in session in other words check to see if this session was created by an external exchange

引数

tokenUserSession
params

戻り値

                                                                                                                                               {
         if (getConfig().getAlias().equals(tokenUserSession.getNote(OIDCIdentityProvider.EXCHANGE_PROVIDER))) {
 
             String requestedType = params.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
             if ((requestedType == null || requestedType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE))) {
                 String accessToken = tokenUserSession.getNote(FEDERATED_ACCESS_TOKEN);
                 if (accessToken != null) {
                     AccessTokenResponse tokenResponse = new AccessTokenResponse();
                     tokenResponse.setToken(accessToken);
                     tokenResponse.setIdToken(null);
                     tokenResponse.setRefreshToken(null);
                     tokenResponse.setRefreshExpiresIn(0);
                     tokenResponse.setExpiresIn(0);
                     tokenResponse.getOtherClaims().clear();
                     tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
                     event.success();
                     return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
                 }
             } else if (OAuth2Constants.ID_TOKEN_TYPE.equals(requestedType)) {
                 String idToken = tokenUserSession.getNote(OIDCIdentityProvider.FEDERATED_ID_TOKEN);
                 if (idToken != null) {
                     AccessTokenResponse tokenResponse = new AccessTokenResponse();
                     tokenResponse.setToken(null);
                     tokenResponse.setIdToken(idToken);
                     tokenResponse.setRefreshToken(null);
                     tokenResponse.setRefreshExpiresIn(0);
                     tokenResponse.setExpiresIn(0);
                     tokenResponse.getOtherClaims().clear();
                     tokenResponse.getOtherClaims().put(OAuth2Constants.ISSUED_TOKEN_TYPE, OAuth2Constants.ID_TOKEN_TYPE);
                     event.success();
                     return Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE).build();
                 }
 
             }
 
         }
         return null;
     }

◆ isIssuer()

boolean org.keycloak.broker.oidc.OIDCIdentityProvider.isIssuer	(	String	issuer,
		MultivaluedMap< String, String >	params
	)

inline

                                                                                   {
         if (!supportsExternalExchange()) return false;
         String requestedIssuer = params.getFirst(OAuth2Constants.SUBJECT_ISSUER);
         if (requestedIssuer == null) requestedIssuer = issuer;
         if (requestedIssuer.equals(getConfig().getAlias())) return true;
 
         String[] issuers = getConfig().getIssuer().split(",");
 
         for (String trustedIssuer : issuers) {
             if (requestedIssuer.equals(trustedIssuer.trim())) {
                 return true;
             }
         }
         return false;
 
     }

◆ keycloakInitiatedBrowserLogout()

Response org.keycloak.broker.oidc.OIDCIdentityProvider.keycloakInitiatedBrowserLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inline

                                                                                                                                              {
         if (getConfig().getLogoutUrl() == null || getConfig().getLogoutUrl().trim().equals("")) return null;
         String idToken = getIDTokenForLogout(session, userSession);
         if (idToken != null && getConfig().isBackchannelSupported()) {
             backchannelLogout(userSession, idToken);
             return null;
         } else {
             String sessionId = userSession.getId();
             UriBuilder logoutUri = UriBuilder.fromUri(getConfig().getLogoutUrl())
                     .queryParam("state", sessionId);
             if (idToken != null) logoutUri.queryParam("id_token_hint", idToken);
             String redirect = RealmsResource.brokerUrl(uriInfo)
                     .path(IdentityBrokerService.class, "getEndpoint")
                     .path(OIDCEndpoint.class, "logoutResponse")
                     .build(realm.getName(), getConfig().getAlias()).toString();
             logoutUri.queryParam("post_logout_redirect_uri", redirect);
             Response response = Response.status(302).location(logoutUri.build()).build();
             return response;
         }
     }

◆ performLogin()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.performLogin ( AuthenticationRequest request )

inlineinherited

                                                                 {
         try {
             URI authorizationUrl = createAuthorizationUrl(request).build();
 
             return Response.seeOther(authorizationUrl).build();
         } catch (Exception e) {
             throw new IdentityBrokerException("Could not create authentication request.", e);
         }
     }

◆ processAccessTokenResponse()

void org.keycloak.broker.oidc.OIDCIdentityProvider.processAccessTokenResponse	(	BrokeredIdentityContext	context,
		AccessTokenResponse	response
	)

inlineprotected

                                                                                                              {
 
     }

◆ refreshTokenForLogout()

String org.keycloak.broker.oidc.OIDCIdentityProvider.refreshTokenForLogout	(	KeycloakSession	session,
		UserSessionModel	userSession
	)

inline

Returns access token response as a string from a refresh token invocation on the remote OIDC broker

引数

session
userSession

戻り値

                                                                                                {
         String refreshToken = userSession.getNote(FEDERATED_REFRESH_TOKEN);
         try {
             return SimpleHttp.doPost(getConfig().getTokenUrl(), session)
                     .param("refresh_token", refreshToken)
                     .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                     .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
                     .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
     }

◆ retrieveToken()

Response org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.retrieveToken	(	KeycloakSession	session,
		FederatedIdentityModel	identity
	)

inlineinherited

                                                                                             {
         return Response.ok(identity.getToken()).build();
     }

◆ supportsExternalExchange()

boolean org.keycloak.broker.oidc.OIDCIdentityProvider.supportsExternalExchange ( )

inlineprotected

                                                  {
         return true;
     }

◆ validateExternalTokenThroughUserInfo()

BrokeredIdentityContext org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.validateExternalTokenThroughUserInfo	(	EventBuilder	event,
		String	subjectToken,
		String	subjectTokenType
	)

inlineprotectedinherited

                                                                                                                                              {
         event.detail("validation_method", "user info");
         SimpleHttp.Response response = null;
         int status = 0;
         try {
             String userInfoUrl = getProfileEndpointForValidation(event);
             response = buildUserInfoRequest(subjectToken, userInfoUrl).asResponse();
             status = response.getStatus();
         } catch (IOException e) {
             logger.debug("Failed to invoke user info for external exchange", e);
         }
         if (status != 200) {
             logger.debug("Failed to invoke user info status: " + status);
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         JsonNode profile = null;
         try {
             profile = response.asJson();
         } catch (IOException e) {
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         BrokeredIdentityContext context = extractIdentityFromProfile(event, profile);
         if (context.getId() == null) {
             event.detail(Details.REASON, "user info call failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
         return context;
     }

◆ validateJwt()

final BrokeredIdentityContext org.keycloak.broker.oidc.OIDCIdentityProvider.validateJwt	(	EventBuilder	event,
		String	subjectToken,
		String	subjectTokenType
	)

inlineprotected

                                                                                                                           {
         if (!getConfig().isValidateSignature()) {
             return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
         }
         event.detail("validation_method", "signature");
         if (getConfig().isUseJwksUrl()) {
             if (getConfig().getJwksUrl() == null) {
                 event.detail(Details.REASON, "jwks url unset");
                 event.error(Errors.INVALID_CONFIG);
                 throw new ErrorResponseException(Errors.INVALID_CONFIG, "Invalid server config", Response.Status.BAD_REQUEST);
             }
         } else if (getConfig().getPublicKeySignatureVerifier() == null) {
             event.detail(Details.REASON, "public key unset");
             event.error(Errors.INVALID_CONFIG);
             throw new ErrorResponseException(Errors.INVALID_CONFIG, "Invalid server config", Response.Status.BAD_REQUEST);
         }
 
         JsonWebToken parsedToken = null;
         try {
             parsedToken = validateToken(subjectToken, true);
         } catch (IdentityBrokerException e) {
             logger.debug("Unable to validate token for exchange", e);
             event.detail(Details.REASON, "token validation failure");
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
 
         try {
 
             boolean idTokenType = OAuth2Constants.ID_TOKEN_TYPE.equals(subjectTokenType);
             BrokeredIdentityContext context = extractIdentity(null, idTokenType ? null : subjectToken, parsedToken);
             if (context == null) {
                 event.detail(Details.REASON, "Failed to extract identity from token");
                 event.error(Errors.INVALID_TOKEN);
                 throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
 
             }
             if (idTokenType) {
                 context.getContextData().put(VALIDATED_ID_TOKEN, subjectToken);
             } else {
                 context.getContextData().put(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN, parsedToken);
             }
             context.getContextData().put(EXCHANGE_PROVIDER, getConfig().getAlias());
             context.setIdp(this);
             context.setIdpConfig(getConfig());
             return context;
         } catch (IOException e) {
             logger.debug("Unable to extract identity from identity token", e);
             throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
         }
 
 
     }

◆ validateToken() [1/2]

JsonWebToken org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken ( String encodedToken )

inlineprotected

                                                               {
         boolean ignoreAudience = false;
 
         return validateToken(encodedToken, ignoreAudience);
     }

◆ validateToken() [2/2]

JsonWebToken org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken	(	String	encodedToken,
		boolean	ignoreAudience
	)

inlineprotected

                                                                                       {
         if (encodedToken == null) {
             throw new IdentityBrokerException("No token from server.");
         }
 
         JsonWebToken token;
         try {
             JWSInput jws = new JWSInput(encodedToken);
             if (!verify(jws)) {
                 throw new IdentityBrokerException("token signature validation failed");
             }
             token = jws.readJsonContent(JsonWebToken.class);
         } catch (JWSInputException e) {
             throw new IdentityBrokerException("Invalid token", e);
         }
 
         String iss = token.getIssuer();
 
         if (!token.isActive(getConfig().getAllowedClockSkew())) {
             throw new IdentityBrokerException("Token is no longer valid");
         }
 
         if (!ignoreAudience && !token.hasAudience(getConfig().getClientId())) {
             throw new IdentityBrokerException("Wrong audience from token.");
         }
 
         String trustedIssuers = getConfig().getIssuer();
 
         if (trustedIssuers != null && trustedIssuers.length() > 0) {
             String[] issuers = trustedIssuers.split(",");
 
             for (String trustedIssuer : issuers) {
                 if (iss != null && iss.equals(trustedIssuer.trim())) {
                     return token;
                 }
             }
 
             throw new IdentityBrokerException("Wrong issuer from token. Got: " + iss + " expected: " + getConfig().getIssuer());
         }
 
         return token;
     }

◆ verify()

boolean org.keycloak.broker.oidc.OIDCIdentityProvider.verify ( JWSInput jws )

inlineprotected

                                            {
         if (!getConfig().isValidateSignature()) return true;
 
         PublicKey publicKey = PublicKeyStorageManager.getIdentityProviderPublicKey(session, session.getContext().getRealm(), getConfig(), jws);
 
         return publicKey != null && RSAProvider.verify(jws, publicKey);
     }

◆ verifyAccessToken()

String org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken ( AccessTokenResponse tokenResponse )

inlineprivate

                                                                         {
         String accessToken = tokenResponse.getToken();
 
         if (accessToken == null) {
             throw new IdentityBrokerException("No access_token from server.");
         }
         return accessToken;
     }

メンバ詳解

◆ ACCESS_DENIED

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.ACCESS_DENIED

staticinherited

◆ ACCESS_TOKEN_EXPIRATION

final String org.keycloak.broker.oidc.OIDCIdentityProvider.ACCESS_TOKEN_EXPIRATION = "accessTokenExpiration"

static

◆ EXCHANGE_PROVIDER

final String org.keycloak.broker.oidc.OIDCIdentityProvider.EXCHANGE_PROVIDER = "EXCHANGE_PROVIDER"

static

◆ FEDERATED_ACCESS_TOKEN_RESPONSE

final String org.keycloak.broker.oidc.OIDCIdentityProvider.FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE"

static

◆ FEDERATED_ID_TOKEN

final String org.keycloak.broker.oidc.OIDCIdentityProvider.FEDERATED_ID_TOKEN = "FEDERATED_ID_TOKEN"

static

◆ FEDERATED_REFRESH_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.FEDERATED_REFRESH_TOKEN

staticinherited

◆ FEDERATED_TOKEN_EXPIRATION

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.FEDERATED_TOKEN_EXPIRATION

staticinherited

◆ logger

final Logger org.keycloak.broker.oidc.OIDCIdentityProvider.logger = Logger.getLogger(OIDCIdentityProvider.class)

staticprotected

◆ mapper

ObjectMapper org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.mapper

staticprotectedinherited

◆ OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

staticinherited

◆ OAUTH2_GRANT_TYPE_REFRESH_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_GRANT_TYPE_REFRESH_TOKEN

staticinherited

◆ OAUTH2_PARAMETER_ACCESS_TOKEN

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_ACCESS_TOKEN

staticinherited

◆ OAUTH2_PARAMETER_CLIENT_ID

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CLIENT_ID

staticinherited

◆ OAUTH2_PARAMETER_CLIENT_SECRET

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CLIENT_SECRET

staticinherited

◆ OAUTH2_PARAMETER_CODE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_CODE

staticinherited

◆ OAUTH2_PARAMETER_GRANT_TYPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_GRANT_TYPE

staticinherited

◆ OAUTH2_PARAMETER_REDIRECT_URI

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_REDIRECT_URI

staticinherited

◆ OAUTH2_PARAMETER_RESPONSE_TYPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_RESPONSE_TYPE

staticinherited

◆ OAUTH2_PARAMETER_SCOPE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_SCOPE

staticinherited

◆ OAUTH2_PARAMETER_STATE

final String org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider< C extends OAuth2IdentityProviderConfig >.OAUTH2_PARAMETER_STATE

staticinherited

◆ SCOPE_OPENID

final String org.keycloak.broker.oidc.OIDCIdentityProvider.SCOPE_OPENID = "openid"

static

◆ USER_INFO

final String org.keycloak.broker.oidc.OIDCIdentityProvider.USER_INFO = "UserInfo"

static

◆ VALIDATED_ID_TOKEN

final String org.keycloak.broker.oidc.OIDCIdentityProvider.VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN"

static

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java

クラス

公開メンバ関数

静的公開変数類

限定公開メンバ関数

静的限定公開変数類

非公開メンバ関数

詳解

構築子と解体子

◆ OIDCIdentityProvider()

関数詳解

◆ asJsonNode()

◆ authenticationFinished()

◆ backchannelLogout() [1/2]

◆ backchannelLogout() [2/2]

◆ buildUserInfoRequest()

◆ callback()

◆ createAuthorizationUrl()

◆ doGetFederatedIdentity()

◆ exchangeExternal()

◆ exchangeExternalComplete()

◆ exchangeExternalImpl()

◆ exchangeExternalUserInfoValidationOnly()

◆ exchangeFromToken()

◆ exchangeSessionToken()

◆ exchangeStoredToken()

◆ extractIdentity()

◆ extractIdentityFromProfile()

◆ extractTokenFromResponse()

◆ getAccessTokenResponseParameter()

◆ getConfig()

◆ getDefaultScopes()

◆ getFederatedIdentity()

◆ getIDTokenForLogout()

◆ getJsonProperty()

◆ getProfileEndpointForValidation()

◆ getUserInfoUrl()

◆ getusernameClaimNameForIdToken()

◆ getUsernameFromUserInfo()

◆ hasExternalExchangeToken()

◆ isIssuer()

◆ keycloakInitiatedBrowserLogout()

◆ performLogin()

◆ processAccessTokenResponse()

◆ refreshTokenForLogout()

◆ retrieveToken()

◆ supportsExternalExchange()

◆ validateExternalTokenThroughUserInfo()

◆ validateJwt()

◆ validateToken() [1/2]

◆ validateToken() [2/2]

◆ verify()

◆ verifyAccessToken()

メンバ詳解

◆ ACCESS_DENIED

◆ ACCESS_TOKEN_EXPIRATION

◆ EXCHANGE_PROVIDER

◆ FEDERATED_ACCESS_TOKEN_RESPONSE

◆ FEDERATED_ID_TOKEN

◆ FEDERATED_REFRESH_TOKEN

◆ FEDERATED_TOKEN_EXPIRATION

◆ logger

◆ mapper

◆ OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

◆ OAUTH2_GRANT_TYPE_REFRESH_TOKEN

◆ OAUTH2_PARAMETER_ACCESS_TOKEN

◆ OAUTH2_PARAMETER_CLIENT_ID

◆ OAUTH2_PARAMETER_CLIENT_SECRET

◆ OAUTH2_PARAMETER_CODE

◆ OAUTH2_PARAMETER_GRANT_TYPE

◆ OAUTH2_PARAMETER_REDIRECT_URI

◆ OAUTH2_PARAMETER_RESPONSE_TYPE

◆ OAUTH2_PARAMETER_SCOPE

◆ OAUTH2_PARAMETER_STATE

◆ SCOPE_OPENID

◆ USER_INFO

◆ VALIDATED_ID_TOKEN