124 .event(EventType.USER_INFO_REQUEST)
125 .detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN);
127 if (tokenString == null) {
128 event.error(Errors.INVALID_TOKEN);
129 throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST,
"Token not provided", Response.Status.BAD_REQUEST);
134 TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
135 .realmUrl(Urls.realmIssuer(
session.getContext().getUri().getBaseUri(),
realm.getName()));
137 SignatureVerifierContext verifierContext =
session.getProvider(SignatureProvider.class, verifier.getHeader().getAlgorithm().name()).verifier(verifier.getHeader().getKeyId());
138 verifier.verifierContext(verifierContext);
140 token = verifier.verify().getToken();
141 }
catch (VerificationException e) {
142 event.error(Errors.INVALID_TOKEN);
143 throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN,
"Token invalid: " + e.getMessage(), Response.Status.UNAUTHORIZED);
146 ClientModel clientModel =
realm.getClientByClientId(token.getIssuedFor());
147 if (clientModel == null) {
148 event.error(Errors.CLIENT_NOT_FOUND);
149 throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST,
"Client not found", Response.Status.BAD_REQUEST);
152 session.getContext().setClient(clientModel);
154 event.client(clientModel);
156 if (!clientModel.isEnabled()) {
157 event.error(Errors.CLIENT_DISABLED);
158 throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST,
"Client disabled", Response.Status.BAD_REQUEST);
163 UserModel userModel = userSession.getUser();
164 if (userModel == null) {
165 event.error(Errors.USER_NOT_FOUND);
166 throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST,
"User not found", Response.Status.BAD_REQUEST);
169 event.user(userModel)
170 .detail(Details.USERNAME, userModel.getUsername());
174 if (OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseMtlsHokToken()) {
175 if (!MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(token,
request,
session)) {
176 event.error(Errors.NOT_ALLOWED);
177 throw new ErrorResponseException(OAuthErrorException.UNAUTHORIZED_CLIENT,
"Client certificate missing, or its thumbprint and one in the refresh token did NOT match", Response.Status.UNAUTHORIZED);
182 AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(clientModel.getId());
185 ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);
187 AccessToken userInfo =
new AccessToken();
190 Map<String, Object> claims =
new HashMap<String, Object>();
191 claims.put(
"sub", userModel.getId());
192 claims.putAll(userInfo.getOtherClaims());
194 Response.ResponseBuilder responseBuilder;
195 OIDCAdvancedConfigWrapper cfg = OIDCAdvancedConfigWrapper.fromClientModel(clientModel);
197 if (cfg.isUserInfoSignatureRequired()) {
198 String issuerUrl = Urls.realmIssuer(
session.getContext().getUri().getBaseUri(),
realm.getName());
199 String audience = clientModel.getClientId();
200 claims.put(
"iss", issuerUrl);
201 claims.put(
"aud", audience);
203 String signatureAlgorithm =
session.tokens().signatureAlgorithm(TokenCategory.USERINFO);
205 SignatureProvider signatureProvider =
session.getProvider(SignatureProvider.class, signatureAlgorithm);
206 SignatureSignerContext signer = signatureProvider.signer();
208 String signedUserInfo =
new JWSBuilder().type(
"JWT").jsonContent(claims).sign(signer);
210 responseBuilder = Response.ok(signedUserInfo).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JWT);
212 event.detail(Details.SIGNATURE_REQUIRED,
"true");
213 event.detail(Details.SIGNATURE_ALGORITHM, cfg.getUserInfoSignedResponseAlg().toString());
215 responseBuilder = Response.ok(claims).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON);
217 event.detail(Details.SIGNATURE_REQUIRED,
"false");
222 return Cors.add(
request, responseBuilder).auth().allowedOrigins(token).build();