org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint クラス

org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint 連携図

公開メンバ関数
	UserInfoEndpoint (org.keycloak.protocol.oidc.TokenManager tokenManager, RealmModel realm)
Response	issueUserInfoPreflight ()
Response	issueUserInfoGet (@Context final HttpHeaders headers)
Response	issueUserInfoPost ()

非公開メンバ関数
Response	issueUserInfo (String tokenString)
UserSessionModel	findValidSession (AccessToken token, EventBuilder event, ClientModel client)

非公開変数類
HttpRequest	request
HttpResponse	response
KeycloakSession	session
ClientConnection	clientConnection
final org.keycloak.protocol.oidc.TokenManager	tokenManager
final AppAuthManager	appAuthManager
final RealmModel	realm

詳解

著者

pedroigor

構築子と解体子

UserInfoEndpoint()

org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.UserInfoEndpoint ( org.keycloak.protocol.oidc.TokenManager  tokenManager, RealmModel  realm  )

inline

                                                                                                    {
        this.realm = realm;
        this.tokenManager = tokenManager;
        this.appAuthManager = new AppAuthManager();
    }

関数詳解

findValidSession()

UserSessionModel org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.findValidSession ( AccessToken  token, EventBuilder  event, ClientModel  client  )

inlineprivate

                                                                                                         {
        UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), false, client.getId());
        UserSessionModel offlineUserSession = null;
        if (AuthenticationManager.isSessionValid(realm, userSession)) {
            event.session(userSession);
            return userSession;
        } else {
            offlineUserSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), true, client.getId());
            if (AuthenticationManager.isOfflineSessionValid(realm, offlineUserSession)) {
                event.session(offlineUserSession);
                return offlineUserSession;
            }
        }

        if (userSession == null && offlineUserSession == null) {
            event.error(Errors.USER_SESSION_NOT_FOUND);
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "User session not found or doesn't have client attached on it", Response.Status.UNAUTHORIZED);
        }

        if (userSession != null) {
            event.session(userSession);
        } else {
            event.session(offlineUserSession);
        }

        event.error(Errors.SESSION_EXPIRED);
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Session expired", Response.Status.UNAUTHORIZED);
    }

issueUserInfo()

Response org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo ( String  tokenString )

inlineprivate

                                                       {
        EventBuilder event = new EventBuilder(realm, session, clientConnection)
                .event(EventType.USER_INFO_REQUEST)
                .detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN);

        if (tokenString == null) {
            event.error(Errors.INVALID_TOKEN);
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Token not provided", Response.Status.BAD_REQUEST);
        }

        AccessToken token;
        try {
            TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
                    .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));

            SignatureVerifierContext verifierContext = session.getProvider(SignatureProvider.class, verifier.getHeader().getAlgorithm().name()).verifier(verifier.getHeader().getKeyId());
            verifier.verifierContext(verifierContext);

            token = verifier.verify().getToken();
        } catch (VerificationException e) {
            event.error(Errors.INVALID_TOKEN);
            throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Token invalid: " + e.getMessage(), Response.Status.UNAUTHORIZED);
        }

        ClientModel clientModel = realm.getClientByClientId(token.getIssuedFor());
        if (clientModel == null) {
            event.error(Errors.CLIENT_NOT_FOUND);
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client not found", Response.Status.BAD_REQUEST);
        }

        session.getContext().setClient(clientModel);

        event.client(clientModel);

        if (!clientModel.isEnabled()) {
            event.error(Errors.CLIENT_DISABLED);
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client disabled", Response.Status.BAD_REQUEST);
        }

        UserSessionModel userSession = findValidSession(token, event, clientModel);

        UserModel userModel = userSession.getUser();
        if (userModel == null) {
            event.error(Errors.USER_NOT_FOUND);
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "User not found", Response.Status.BAD_REQUEST);
        }

        event.user(userModel)
                .detail(Details.USERNAME, userModel.getUsername());

        // KEYCLOAK-6771 Certificate Bound Token
        // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-3
        if (OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseMtlsHokToken()) {
            if (!MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(token, request, session)) {
                event.error(Errors.NOT_ALLOWED);
                throw new ErrorResponseException(OAuthErrorException.UNAUTHORIZED_CLIENT, "Client certificate missing, or its thumbprint and one in the refresh token did NOT match", Response.Status.UNAUTHORIZED);
            }
        }

        // Existence of authenticatedClientSession for our client already handled before
        AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(clientModel.getId());

        // Retrieve by latest scope parameter
        ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);

        AccessToken userInfo = new AccessToken();
        tokenManager.transformUserInfoAccessToken(session, userInfo, userSession, clientSessionCtx);

        Map<String, Object> claims = new HashMap<String, Object>();
        claims.put("sub", userModel.getId());
        claims.putAll(userInfo.getOtherClaims());

        Response.ResponseBuilder responseBuilder;
        OIDCAdvancedConfigWrapper cfg = OIDCAdvancedConfigWrapper.fromClientModel(clientModel);

        if (cfg.isUserInfoSignatureRequired()) {
            String issuerUrl = Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName());
            String audience = clientModel.getClientId();
            claims.put("iss", issuerUrl);
            claims.put("aud", audience);

            String signatureAlgorithm = session.tokens().signatureAlgorithm(TokenCategory.USERINFO);

            SignatureProvider signatureProvider = session.getProvider(SignatureProvider.class, signatureAlgorithm);
            SignatureSignerContext signer = signatureProvider.signer();

            String signedUserInfo = new JWSBuilder().type("JWT").jsonContent(claims).sign(signer);

            responseBuilder = Response.ok(signedUserInfo).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JWT);

            event.detail(Details.SIGNATURE_REQUIRED, "true");
            event.detail(Details.SIGNATURE_ALGORITHM, cfg.getUserInfoSignedResponseAlg().toString());
        } else {
            responseBuilder = Response.ok(claims).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON);

            event.detail(Details.SIGNATURE_REQUIRED, "false");
        }

        event.success();

        return Cors.add(request, responseBuilder).auth().allowedOrigins(token).build();
    }

issueUserInfoGet()

Response org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet ( @Context final HttpHeaders  headers )

inline

                                                                         {
        String accessToken = this.appAuthManager.extractAuthorizationHeaderToken(headers);
        return issueUserInfo(accessToken);
    }

issueUserInfoPost()

Response org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoPost ( )

inline

                                        {
        // Try header first
        HttpHeaders headers = request.getHttpHeaders();
        String accessToken = this.appAuthManager.extractAuthorizationHeaderToken(headers);

        // Fallback to form parameter
        if (accessToken == null) {
            accessToken = request.getDecodedFormParameters().getFirst("access_token");
        }

        return issueUserInfo(accessToken);
    }

issueUserInfoPreflight()

Response org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoPreflight ( )

inline

                                             {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

メンバ詳解

appAuthManager

final AppAuthManager org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.appAuthManager

private

clientConnection

ClientConnection org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.clientConnection

private

realm

final RealmModel org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.realm

private

request

HttpRequest org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.request

private

response

HttpResponse org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.response

private

session

KeycloakSession org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.session

private

tokenManager

final org.keycloak.protocol.oidc.TokenManager org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.tokenManager

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java