org.keycloak.protocol.oidc.TokenManager 連携図

クラス
class	AccessTokenResponseBuilder

class	RefreshResult

class	TokenValidation

公開メンバ関数
TokenValidation	validateToken (KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, RefreshToken oldToken, HttpHeaders headers) throws OAuthErrorException

boolean	checkTokenValidForIntrospection (KeycloakSession session, RealmModel realm, AccessToken token) throws OAuthErrorException

RefreshResult	refreshAccessToken (KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers, HttpRequest request) throws OAuthErrorException

RefreshToken	verifyRefreshToken (KeycloakSession session, RealmModel realm, String encodedRefreshToken) throws OAuthErrorException

RefreshToken	verifyRefreshToken (KeycloakSession session, RealmModel realm, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException

RefreshToken	verifyRefreshToken (KeycloakSession session, RealmModel realm, ClientModel client, HttpRequest request, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException

RefreshToken	toRefreshToken (KeycloakSession session, String encodedRefreshToken) throws JWSInputException, OAuthErrorException

IDToken	verifyIDToken (KeycloakSession session, RealmModel realm, String encodedIDToken) throws OAuthErrorException

IDToken	verifyIDTokenSignature (KeycloakSession session, String encodedIDToken) throws OAuthErrorException

AccessToken	createClientAccessToken (KeycloakSession session, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx)

AccessToken	transformAccessToken (KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)

AccessToken	transformUserInfoAccessToken (KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)

void	transformIDToken (KeycloakSession session, IDToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)

AccessTokenResponseBuilder	responseBuilder (RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx)

静的公開メンバ関数
static void	applyScope (RoleModel role, RoleModel scope, Set< RoleModel > visited, Set< RoleModel > requested)

static ClientSessionContext	attachAuthenticationSession (KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession)

static void	dettachClientSession (UserSessionProvider sessions, RealmModel realm, AuthenticatedClientSessionModel clientSession)

static Set< RoleModel >	getAccess (UserModel user, ClientModel client, Set< ClientScopeModel > clientScopes)

static Set< ClientScopeModel >	getRequestedClientScopes (String scopeParam, ClientModel client)

static boolean	verifyConsentStillAvailable (KeycloakSession session, UserModel user, ClientModel client, Set< ClientScopeModel > requestedClientScopes)

限定公開メンバ関数
AccessToken	initToken (RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionContext clientSessionCtx, UriInfo uriInfo)

void	addComposites (AccessToken token, RoleModel role)

非公開メンバ関数
boolean	isUserValid (KeycloakSession session, RealmModel realm, AccessToken token, UserSessionModel userSession)

void	validateTokenReuse (KeycloakSession session, RealmModel realm, RefreshToken refreshToken, TokenValidation validation) throws OAuthErrorException

void	verifyAccess (AccessToken token, AccessToken newToken) throws OAuthErrorException

int	getTokenExpiration (RealmModel realm, ClientModel client, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

静的非公開メンバ関数
static void	addGroupRoles (GroupModel group, Set< RoleModel > roleMappings)

静的非公開変数類
static final Logger	logger = Logger.getLogger(TokenManager.class)

static final String	JWT = "JWT"

詳解

Stateless object that creates tokens and manages oauth access codes

著者: Bill Burke

バージョン

Revision: 1

関数詳解

◆ addComposites()

void org.keycloak.protocol.oidc.TokenManager.addComposites	(	AccessToken	token,
		RoleModel	role
	)

inlineprotected

                                                                     {
         AccessToken.Access access = null;
         if (role.getContainer() instanceof RealmModel) {
             access = token.getRealmAccess();
             if (token.getRealmAccess() == null) {
                 access = new AccessToken.Access();
                 token.setRealmAccess(access);
             } else if (token.getRealmAccess().getRoles() != null && token.getRealmAccess().isUserInRole(role.getName()))
                 return;
 
         } else {
             ClientModel app = (ClientModel) role.getContainer();
             access = token.getResourceAccess(app.getClientId());
             if (access == null) {
                 access = token.addAccess(app.getClientId());
                 if (app.isSurrogateAuthRequired()) access.verifyCaller(true);
             } else if (access.isUserInRole(role.getName())) return;
 
         }
         access.addRole(role.getName());
         if (!role.isComposite()) return;
 
         for (RoleModel composite : role.getComposites()) {
             addComposites(token, composite);
         }
 
     }

◆ addGroupRoles()

static void org.keycloak.protocol.oidc.TokenManager.addGroupRoles	(	GroupModel	group,
		Set< RoleModel >	roleMappings
	)

inlinestaticprivate

                                                                                      {
         roleMappings.addAll(group.getRoleMappings());
         if (group.getParentId() == null) return;
         addGroupRoles(group.getParent(), roleMappings);
     }

◆ applyScope()

static void org.keycloak.protocol.oidc.TokenManager.applyScope	(	RoleModel	role,
		RoleModel	scope,
		Set< RoleModel >	visited,
		Set< RoleModel >	requested
	)

inlinestatic

                                                                                                                      {
         if (visited.contains(scope)) return;
         visited.add(scope);
         if (role.hasRole(scope)) {
             requested.add(scope);
             return;
         }
         if (!scope.isComposite()) return;
 
         for (RoleModel contained : scope.getComposites()) {
             applyScope(role, contained, visited, requested);
         }
     }

◆ attachAuthenticationSession()

static ClientSessionContext org.keycloak.protocol.oidc.TokenManager.attachAuthenticationSession	(	KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticationSessionModel	authSession
	)

inlinestatic

                                                                                                                                                                   {
         ClientModel client = authSession.getClient();
 
         AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
         if (clientSession == null) {
             clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession);
         }
 
         clientSession.setRedirectUri(authSession.getRedirectUri());
         clientSession.setProtocol(authSession.getProtocol());
 
         Set<String> clientScopeIds = authSession.getClientScopes();
 
         Map<String, String> transferredNotes = authSession.getClientNotes();
         for (Map.Entry<String, String> entry : transferredNotes.entrySet()) {
             clientSession.setNote(entry.getKey(), entry.getValue());
         }
 
         Map<String, String> transferredUserSessionNotes = authSession.getUserSessionNotes();
         for (Map.Entry<String, String> entry : transferredUserSessionNotes.entrySet()) {
             userSession.setNote(entry.getKey(), entry.getValue());
         }
 
         clientSession.setTimestamp(Time.currentTime());
 
         // Remove authentication session now
         new AuthenticationSessionManager(session).removeAuthenticationSession(userSession.getRealm(), authSession, true);
 
         return DefaultClientSessionContext.fromClientSessionAndClientScopeIds(clientSession, clientScopeIds);
     }

◆ checkTokenValidForIntrospection()

boolean org.keycloak.protocol.oidc.TokenManager.checkTokenValidForIntrospection	(	KeycloakSession	session,
		RealmModel	realm,
		AccessToken	token
	)		throws OAuthErrorException

inline

Checks if the token is valid. Intended usage is for token introspection endpoints as the session last refresh is updated if the token was valid. This is used to keep the session alive when long lived tokens are used.

引数

session
realm
token

戻り値

例外

OAuthErrorException

                                                                                                                                             {
         if (!token.isActive()) {
             return false;
         }
 
         if (token.getIssuedAt() < realm.getNotBefore()) {
             return false;
         }
 
         ClientModel client = realm.getClientByClientId(token.getIssuedFor());
         if (client == null || !client.isEnabled() || token.getIssuedAt() < client.getNotBefore()) {
             return false;
         }
 
         boolean valid = false;
 
         UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), false, client.getId());
 
         if (AuthenticationManager.isSessionValid(realm, userSession)) {
             valid = isUserValid(session, realm, token, userSession);
         } else {
             userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), true, client.getId());
             if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) {
                 valid = isUserValid(session, realm, token, userSession);
             }
         }
 
         if (valid) {
             userSession.setLastSessionRefresh(Time.currentTime());
         }
 
         return valid;
     }

◆ createClientAccessToken()

AccessToken org.keycloak.protocol.oidc.TokenManager.createClientAccessToken	(	KeycloakSession	session,
		RealmModel	realm,
		ClientModel	client,
		UserModel	user,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx
	)

inline

                                                                                       {
         Set<RoleModel> requestedRoles = clientSessionCtx.getRoles();
         AccessToken token = initToken(realm, client, user, userSession, clientSessionCtx, session.getContext().getUri());
         for (RoleModel role : requestedRoles) {
             addComposites(token, role);
         }
         token = transformAccessToken(session, token, userSession, clientSessionCtx);
         return token;
     }

◆ dettachClientSession()

static void org.keycloak.protocol.oidc.TokenManager.dettachClientSession	(	UserSessionProvider	sessions,
		RealmModel	realm,
		AuthenticatedClientSessionModel	clientSession
	)

inlinestatic

                                                                                                                                            {
         UserSessionModel userSession = clientSession.getUserSession();
         if (userSession == null) {
             return;
         }
 
         clientSession.detachFromUserSession();
 
         // TODO: Might need optimization to prevent loading client sessions from cache in getAuthenticatedClientSessions()
         if (userSession.getAuthenticatedClientSessions().isEmpty()) {
             sessions.removeUserSession(realm, userSession);
         }
     }

◆ getAccess()

static Set<RoleModel> org.keycloak.protocol.oidc.TokenManager.getAccess	(	UserModel	user,
		ClientModel	client,
		Set< ClientScopeModel >	clientScopes
	)

inlinestatic

                                                                                                                    {
         Set<RoleModel> requestedRoles = new HashSet<RoleModel>();
 
         Set<RoleModel> mappings = user.getRoleMappings();
         Set<RoleModel> roleMappings = new HashSet<>();
         roleMappings.addAll(mappings);
         for (GroupModel group : user.getGroups()) {
             addGroupRoles(group, roleMappings);
         }
 
         if (client.isFullScopeAllowed()) {
             if (logger.isTraceEnabled()) {
                 logger.tracef("Using full scope for client %s", client.getClientId());
             }
             requestedRoles = roleMappings;
         } else {
             Set<RoleModel> scopeMappings = new HashSet<>();
 
             // 1 - Client roles of this client itself
             scopeMappings.addAll(client.getRoles());
 
             // 2 - Role mappings of client itself + default client scopes + optional client scopes requested by scope parameter (if applyScopeParam is true)
             for (ClientScopeModel clientScope : clientScopes) {
                 if (logger.isTraceEnabled()) {
                     logger.tracef("Adding client scope role mappings of client scope '%s' to client '%s'", clientScope.getName(), client.getClientId());
                 }
                 scopeMappings.addAll(clientScope.getScopeMappings());
             }
 
             for (RoleModel role : roleMappings) {
                 for (RoleModel desiredRole : scopeMappings) {
                     Set<RoleModel> visited = new HashSet<RoleModel>();
                     applyScope(role, desiredRole, visited, requestedRoles);
                 }
             }
         }
 
         return requestedRoles;
     }

◆ getRequestedClientScopes()

static Set<ClientScopeModel> org.keycloak.protocol.oidc.TokenManager.getRequestedClientScopes	(	String	scopeParam,
		ClientModel	client
	)

inlinestatic

Return client itself + all default client scopes of client + optional client scopes requested by scope parameter

                                                                                                         {
         // Add all default client scopes automatically
         Set<ClientScopeModel> clientScopes = new HashSet<>(client.getClientScopes(true, true).values());
 
         // Add client itself
         clientScopes.add(client);
 
         if (scopeParam == null) {
             return clientScopes;
         }
 
         // Add optional client scopes requested by scope parameter
         String[] scopes = scopeParam.split(" ");
         Collection<String> scopeParamParts = Arrays.asList(scopes);
         Map<String, ClientScopeModel> allOptionalScopes = client.getClientScopes(false, true);
         for (String scopeParamPart : scopeParamParts) {
             ClientScopeModel scope = allOptionalScopes.get(scopeParamPart);
             if (scope != null) {
                 clientScopes.add(scope);
             }
         }
 
         return clientScopes;
     }

◆ getTokenExpiration()

int org.keycloak.protocol.oidc.TokenManager.getTokenExpiration	(	RealmModel	realm,
		ClientModel	client,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inlineprivate

                                                                                                                                                        {
         boolean implicitFlow = false;
         String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
         if (responseType != null) {
             implicitFlow = OIDCResponseType.parse(responseType).isImplicitFlow();
         }
 
         int tokenLifespan;
 
         if (implicitFlow) {
             tokenLifespan = realm.getAccessTokenLifespanForImplicitFlow();
         } else {
             String clientLifespan = client.getAttribute(OIDCConfigAttributes.ACCESS_TOKEN_LIFESPAN);
             if (clientLifespan != null && !clientLifespan.trim().isEmpty()) {
                 tokenLifespan = Integer.parseInt(clientLifespan);
             } else {
                 tokenLifespan = realm.getAccessTokenLifespan();
             }
         }
 
         int expiration;
         if (tokenLifespan == -1) {
             expiration = userSession.getStarted() + realm.getSsoSessionMaxLifespan();
         } else {
             expiration = Time.currentTime() + tokenLifespan;
         }
 
         if (!userSession.isOffline()) {
             int sessionExpires = userSession.getStarted() + realm.getSsoSessionMaxLifespan();
             expiration = expiration <= sessionExpires ? expiration : sessionExpires;
         }
 
         return expiration;
     }

◆ initToken()

AccessToken org.keycloak.protocol.oidc.TokenManager.initToken	(	RealmModel	realm,
		ClientModel	client,
		UserModel	user,
		UserSessionModel	session,
		ClientSessionContext	clientSessionCtx,
		UriInfo	uriInfo
	)

inlineprotected

                                                                                             {
         AccessToken token = new AccessToken();
         token.id(KeycloakModelUtils.generateId());
         token.type(TokenUtil.TOKEN_TYPE_BEARER);
         token.subject(user.getId());
         token.audience(client.getClientId());
         token.issuedNow();
         token.issuedFor(client.getClientId());
 
         AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
         token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
         token.setNonce(clientSession.getNote(OIDCLoginProtocol.NONCE_PARAM));
         token.setScope(clientSessionCtx.getScopeString());
 
         // Best effort for "acr" value. Use 0 if clientSession was authenticated through cookie ( SSO )
         // TODO: Add better acr support. See KEYCLOAK-3314
         String acr = (AuthenticationManager.isSSOAuthentication(clientSession)) ? "0" : "1";
         token.setAcr(acr);
 
         String authTime = session.getNote(AuthenticationManager.AUTH_TIME);
         if (authTime != null) {
             token.setAuthTime(Integer.parseInt(authTime));
         }
 
 
         token.setSessionState(session.getId());
         token.expiration(getTokenExpiration(realm, client, session, clientSession));
 
         Set<String> allowedOrigins = client.getWebOrigins();
         if (allowedOrigins != null) {
             token.setAllowedOrigins(WebOriginsUtils.resolveValidWebOrigins(uriInfo, client));
         }
         return token;
     }

◆ isUserValid()

boolean org.keycloak.protocol.oidc.TokenManager.isUserValid	(	KeycloakSession	session,
		RealmModel	realm,
		AccessToken	token,
		UserSessionModel	userSession
	)

inlineprivate

                                                                                                                             {
         UserModel user = userSession.getUser();
         if (user == null) {
             return false;
         }
         if (!user.isEnabled()) {
             return false;
         }
         if (token.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
             return false;
         }
         return true;
     }

◆ refreshAccessToken()

RefreshResult org.keycloak.protocol.oidc.TokenManager.refreshAccessToken	(	KeycloakSession	session,
		UriInfo	uriInfo,
		ClientConnection	connection,
		RealmModel	realm,
		ClientModel	authorizedClient,
		String	encodedRefreshToken,
		EventBuilder	event,
		HttpHeaders	headers,
		HttpRequest	request
	)		throws OAuthErrorException

inline

                                                                                                                                                                  {
         RefreshToken refreshToken = verifyRefreshToken(session, realm, authorizedClient, request, encodedRefreshToken, true);
 
         event.user(refreshToken.getSubject()).session(refreshToken.getSessionState())
                 .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
                 .detail(Details.REFRESH_TOKEN_TYPE, refreshToken.getType());
 
         TokenValidation validation = validateToken(session, uriInfo, connection, realm, refreshToken, headers);
         AuthenticatedClientSessionModel clientSession = validation.clientSessionCtx.getClientSession();
 
         // validate authorizedClient is same as validated client
         if (!clientSession.getClient().getId().equals(authorizedClient.getId())) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token. Token client and authorized client don't match");
         }
 
         validateTokenReuse(session, realm, refreshToken, validation);
 
         int currentTime = Time.currentTime();
         clientSession.setTimestamp(currentTime);
         validation.userSession.setLastSessionRefresh(currentTime);
 
         if (refreshToken.getAuthorization() != null) {
             validation.newToken.setAuthorization(refreshToken.getAuthorization());
         }
 
         AccessTokenResponseBuilder responseBuilder = responseBuilder(realm, authorizedClient, event, session, validation.userSession, validation.clientSessionCtx)
                 .accessToken(validation.newToken)
                 .generateRefreshToken();
 
         if (validation.newToken.getAuthorization() != null) {
             responseBuilder.getRefreshToken().setAuthorization(validation.newToken.getAuthorization());
         }
 
         // KEYCLOAK-6771 Certificate Bound Token
         // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-3.1
         // bind refreshed access and refresh token with Client Certificate
         AccessToken.CertConf certConf = refreshToken.getCertConf();
         if (certConf != null) {
             responseBuilder.getAccessToken().setCertConf(certConf);
             responseBuilder.getRefreshToken().setCertConf(certConf);
         }
 
         String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE);
         if (TokenUtil.isOIDCRequest(scopeParam)) {
             responseBuilder.generateIDToken();
         }
 
         AccessTokenResponse res = responseBuilder.build();
 
         return new RefreshResult(res, TokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType()));
     }

◆ responseBuilder()

AccessTokenResponseBuilder org.keycloak.protocol.oidc.TokenManager.responseBuilder	(	RealmModel	realm,
		ClientModel	client,
		EventBuilder	event,
		KeycloakSession	session,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx
	)

inline

                                                                                                                            {
         return new AccessTokenResponseBuilder(realm, client, event, session, userSession, clientSessionCtx);
     }

◆ toRefreshToken()

RefreshToken org.keycloak.protocol.oidc.TokenManager.toRefreshToken	(	KeycloakSession	session,
		String	encodedRefreshToken
	)		throws JWSInputException, OAuthErrorException

inline

                                                                                                                                           {
         RefreshToken refreshToken = session.tokens().decode(encodedRefreshToken, RefreshToken.class);
         if (refreshToken == null) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token");
         }
         return refreshToken;
     }

◆ transformAccessToken()

AccessToken org.keycloak.protocol.oidc.TokenManager.transformAccessToken	(	KeycloakSession	session,
		AccessToken	token,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx
	)

inline

                                                                                                                  {
         Set<ProtocolMapperModel> mappings = clientSessionCtx.getProtocolMappers();
         KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
         for (ProtocolMapperModel mapping : mappings) {
 
             ProtocolMapper mapper = (ProtocolMapper)sessionFactory.getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper());
             if (mapper instanceof OIDCAccessTokenMapper) {
                 token = ((OIDCAccessTokenMapper) mapper).transformAccessToken(token, mapping, session, userSession, clientSessionCtx.getClientSession());
             }
         }
 
         return token;
     }

◆ transformIDToken()

void org.keycloak.protocol.oidc.TokenManager.transformIDToken	(	KeycloakSession	session,
		IDToken	token,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx
	)

inline

                                                                                                            {
         Set<ProtocolMapperModel> mappings = clientSessionCtx.getProtocolMappers();
         KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
         for (ProtocolMapperModel mapping : mappings) {
 
             ProtocolMapper mapper = (ProtocolMapper)sessionFactory.getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper());
             if (mapper instanceof OIDCIDTokenMapper) {
                 token = ((OIDCIDTokenMapper) mapper).transformIDToken(token, mapping, session, userSession, clientSessionCtx.getClientSession());
             }
         }
     }

◆ transformUserInfoAccessToken()

AccessToken org.keycloak.protocol.oidc.TokenManager.transformUserInfoAccessToken	(	KeycloakSession	session,
		AccessToken	token,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx
	)

inline

                                                                                                                  {
         Set<ProtocolMapperModel> mappings = clientSessionCtx.getProtocolMappers();
         KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
         for (ProtocolMapperModel mapping : mappings) {
 
             ProtocolMapper mapper = (ProtocolMapper)sessionFactory.getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper());
             if (mapper instanceof UserInfoTokenMapper) {
                 token = ((UserInfoTokenMapper) mapper).transformUserInfoToken(token, mapping, session, userSession, clientSessionCtx.getClientSession());
             }
         }
 
         return token;
     }

◆ validateToken()

TokenValidation org.keycloak.protocol.oidc.TokenManager.validateToken	(	KeycloakSession	session,
		UriInfo	uriInfo,
		ClientConnection	connection,
		RealmModel	realm,
		RefreshToken	oldToken,
		HttpHeaders	headers
	)		throws OAuthErrorException

inline

                                                                                                                 {
         UserSessionModel userSession = null;
         boolean offline = TokenUtil.TOKEN_TYPE_OFFLINE.equals(oldToken.getType());
 
         if (offline) {
 
             UserSessionManager sessionManager = new UserSessionManager(session);
             userSession = sessionManager.findOfflineUserSession(realm, oldToken.getSessionState());
             if (userSession != null) {
 
                 // Revoke timeouted offline userSession
                 if (!AuthenticationManager.isOfflineSessionValid(realm, userSession)) {
                     sessionManager.revokeOfflineUserSession(userSession);
                     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Offline session not active", "Offline session not active");
                 }
 
             } else {
                 throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Offline user session not found", "Offline user session not found");
             }
         } else {
             // Find userSession regularly for online tokens
             userSession = session.sessions().getUserSession(realm, oldToken.getSessionState());
             if (!AuthenticationManager.isSessionValid(realm, userSession)) {
                 AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
                 throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Session not active", "Session not active");
             }
         }
 
         UserModel user = userSession.getUser();
         if (user == null) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", "Unknown user");
         }
 
         if (!user.isEnabled()) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "User disabled", "User disabled");
         }
 
         ClientModel client = session.getContext().getClient();
         AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
 
         // Can theoretically happen in cross-dc environment. Try to see if userSession with our client is available in remoteCache
         if (clientSession == null) {
             userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, userSession.getId(), offline, client.getId());
             if (userSession != null) {
                 clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
             } else {
                 throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Session doesn't have required client", "Session doesn't have required client");
             }
         }
 
         if (!client.getClientId().equals(oldToken.getIssuedFor())) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Unmatching clients", "Unmatching clients");
         }
 
         if (oldToken.getIssuedAt() < client.getNotBefore()) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
         }
         if (oldToken.getIssuedAt() < realm.getNotBefore()) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
         }
         if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
         }
 
 
         // Setup clientScopes from refresh token to the context
         String oldTokenScope = oldToken.getScope();
 
         // Case when offline token is migrated from previous version
         if (oldTokenScope == null && userSession.isOffline()) {
             logger.debugf("Migrating offline token of user '%s' for client '%s' of realm '%s'", user.getUsername(), client.getClientId(), realm.getName());
             MigrationUtils.migrateOldOfflineToken(session, realm, client, user);
         }
 
         ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, oldTokenScope);
 
         // Check user didn't revoke granted consent
         if (!verifyConsentStillAvailable(session, user, client, clientSessionCtx.getClientScopes())) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "Client no longer has requested consent from user");
         }
 
         // recreate token.
         AccessToken newToken = createClientAccessToken(session, realm, client, user, userSession, clientSessionCtx);
         verifyAccess(oldToken, newToken);
 
         return new TokenValidation(user, userSession, clientSessionCtx, newToken);
     }

◆ validateTokenReuse()

void org.keycloak.protocol.oidc.TokenManager.validateTokenReuse	(	KeycloakSession	session,
		RealmModel	realm,
		RefreshToken	refreshToken,
		TokenValidation	validation
	)		throws OAuthErrorException

inlineprivate

                                                                    {
         if (realm.isRevokeRefreshToken()) {
             AuthenticatedClientSessionModel clientSession = validation.clientSessionCtx.getClientSession();
 
             int clusterStartupTime = session.getProvider(ClusterProvider.class).getClusterStartupTime();
 
             if (clientSession.getCurrentRefreshToken() != null &&
                     !refreshToken.getId().equals(clientSession.getCurrentRefreshToken()) &&
                     refreshToken.getIssuedAt() < clientSession.getTimestamp() &&
                     clusterStartupTime != clientSession.getTimestamp()) {
                 throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
             }
 
 
             if (!refreshToken.getId().equals(clientSession.getCurrentRefreshToken())) {
                 clientSession.setCurrentRefreshToken(refreshToken.getId());
                 clientSession.setCurrentRefreshTokenUseCount(0);
             }
 
             int currentCount = clientSession.getCurrentRefreshTokenUseCount();
             if (currentCount > realm.getRefreshTokenMaxReuse()) {
                 throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Maximum allowed refresh token reuse exceeded",
                         "Maximum allowed refresh token reuse exceeded");
             }
             clientSession.setCurrentRefreshTokenUseCount(currentCount + 1);
         }
     }

◆ verifyAccess()

void org.keycloak.protocol.oidc.TokenManager.verifyAccess	(	AccessToken	token,
		AccessToken	newToken
	)		throws OAuthErrorException

inlineprivate

                                                                                                   {
         if (token.getRealmAccess() != null) {
             if (newToken.getRealmAccess() == null) throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "User no long has permission for realm roles");
 
             for (String roleName : token.getRealmAccess().getRoles()) {
                 if (!newToken.getRealmAccess().getRoles().contains(roleName)) {
                     throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "User no long has permission for realm role: " + roleName);
                 }
             }
         }
         if (token.getResourceAccess() != null) {
             for (Map.Entry<String, AccessToken.Access> entry : token.getResourceAccess().entrySet()) {
                 AccessToken.Access appAccess = newToken.getResourceAccess(entry.getKey());
                 if (appAccess == null && !entry.getValue().getRoles().isEmpty()) {
                     throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "User or client no longer has role permissions for client key: " + entry.getKey());
 
                 }
                 for (String roleName : entry.getValue().getRoles()) {
                     if (!appAccess.getRoles().contains(roleName)) {
                         throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "User no long has permission for client role " + roleName);
                     }
                 }
             }
         }
     }

◆ verifyConsentStillAvailable()

static boolean org.keycloak.protocol.oidc.TokenManager.verifyConsentStillAvailable	(	KeycloakSession	session,
		UserModel	user,
		ClientModel	client,
		Set< ClientScopeModel >	requestedClientScopes
	)

inlinestatic

                                                                                                                                                                 {
         if (!client.isConsentRequired()) {
             return true;
         }
 
         UserConsentModel grantedConsent = session.users().getConsentByClient(client.getRealm(), user.getId(), client.getId());
 
         for (ClientScopeModel requestedScope : requestedClientScopes) {
             if (!requestedScope.isDisplayOnConsentScreen()) {
                 continue;
             }
 
             if (!grantedConsent.getGrantedClientScopes().contains(requestedScope)) {
                 logger.debugf("Client '%s' no longer has requested consent from user '%s' for client scope '%s'",
                         client.getClientId(), user.getUsername(), requestedScope.getName());
                 return false;
             }
         }
 
         return true;
     }

◆ verifyIDToken()

IDToken org.keycloak.protocol.oidc.TokenManager.verifyIDToken	(	KeycloakSession	session,
		RealmModel	realm,
		String	encodedIDToken
	)		throws OAuthErrorException

inline

                                                                                                                               {
         IDToken idToken = session.tokens().decode(encodedIDToken, IDToken.class);
         if (idToken == null) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid IDToken");
         }
         if (idToken.isExpired()) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "IDToken expired");
         }
         if (idToken.getIssuedAt() < realm.getNotBefore()) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale IDToken");
         }
         return idToken;
     }

◆ verifyIDTokenSignature()

IDToken org.keycloak.protocol.oidc.TokenManager.verifyIDTokenSignature	(	KeycloakSession	session,
		String	encodedIDToken
	)		throws OAuthErrorException

inline

                                                                                                                      {
         IDToken idToken = session.tokens().decode(encodedIDToken, IDToken.class);
         if (idToken == null) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid IDToken");
         }
         return idToken;
     }

◆ verifyRefreshToken() [1/3]

RefreshToken org.keycloak.protocol.oidc.TokenManager.verifyRefreshToken	(	KeycloakSession	session,
		RealmModel	realm,
		String	encodedRefreshToken
	)		throws OAuthErrorException

inline

                                                                                                                                              {
         return verifyRefreshToken(session, realm, encodedRefreshToken, true);
     }

◆ verifyRefreshToken() [2/3]

RefreshToken org.keycloak.protocol.oidc.TokenManager.verifyRefreshToken	(	KeycloakSession	session,
		RealmModel	realm,
		String	encodedRefreshToken,
		boolean	checkExpiration
	)		throws OAuthErrorException

inline

                                                                                                                                                                       {
         return verifyRefreshToken(session, realm, null, null, encodedRefreshToken, true);
     }

◆ verifyRefreshToken() [3/3]

RefreshToken org.keycloak.protocol.oidc.TokenManager.verifyRefreshToken	(	KeycloakSession	session,
		RealmModel	realm,
		ClientModel	client,
		HttpRequest	request,
		String	encodedRefreshToken,
		boolean	checkExpiration
	)		throws OAuthErrorException

inline

                                                                                                                                                                                                                {
         try {
             RefreshToken refreshToken = toRefreshToken(session, encodedRefreshToken);
 
             if (!(TokenUtil.TOKEN_TYPE_REFRESH.equals(refreshToken.getType()) || TokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType()))) {
                 throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token");
             }
 
             if (checkExpiration) {
                 if (refreshToken.getExpiration() != 0 && refreshToken.isExpired()) {
                     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");
                 }
 
                 if (refreshToken.getIssuedAt() < realm.getNotBefore()) {
                     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token");
                 }
             }
 
             // KEYCLOAK-6771 Certificate Bound Token
             if (client != null && OIDCAdvancedConfigWrapper.fromClientModel(client).isUseMtlsHokToken()) {
                 if (!MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(refreshToken, request, session)) {
                     throw new OAuthErrorException(OAuthErrorException.UNAUTHORIZED_CLIENT, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC);
                 }
             }
 
             return refreshToken;
         } catch (JWSInputException e) {
             throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", e);
         }
     }

メンバ詳解

◆ JWT

final String org.keycloak.protocol.oidc.TokenManager.JWT = "JWT"

staticprivate

◆ logger

final Logger org.keycloak.protocol.oidc.TokenManager.logger = Logger.getLogger(TokenManager.class)

staticprivate

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java

クラス

公開メンバ関数

静的公開メンバ関数

限定公開メンバ関数

非公開メンバ関数

静的非公開メンバ関数

静的非公開変数類

詳解

関数詳解

◆ addComposites()

◆ addGroupRoles()

◆ applyScope()

◆ attachAuthenticationSession()

◆ checkTokenValidForIntrospection()

◆ createClientAccessToken()

◆ dettachClientSession()

◆ getAccess()

◆ getRequestedClientScopes()

◆ getTokenExpiration()

◆ initToken()

◆ isUserValid()

◆ refreshAccessToken()

◆ responseBuilder()

◆ toRefreshToken()

◆ transformAccessToken()

◆ transformIDToken()

◆ transformUserInfoAccessToken()

◆ validateToken()

◆ validateTokenReuse()

◆ verifyAccess()

◆ verifyConsentStillAvailable()

◆ verifyIDToken()

◆ verifyIDTokenSignature()

◆ verifyRefreshToken() [1/3]

◆ verifyRefreshToken() [2/3]

◆ verifyRefreshToken() [3/3]

メンバ詳解

◆ JWT

◆ logger