
Example 11 with JWSInputException

use of org.keycloak.jose.jws.JWSInputException in project keycloak by keycloak.

From the class OIDCIdentityProvider, method validateToken:

/**
 * Verifies a JWS-encoded token and checks its time validity, audience,
 * authorized party and issuer against this provider's configuration.
 *
 * @param encodedToken   the compact JWS string; {@code null} is rejected
 * @param ignoreAudience when {@code true}, the audience and {@code azp}
 *                       (issued-for) checks are skipped
 * @return the parsed token, only if every enabled check passed
 * @throws IdentityBrokerException on a missing/unparseable token, a bad
 *         signature, an expired token, a wrong audience/azp, or an issuer
 *         not in the configured trusted list
 */
protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience) {
    if (encodedToken == null) {
        throw new IdentityBrokerException("No token from server.");
    }
    // The signature is verified before any claim is trusted.
    JsonWebToken token = readVerifiedToken(encodedToken);
    String iss = token.getIssuer();

    if (!token.isActive(getConfig().getAllowedClockSkew())) {
        throw new IdentityBrokerException("Token is no longer valid");
    }
    if (!ignoreAudience) {
        if (!token.hasAudience(getConfig().getClientId())) {
            throw new IdentityBrokerException("Wrong audience from token.");
        }
        // azp is optional; when present it must name this client.
        String issuedFor = token.getIssuedFor();
        if (issuedFor != null && !getConfig().getClientId().equals(issuedFor)) {
            throw new IdentityBrokerException("Token issued for does not match client id");
        }
    }

    // Issuer pinning is only enforced when a trusted-issuer list is configured;
    // with an empty configuration any issuer is accepted.
    String trustedIssuers = getConfig().getIssuer();
    if (trustedIssuers == null || trustedIssuers.isEmpty()) {
        return token;
    }
    if (isTrustedIssuer(iss, trustedIssuers)) {
        return token;
    }
    throw new IdentityBrokerException("Wrong issuer from token. Got: " + iss + " expected: " + getConfig().getIssuer());
}

/**
 * Parses {@code encodedToken} and checks its signature via {@link #verify}.
 *
 * @throws IdentityBrokerException if the JWS cannot be read or the
 *         signature does not verify
 */
private JsonWebToken readVerifiedToken(String encodedToken) {
    try {
        JWSInput jws = new JWSInput(encodedToken);
        if (!verify(jws)) {
            throw new IdentityBrokerException("token signature validation failed");
        }
        return jws.readJsonContent(JsonWebToken.class);
    } catch (JWSInputException e) {
        throw new IdentityBrokerException("Invalid token", e);
    }
}

/**
 * Returns {@code true} if {@code iss} exactly equals one entry of the
 * comma-separated {@code trustedIssuers} list (entries are trimmed).
 * A {@code null} issuer never matches.
 */
private static boolean isTrustedIssuer(String iss, String trustedIssuers) {
    if (iss == null) {
        return false;
    }
    for (String candidate : trustedIssuers.split(",")) {
        if (iss.equals(candidate.trim())) {
            return true;
        }
    }
    return false;
}
Also used : IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException) JWSInputException(org.keycloak.jose.jws.JWSInputException) JWSInput(org.keycloak.jose.jws.JWSInput) JsonWebToken(org.keycloak.representations.JsonWebToken)

Example 12 with JWSInputException

use of org.keycloak.jose.jws.JWSInputException in project keycloak by keycloak.

From the class AdminController, method showTokens:

/**
 * Renders the current session's access and refresh tokens on the "tokens" view.
 *
 * @param req        the current request; the Keycloak security context is read
 *                   from its request-scoped attributes
 * @param model      receives {@code accessToken}, {@code refreshToken} (pretty JSON)
 *                   and {@code accessTokenString} (raw compact form)
 * @param attributes query parameters; {@code timeOffset} (seconds, presumably)
 *                   is applied via {@link Time#setOffset} before rendering
 * @return the view name {@code "tokens"}
 * @throws IOException if the refresh token cannot be decoded
 */
@RequestMapping(path = "/TokenServlet", method = RequestMethod.GET)
public String showTokens(WebRequest req, Model model, @RequestParam Map<String, String> attributes) throws IOException {
    // NOTE(review): the clock offset is taken from an unauthenticated query
    // parameter and Time.setOffset looks like a process-wide setter — suitable
    // for a test application only; confirm this controller is not deployed elsewhere.
    applyTimeOffset(attributes.get("timeOffset"));

    RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName(), WebRequest.SCOPE_REQUEST);
    String accessTokenPretty = JsonSerialization.writeValueAsPrettyString(ctx.getToken());
    // Decode the refresh token before touching the model so a failure leaves it untouched.
    String refreshTokenPretty = JsonSerialization.writeValueAsPrettyString(decodeRefreshToken(ctx.getRefreshToken()));

    model.addAttribute("accessToken", accessTokenPretty);
    model.addAttribute("refreshToken", refreshTokenPretty);
    model.addAttribute("accessTokenString", ctx.getTokenString());
    return "tokens";
}

/**
 * Applies {@code timeOffset} via {@link Time#setOffset} when it is non-empty;
 * an unparseable value is treated as {@code 0}.
 */
private static void applyTimeOffset(String timeOffset) {
    if (StringUtils.isEmpty(timeOffset)) {
        return;
    }
    int offset;
    try {
        offset = Integer.parseInt(timeOffset);
    } catch (NumberFormatException e) {
        offset = 0;
    }
    Time.setOffset(offset);
}

/**
 * Reads the JSON payload of a compact refresh token (no signature check is
 * performed here).
 *
 * @throws IOException wrapping the {@link JWSInputException} when the token cannot be read
 */
private static RefreshToken decodeRefreshToken(String encodedRefreshToken) throws IOException {
    try {
        return new JWSInput(encodedRefreshToken).readJsonContent(RefreshToken.class);
    } catch (JWSInputException e) {
        throw new IOException(e);
    }
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) RefreshableKeycloakSecurityContext(org.keycloak.adapters.RefreshableKeycloakSecurityContext) JWSInputException(org.keycloak.jose.jws.JWSInputException) JWSInput(org.keycloak.jose.jws.JWSInput) IOException(java.io.IOException) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 13 with JWSInputException

use of org.keycloak.jose.jws.JWSInputException in project keycloak by keycloak.

From the class ConflictingScopePermissionTest, method getEntitlements:

/**
 * Obtains an RPT for the given credentials and returns the permissions it grants.
 *
 * @param username resource-owner user name
 * @param password resource-owner password
 * @return the permissions carried in the RPT's authorization claim
 * @throws RuntimeException if the RPT cannot be decoded
 * @throws AssertionError   if the RPT carries no authorization data
 */
private Collection<Permission> getEntitlements(String username, String password) {
    AuthorizationResponse response = getAuthzClient().authorization(username, password).authorize();
    AccessToken rpt = decodeRpt(response.getToken());
    AccessToken.Authorization authorization = rpt.getAuthorization();
    assertNotNull("RPT does not contain any authorization data", authorization);
    return authorization.getPermissions();
}

/**
 * Reads the payload of a compact RPT; the signature is not verified here.
 */
private static AccessToken decodeRpt(String encodedRpt) {
    try {
        return new JWSInput(encodedRpt).readJsonContent(AccessToken.class);
    } catch (JWSInputException cause) {
        throw new RuntimeException("Failed to deserialize RPT", cause);
    }
}
Also used : AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) JWSInputException(org.keycloak.jose.jws.JWSInputException) JWSInput(org.keycloak.jose.jws.JWSInput) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)

Example 14 with JWSInputException

use of org.keycloak.jose.jws.JWSInputException in project keycloak by keycloak.

From the class AssertAdminEvents, method defaultAuthDetails:

/**
 * Builds the expected auth details for the admin client's current access token.
 *
 * <p>The realm id is taken as the last path segment of the token's issuer
 * (presumably {@code .../realms/<realm>} — verify against the token format);
 * the user id is the token subject.
 *
 * @return a representation with realm id and user id filled in
 * @throws RuntimeException wrapping the {@link JWSInputException} if the token cannot be read
 */
private AuthDetailsRepresentation defaultAuthDetails() {
    String accessTokenString = context.getAdminClient().tokenManager().getAccessTokenString();
    AccessToken token;
    try {
        // Payload only; the admin client's token is trusted here and not re-verified.
        token = new JWSInput(accessTokenString).readJsonContent(AccessToken.class);
    } catch (JWSInputException jwe) {
        throw new RuntimeException(jwe);
    }
    String issuer = token.getIssuer();
    String realmId = issuer.substring(issuer.lastIndexOf('/') + 1);

    AuthDetailsRepresentation details = new AuthDetailsRepresentation();
    details.setRealmId(realmId);
    details.setUserId(token.getSubject());
    return details;
}
Also used : AccessToken(org.keycloak.representations.AccessToken) JWSInputException(org.keycloak.jose.jws.JWSInputException) JWSInput(org.keycloak.jose.jws.JWSInput) AuthDetailsRepresentation(org.keycloak.representations.idm.AuthDetailsRepresentation)

Example 15 with JWSInputException

use of org.keycloak.jose.jws.JWSInputException in project keycloak by keycloak.

From the class HoKTest, method verifyHoKTokenCertThumbPrint:

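/**
 * Asserts that the access token (and optionally the refresh token) in
 * {@code response} is bound to the client certificate with thumbprint
 * {@code certThumbPrint}.
 *
 * <p>Changes from the previous version: the byte comparison uses an explicit
 * charset instead of the platform default, a missing certificate confirmation
 * fails with an assertion message instead of a {@code NullPointerException},
 * and the decode failure keeps its cause.
 *
 * @param response          token response to inspect
 * @param certThumbPrint    expected thumbprint, as carried in the token
 * @param checkRefreshToken also check the refresh token when {@code true}
 * @throws AssertionError if a token cannot be decoded or its thumbprint differs
 */
private void verifyHoKTokenCertThumbPrint(AccessTokenResponse response, String certThumbPrint, boolean checkRefreshToken) {
    AccessToken at = decodeToken(response.getAccessToken(), AccessToken.class);
    Assert.assertNotNull("access token carries no certificate confirmation", at.getCertConf());
    assertThumbprintEquals(certThumbPrint, at.getCertConf().getCertThumbprint());

    if (checkRefreshToken) {
        RefreshToken rt = decodeToken(response.getRefreshToken(), RefreshToken.class);
        Assert.assertNotNull("refresh token carries no certificate confirmation", rt.getCertConf());
        assertThumbprintEquals(certThumbPrint, rt.getCertConf().getCertThumbprint());
    }
}

/**
 * Reads the payload of a compact JWS as {@code type}; no signature check is
 * done here (the test only inspects the claims).
 *
 * @throws AssertionError with the {@link JWSInputException} as cause if decoding fails
 */
private static <T> T decodeToken(String encoded, Class<T> type) {
    try {
        return new JWSInput(encoded).readJsonContent(type);
    } catch (JWSInputException e) {
        throw new AssertionError("cannot decode " + type.getSimpleName() + ": " + e, e);
    }
}

/**
 * Asserts {@code actual} equals {@code expected} using a constant-time byte
 * comparison (as the original did) with an explicit UTF-8 encoding, so the
 * result does not depend on the JVM's default charset.
 */
private static void assertThumbprintEquals(String expected, String actual) {
    Assert.assertNotNull("token carries no certificate thumbprint", actual);
    byte[] expectedBytes = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] actualBytes = actual.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    assertTrue("certificate thumbprint mismatch", MessageDigest.isEqual(expectedBytes, actualBytes));
}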
Also used : RefreshToken(org.keycloak.representations.RefreshToken) AccessToken(org.keycloak.representations.AccessToken) JWSInputException(org.keycloak.jose.jws.JWSInputException) JWSInput(org.keycloak.jose.jws.JWSInput)

Aggregations

JWSInput (org.keycloak.jose.jws.JWSInput)16 JWSInputException (org.keycloak.jose.jws.JWSInputException)16 AccessToken (org.keycloak.representations.AccessToken)8 IOException (java.io.IOException)3 RefreshToken (org.keycloak.representations.RefreshToken)3 JsonNode (com.fasterxml.jackson.databind.JsonNode)2 RefreshableKeycloakSecurityContext (org.keycloak.adapters.RefreshableKeycloakSecurityContext)2 VerificationException (org.keycloak.common.VerificationException)2 JsonWebToken (org.keycloak.representations.JsonWebToken)2 CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)2 AuthenticationManager (org.keycloak.services.managers.AuthenticationManager)2 X509Certificate (javax.security.cert.X509Certificate)1 BadRequestException (javax.ws.rs.BadRequestException)1 Consumes (javax.ws.rs.Consumes)1 NotAuthorizedException (javax.ws.rs.NotAuthorizedException)1 POST (javax.ws.rs.POST)1 Path (javax.ws.rs.Path)1 Produces (javax.ws.rs.Produces)1 MediaType (javax.ws.rs.core.MediaType)1 Response (javax.ws.rs.core.Response)1