Examples with AccessToken org.keycloak.representations.AccessToken used on opensource projects

Example 96 with AccessToken

use of org.keycloak.representations.AccessToken in project keycloak by keycloak.

the class RPTIntrospectionProvider method introspect.

@Override
public Response introspect(String token) {
    LOGGER.debug("Introspecting requesting party token");
    try {
        AccessToken accessToken = verifyAccessToken(token);
        ObjectNode tokenMetadata;
        if (accessToken != null) {
            AccessToken metadata = new AccessToken();
            metadata.id(accessToken.getId());
            metadata.setAcr(accessToken.getAcr());
            metadata.type(accessToken.getType());
            metadata.expiration(accessToken.getExpiration());
            metadata.issuedAt(accessToken.getIssuedAt());
            metadata.audience(accessToken.getAudience());
            metadata.notBefore(accessToken.getNotBefore());
            metadata.setRealmAccess(null);
            metadata.setResourceAccess(null);
            tokenMetadata = JsonSerialization.createObjectNode(metadata);
            Authorization authorization = accessToken.getAuthorization();
            if (authorization != null) {
                Collection permissions;
                if (authorization.getPermissions() != null) {
                    permissions = authorization.getPermissions().stream().map(UmaPermissionRepresentation::new).collect(Collectors.toSet());
                } else {
                    permissions = Collections.emptyList();
                }
                tokenMetadata.putPOJO("permissions", permissions);
            }
        } else {
            tokenMetadata = JsonSerialization.createObjectNode();
        }
        tokenMetadata.put("active", accessToken != null);
        return Response.ok(JsonSerialization.writeValueAsBytes(tokenMetadata)).type(MediaType.APPLICATION_JSON_TYPE).build();
    } catch (Exception e) {
        throw new RuntimeException("Error creating token introspection response.", e);
    }
}

Example 97 with AccessToken

use of org.keycloak.representations.AccessToken in project keycloak by keycloak.

the class IdentityBrokerService method getToken.

private Response getToken(String providerId, boolean forceRetrieval) {
    this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN);
    try {
        AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session).setRealm(realmModel).setConnection(clientConnection).setHeaders(request.getHttpHeaders()).authenticate();
        if (authResult != null) {
            AccessToken token = authResult.getToken();
            ClientModel clientModel = authResult.getClient();
            session.getContext().setClient(clientModel);
            ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID);
            if (brokerClient == null) {
                return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientModel);
            }
            if (!canReadBrokerToken(token)) {
                return corsResponse(forbidden("Client [" + clientModel.getClientId() + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel);
            }
            IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId);
            IdentityProviderModel identityProviderConfig = getIdentityProviderConfig(providerId);
            if (identityProviderConfig.isStoreToken()) {
                FederatedIdentityModel identity = this.session.users().getFederatedIdentity(this.realmModel, authResult.getUser(), providerId);
                if (identity == null) {
                    return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel);
                }
                this.event.success();
                return corsResponse(identityProvider.retrieveToken(session, identity), clientModel);
            }
            return corsResponse(badRequest("Identity Provider [" + providerId + "] does not support this operation."), clientModel);
        }
        return badRequest("Invalid token.");
    } catch (IdentityBrokerException e) {
        return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.COULD_NOT_OBTAIN_TOKEN, e, providerId);
    } catch (Exception e) {
        return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, providerId);
    }
}

Example 98 with AccessToken

use of org.keycloak.representations.AccessToken in project keycloak by keycloak.

the class EntitlementAPITest method testObtainAllEntitlementsWithLimit.

@Test
public void testObtainAllEntitlementsWithLimit() throws Exception {
    org.keycloak.authorization.client.resource.AuthorizationResource authorizationResource = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization("marta", "password");
    AuthorizationResponse response = authorizationResource.authorize();
    AccessToken accessToken = toAccessToken(response.getToken());
    Authorization authorization = accessToken.getAuthorization();
    assertTrue(authorization.getPermissions().size() >= 20);
    AuthorizationRequest request = new AuthorizationRequest();
    Metadata metadata = new Metadata();
    metadata.setLimit(10);
    request.setMetadata(metadata);
    response = authorizationResource.authorize(request);
    accessToken = toAccessToken(response.getToken());
    authorization = accessToken.getAuthorization();
    assertEquals(10, authorization.getPermissions().size());
    metadata.setLimit(1);
    request.setMetadata(metadata);
    response = authorizationResource.authorize(request);
    accessToken = toAccessToken(response.getToken());
    authorization = accessToken.getAuthorization();
    assertEquals(1, authorization.getPermissions().size());
}

Example 99 with AccessToken

use of org.keycloak.representations.AccessToken in project keycloak by keycloak.

the class EntitlementAPITest method testResourceServerAsAudience.

private void testResourceServerAsAudience(String testClientId, String resourceServerClientId, String configFile) throws Exception {
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission("Resource 1");
    String accessToken = new OAuthClient().realm("authz-test").clientId(testClientId).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
    AuthorizationResponse response = getAuthzClient(configFile).authorization(accessToken).authorize(request);
    AccessToken rpt = toAccessToken(response.getToken());
    assertEquals(resourceServerClientId, rpt.getAudience()[0]);
}

Example 100 with AccessToken

use of org.keycloak.representations.AccessToken in project keycloak by keycloak.

the class EntitlementAPITest method testPermissionOrder.

@Test
public void testPermissionOrder() throws Exception {
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName(KeycloakModelUtils.generateId());
    policy.setCode("$evaluation.grant();");
    authorization.policies().js().create(policy).close();
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("my_resource");
    resource.addScope("entity:read");
    try (Response response = authorization.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }
    ScopeRepresentation featureAccessScope = new ScopeRepresentation("feature:access");
    authorization.scopes().create(featureAccessScope);
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(KeycloakModelUtils.generateId());
    permission.addPolicy(policy.getName());
    permission.addResource(resource.getId());
    authorization.permissions().resource().create(permission).close();
    ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
    scopePermission.setName(KeycloakModelUtils.generateId());
    scopePermission.addPolicy(policy.getName());
    scopePermission.addScope(featureAccessScope.getName());
    authorization.permissions().scope().create(scopePermission).close();
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "entity:read");
    request.addPermission(null, "feature:access");
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    AuthorizationResponse response = authzClient.authorization().authorize(request);
    AccessToken token = toAccessToken(response.getToken());
    Authorization result = token.getAuthorization();
    assertEquals(2, result.getPermissions().size());
    assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
    String resourceId = resource.getId();
    assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
    request = new AuthorizationRequest();
    request.addPermission(null, "feature:access");
    request.addPermission(null, "entity:read");
    response = authzClient.authorization().authorize(request);
    token = toAccessToken(response.getToken());
    result = token.getAuthorization();
    assertEquals(2, result.getPermissions().size());
    assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
    assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
}