use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.
the class OIDCIdentityProvider method validateJwt.
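/**
 * Validates an externally issued JWT presented for token exchange and builds the brokered
 * identity from it.
 *
 * <p>When signature validation is disabled in the provider config, the token is instead validated
 * through the external user-info endpoint. Otherwise the config must supply either a JWKS URL or a
 * public key; the token is then checked via {@link #validateToken} and the identity is extracted
 * from the parsed claims. Every rejection path records a reason on {@code event} and calls
 * {@code event.error} before throwing, so rejected exchanges are visible in the event log and not
 * only in debug logging.
 *
 * @param event            event builder used to record the validation method, reason and outcome
 * @param subjectToken     the raw encoded token presented for exchange
 * @param subjectTokenType token type as declared by the caller; tokens declared as
 *                         {@code OAuth2Constants.ID_TOKEN_TYPE} are stored in the context data
 *                         as the raw token, all others as the parsed token
 * @return the brokered identity context with this IDP, its config, the exchange provider alias
 *         and the validated token stored in its context data
 * @throws ErrorResponseException with {@code Errors.INVALID_CONFIG} when the config lacks the key
 *         material needed to verify a signature, or with {@code OAuthErrorException.INVALID_TOKEN}
 *         when the token fails validation or no identity can be extracted from it
 */
protected final BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType) {
    if (!getConfig().isValidateSignature()) {
        // Signature checks are off for this provider: fall back to the user-info endpoint.
        return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
    }
    event.detail("validation_method", "signature");

    // Refuse to proceed when the configuration cannot possibly verify a signature.
    if (getConfig().isUseJwksUrl()) {
        if (getConfig().getJwksUrl() == null) {
            event.detail(Details.REASON, "jwks url unset");
            event.error(Errors.INVALID_CONFIG);
            throw new ErrorResponseException(Errors.INVALID_CONFIG, "Invalid server config", Response.Status.BAD_REQUEST);
        }
    } else if (getConfig().getPublicKeySignatureVerifier() == null) {
        event.detail(Details.REASON, "public key unset");
        event.error(Errors.INVALID_CONFIG);
        throw new ErrorResponseException(Errors.INVALID_CONFIG, "Invalid server config", Response.Status.BAD_REQUEST);
    }

    JsonWebToken parsedToken;
    try {
        // NOTE(review): the boolean presumably relaxes the audience check — confirm against validateToken.
        parsedToken = validateToken(subjectToken, true);
    } catch (IdentityBrokerException e) {
        logger.debug("Unable to validate token for exchange", e);
        event.detail(Details.REASON, "token validation failure");
        event.error(Errors.INVALID_TOKEN);
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
    }

    try {
        boolean idTokenType = OAuth2Constants.ID_TOKEN_TYPE.equals(subjectTokenType);
        // The raw token is only handed to extractIdentity for non-ID tokens; ID tokens are
        // processed from their parsed claims alone.
        BrokeredIdentityContext context = extractIdentity(null, idTokenType ? null : subjectToken, parsedToken);
        if (context == null) {
            event.detail(Details.REASON, "Failed to extract identity from token");
            event.error(Errors.INVALID_TOKEN);
            throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
        }
        if (idTokenType) {
            context.getContextData().put(VALIDATED_ID_TOKEN, subjectToken);
        } else {
            context.getContextData().put(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN, parsedToken);
        }
        context.getContextData().put(EXCHANGE_PROVIDER, getConfig().getAlias());
        context.setIdp(this);
        context.setIdpConfig(getConfig());
        return context;
    } catch (IOException e) {
        logger.debug("Unable to extract identity from identity token", e);
        // Record this rejection on the event like every other failure path does; previously a
        // parse failure here was only debug-logged and left no trace in the event log.
        event.detail(Details.REASON, "Failed to extract identity from token");
        event.error(Errors.INVALID_TOKEN);
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token", Response.Status.BAD_REQUEST);
    }
}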
use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.
the class AuthorizationAPITest method testResourceServerAsAudience.
/**
 * Verifies the audience handling of the UMA flow: the permission ticket must name neither the
 * requesting client nor the resource server as audience, while the RPT obtained for that ticket
 * must name the resource server.
 *
 * @param clientId               client used to obtain the user access token
 * @param resourceServerClientId client id of the resource server expected as the RPT audience
 * @param authzConfigFile        authz configuration used to build the {@link AuthzClient}
 * @throws Exception on any failure of the underlying calls
 */
public void testResourceServerAsAudience(String clientId, String resourceServerClientId, String authzConfigFile) throws Exception {
    AuthzClient authz = getAuthzClient(authzConfigFile);

    PermissionRequest permissionRequest = new PermissionRequest();
    permissionRequest.setResourceId("Resource A");

    // User access token for the given client, obtained through the password grant.
    OAuthClient oauth = new OAuthClient().realm("authz-test").clientId(clientId);
    String accessToken = oauth.doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();

    // Permission ticket for "Resource A" from the protection API.
    String ticket = authz.protection().permission().create(permissionRequest).getTicket();

    // Ticket is opaque to client or resourceServer. The audience should be just an authorization server itself
    JsonWebToken decodedTicket = JsonSerialization.readValue(new JWSInput(ticket).getContent(), JsonWebToken.class);
    Assert.assertFalse(decodedTicket.hasAudience(clientId));
    Assert.assertFalse(decodedTicket.hasAudience(resourceServerClientId));

    // Exchange the ticket for an RPT and check its first audience entry.
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(ticket);
    AuthorizationResponse authorizationResponse = authz.authorization(accessToken).authorize(authorizationRequest);
    assertNotNull(authorizationResponse.getToken());

    AccessToken rpt = toAccessToken(authorizationResponse.getToken());
    assertEquals(resourceServerClientId, rpt.getAudience()[0]);
}
use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.
the class DefaultHostnameTest method assertInitialAccessTokenFromMasterRealm.
/**
 * Creates a client initial-access token in {@code realm}, registers a client with it, and asserts
 * that both the initial-access token and the resulting registration-access token carry
 * {@code expectedBaseUrl + "/realms/" + realm} as issuer.
 *
 * @param testAdminClient admin client used to create the initial-access token
 * @param realm           realm in which the tokens are created
 * @param expectedBaseUrl base URL expected at the start of the {@code iss} claim
 * @throws JWSInputException           if a token cannot be parsed
 * @throws ClientRegistrationException if the client registration call fails
 */
private void assertInitialAccessTokenFromMasterRealm(Keycloak testAdminClient, String realm, String expectedBaseUrl) throws JWSInputException, ClientRegistrationException {
    String expectedIssuer = expectedBaseUrl + "/realms/" + realm;

    ClientInitialAccessCreatePresentation createRequest = new ClientInitialAccessCreatePresentation();
    createRequest.setCount(1);
    createRequest.setExpiration(10000);
    ClientInitialAccessPresentation initialAccess = testAdminClient.realm(realm).clientInitialAccess().create(createRequest);

    JsonWebToken initialAccessToken = new JWSInput(initialAccess.getToken()).readJsonContent(JsonWebToken.class);
    assertEquals(expectedIssuer, initialAccessToken.getIssuer());

    // Register a client using the initial-access token and inspect the registration-access token it yields.
    ClientRegistration registration = ClientRegistration.create().url(AUTH_SERVER_ROOT, realm).build();
    registration.auth(Auth.token(initialAccess.getToken()));
    ClientRepresentation newClient = new ClientRepresentation();
    newClient.setEnabled(true);
    ClientRepresentation created = registration.create(newClient);

    String registrationAccessToken = created.getRegistrationAccessToken();
    JsonWebToken registrationToken = new JWSInput(registrationAccessToken).readJsonContent(JsonWebToken.class);
    assertEquals(expectedIssuer, registrationToken.getIssuer());
}
use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.
the class FixedHostnameTest method assertInitialAccessTokenFromMasterRealm.
/**
 * Creates a client initial-access token in {@code realm}, registers a client with it, and asserts
 * that both the initial-access token and the resulting registration-access token carry
 * {@code expectedBaseUrl + "/auth/realms/" + realm} as issuer.
 *
 * @param testAdminClient admin client used to create the initial-access token
 * @param realm           realm in which the tokens are created
 * @param expectedBaseUrl base URL expected at the start of the {@code iss} claim
 * @throws JWSInputException           if a token cannot be parsed
 * @throws ClientRegistrationException if the client registration call fails
 */
private void assertInitialAccessTokenFromMasterRealm(Keycloak testAdminClient, String realm, String expectedBaseUrl) throws JWSInputException, ClientRegistrationException {
    String expectedIssuer = expectedBaseUrl + "/auth/realms/" + realm;

    ClientInitialAccessCreatePresentation createRequest = new ClientInitialAccessCreatePresentation();
    createRequest.setCount(1);
    createRequest.setExpiration(10000);
    ClientInitialAccessPresentation initialAccess = testAdminClient.realm(realm).clientInitialAccess().create(createRequest);

    JsonWebToken initialAccessToken = new JWSInput(initialAccess.getToken()).readJsonContent(JsonWebToken.class);
    assertEquals(expectedIssuer, initialAccessToken.getIssuer());

    // Register a client using the initial-access token and inspect the registration-access token it yields.
    ClientRegistration registration = ClientRegistration.create().url(authServerUrl, realm).build();
    registration.auth(Auth.token(initialAccess.getToken()));
    ClientRepresentation newClient = new ClientRepresentation();
    newClient.setEnabled(true);
    ClientRepresentation created = registration.create(newClient);

    String registrationAccessToken = created.getRegistrationAccessToken();
    JsonWebToken registrationToken = new JWSInput(registrationAccessToken).readJsonContent(JsonWebToken.class);
    assertEquals(expectedIssuer, registrationToken.getIssuer());
}
use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.
the class JWTClientCredentialsProvider method createRequestToken.
/**
 * Builds the JWT this client presents as its credential: issuer and subject are both the client
 * id, the audience is the realm URL, and the validity window runs from now until
 * {@code tokenTimeout} later.
 *
 * <p>Nothing here signs the token; signing, if any, is the caller's responsibility.
 *
 * @param clientId     client id used as {@code iss} and {@code sub}
 * @param realmInfoUrl realm URL used as {@code aud}
 * @return the populated token, with a freshly generated {@code jti}
 */
protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) {
    int issuedAt = Time.currentTime();
    // presumably seconds, matching the unit of Time.currentTime() — confirm
    int expiresAt = issuedAt + this.tokenTimeout;
    return new JsonWebToken()
            .id(AdapterUtils.generateId())
            .issuer(clientId)
            .subject(clientId)
            .audience(realmInfoUrl)
            .issuedAt(issuedAt)
            .expiration(expiresAt)
            .notBefore(issuedAt);
}