Example 26 with JsonWebToken

Use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.

The class ExternalKeycloakRoleToRoleMapper, method applies.

@Override
protected boolean applies(IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    // Access token issued by the external Keycloak IdP; it was signature-validated and stored
    // in the brokered context by KeycloakOIDCIdentityProvider.processAccessTokenResponse.
    JsonWebToken token = (JsonWebToken) context.getContextData().get(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN);
    // Configured external role: [clientId, roleName] for a client role, or [null, roleName] for a realm role.
    String[] parseRole = KeycloakModelUtils.parseRole(mapperModel.getConfig().get(EXTERNAL_ROLE));
    String externalRoleName = parseRole[1];
    // Realm roles are carried in realm_access.roles, client roles in resource_access.<clientId>.roles.
    String claimName = parseRole[0] == null ? "realm_access.roles" : "resource_access." + parseRole[0] + ".roles";
    Object claim = getClaimValue(token, claimName);
    // The mapper only applies when the validated external token actually carries the role.
    return valueEquals(externalRoleName, claim);
}
Also used : JsonWebToken(org.keycloak.representations.JsonWebToken)

Example 27 with JsonWebToken

Use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.

The class GoogleIdentityProvider, method validateToken.

@Override
protected JsonWebToken validateToken(final String encodedToken, final boolean ignoreAudience) {
    // Generic OIDC validation first (signature, issuer, expiry and, unless ignored, audience).
    JsonWebToken token = super.validateToken(encodedToken, ignoreAudience);
    String hostedDomain = ((GoogleIdentityProviderConfig) getConfig()).getHostedDomain();
    if (hostedDomain == null) {
        // No hosted-domain restriction configured: any Google account is accepted.
        return token;
    }
    // Google only sets the hosted-domain ("hd") claim for accounts that belong to a hosted domain,
    // so a missing claim means the account is outside any domain and is rejected.
    Object receivedHdParam = token.getOtherClaims().get(OIDC_PARAMETER_HOSTED_DOMAINS);
    if (receivedHdParam == null) {
        throw new IdentityBrokerException("Identity token does not contain hosted domain parameter.");
    }
    // "*" accepts any hosted domain; otherwise the claim must match the configured domain exactly.
    if (hostedDomain.equals("*") || hostedDomain.equals(receivedHdParam)) {
        return token;
    }
    throw new IdentityBrokerException("Hosted domain does not match.");
}
Also used : IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException) JsonWebToken(org.keycloak.representations.JsonWebToken)

Example 28 with JsonWebToken

Use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.

The class KeycloakOIDCIdentityProvider, method processAccessTokenResponse.

@Override
protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) {
    // Don't verify audience on accessToken as it may not be there. It was verified on IDToken already.
    // Signature, issuer and expiry are still checked by validateToken.
    JsonWebToken access = validateToken(response.getToken(), true);
    // Stored so that mappers (e.g. ExternalKeycloakRoleToRoleMapper) can read claims from the validated token.
    context.getContextData().put(VALIDATED_ACCESS_TOKEN, access);
}
Also used : JsonWebToken(org.keycloak.representations.JsonWebToken)

Example 29 with JsonWebToken

Use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.

The class AbstractOAuth2IdentityProvider, method generateToken.

// Builds the JWT that this broker presents to the external provider's token endpoint
// for client authentication (the claims are then signed by the caller).
protected JsonWebToken generateToken() {
    JsonWebToken jwt = new JsonWebToken();
    // Unique "jti" so the assertion cannot be replayed as the same token.
    jwt.id(KeycloakModelUtils.generateId());
    jwt.type(OAuth2Constants.JWT);
    // Issuer and subject are both the client id registered at the external provider.
    jwt.issuer(getConfig().getClientId());
    jwt.subject(getConfig().getClientId());
    // Audience is the token endpoint the assertion is sent to, limiting where it is valid.
    jwt.audience(getConfig().getTokenUrl());
    // Lifetime bounded by the realm's access-code lifespan.
    int expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
    jwt.expiration(Time.currentTime() + expirationDelay);
    jwt.issuedNow();
    return jwt;
}
Also used : JsonWebToken(org.keycloak.representations.JsonWebToken) AuthorizationEndpoint(org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint)

Example 30 with JsonWebToken

Use of org.keycloak.representations.JsonWebToken in project keycloak by keycloak.

The class OIDCJwksClientRegistrationTest, method getClientSignedJWT.

// Test helper: produces a client-authentication JWT signed with the given key pair,
// optionally overriding the "kid" header so the server's JWKS lookup can be exercised.
private String getClientSignedJWT(String clientId, KeyPair keyPair, final String kid) {
    String realmInfoUrl = KeycloakUriBuilder.fromUri(getAuthServerRoot()).path(ServiceUrlConstants.REALM_INFO_PATH).build(REALM_NAME).toString();
    // Use token-endpoint as audience as OIDC conformance testsuite is using it too.
    JWTClientCredentialsProvider jwtProvider = new JWTClientCredentialsProvider() {

        @Override
        public String createSignedRequestToken(String clientId, String realmInfoUrl) {
            if (KEEP_GENERATED_KID.equals(kid)) {
                // Default behaviour: the provider derives the kid from the configured key pair.
                return super.createSignedRequestToken(clientId, realmInfoUrl);
            } else {
                // Sign with an explicit kid header (RS256) to test key selection by kid.
                JsonWebToken jwt = createRequestToken(clientId, realmInfoUrl);
                return new JWSBuilder().kid(kid).jsonContent(jwt).rsa256(keyPair.getPrivate());
            }
        }

        @Override
        protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) {
            JsonWebToken jwt = super.createRequestToken(clientId, realmInfoUrl);
            // Replace the default audience with the realm's token endpoint URL.
            String tokenEndpointUrl = OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(getAuthServerRoot())).build(REALM_NAME).toString();
            jwt.audience(tokenEndpointUrl);
            return jwt;
        }
    };
    jwtProvider.setupKeyPair(keyPair);
    // Short lifetime (seconds) keeps the assertion usable only for the duration of the test.
    jwtProvider.setTokenTimeout(10);
    return jwtProvider.createSignedRequestToken(clientId, realmInfoUrl);
}
Also used : JsonWebToken(org.keycloak.representations.JsonWebToken) JWTClientCredentialsProvider(org.keycloak.adapters.authentication.JWTClientCredentialsProvider) JWSBuilder(org.keycloak.jose.jws.JWSBuilder)
