public RSATokenVerifier checkActive(boolean checkActive) { tokenVerifier.checkActive(checkActive); return this; }
private RSATokenVerifier(String tokenString) { this.tokenVerifier = TokenVerifier.create(tokenString, AccessToken.class).withDefaultChecks(); }
public JWSHeader getHeader() throws VerificationException { return tokenVerifier.getHeader(); }
/** * Creates verifier, initializes it from the KeycloakDeployment and adds the publicKey and some default basic checks (activeness and tokenType). Useful if caller wants to add/remove/update * some checks * * @param tokenString * @param deployment * @param withDefaultChecks * @param tokenClass * @param <T> * @return tokenVerifier * @throws VerificationException */ public static <T extends JsonWebToken> TokenVerifier<T> createVerifier(String tokenString, KeycloakDeployment deployment, boolean withDefaultChecks, Class<T> tokenClass) throws VerificationException { TokenVerifier<T> tokenVerifier = TokenVerifier.create(tokenString, tokenClass); if (withDefaultChecks) { tokenVerifier .withDefaultChecks() .realmUrl(deployment.getRealmInfoUrl()); } String kid = tokenVerifier.getHeader().getKeyId(); PublicKey publicKey = getPublicKey(kid, deployment); tokenVerifier.publicKey(publicKey); return tokenVerifier; }
/** * Verify access token and ID token. Typically called after successful tokenResponse is received from Keycloak * * @param accessTokenString * @param idTokenString * @param deployment * @return verified and parsed accessToken and idToken * @throws VerificationException */ public static VerifiedTokens verifyTokens(String accessTokenString, String idTokenString, KeycloakDeployment deployment) throws VerificationException { // Adapters currently do most of the checks including signature etc on the access token TokenVerifier<AccessToken> tokenVerifier = createVerifier(accessTokenString, deployment, true, AccessToken.class); AccessToken accessToken = tokenVerifier.verify().getToken(); if (idTokenString != null) { // Don't verify signature again on IDToken IDToken idToken = TokenVerifier.create(idTokenString, IDToken.class).getToken(); TokenVerifier<IDToken> idTokenVerifier = TokenVerifier.createWithoutSignature(idToken); // Always verify audience and azp on IDToken idTokenVerifier.audience(deployment.getResourceName()); idTokenVerifier.issuedFor(deployment.getResourceName()); idTokenVerifier.verify(); return new VerifiedTokens(accessToken, idToken); } else { return new VerifiedTokens(accessToken, null); } }
.checkActive(false) .verify(); AccessToken accessToken = tokenVerifier.getToken();
/** * Verifies bearer token. Typically called when bearer token (access token) is sent to the service, which wants to verify it. Hence it also checks the audience in the token. * * @param tokenString * @param deployment * @return * @throws VerificationException */ public static AccessToken verifyToken(String tokenString, KeycloakDeployment deployment) throws VerificationException { TokenVerifier<AccessToken> tokenVerifier = createVerifier(tokenString, deployment, true, AccessToken.class); // Verify audience of bearer-token if (deployment.isVerifyTokenAudience()) { tokenVerifier.audience(deployment.getResourceName()); } return tokenVerifier.verify().getToken(); }
public TokenVerifier<T> verify() throws VerificationException { if (getToken() == null) { parse(); } if (jws != null) { verifySignature(); } for (Predicate<? super T> check : checks) { if (! check.test(getToken())) { throw new VerificationException("JWT check failed for check " + check); } } return this; }
public RSATokenVerifier verify() throws VerificationException { tokenVerifier.verify(); return this; }
public RSATokenVerifier realmUrl(String realmUrl) { tokenVerifier.realmUrl(realmUrl); return this; }
public RSATokenVerifier publicKey(PublicKey publicKey) { tokenVerifier.publicKey(publicKey); return this; }
public AccessToken getToken() throws VerificationException { return tokenVerifier.getToken(); }
/** * Creates an instance of {@code TokenVerifier} for the given token. * The token verifier has no checks defined. Note that the checks are only tested when * {@link #verify()} method is invoked. * <p> * <b>NOTE:</b> The returned token verifier cannot verify token signature since * that is not part of the {@link JsonWebToken} object. * @return */ public static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T token) { return new TokenVerifier(token); }
protected JWSInput verifyAdminRequest() throws Exception { if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) { log.warn("SSL is required for adapter admin action"); facade.getResponse().sendError(403, "ssl required"); return null; } String token = StreamUtil.readString(facade.getRequest().getInputStream()); if (token == null) { log.warn("admin request failed, no token"); facade.getResponse().sendError(403, "no token"); return null; } try { // Check just signature. Other things checked in validateAction TokenVerifier tokenVerifier = AdapterTokenVerifier.createVerifier(token, deployment, false, JsonWebToken.class); tokenVerifier.verify(); return new JWSInput(token); } catch (VerificationException ignore) { log.warn("admin request failed, unable to verify token: " + ignore.getMessage()); if (log.isDebugEnabled()) { log.debug(ignore.getMessage(), ignore); } facade.getResponse().sendError(403, "token failed verification"); return null; } }
/** * Creates an instance of {@code TokenVerifier} from the given string on a JWT of the given class. * The token verifier has no checks defined. Note that the checks are only tested when * {@link #verify()} method is invoked. * @param <T> Type of the token * @param tokenString String representation of JWT * @param clazz Class of the token * @return */ public static <T extends JsonWebToken> TokenVerifier<T> create(String tokenString, Class<T> clazz) { return new TokenVerifier(tokenString, clazz); }
AlgorithmType algorithmType = getHeader().getAlgorithm().getType();