@Override public void reset(KeycloakDeployment deployment) { synchronized (this) { sendRequest(deployment); lastRequestTime = Time.currentTime(); } }
protected Auth bearerAuth(String tokenString) throws VerificationException { AccessToken token = AdapterTokenVerifier.verifyToken(tokenString, deployment); return postTokenVerification(tokenString, token); }
public void updateNotBefore(int notBefore) { this.notBefore = notBefore; getPublicKeyLocator().reset(this); }
AdapterTokenVerifier.VerifiedTokens tokens = AdapterTokenVerifier.verifyTokens(tokenString, idTokenString, deployment); token = tokens.getAccessToken(); idToken = tokens.getIdToken(); log.debug("Token Verification succeeded!"); } catch (VerificationException e) {
try { realmKey = PemUtils.decodePublicKey(realmKeyPem); HardcodedPublicKeyLocator pkLocator = new HardcodedPublicKeyLocator(realmKey); deployment.setPublicKeyLocator(pkLocator); } catch (Exception e) { JWKPublicKeyLocator pkLocator = new JWKPublicKeyLocator(); deployment.setPublicKeyLocator(pkLocator);
AccessToken token = null; try { AdapterTokenVerifier.VerifiedTokens tokens = AdapterTokenVerifier.verifyTokens(tokenString, response.getIdToken(), deployment); token = tokens.getAccessToken(); log.debug("Token Verification succeeded!"); } catch (VerificationException e) {
@Override public PublicKey getPublicKey(String kid, KeycloakDeployment deployment) { int minTimeBetweenRequests = deployment.getMinTimeBetweenJwksRequests(); int publicKeyCacheTtl = deployment.getPublicKeyCacheTtl(); int currentTime = Time.currentTime(); // Check if key is in cache. PublicKey publicKey = lookupCachedKey(publicKeyCacheTtl, currentTime, kid); if (publicKey != null) { return publicKey; } // Check if we are allowed to send request synchronized (this) { currentTime = Time.currentTime(); if (currentTime > lastRequestTime + minTimeBetweenRequests) { sendRequest(deployment); lastRequestTime = currentTime; } else { log.debug("Won't send request to realm jwks url. Last request time was " + lastRequestTime); } return lookupCachedKey(publicKeyCacheTtl, currentTime, kid); } }
/** * Verify access token and ID token. Typically called after successful tokenResponse is received from Keycloak * * @param accessTokenString * @param idTokenString * @param deployment * @return verified and parsed accessToken and idToken * @throws VerificationException */ public static VerifiedTokens verifyTokens(String accessTokenString, String idTokenString, KeycloakDeployment deployment) throws VerificationException { // Adapters currently do most of the checks including signature etc on the access token TokenVerifier<AccessToken> tokenVerifier = createVerifier(accessTokenString, deployment, true, AccessToken.class); AccessToken accessToken = tokenVerifier.verify().getToken(); if (idTokenString != null) { // Don't verify signature again on IDToken IDToken idToken = TokenVerifier.create(idTokenString, IDToken.class).getToken(); TokenVerifier<IDToken> idTokenVerifier = TokenVerifier.createWithoutSignature(idToken); // Always verify audience and azp on IDToken idTokenVerifier.audience(deployment.getResourceName()); idTokenVerifier.issuedFor(deployment.getResourceName()); idTokenVerifier.verify(); return new VerifiedTokens(accessToken, idToken); } else { return new VerifiedTokens(accessToken, null); } }
/** * Finds the keycloak deployment bean and applies a hardcoded public key locator using the * provided public key. */ private void applyHardcodedPublicKey(PublicKey publicKey) { KeycloakDeployment deployment = (KeycloakDeployment)childApplicationContextFactory.getApplicationContext(). getBean(DEPLOYMENT_BEAN_NAME); HardcodedPublicKeyLocator publicKeyLocator = new HardcodedPublicKeyLocator(publicKey); deployment.setPublicKeyLocator(publicKeyLocator); } }
/** * Verifies bearer token. Typically called when bearer token (access token) is sent to the service, which wants to verify it. Hence it also checks the audience in the token. * * @param tokenString * @param deployment * @return * @throws VerificationException */ public static AccessToken verifyToken(String tokenString, KeycloakDeployment deployment) throws VerificationException { TokenVerifier<AccessToken> tokenVerifier = createVerifier(tokenString, deployment, true, AccessToken.class); // Verify audience of bearer-token if (deployment.isVerifyTokenAudience()) { tokenVerifier.audience(deployment.getResourceName()); } return tokenVerifier.verify().getToken(); }
private static PublicKey getPublicKey(String kid, KeycloakDeployment deployment) throws VerificationException { PublicKeyLocator pkLocator = deployment.getPublicKeyLocator(); PublicKey publicKey = pkLocator.getPublicKey(kid, deployment); if (publicKey == null) { log.errorf("Didn't find publicKey for kid: %s", kid); throw new VerificationException("Didn't find publicKey for specified kid"); } return publicKey; }
/** * Creates verifier, initializes it from the KeycloakDeployment and adds the publicKey and some default basic checks (activeness and tokenType). Useful if caller wants to add/remove/update * some checks * * @param tokenString * @param deployment * @param withDefaultChecks * @param tokenClass * @param <T> * @return tokenVerifier * @throws VerificationException */ public static <T extends JsonWebToken> TokenVerifier<T> createVerifier(String tokenString, KeycloakDeployment deployment, boolean withDefaultChecks, Class<T> tokenClass) throws VerificationException { TokenVerifier<T> tokenVerifier = TokenVerifier.create(tokenString, tokenClass); if (withDefaultChecks) { tokenVerifier .withDefaultChecks() .realmUrl(deployment.getRealmInfoUrl()); } String kid = tokenVerifier.getHeader().getKeyId(); PublicKey publicKey = getPublicKey(kid, deployment); tokenVerifier.publicKey(publicKey); return tokenVerifier; }
AdapterTokenVerifier.VerifiedTokens tokens = AdapterTokenVerifier.verifyTokens(tokenResponse.getToken(), tokenResponse.getIdToken(), deployment); return postTokenVerification(tokenResponse.getToken(), tokens.getAccessToken());
token = AdapterTokenVerifier.verifyToken(tokenString, deployment); } catch (VerificationException e) { log.debug("Failed to verify token");
TokenVerifier<AccessToken> tokenVerifier = AdapterTokenVerifier.createVerifier(accessTokenString, deployment, true, AccessToken.class) .checkActive(false) .verify();
@Override public void updateNotBefore(int notBefore) { delegate.setNotBefore(notBefore); getPublicKeyLocator().reset(this); }
return AdapterTokenVerifier.verifyToken(authzResponse.getToken(), deployment);
protected JWSInput verifyAdminRequest() throws Exception { if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) { log.warn("SSL is required for adapter admin action"); facade.getResponse().sendError(403, "ssl required"); return null; } String token = StreamUtil.readString(facade.getRequest().getInputStream()); if (token == null) { log.warn("admin request failed, no token"); facade.getResponse().sendError(403, "no token"); return null; } try { // Check just signature. Other things checked in validateAction TokenVerifier tokenVerifier = AdapterTokenVerifier.createVerifier(token, deployment, false, JsonWebToken.class); tokenVerifier.verify(); return new JWSInput(token); } catch (VerificationException ignore) { log.warn("admin request failed, unable to verify token: " + ignore.getMessage()); if (log.isDebugEnabled()) { log.debug(ignore.getMessage(), ignore); } facade.getResponse().sendError(403, "token failed verification"); return null; } }