protected AccessToken initToken( RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionModel clientSession) { AccessToken token = new AccessToken(); if (clientSession != null) token.clientSession(clientSession.getId()); token.id(KeycloakModelUtils.generateId()); token.subject(user.getId()); token.audience(client.getClientId()); token.issuedNow(); token.issuedFor(client.getClientId()); token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER)); if (session != null) { token.setSessionState(session.getId()); } if (realm.getAccessTokenLifespan() > 0) { token.expiration(Time.currentTime() + realm.getAccessTokenLifespan()); } Set<String> allowedOrigins = client.getWebOrigins(); if (allowedOrigins != null) { token.setAllowedOrigins(allowedOrigins); } return token; }
public AccessTokenResponseBuilder generateRefreshToken() { if (accessToken == null) { throw new IllegalStateException("accessToken not set"); } refreshToken = new RefreshToken(accessToken); refreshToken.id(KeycloakModelUtils.generateId()); refreshToken.issuedNow(); refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout()); return this; }
public AccessTokenResponse build() { if (accessToken != null) { event.detail(Details.TOKEN_ID, accessToken.getId()); } if (refreshToken != null) { if (event.getEvent().getDetails().containsKey(Details.REFRESH_TOKEN_ID)) { event.detail(Details.UPDATED_REFRESH_TOKEN_ID, refreshToken.getId()); } else { event.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId()); } } AccessTokenResponse res = new AccessTokenResponse(); if (idToken != null) { String encodedToken = new JWSBuilder().jsonContent(idToken).rsa256(realm.getPrivateKey()); res.setIdToken(encodedToken); } if (accessToken != null) { String encodedToken = new JWSBuilder().jsonContent(accessToken).rsa256(realm.getPrivateKey()); res.setToken(encodedToken); res.setTokenType("bearer"); res.setSessionState(accessToken.getSessionState()); if (accessToken.getExpiration() != 0) { res.setExpiresIn(accessToken.getExpiration() - Time.currentTime()); } } if (refreshToken != null) { String encodedToken = new JWSBuilder().jsonContent(refreshToken).rsa256(realm.getPrivateKey()); res.setRefreshToken(encodedToken); if (refreshToken.getExpiration() != 0) { res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime()); } } int notBefore = realm.getNotBefore(); if (client.getNotBefore() > notBefore) notBefore = client.getNotBefore(); res.setNotBeforePolicy(notBefore); return res; }
private void setValue(CredentialEntity credentialEntity, UserCredentialModel cred) { byte[] salt = getSalt(); int hashIterations = 1; PasswordPolicy policy = realm.getPasswordPolicy(); if (policy != null) { hashIterations = policy.getHashIterations(); if (hashIterations == -1) hashIterations = 1; } credentialEntity.setCreatedDate(Time.toMillis(Time.currentTime())); credentialEntity.setValue( new Pbkdf2PasswordEncoder(salt).encode(cred.getValue(), hashIterations)); credentialEntity.setSalt(salt); credentialEntity.setHashIterations(hashIterations); }
public AccessTokenResponseBuilder generateIDToken() { if (accessToken == null) { throw new IllegalStateException("accessToken not set"); } idToken = new IDToken(); idToken.id(KeycloakModelUtils.generateId()); idToken.subject(accessToken.getSubject()); idToken.audience(client.getClientId()); idToken.issuedNow(); idToken.issuedFor(accessToken.getIssuedFor()); idToken.issuer(accessToken.getIssuer()); idToken.setSessionState(accessToken.getSessionState()); if (realm.getAccessTokenLifespan() > 0) { idToken.expiration(Time.currentTime() + realm.getAccessTokenLifespan()); } transformIDToken( session, idToken, realm, client, userSession.getUser(), userSession, clientSession); return this; }
public AccessTokenResponse refreshAccessToken( KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException { RefreshToken refreshToken = verifyRefreshToken(realm, encodedRefreshToken); event .user(refreshToken.getSubject()) .session(refreshToken.getSessionState()) .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId()); TokenValidation validation = validateToken(session, uriInfo, connection, realm, refreshToken, headers); // validate authorizedClient is same as validated client if (!validation.clientSession.getClient().getId().equals(authorizedClient.getId())) { throw new OAuthErrorException( OAuthErrorException.INVALID_GRANT, "Invalid refresh token. Token client and authorized client don't match"); } int currentTime = Time.currentTime(); validation.userSession.setLastSessionRefresh(currentTime); AccessTokenResponse res = responseBuilder( realm, authorizedClient, event, session, validation.userSession, validation.clientSession) .accessToken(validation.newToken) .generateIDToken() .generateRefreshToken() .build(); return res; }
public Response processAccessCode( String scopeParam, String state, String redirect, ClientModel client, UserModel user, UserSessionModel session, String username, boolean rememberMe, String authMethod, Audit audit) { isTotpConfigurationRequired(user); isEmailVerificationRequired(user); boolean isResource = client instanceof ApplicationModel; AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, realm, client, user, session); accessCode.setUsername(username); accessCode.setRememberMe(rememberMe); accessCode.setAuthMethod(authMethod); log.debugv("processAccessCode: isResource: {0}", isResource); log.debugv( "processAccessCode: go to oauth page?: {0}", (!isResource && (accessCode.getRealmRolesRequested().size() > 0 || accessCode.getResourceRolesRequested().size() > 0))); audit.detail(Details.CODE_ID, accessCode.getId()); Set<RequiredAction> requiredActions = user.getRequiredActions(); if (!requiredActions.isEmpty()) { accessCode.setRequiredActions(new HashSet<UserModel.RequiredAction>(requiredActions)); accessCode.setExpiration(Time.currentTime() + realm.getAccessCodeLifespanUserAction()); RequiredAction action = user.getRequiredActions().iterator().next(); if (action.equals(RequiredAction.VERIFY_EMAIL)) { audit .clone() .event(EventType.SEND_VERIFY_EMAIL) .detail(Details.EMAIL, accessCode.getUser().getEmail()) .success(); } return Flows.forms(providerSession, realm, uriInfo) .setAccessCode(accessCode.getId(), accessCode.getCode()) .setUser(user) .createResponse(action); } if (!isResource && (accessCode.getRealmRolesRequested().size() > 0 || accessCode.getResourceRolesRequested().size() > 0)) { accessCode.setExpiration(Time.currentTime() + realm.getAccessCodeLifespanUserAction()); return Flows.forms(providerSession, realm, uriInfo) .setAccessCode(accessCode.getId(), accessCode.getCode()) .setAccessRequest( accessCode.getRealmRolesRequested(), accessCode.getResourceRolesRequested()) .setClient(client) .createOAuthGrant(); } if (redirect != null) { audit.success(); return redirectAccessCode(accessCode, session, state, redirect, rememberMe); } else { return null; } }