protected AccessToken initToken(
RealmModel realm,
ClientModel client,
UserModel user,
UserSessionModel session,
ClientSessionModel clientSession) {
AccessToken token = new AccessToken();
if (clientSession != null) token.clientSession(clientSession.getId());
token.id(KeycloakModelUtils.generateId());
token.subject(user.getId());
token.audience(client.getClientId());
token.issuedNow();
token.issuedFor(client.getClientId());
token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
if (session != null) {
token.setSessionState(session.getId());
}
if (realm.getAccessTokenLifespan() > 0) {
token.expiration(Time.currentTime() + realm.getAccessTokenLifespan());
}
Set<String> allowedOrigins = client.getWebOrigins();
if (allowedOrigins != null) {
token.setAllowedOrigins(allowedOrigins);
}
return token;
}
public AccessTokenResponseBuilder generateRefreshToken() {
if (accessToken == null) {
throw new IllegalStateException("accessToken not set");
}
refreshToken = new RefreshToken(accessToken);
refreshToken.id(KeycloakModelUtils.generateId());
refreshToken.issuedNow();
refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout());
return this;
}
public AccessTokenResponse build() {
if (accessToken != null) {
event.detail(Details.TOKEN_ID, accessToken.getId());
}
if (refreshToken != null) {
if (event.getEvent().getDetails().containsKey(Details.REFRESH_TOKEN_ID)) {
event.detail(Details.UPDATED_REFRESH_TOKEN_ID, refreshToken.getId());
} else {
event.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());
}
}
AccessTokenResponse res = new AccessTokenResponse();
if (idToken != null) {
String encodedToken = new JWSBuilder().jsonContent(idToken).rsa256(realm.getPrivateKey());
res.setIdToken(encodedToken);
}
if (accessToken != null) {
String encodedToken =
new JWSBuilder().jsonContent(accessToken).rsa256(realm.getPrivateKey());
res.setToken(encodedToken);
res.setTokenType("bearer");
res.setSessionState(accessToken.getSessionState());
if (accessToken.getExpiration() != 0) {
res.setExpiresIn(accessToken.getExpiration() - Time.currentTime());
}
}
if (refreshToken != null) {
String encodedToken =
new JWSBuilder().jsonContent(refreshToken).rsa256(realm.getPrivateKey());
res.setRefreshToken(encodedToken);
if (refreshToken.getExpiration() != 0) {
res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime());
}
}
int notBefore = realm.getNotBefore();
if (client.getNotBefore() > notBefore) notBefore = client.getNotBefore();
res.setNotBeforePolicy(notBefore);
return res;
}
private void setValue(CredentialEntity credentialEntity, UserCredentialModel cred) {
byte[] salt = getSalt();
int hashIterations = 1;
PasswordPolicy policy = realm.getPasswordPolicy();
if (policy != null) {
hashIterations = policy.getHashIterations();
if (hashIterations == -1) hashIterations = 1;
}
credentialEntity.setCreatedDate(Time.toMillis(Time.currentTime()));
credentialEntity.setValue(
new Pbkdf2PasswordEncoder(salt).encode(cred.getValue(), hashIterations));
credentialEntity.setSalt(salt);
credentialEntity.setHashIterations(hashIterations);
}
public AccessTokenResponseBuilder generateIDToken() {
if (accessToken == null) {
throw new IllegalStateException("accessToken not set");
}
idToken = new IDToken();
idToken.id(KeycloakModelUtils.generateId());
idToken.subject(accessToken.getSubject());
idToken.audience(client.getClientId());
idToken.issuedNow();
idToken.issuedFor(accessToken.getIssuedFor());
idToken.issuer(accessToken.getIssuer());
idToken.setSessionState(accessToken.getSessionState());
if (realm.getAccessTokenLifespan() > 0) {
idToken.expiration(Time.currentTime() + realm.getAccessTokenLifespan());
}
transformIDToken(
session, idToken, realm, client, userSession.getUser(), userSession, clientSession);
return this;
}
public AccessTokenResponse refreshAccessToken(
KeycloakSession session,
UriInfo uriInfo,
ClientConnection connection,
RealmModel realm,
ClientModel authorizedClient,
String encodedRefreshToken,
EventBuilder event,
HttpHeaders headers)
throws OAuthErrorException {
RefreshToken refreshToken = verifyRefreshToken(realm, encodedRefreshToken);
event
.user(refreshToken.getSubject())
.session(refreshToken.getSessionState())
.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());
TokenValidation validation =
validateToken(session, uriInfo, connection, realm, refreshToken, headers);
// validate authorizedClient is same as validated client
if (!validation.clientSession.getClient().getId().equals(authorizedClient.getId())) {
throw new OAuthErrorException(
OAuthErrorException.INVALID_GRANT,
"Invalid refresh token. Token client and authorized client don't match");
}
int currentTime = Time.currentTime();
validation.userSession.setLastSessionRefresh(currentTime);
AccessTokenResponse res =
responseBuilder(
realm,
authorizedClient,
event,
session,
validation.userSession,
validation.clientSession)
.accessToken(validation.newToken)
.generateIDToken()
.generateRefreshToken()
.build();
return res;
}
public Response processAccessCode(
String scopeParam,
String state,
String redirect,
ClientModel client,
UserModel user,
UserSessionModel session,
String username,
boolean rememberMe,
String authMethod,
Audit audit) {
isTotpConfigurationRequired(user);
isEmailVerificationRequired(user);
boolean isResource = client instanceof ApplicationModel;
AccessCodeEntry accessCode =
tokenManager.createAccessCode(scopeParam, state, redirect, realm, client, user, session);
accessCode.setUsername(username);
accessCode.setRememberMe(rememberMe);
accessCode.setAuthMethod(authMethod);
log.debugv("processAccessCode: isResource: {0}", isResource);
log.debugv(
"processAccessCode: go to oauth page?: {0}",
(!isResource
&& (accessCode.getRealmRolesRequested().size() > 0
|| accessCode.getResourceRolesRequested().size() > 0)));
audit.detail(Details.CODE_ID, accessCode.getId());
Set<RequiredAction> requiredActions = user.getRequiredActions();
if (!requiredActions.isEmpty()) {
accessCode.setRequiredActions(new HashSet<UserModel.RequiredAction>(requiredActions));
accessCode.setExpiration(Time.currentTime() + realm.getAccessCodeLifespanUserAction());
RequiredAction action = user.getRequiredActions().iterator().next();
if (action.equals(RequiredAction.VERIFY_EMAIL)) {
audit
.clone()
.event(EventType.SEND_VERIFY_EMAIL)
.detail(Details.EMAIL, accessCode.getUser().getEmail())
.success();
}
return Flows.forms(providerSession, realm, uriInfo)
.setAccessCode(accessCode.getId(), accessCode.getCode())
.setUser(user)
.createResponse(action);
}
if (!isResource
&& (accessCode.getRealmRolesRequested().size() > 0
|| accessCode.getResourceRolesRequested().size() > 0)) {
accessCode.setExpiration(Time.currentTime() + realm.getAccessCodeLifespanUserAction());
return Flows.forms(providerSession, realm, uriInfo)
.setAccessCode(accessCode.getId(), accessCode.getCode())
.setAccessRequest(
accessCode.getRealmRolesRequested(), accessCode.getResourceRolesRequested())
.setClient(client)
.createOAuthGrant();
}
if (redirect != null) {
audit.success();
return redirectAccessCode(accessCode, session, state, redirect, rememberMe);
} else {
return null;
}
}