Esempio n. 1
0
 protected AccessToken initToken(
     RealmModel realm,
     ClientModel client,
     UserModel user,
     UserSessionModel session,
     ClientSessionModel clientSession) {
   AccessToken token = new AccessToken();
   if (clientSession != null) token.clientSession(clientSession.getId());
   token.id(KeycloakModelUtils.generateId());
   token.subject(user.getId());
   token.audience(client.getClientId());
   token.issuedNow();
   token.issuedFor(client.getClientId());
   token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
   if (session != null) {
     token.setSessionState(session.getId());
   }
   if (realm.getAccessTokenLifespan() > 0) {
     token.expiration(Time.currentTime() + realm.getAccessTokenLifespan());
   }
   Set<String> allowedOrigins = client.getWebOrigins();
   if (allowedOrigins != null) {
     token.setAllowedOrigins(allowedOrigins);
   }
   return token;
 }
Esempio n. 2
0
 public AccessTokenResponseBuilder generateRefreshToken() {
   if (accessToken == null) {
     throw new IllegalStateException("accessToken not set");
   }
   refreshToken = new RefreshToken(accessToken);
   refreshToken.id(KeycloakModelUtils.generateId());
   refreshToken.issuedNow();
   refreshToken.expiration(Time.currentTime() + realm.getSsoSessionIdleTimeout());
   return this;
 }
Esempio n. 3
0
    public AccessTokenResponse build() {
      if (accessToken != null) {
        event.detail(Details.TOKEN_ID, accessToken.getId());
      }

      if (refreshToken != null) {
        if (event.getEvent().getDetails().containsKey(Details.REFRESH_TOKEN_ID)) {
          event.detail(Details.UPDATED_REFRESH_TOKEN_ID, refreshToken.getId());
        } else {
          event.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());
        }
      }

      AccessTokenResponse res = new AccessTokenResponse();
      if (idToken != null) {
        String encodedToken = new JWSBuilder().jsonContent(idToken).rsa256(realm.getPrivateKey());
        res.setIdToken(encodedToken);
      }
      if (accessToken != null) {
        String encodedToken =
            new JWSBuilder().jsonContent(accessToken).rsa256(realm.getPrivateKey());
        res.setToken(encodedToken);
        res.setTokenType("bearer");
        res.setSessionState(accessToken.getSessionState());
        if (accessToken.getExpiration() != 0) {
          res.setExpiresIn(accessToken.getExpiration() - Time.currentTime());
        }
      }
      if (refreshToken != null) {
        String encodedToken =
            new JWSBuilder().jsonContent(refreshToken).rsa256(realm.getPrivateKey());
        res.setRefreshToken(encodedToken);
        if (refreshToken.getExpiration() != 0) {
          res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime());
        }
      }
      int notBefore = realm.getNotBefore();
      if (client.getNotBefore() > notBefore) notBefore = client.getNotBefore();
      res.setNotBeforePolicy(notBefore);
      return res;
    }
Esempio n. 4
0
 private void setValue(CredentialEntity credentialEntity, UserCredentialModel cred) {
   byte[] salt = getSalt();
   int hashIterations = 1;
   PasswordPolicy policy = realm.getPasswordPolicy();
   if (policy != null) {
     hashIterations = policy.getHashIterations();
     if (hashIterations == -1) hashIterations = 1;
   }
   credentialEntity.setCreatedDate(Time.toMillis(Time.currentTime()));
   credentialEntity.setValue(
       new Pbkdf2PasswordEncoder(salt).encode(cred.getValue(), hashIterations));
   credentialEntity.setSalt(salt);
   credentialEntity.setHashIterations(hashIterations);
 }
Esempio n. 5
0
 public AccessTokenResponseBuilder generateIDToken() {
   if (accessToken == null) {
     throw new IllegalStateException("accessToken not set");
   }
   idToken = new IDToken();
   idToken.id(KeycloakModelUtils.generateId());
   idToken.subject(accessToken.getSubject());
   idToken.audience(client.getClientId());
   idToken.issuedNow();
   idToken.issuedFor(accessToken.getIssuedFor());
   idToken.issuer(accessToken.getIssuer());
   idToken.setSessionState(accessToken.getSessionState());
   if (realm.getAccessTokenLifespan() > 0) {
     idToken.expiration(Time.currentTime() + realm.getAccessTokenLifespan());
   }
   transformIDToken(
       session, idToken, realm, client, userSession.getUser(), userSession, clientSession);
   return this;
 }
Esempio n. 6
0
  public AccessTokenResponse refreshAccessToken(
      KeycloakSession session,
      UriInfo uriInfo,
      ClientConnection connection,
      RealmModel realm,
      ClientModel authorizedClient,
      String encodedRefreshToken,
      EventBuilder event,
      HttpHeaders headers)
      throws OAuthErrorException {
    RefreshToken refreshToken = verifyRefreshToken(realm, encodedRefreshToken);

    event
        .user(refreshToken.getSubject())
        .session(refreshToken.getSessionState())
        .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());

    TokenValidation validation =
        validateToken(session, uriInfo, connection, realm, refreshToken, headers);
    // validate authorizedClient is same as validated client
    if (!validation.clientSession.getClient().getId().equals(authorizedClient.getId())) {
      throw new OAuthErrorException(
          OAuthErrorException.INVALID_GRANT,
          "Invalid refresh token. Token client and authorized client don't match");
    }

    int currentTime = Time.currentTime();
    validation.userSession.setLastSessionRefresh(currentTime);

    AccessTokenResponse res =
        responseBuilder(
                realm,
                authorizedClient,
                event,
                session,
                validation.userSession,
                validation.clientSession)
            .accessToken(validation.newToken)
            .generateIDToken()
            .generateRefreshToken()
            .build();
    return res;
  }
Esempio n. 7
0
  public Response processAccessCode(
      String scopeParam,
      String state,
      String redirect,
      ClientModel client,
      UserModel user,
      UserSessionModel session,
      String username,
      boolean rememberMe,
      String authMethod,
      Audit audit) {
    isTotpConfigurationRequired(user);
    isEmailVerificationRequired(user);

    boolean isResource = client instanceof ApplicationModel;
    AccessCodeEntry accessCode =
        tokenManager.createAccessCode(scopeParam, state, redirect, realm, client, user, session);
    accessCode.setUsername(username);
    accessCode.setRememberMe(rememberMe);
    accessCode.setAuthMethod(authMethod);

    log.debugv("processAccessCode: isResource: {0}", isResource);
    log.debugv(
        "processAccessCode: go to oauth page?: {0}",
        (!isResource
            && (accessCode.getRealmRolesRequested().size() > 0
                || accessCode.getResourceRolesRequested().size() > 0)));

    audit.detail(Details.CODE_ID, accessCode.getId());

    Set<RequiredAction> requiredActions = user.getRequiredActions();
    if (!requiredActions.isEmpty()) {
      accessCode.setRequiredActions(new HashSet<UserModel.RequiredAction>(requiredActions));
      accessCode.setExpiration(Time.currentTime() + realm.getAccessCodeLifespanUserAction());

      RequiredAction action = user.getRequiredActions().iterator().next();
      if (action.equals(RequiredAction.VERIFY_EMAIL)) {
        audit
            .clone()
            .event(EventType.SEND_VERIFY_EMAIL)
            .detail(Details.EMAIL, accessCode.getUser().getEmail())
            .success();
      }

      return Flows.forms(providerSession, realm, uriInfo)
          .setAccessCode(accessCode.getId(), accessCode.getCode())
          .setUser(user)
          .createResponse(action);
    }

    if (!isResource
        && (accessCode.getRealmRolesRequested().size() > 0
            || accessCode.getResourceRolesRequested().size() > 0)) {
      accessCode.setExpiration(Time.currentTime() + realm.getAccessCodeLifespanUserAction());
      return Flows.forms(providerSession, realm, uriInfo)
          .setAccessCode(accessCode.getId(), accessCode.getCode())
          .setAccessRequest(
              accessCode.getRealmRolesRequested(), accessCode.getResourceRolesRequested())
          .setClient(client)
          .createOAuthGrant();
    }

    if (redirect != null) {
      audit.success();
      return redirectAccessCode(accessCode, session, state, redirect, rememberMe);
    } else {
      return null;
    }
  }