org.keycloak.common.VerificationException Java Examples

The following examples show how to use org.keycloak.common.VerificationException. Each example names the project and source file it was taken from.
Example #1
Source File: LoginActionsServiceChecks.java    From keycloak with Apache License 2.0
/**
 * Verifies that the client the token was issued for ({@code issuedFor}, the {@code azp} claim)
 * both exists and is enabled, and that it is the client of the current authentication session.
 *
 * @param token   the action token under verification; its {@code issuedFor} claim is compared with the session's client
 * @param context token context providing the Keycloak session and the authentication session
 * @param <T>     token type
 * @throws VerificationException as {@link ExplainedTokenVerificationException} when the client check of the
 *         {@code (KeycloakSession, ClientModel)} overload fails, or when the token's {@code issuedFor} does not
 *         match the session's client ID
 */
public static <T extends JsonWebToken> void checkIsClientValid(T token, ActionTokenContext<T> context) throws VerificationException {
    AuthenticationSessionModel currentAuthSession = context.getAuthenticationSession();
    ClientModel sessionClient = (currentAuthSession != null) ? currentAuthSession.getClient() : null;
    String issuedFor = token.getIssuedFor();

    try {
        // Existence and enabled state are checked by the (KeycloakSession, ClientModel) overload.
        checkIsClientValid(context.getSession(), sessionClient);

        // A token that names a client must be bound to the session's client. A token without an
        // issuedFor claim skips this binding check entirely.
        boolean clientMismatch = issuedFor != null && !Objects.equals(sessionClient.getClientId(), issuedFor);
        if (clientMismatch) {
            throw new ExplainedTokenVerificationException(token, Errors.CLIENT_NOT_FOUND, Messages.UNKNOWN_LOGIN_REQUESTER);
        }
    } catch (ExplainedVerificationException ex) {
        // Re-throw with the token attached so the caller can report which token was rejected.
        throw new ExplainedTokenVerificationException(token, ex);
    }
}
 
Example #2
Source File: AdapterTokenVerifier.java    From keycloak with Apache License 2.0
/**
 * Verifies the access token and, when present, the ID token of a token response. Typically called
 * right after a successful token response has been received from Keycloak.
 * <p>
 * Only the access token goes through the full verifier (signature, default checks, realm URL). The
 * ID token is parsed without a signature check and then only its {@code aud} and {@code azp} claims
 * are checked against the deployment's resource name.
 *
 * @param accessTokenString the encoded access token
 * @param idTokenString     the encoded ID token, or {@code null} if the response carried none
 * @param deployment        supplies the public keys, the realm URL and the expected client (resource) name
 * @return the parsed access token and ID token; the ID token is {@code null} when none was supplied
 * @throws VerificationException if either token fails its checks
 */
public static VerifiedTokens verifyTokens(String accessTokenString, String idTokenString, KeycloakDeployment deployment) throws VerificationException {
    // Full verification, including the signature, is done on the access token only.
    AccessToken accessToken = createVerifier(accessTokenString, deployment, true, AccessToken.class)
            .verify()
            .getToken();

    if (idTokenString == null) {
        return new VerifiedTokens(accessToken, null);
    }

    // The ID token's signature is deliberately not verified again; aud and azp are always checked.
    IDToken idToken = TokenVerifier.create(idTokenString, IDToken.class).getToken();
    String expectedClient = deployment.getResourceName();
    TokenVerifier.createWithoutSignature(idToken)
            .audience(expectedClient)
            .issuedFor(expectedClient)
            .verify();

    return new VerifiedTokens(accessToken, idToken);
}
 
Example #3
Source File: RSAVerifierTest.java    From keycloak with Apache License 2.0
/**
 * A token whose {@code nbf} lies in the future must be rejected with a {@link VerificationException}.
 */
@Test
public void testNotBeforeBad() {
    // nbf 100 seconds ahead of "now"
    token.notBefore(Time.currentTime() + 100);

    String encoded = new JWSBuilder().jsonContent(token).rsa256(idpPair.getPrivate());

    boolean rejected = false;
    try {
        verifySkeletonKeyToken(encoded);
    } catch (VerificationException expected) {
        rejected = true;
        System.out.println(expected.getMessage());
    }
    if (!rejected) {
        Assert.fail();
    }
}
 
Example #4
Source File: KeycloakSpringAdapterUtils.java    From smartling-keycloak-extras with Apache License 2.0
/**
 * Creates a new {@link RefreshableKeycloakSecurityContext} from the given {@link KeycloakDeployment} and {@link AccessTokenResponse}.
 * <p>
 * The access token is verified against the deployment's realm key and realm URL. The ID token is only
 * decoded: its payload is read without a signature or claim check, so a malformed ID token is the only
 * ID-token failure this method reports.
 *
 * @param deployment the <code>KeycloakDeployment</code> for which to create a <code>RefreshableKeycloakSecurityContext</code> (required)
 * @param accessTokenResponse the <code>AccessTokenResponse</code> from which to create a RefreshableKeycloakSecurityContext (required)
 *
 * @return a <code>RefreshableKeycloakSecurityContext</code> created from the given <code>accessTokenResponse</code>
 * @throws VerificationException if the access token fails verification or the ID token cannot be decoded
 */
public static RefreshableKeycloakSecurityContext createKeycloakSecurityContext(KeycloakDeployment deployment, AccessTokenResponse accessTokenResponse) throws VerificationException {
    String accessTokenString = accessTokenResponse.getToken();
    String idTokenString = accessTokenResponse.getIdToken();

    // Signature and realm checks happen here; a failure propagates as VerificationException.
    AccessToken accessToken = RSATokenVerifier.verifyToken(
            accessTokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());

    IDToken idToken = decodeIdTokenPayload(idTokenString);

    // FIXME: does it make sense to pass null for the token store?
    return new RefreshableKeycloakSecurityContext(
            deployment, null, accessTokenString, accessToken, idTokenString, idToken, accessTokenResponse.getRefreshToken());
}

/**
 * Reads the ID token payload without verifying its signature.
 *
 * @throws VerificationException wrapping the {@link JWSInputException} if the token cannot be decoded
 */
private static IDToken decodeIdTokenPayload(String idTokenString) throws VerificationException {
    try {
        return new JWSInput(idTokenString).readJsonContent(IDToken.class);
    } catch (JWSInputException e) {
        throw new VerificationException("Unable to verify ID token", e);
    }
}
 
Example #5
Source File: KeycloakOauthPolicy.java    From apiman-plugins with Apache License 2.0
/**
 * Verifies the raw bearer token against the realm certificate configured on the policy and, on
 * success, applies the configured propagation steps to the request (Kerberos ticket delegation,
 * forwarded headers, stripping of auth tokens, forwarded roles) and records the user on the
 * request metric when one is present.
 *
 * @param successStatus holder that receives {@code true} on success and {@code false} on rejection
 * @param request       the request carrying the token
 * @param context       policy context; source of the request metric
 * @param config        policy configuration (realm, realm certificate, forwarding options)
 * @param chain         policy chain; failed with a verification-exception failure when the token is rejected
 * @param rawToken      the encoded token as received from the client
 * @return {@code successStatus} after its value has been set
 */
private Holder<Boolean> doTokenAuth(Holder<Boolean> successStatus, ApiRequest request,
        IPolicyContext context, KeycloakOauthConfigBean config, IPolicyChain<ApiRequest> chain,
        String rawToken) {
    try {
        // Signature check against the realm certificate from the policy configuration.
        AccessToken verifiedToken = RSATokenVerifier.verifyToken(
                rawToken, config.getRealmCertificate().getPublicKey(), config.getRealm());

        delegateKerberosTicket(request, config, verifiedToken);
        forwardHeaders(request, config, rawToken, verifiedToken);
        stripAuthTokens(request, config);
        forwardAuthRoles(context, config, verifiedToken);

        RequestMetric requestMetric = context.getAttribute(PolicyContextKeys.REQUEST_METRIC, (RequestMetric) null);
        if (requestMetric != null) {
            requestMetric.setUser(verifiedToken.getPreferredUsername());
        }

        return successStatus.setValue(true);
    } catch (VerificationException e) {
        // NOTE(review): the rejection is written to stdout rather than to the policy's logger.
        System.out.println(e);
        chain.doFailure(failureFactory.verificationException(context, e));
        return successStatus.setValue(false);
    }
}
 
Example #6
Source File: KeycloakDirectAccessGrantService.java    From smartling-keycloak-extras with Apache License 2.0
/**
 * Authenticates the user with a resource owner password credentials grant against the deployment's
 * token endpoint and wraps the returned tokens in a {@link RefreshableKeycloakSecurityContext}.
 *
 * @param username sent as the {@code username} form field
 * @param password sent as the {@code password} form field
 * @return security context built from the token response
 * @throws VerificationException if the returned tokens fail verification
 */
@Override
public RefreshableKeycloakSecurityContext login(String username, String password) throws VerificationException {
    HttpHeaders requestHeaders = new HttpHeaders();
    requestHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
    requestHeaders.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));

    MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
    form.set("username", username);
    form.set("password", password);
    form.set(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD);

    HttpEntity<MultiValueMap<String, String>> tokenRequest = new HttpEntity<>(form, requestHeaders);
    AccessTokenResponse tokenResponse = template.postForObject(
            keycloakDeployment.getTokenUrl(), tokenRequest, AccessTokenResponse.class);

    return KeycloakSpringAdapterUtils.createKeycloakSecurityContext(keycloakDeployment, tokenResponse);
}
 
Example #7
Source File: AdapterTokenVerifier.java    From keycloak with Apache License 2.0
/**
 * Creates a verifier for {@code tokenString}, wires in the public key that the deployment holds for
 * the token's {@code kid} header, and optionally registers the default checks (activeness, token
 * type) together with the realm URL check. Useful if the caller wants to add, remove or update
 * checks before calling {@code verify()}.
 * <p>
 * With {@code withDefaultChecks == false} only the signature is checked by the returned verifier;
 * expiry, token type and issuer are then the caller's responsibility.
 *
 * @param tokenString       the encoded token
 * @param deployment        source of the realm URL and of the public key matching the token's {@code kid}
 * @param withDefaultChecks whether to register the default checks and the realm URL check
 * @param tokenClass        token type to deserialize into
 * @param <T>               token type
 * @return the configured verifier; {@code verify()} has not been called on it
 * @throws VerificationException if the token cannot be parsed (key resolution failures presumably surface here too)
 */
public static <T extends JsonWebToken> TokenVerifier<T> createVerifier(String tokenString, KeycloakDeployment deployment, boolean withDefaultChecks, Class<T> tokenClass) throws VerificationException {
    TokenVerifier<T> verifier = TokenVerifier.create(tokenString, tokenClass);

    if (withDefaultChecks) {
        verifier.withDefaultChecks();
        verifier.realmUrl(deployment.getRealmInfoUrl());
    }

    // The key is looked up by the kid the token itself advertises, but only among the keys the
    // deployment provides, so an unknown kid cannot introduce a foreign key.
    String keyId = verifier.getHeader().getKeyId();
    verifier.publicKey(getPublicKey(keyId, deployment));

    return verifier;
}
 
Example #8
Source File: ProductServiceAccountServlet.java    From keycloak with Apache License 2.0
/**
 * Verifies the tokens of a token response and stores the raw access token, the raw refresh token
 * and the parsed access token in the HTTP session under {@code TOKEN}, {@code REFRESH_TOKEN} and
 * {@code TOKEN_PARSED}.
 *
 * @param req           request whose session receives the tokens
 * @param deployment    deployment used for verification
 * @param tokenResponse token response from Keycloak
 * @throws IOException           declared for callers; nothing here throws it directly
 * @throws VerificationException if the access or ID token fails verification; nothing is stored then
 */
private void setTokens(HttpServletRequest req, KeycloakDeployment deployment, AccessTokenResponse tokenResponse) throws IOException, VerificationException {
    String accessTokenString = tokenResponse.getToken();

    // Verify first so that a rejected token never reaches the session.
    AdapterTokenVerifier.VerifiedTokens verified =
            AdapterTokenVerifier.verifyTokens(accessTokenString, tokenResponse.getIdToken(), deployment);

    req.getSession().setAttribute(TOKEN, accessTokenString);
    req.getSession().setAttribute(REFRESH_TOKEN, tokenResponse.getRefreshToken());
    req.getSession().setAttribute(TOKEN_PARSED, verified.getAccessToken());
}
 
Example #9
Source File: OAuthClient.java    From keycloak with Apache License 2.0
/**
 * Decodes {@code token}, verifies its signature with the realm public key selected by the token's
 * {@code kid} and {@code alg} headers, and returns the parsed token.
 *
 * @param token encoded JWS
 * @param clazz token type to deserialize into
 * @param <T>   token type
 * @return the verified, parsed token
 * @throws RuntimeException wrapping the {@link VerificationException} when decoding or verification fails
 */
public <T extends JsonWebToken> T verifyToken(String token, Class<T> clazz) {
    try {
        TokenVerifier<T> verifier = TokenVerifier.create(token, clazz);
        String keyId = verifier.getHeader().getKeyId();
        String alg = verifier.getHeader().getAlgorithm().name();
        KeyWrapper realmKey = getRealmPublicKey(realm, alg, keyId);

        // ES* tokens go through the server-side ECDSA context (which handles the signature
        // encoding); everything else uses the generic asymmetric context.
        boolean ecdsa = Algorithm.ES256.equals(alg) || Algorithm.ES384.equals(alg) || Algorithm.ES512.equals(alg);
        AsymmetricSignatureVerifierContext verifierContext = ecdsa
                ? new ServerECDSASignatureVerifierContext(realmKey)
                : new AsymmetricSignatureVerifierContext(realmKey);

        verifier.verifierContext(verifierContext);
        verifier.verify();
        return verifier.getToken();
    } catch (VerificationException e) {
        throw new RuntimeException("Failed to decode token", e);
    }
}
 
Example #10
Source File: TokenManager.java    From keycloak with Apache License 2.0
/**
 * Checks that the user behind {@code userSession} may still use {@code token}: the user exists and
 * is enabled, the token passes the not-before check for that user and realm, and the token was not
 * issued before the user session started (one second of tolerance).
 *
 * @param session     current session, used for the not-before check
 * @param realm       realm of the user
 * @param token       the access token being validated
 * @param userSession the user session the token is presented with
 * @return {@code true} if every check passes, {@code false} otherwise
 */
private boolean isUserValid(KeycloakSession session, RealmModel realm, AccessToken token, UserSessionModel userSession) {
    UserModel user = userSession.getUser();
    if (user == null || !user.isEnabled()) {
        return false;
    }

    // Not-before check only; the signature was already verified by the caller's verifier.
    try {
        TokenVerifier.createWithoutSignature(token)
                .withChecks(NotBeforeCheck.forModel(session, realm, user))
                .verify();
    } catch (VerificationException e) {
        return false;
    }

    // A token that predates the session it is presented with does not belong to that session.
    boolean issuedBeforeSession = token.getIssuedAt() + 1 < userSession.getStarted();
    return !issuedBeforeSession;
}
 
Example #11
Source File: TokenVerifier.java    From keycloak with Apache License 2.0
/**
 * Wraps {@code mandatoryPredicate} so that it is still evaluated (with failures logged at
 * {@code FINER}) but can never make the verification fail: the returned predicate passes whether
 * the wrapped one returns {@code false} or throws {@link VerificationException}.
 *
 * @param <T>                token type
 * @param mandatoryPredicate the predicate to run on a best-effort basis
 * @return a predicate that always returns {@code true}
 */
public static <T extends JsonWebToken> Predicate<T> optional(final Predicate<T> mandatoryPredicate) {
    return t -> {
        boolean passed;
        try {
            passed = mandatoryPredicate.test(t);
        } catch (VerificationException ex) {
            LOG.log(Level.FINER, "[optional] predicate " + mandatoryPredicate + " failed.", ex);
            return true;
        }
        if (!passed) {
            LOG.finer("[optional] predicate failed: " + mandatoryPredicate);
        }
        return true;
    };
}
 
Example #12
Source File: LoginActionsServiceChecks.java    From keycloak with Apache License 2.0
/**
 * Verifies that the user with {@code userId} exists in {@code realm} and is enabled. On success it
 * optionally hands the user to {@code userSetter} (e.g. to place it in the session context).
 *
 * @param session    session used to look the user up
 * @param realm      realm the user must belong to
 * @param userId     user ID from the token; {@code null} is treated as "not found"
 * @param userSetter receiver for the resolved user, may be {@code null}
 * @throws VerificationException as {@link ExplainedVerificationException} with {@code USER_NOT_FOUND} when the user
 *         is missing or {@code USER_DISABLED} when the user is disabled (both shown as {@code INVALID_USER})
 */
public static void checkIsUserValid(KeycloakSession session, RealmModel realm, String userId, Consumer<UserModel> userSetter) throws VerificationException {
    if (userId == null) {
        throw new ExplainedVerificationException(Errors.USER_NOT_FOUND, Messages.INVALID_USER);
    }

    UserModel user = session.users().getUserById(userId, realm);
    if (user == null) {
        throw new ExplainedVerificationException(Errors.USER_NOT_FOUND, Messages.INVALID_USER);
    }
    // A disabled account must not be able to complete an action-token flow.
    if (!user.isEnabled()) {
        throw new ExplainedVerificationException(Errors.USER_DISABLED, Messages.INVALID_USER);
    }

    if (userSetter != null) {
        userSetter.accept(user);
    }
}
 
Example #13
Source File: LoginActionsServiceChecks.java    From keycloak with Apache License 2.0
/**
 * Verifies that the authentication session has not yet been converted to a user session, i.e. that
 * the user has not already completed authentication and logged in. If a user session exists for
 * {@code authSessionId} and neither it nor the cookie's authentication session has pending required
 * actions, an "already logged in" info page is raised instead of continuing the flow.
 *
 * @param context               token context (session, realm, authentication session)
 * @param authSessionFromCookie authentication session from the browser cookie, may be {@code null}
 * @param authSessionId         ID to look up as a user session; {@code null} skips the check
 * @param <T>                   token type
 * @throws VerificationException as {@link LoginActionsServiceException} carrying the info page response
 */
public static <T extends JsonWebToken> void checkNotLoggedInYet(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionId) throws VerificationException {
    if (authSessionId == null) {
        return;
    }

    KeycloakSession session = context.getSession();
    UserSessionModel userSession = session.sessions().getUserSession(context.getRealm(), authSessionId);
    if (userSession == null) {
        return;
    }

    boolean userSessionPending = userSession.getUser().getRequiredActions() != null
            && !userSession.getUser().getRequiredActions().isEmpty();
    boolean cookieSessionPending = authSessionFromCookie != null
            && authSessionFromCookie.getRequiredActions() != null
            && !authSessionFromCookie.getRequiredActions().isEmpty();

    // Pending required actions mean the login is not finished yet; let the flow continue.
    if (userSessionPending || cookieSessionPending) {
        return;
    }

    LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class)
            .setAuthenticationSession(context.getAuthenticationSession())
            .setSuccess(Messages.ALREADY_LOGGED_IN);
    if (session.getContext().getClient() == null) {
        // No client in the session context; SKIP_LINK presumably suppresses the back-to-application link.
        infoPage.setAttribute(Constants.SKIP_LINK, true);
    }

    throw new LoginActionsServiceException(infoPage.createInfoPage());
}
 
Example #14
Source File: ClientECDSASignatureVerifierContext.java    From keycloak with Apache License 2.0
/**
 * Resolves the client's public key for the given JWS through the public key storage.
 *
 * @param session current session
 * @param client  client whose key is requested
 * @param input   the JWS whose header selects the key
 * @return the resolved key, never {@code null}
 * @throws VerificationException if the storage has no key for this client and input
 */
private static KeyWrapper getKey(KeycloakSession session, ClientModel client, JWSInput input) throws VerificationException {
    KeyWrapper resolved = PublicKeyStorageManager.getClientPublicKeyWrapper(session, client, input);
    if (resolved != null) {
        return resolved;
    }
    throw new VerificationException("Key not found");
}
 
Example #15
Source File: ServerECDSASignatureVerifierContext.java    From keycloak with Apache License 2.0
/**
 * Verifies an ECDSA signature, accepting both the JOSE concatenated {@code R||S} encoding and, for
 * backwards compatibility, the ASN.1 DER encoding (see the fallback comment below).
 *
 * @param data      the signed bytes
 * @param signature signature bytes, either {@code R||S} of the algorithm's expected length or DER
 * @return whether the signature verifies
 * @throws VerificationException on any failure, including a malformed or empty signature
 */
@Override
public boolean verify(byte[] data, byte[] signature) throws VerificationException {
    try {
        int concatenatedLength = ECDSASignatureProvider.ECDSA.valueOf(getAlgorithm()).getSignatureLength();

        /*
        Fallback for backwards compatibility of ECDSA signed tokens which were issued in previous versions.
        TODO remove by https://issues.jboss.org/browse/KEYCLOAK-11911
         */
        // A DER SEQUENCE starts with 0x30; only a signature that is not R||S-sized is taken as DER.
        boolean looksLikeDer = signature.length != concatenatedLength && signature[0] == 0x30;
        byte[] derSignature;
        if (looksLikeDer) {
            derSignature = signature;
        } else {
            derSignature = ECDSASignatureProvider.concatenatedRSToASN1DER(signature, concatenatedLength);
        }
        return super.verify(data, derSignature);
    } catch (Exception e) {
        // Every failure (an empty signature hits the index above) is reported as a verification failure.
        throw new VerificationException("Signing failed", e);
    }
}
 
Example #16
Source File: ClientECDSASignatureVerifierContext.java    From keycloak with Apache License 2.0
/**
 * Verifies an ECDSA signature, accepting both the JOSE concatenated {@code R||S} encoding and, for
 * backwards compatibility, the ASN.1 DER encoding (see the fallback comment below).
 *
 * @param data      the signed bytes
 * @param signature signature bytes, either {@code R||S} of the algorithm's expected length or DER
 * @return whether the signature verifies
 * @throws VerificationException on any failure, including a malformed or empty signature
 */
@Override
public boolean verify(byte[] data, byte[] signature) throws VerificationException {
    try {
        int concatenatedLength = ECDSASignatureProvider.ECDSA.valueOf(getAlgorithm()).getSignatureLength();

        /*
        Fallback for backwards compatibility of ECDSA signed tokens which were issued in previous versions.
        TODO remove by https://issues.jboss.org/browse/KEYCLOAK-11911
         */
        // A DER SEQUENCE starts with 0x30; only a signature that is not R||S-sized is taken as DER.
        boolean looksLikeDer = signature.length != concatenatedLength && signature[0] == 0x30;
        byte[] derSignature;
        if (looksLikeDer) {
            derSignature = signature;
        } else {
            derSignature = ECDSASignatureProvider.concatenatedRSToASN1DER(signature, concatenatedLength);
        }
        return super.verify(data, derSignature);
    } catch (Exception e) {
        // Every failure (an empty signature hits the index above) is reported as a verification failure.
        throw new VerificationException("Signing failed", e);
    }
}
 
Example #17
Source File: PreAuthActionsHandler.java    From keycloak with Apache License 2.0
/**
 * Reads the admin action token from the request body and checks its signature only; the remaining
 * claims are validated later in {@code validateAction}. Requests over plain HTTP are refused when the
 * deployment requires SSL for the client's address. Every rejection sends a 403 and yields
 * {@code null}.
 *
 * @return the JWS wrapping the token, or {@code null} after a 403 has been sent
 * @throws Exception from reading the body, sending the error or constructing the JWS
 */
protected JWSInput verifyAdminRequest() throws Exception {
    boolean plainHttp = !facade.getRequest().isSecure();
    if (plainHttp && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
        log.warn("SSL is required for adapter admin action");
        facade.getResponse().sendError(403, "ssl required");
        return null;
    }

    String token = StreamUtil.readString(facade.getRequest().getInputStream());
    if (token == null) {
        log.warn("admin request failed, no token");
        facade.getResponse().sendError(403, "no token");
        return null;
    }

    try {
        // Signature only (withDefaultChecks = false). Other things checked in validateAction.
        TokenVerifier<JsonWebToken> signatureCheck =
                AdapterTokenVerifier.createVerifier(token, deployment, false, JsonWebToken.class);
        signatureCheck.verify();
    } catch (VerificationException rejected) {
        log.warn("admin request failed, unable to verify token: " + rejected.getMessage());
        if (log.isDebugEnabled()) {
            log.debug(rejected.getMessage(), rejected);
        }
        facade.getResponse().sendError(403, "token failed verification");
        return null;
    }

    return new JWSInput(token);
}
 
Example #18
Source File: AbstractSamlAuthenticationHandler.java    From keycloak with Apache License 2.0
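/**
 * Verifies the signature of a SAML redirect-binding message ({@code SAMLRequest} or
 * {@code SAMLResponse}, selected by {@code paramKey}).
 * <p>
 * The signed data is rebuilt from the received query parameters in the fixed order
 * {@code paramKey}, {@code RelayState} (if present), {@code SigAlg}, and checked against the
 * {@code Signature} parameter with the key resolved through {@code keyLocator}/{@code keyId}.
 * The algorithm is taken from the {@code SigAlg} parameter, which is itself part of the signed data.
 *
 * @param paramKey   name of the message parameter ({@code SAMLRequest} or {@code SAMLResponse})
 * @param keyLocator locator for the signing key
 * @param keyId      ID of the key to use; interpretation is up to the locator
 * @throws VerificationException if a required parameter is missing, the signature does not verify,
 *         or decoding / key lookup fails (the underlying exception is attached as the cause)
 */
private void verifyRedirectBindingSignature(String paramKey, KeyLocator keyLocator, String keyId) throws VerificationException {
    String request = facade.getRequest().getQueryParamValue(paramKey);
    String algorithm = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
    String signature = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);

    if (request == null) {
        throw new VerificationException("SAML Request was null");
    }
    if (algorithm == null) {
        throw new VerificationException("SigAlg was null");
    }
    if (signature == null) {
        throw new VerificationException("Signature was null");
    }

    // Shibboleth doesn't sign the document for redirect binding.
    // todo maybe a flag?

    // Rebuild the exact byte sequence the sender signed: message, optional RelayState, SigAlg.
    String relayState = facade.getRequest().getQueryParamValue(GeneralConstants.RELAY_STATE);
    KeycloakUriBuilder builder = KeycloakUriBuilder.fromPath("/")
            .queryParam(paramKey, request);
    if (relayState != null) {
        builder.queryParam(GeneralConstants.RELAY_STATE, relayState);
    }
    builder.queryParam(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, algorithm);
    String rawQuery = builder.build().getRawQuery();

    try {
        //byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature);
        byte[] decodedSignature = Base64.decode(signature);
        byte[] rawQueryBytes = rawQuery.getBytes("UTF-8");

        // Same SigAlg value that was validated above and included in the signed query.
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(algorithm);

        if (! validateRedirectBindingSignature(signatureAlgorithm, rawQueryBytes, decodedSignature, keyLocator, keyId)) {
            throw new VerificationException("Invalid query param signature");
        }
    } catch (VerificationException e) {
        // Keep the specific verification error rather than wrapping it in a second VerificationException.
        throw e;
    } catch (Exception e) {
        throw new VerificationException(e);
    }
}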
 
Example #19
Source File: KeycloakInstalled.java    From keycloak with Apache License 2.0
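/**
 * Verifies the tokens in {@code tokenResponse} and, only if verification succeeds, stores the
 * response, the raw token strings and the parsed tokens in this instance.
 * <p>
 * All fields are assigned after {@code verifyTokens} returns, so a rejected response leaves the
 * previously held state untouched instead of mixing unverified token strings with stale parsed tokens.
 *
 * @param tokenResponse token response from Keycloak
 * @throws VerificationException if the access or ID token fails verification; no field is modified then
 */
private void parseAccessToken(AccessTokenResponse tokenResponse) throws VerificationException {
    String newTokenString = tokenResponse.getToken();
    String newIdTokenString = tokenResponse.getIdToken();

    AdapterTokenVerifier.VerifiedTokens tokens =
            AdapterTokenVerifier.verifyTokens(newTokenString, newIdTokenString, deployment);

    this.tokenResponse = tokenResponse;
    tokenString = newTokenString;
    refreshToken = tokenResponse.getRefreshToken();
    idTokenString = newIdTokenString;
    token = tokens.getAccessToken();
    idToken = tokens.getIdToken();
}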
 
Example #20
Source File: AdapterTokenVerifier.java    From keycloak with Apache License 2.0
/**
 * Verifies a bearer (access) token presented to this service: signature, default checks and realm
 * URL via {@code createVerifier}, plus the audience when {@code deployment.isVerifyTokenAudience()}
 * is set.
 * <p>
 * With audience verification disabled, this method also accepts a token of the same realm that was
 * issued for a different client; nothing else here binds the token to this service.
 *
 * @param tokenString the encoded access token
 * @param deployment  supplies keys, realm URL, the resource name and the audience-check switch
 * @return the verified, parsed access token
 * @throws VerificationException if any registered check fails
 */
public static AccessToken verifyToken(String tokenString, KeycloakDeployment deployment) throws VerificationException {
    TokenVerifier<AccessToken> verifier = createVerifier(tokenString, deployment, true, AccessToken.class);

    boolean checkAudience = deployment.isVerifyTokenAudience();
    if (checkAudience) {
        // A bearer token must name this service (its resource name) in aud.
        verifier.audience(deployment.getResourceName());
    }

    AccessToken verified = verifier.verify().getToken();
    return verified;
}
 
Example #21
Source File: RSAVerifierTest.java    From keycloak with Apache License 2.0
/**
 * A token whose {@code exp} lies in the future must pass verification; a
 * {@link VerificationException} propagates and fails the test.
 */
@Test
public void testExpirationGood() throws Exception {
    // exp 100 seconds ahead of "now"
    token.expiration(Time.currentTime() + 100);

    String encoded = new JWSBuilder().jsonContent(token).rsa256(idpPair.getPrivate());

    // Any VerificationException propagates unchanged and is reported as a test failure.
    verifySkeletonKeyToken(encoded);
}
 
Example #22
Source File: AsymmetricSignatureVerifierContext.java    From keycloak with Apache License 2.0
/**
 * Verifies {@code signature} over {@code data} with the JCA algorithm mapped from the wrapped
 * key's algorithm and the key's public half.
 *
 * @param data      the signed bytes
 * @param signature signature bytes in the encoding the JCA algorithm expects
 * @return whether the signature verifies
 * @throws VerificationException if the algorithm is unavailable, the key cannot be used, or the
 *         signature bytes are malformed (the underlying exception is attached as the cause)
 */
@Override
public boolean verify(byte[] data, byte[] signature) throws VerificationException {
    try {
        String jcaAlgorithm = JavaAlgorithm.getJavaAlgorithm(key.getAlgorithm());
        Signature jcaVerifier = Signature.getInstance(jcaAlgorithm);
        jcaVerifier.initVerify((PublicKey) key.getPublicKey());
        jcaVerifier.update(data);
        return jcaVerifier.verify(signature);
    } catch (Exception e) {
        throw new VerificationException("Signing failed", e);
    }
}
 
Example #23
Source File: LoginActionsService.java    From keycloak with Apache License 2.0
/**
 * Common failure path for action-token verification: discards the authentication session attached
 * to the token context (if any), records the failure on the event and renders an error page.
 *
 * @param tokenContext context of the failed token, may be {@code null}
 * @param ex           the verification failure, may be {@code null}; its message becomes the event reason
 * @param eventError   error code for the event; {@code Errors.INVALID_CODE} when {@code null}
 * @param errorMessage message key for the error page; {@code Messages.INVALID_CODE} when {@code null}
 * @return a {@code 400 Bad Request} error page response
 */
private Response handleActionTokenVerificationException(ActionTokenContext<?> tokenContext, VerificationException ex, String eventError, String errorMessage) {
    boolean hasAuthSession = tokenContext != null && tokenContext.getAuthenticationSession() != null;
    if (hasAuthSession) {
        // Drop the session so the rejected token cannot be used to continue a half-finished flow.
        new AuthenticationSessionManager(session).removeAuthenticationSession(realm, tokenContext.getAuthenticationSession(), true);
    }

    String reason = (ex != null) ? ex.getMessage() : "<unknown>";
    String error = (eventError != null) ? eventError : Errors.INVALID_CODE;
    String message = (errorMessage != null) ? errorMessage : Messages.INVALID_CODE;

    event.detail(Details.REASON, reason).error(error);
    return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, message);
}
 
Example #24
Source File: LoginActionsService.java    From keycloak with Apache License 2.0
/**
 * Looks up the {@link ActionTokenHandler} registered under {@code actionId}.
 *
 * @param actionId the action token operation named by the token, may be {@code null}
 * @param <T>      token type handled
 * @return the handler, never {@code null}
 * @throws VerificationException if no action ID was given or no handler is registered for it
 */
private <T extends JsonWebToken> ActionTokenHandler<T> resolveActionTokenHandler(String actionId) throws VerificationException {
    if (actionId == null) {
        throw new VerificationException("Action token operation not set");
    }

    // Provider lookup keyed by the action ID; the raw-to-generic assignment is unchecked.
    ActionTokenHandler<T> handler = session.getProvider(ActionTokenHandler.class, actionId);
    if (handler != null) {
        return handler;
    }
    throw new VerificationException("Invalid action token operation");
}
 
Example #25
Source File: LoginActionsServiceChecks.java    From keycloak with Apache License 2.0
/**
 * Single-use check for action tokens: fails if the token is already present in the action token
 * store (presumably recorded there when it was consumed).
 * <p>
 * This method only reads the store; it does not itself mark the token as used.
 *
 * @param token   the action token under verification
 * @param context token context providing the session
 * @param <T>     token type
 * @throws VerificationException as {@link ExplainedTokenVerificationException} with {@code EXPIRED_CODE} /
 *         {@code EXPIRED_ACTION} when the token has already been used
 */
public static <T extends JsonWebToken & ActionTokenKeyModel> void checkTokenWasNotUsedYet(T token, ActionTokenContext<T> context) throws VerificationException {
    ActionTokenStoreProvider usedTokens = context.getSession().getProvider(ActionTokenStoreProvider.class);

    boolean alreadyUsed = usedTokens.get(token) != null;
    if (alreadyUsed) {
        throw new ExplainedTokenVerificationException(token, Errors.EXPIRED_CODE, Messages.EXPIRED_ACTION);
    }
}
 
Example #26
Source File: LoginActionsServiceChecks.java    From keycloak with Apache License 2.0
/**
 *  This check verifies that the current authentication session is consistent with the one specified in the token.
 *  Examples:
 *  <ul>
 *      <li>1. Email from administrator with reset e-mail - token does not contain auth session ID</li>
 *      <li>2. Email from "verify e-mail" step within flow - token contains auth session ID.</li>
 *      <li>3. User clicked the link in an e-mail and gets to a new browser - authentication session cookie is not set</li>
 *      <li>4. User clicked the link in an e-mail while having authentication running - authentication session cookie
 *             is already set in the browser</li>
 *  </ul>
 *
 *  <ul>
 *      <li>For combinations 1 and 3, 1 and 4, and 2 and 3: Requests next step</li>
 *      <li>For combination 2 and 4:
 *          <ul>
 *          <li>If the auth session IDs from token and cookie match, pass</li>
 *          <li>Else if the auth session from cookie was forked and its parent auth session ID
 *              matches that of token, replaces current auth session with that of parent and passes</li>
 *          <li>Else the check does not pass (returns {@code false}) and the caller is expected to restart the flow</li>
 *          </ul>
 *      </li>
 *  </ul>
 *
 *  When the check passes, it also sets the authentication session in the token context accordingly.
 *
 *  @param context                        token context that receives the matching authentication session
 *  @param authSessionFromCookie          authentication session identified by the browser cookie
 *  @param authSessionCompoundIdFromToken compound auth session ID carried by the token, may be {@code null}
 *  @param <T>                            token type
 *  @return {@code true} if the context was switched to an authentication session matching the token,
 *          {@code false} otherwise
 */
public static <T extends JsonWebToken> boolean doesAuthenticationSessionFromCookieMatchOneFromToken(
        ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken) throws VerificationException {
    // Combination 1: the token names no auth session, so there is nothing to match.
    if (authSessionCompoundIdFromToken == null) {
        return false;
    }

    String compoundIdFromCookie = AuthenticationSessionCompoundId.fromAuthSession(authSessionFromCookie).getEncodedId();
    if (Objects.equals(compoundIdFromCookie, authSessionCompoundIdFromToken)) {
        // Cookie and token refer to the same auth session: continue with it.
        context.setAuthenticationSession(authSessionFromCookie, false);
        return true;
    }

    // Check if it's forked session. It would have same parent (rootSession) as our browser authenticationSession
    String parentTabId = authSessionFromCookie.getAuthNote(AuthenticationProcessor.FORKED_FROM);
    if (parentTabId == null) {
        return false;
    }

    AuthenticationSessionModel authSessionFromParent = authSessionFromCookie.getParentSession()
            .getAuthenticationSession(authSessionFromCookie.getClient(), parentTabId);
    if (authSessionFromParent == null) {
        return false;
    }

    // It's the correct browser. We won't continue login
    // from the login form (browser flow) but from the token's flow
    // Don't expire KC_RESTART cookie at this point
    LOG.debugf("Switched to forked tab: %s from: %s . Root session: %s",
            authSessionFromParent.getTabId(), authSessionFromCookie.getTabId(), authSessionFromCookie.getParentSession().getId());

    context.setAuthenticationSession(authSessionFromParent, false);
    context.setExecutionId(authSessionFromParent.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION));
    return true;
}
 
Example #27
Source File: LoginActionsServiceChecks.java    From keycloak with Apache License 2.0
/**
 * Redirect URI check for action tokens: when a {@code redirectUri} is set, it must be accepted by
 * {@link RedirectUtils#verifyRedirectUri} for the authentication session's client; otherwise the
 * token is rejected. This keeps an action-token link from sending the user to an arbitrary URL
 * once the action completes.
 *
 * @param t the token under verification
 * @return {@code true} when no redirect URI is set or it is valid for the client
 * @throws VerificationException as {@link ExplainedTokenVerificationException} with
 *         {@code INVALID_REDIRECT_URI} when the URI is not valid for the client
 */
@Override
public boolean test(JsonWebToken t) throws VerificationException {
    if (redirectUri == null) {
        return true;
    }

    ClientModel client = context.getAuthenticationSession().getClient();
    boolean redirectUriAccepted = RedirectUtils.verifyRedirectUri(context.getSession(), redirectUri, client) != null;
    if (redirectUriAccepted) {
        return true;
    }
    throw new ExplainedTokenVerificationException(t, Errors.INVALID_REDIRECT_URI, Messages.INVALID_REDIRECT_URI);
}
 
Example #28
Source File: LoginActionsServiceChecks.java    From keycloak with Apache License 2.0
/**
 * Verifies that the user named by the token's {@code userId} exists in the current realm and is
 * enabled, and on success sets that user as the authenticated user of the authentication session.
 * Failures are re-thrown as {@link ExplainedTokenVerificationException} carrying the token.
 * <p>
 * NOTE(review): the setter is a method reference on {@code context.getAuthenticationSession()},
 * which is resolved before the check runs; a missing authentication session would surface as an
 * NPE rather than a verification error — confirm callers always have one.
 *
 * @param token   the action token under verification
 * @param context token context providing session, realm and authentication session
 * @param <T>     token type
 * @throws VerificationException when the user is missing or disabled
 */
public static <T extends JsonWebToken & ActionTokenKeyModel> void checkIsUserValid(T token, ActionTokenContext<T> context) throws VerificationException {
    AuthenticationSessionModel authSession = context.getAuthenticationSession();
    try {
        checkIsUserValid(context.getSession(), context.getRealm(), token.getUserId(), authSession::setAuthenticatedUser);
    } catch (ExplainedVerificationException ex) {
        throw new ExplainedTokenVerificationException(token, ex);
    }
}
 
Example #29
Source File: KeycloakDirectAccessGrantAuthenticationProvider.java    From teiid-spring-boot with Apache License 2.0
/**
 * Authenticates a username/password pair with a Keycloak direct access (resource owner password) grant.
 *
 * @param authentication must be a {@link UsernamePasswordAuthenticationToken}; its name and credentials are used
 * @return the authentication produced by {@code directGrantAuth}
 * @throws AuthenticationCredentialsNotFoundException if the token carries no credentials
 * @throws KeycloakAuthenticationException if the grant request fails or the returned tokens do not verify
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // NOTE(review): lazy, unsynchronized initialization of the deployment — fine only if this provider
    // is not used concurrently; confirm.
    if (deployment == null) {
        deployment = resolver.resolve(null);
    }

    UsernamePasswordAuthenticationToken credentials = (UsernamePasswordAuthenticationToken) authentication;
    Object secret = credentials.getCredentials();
    if (secret == null) {
        throw new AuthenticationCredentialsNotFoundException("");
    }

    try {
        return directGrantAuth(credentials.getName(), secret.toString());
    } catch (VerificationException | IOException e) {
        throw new KeycloakAuthenticationException(e.getMessage(), e);
    }
}
 
Example #30
Source File: RSAVerifierTest.java    From keycloak with Apache License 2.0
/**
 * A token whose {@code exp} lies in the past must be rejected with a {@link VerificationException}.
 */
@Test
public void testExpirationBad() {
    // exp 100 seconds before "now"
    token.expiration(Time.currentTime() - 100);

    String encoded = new JWSBuilder().jsonContent(token).rsa256(idpPair.getPrivate());

    boolean rejected = false;
    try {
        verifySkeletonKeyToken(encoded);
    } catch (VerificationException expected) {
        rejected = true;
    }
    if (!rejected) {
        Assert.fail();
    }
}
}