Java Code Examples for org.keycloak.representations.AccessToken#isActive()

Example 1
Source File: AuthzClientRequestFactory.java — from devconf2019-authz (Apache License 2.0)
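/**
 * Attaches the caller's current authorization credential to the outgoing request as a
 * {@code Bearer} token in the {@code AUTHORIZATION_HEADER} header.
 * <p>
 * The RPT (requesting party token) cached in {@code rptStore} for the current security
 * context is preferred over the plain access token. It is only sent while it is still
 * active: an RPT that is missing, that cannot be parsed, or that is no longer active is
 * discarded from the store and the access token from the security context is sent instead,
 * so a stale or unreadable RPT never reaches the wire.
 *
 * @param request the outgoing request whose {@code Authorization} header is set
 */
@Override
protected void postProcessHttpRequest(HttpUriRequest request) {
    KeycloakSecurityContext context = this.getKeycloakSecurityContext();

    // TODO: Ideally should do it all automatically by some provided adapter/utility
    String bearerToken = rptStore.getRpt(context);
    if (bearerToken == null) {
        // No RPT cached for this context yet: fall back to the access token
        bearerToken = context.getTokenString();
    } else {
        AccessToken parsedRpt = rptStore.getParsedRpt(context);
        if (parsedRpt == null) {
            // A stored RPT that cannot be parsed is never sent as-is; drop it and fall back
            // to the access token instead of failing with a NullPointerException below.
            log.info("Stored RPT could not be parsed. Deleting it and falling back to the access token");
            rptStore.deleteCurrentRpt(servletRequest);
            bearerToken = context.getTokenString();
        } else if (!parsedRpt.isActive(10)) {
            // 10 is the time-skew tolerance (seconds) handed to isActive — presumably to absorb
            // clock drift between this client and the server; confirm the exact semantics
            // against the Keycloak version in use.
            // Just delete RPT and use accessToken instead. TODO: Will be good to have some "built-in" way to refresh RPT for clients
            log.info("Deleting expired RPT. Will need to obtain new when needed");
            rptStore.deleteCurrentRpt(servletRequest);
            bearerToken = context.getTokenString();
        }
    }

    request.setHeader(AUTHORIZATION_HEADER, "Bearer " + bearerToken);
}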
 
Example 2
Source File: AuthenticationManager.java — from keycloak (Apache License 2.0)
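/**
 * Verifies an identity token (the identity cookie or a bearer token) and resolves the user
 * and session it is bound to.
 * <p>
 * The token is parsed and its signature is verified with the realm key selected by the
 * token header ({@code kid} and {@code alg}). With {@code checkActive} the token must also
 * be active and must not have been issued before the realm's not-before time. When an online
 * user session with the token's session state exists, its user must be present and enabled
 * and the token must not predate the user's own not-before time. If the online session is not
 * valid, a non-cookie token may still be accepted against a valid offline session with the
 * same session state, subject to the same user checks. An invalid online session is logged
 * out through the back channel before the failure is reported.
 *
 * @param session          current Keycloak session
 * @param realm            realm the token must have been issued for
 * @param uriInfo          request URI info used to compute the expected realm issuer
 * @param connection       client connection forwarded to back-channel logout
 * @param checkActive      whether to enforce token expiry / not-before and the realm not-before
 * @param checkTokenType   whether to enforce the expected token type
 * @param isCookie         {@code true} when the token came from the identity cookie; such
 *                         tokens are never matched against offline sessions
 * @param tokenString      the encoded JWT
 * @param headers          request headers forwarded to back-channel logout
 * @param additionalChecks further predicates the parsed token must satisfy
 * @return the authenticated user, session and token, or {@code null} when the token fails
 *         verification, is inactive, or is not bound to a usable session
 */
public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType,
                                                boolean isCookie, String tokenString, HttpHeaders headers, Predicate<? super AccessToken>... additionalChecks) {
    try {
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
          .withDefaultChecks()
          .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
          .checkActive(checkActive)
          .checkTokenType(checkTokenType)
          .withChecks(additionalChecks);
        // The signature verifier is chosen from the (still unverified) token header; the
        // realm-side key lookup by kid/alg is what binds the token to a trusted key.
        String kid = verifier.getHeader().getKeyId();
        String algorithm = verifier.getHeader().getAlgorithm().name();

        SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
        verifier.verifierContext(signatureVerifier);

        AccessToken token = verifier.verify().getToken();
        if (checkActive) {
            // Realm-wide not-before revokes every token issued before it
            if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
                logger.debug("Identity cookie expired");
                return null;
            }
        }

        UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
        UserModel user = null;
        if (userSession != null) {
            user = userSession.getUser();
            if (user == null || !user.isEnabled()) {
                logger.debug("Unknown user in identity token");
                return null;
            }

            // Per-user not-before revokes this user's tokens issued before it
            int userNotBefore = session.users().getNotBeforeOfUser(realm, user);
            if (token.getIssuedAt() < userNotBefore) {
                logger.debug("User notBefore newer than token");
                return null;
            }
        }

        // isSessionValid / isOfflineSessionValid / backchannelLogout are defined elsewhere in
        // this class; isOfflineSessionValid is assumed to treat a null session as invalid — confirm.
        if (!isSessionValid(realm, userSession)) {
            // Check if accessToken was for the offline session.
            if (!isCookie) {
                UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
                if (isOfflineSessionValid(realm, offlineUserSession)) {
                    // Apply the same user checks as the online branch above. That branch is skipped
                    // entirely when no online session was found, so without this a disabled user or a
                    // token older than the user's not-before would be accepted via the offline session.
                    UserModel offlineUser = offlineUserSession.getUser();
                    if (offlineUser == null || !offlineUser.isEnabled()) {
                        logger.debug("Unknown or disabled user in offline session");
                    } else if (token.getIssuedAt() < session.users().getNotBeforeOfUser(realm, offlineUser)) {
                        logger.debug("User notBefore newer than token (offline session)");
                    } else {
                        return new AuthResult(offlineUser, offlineUserSession, token);
                    }
                }
            }

            if (userSession != null) backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
            logger.debug("User session not active");
            return null;
        }

        session.setAttribute("state_checker", token.getOtherClaims().get("state_checker"));

        return new AuthResult(user, userSession, token);
    } catch (VerificationException e) {
        // Debug level only: the reason is useful for troubleshooting but must not leak to callers
        logger.debugf("Failed to verify identity token: %s", e.getMessage());
    }
    return null;
}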