Java Code Examples for org.keycloak.representations.AccessToken#setRealmAccess()

The following examples show how to use org.keycloak.representations.AccessToken#setRealmAccess() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: RoleResolveUtil.java    From keycloak with Apache License 2.0 6 votes vote down vote up
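/**
 * Adds {@code role} to {@code token}: under the realm access when the role's container is the
 * realm, otherwise under the resource access of the client that owns the role.
 * <p>
 * If the relevant {@code Access} entry already lists the role, the token is left untouched.
 * Missing entries are created on demand; a client entry created for a client that requires
 * surrogate authentication additionally gets {@code verifyCaller(true)}.
 *
 * @param token access token being assembled (mutated in place)
 * @param role  realm or client role to grant
 */
private static void addToToken(AccessToken token, RoleModel role) {
    String roleName = role.getName();
    AccessToken.Access access;

    if (role.getContainer() instanceof RealmModel) {
        access = token.getRealmAccess();
        if (access == null) {
            access = new AccessToken.Access();
            token.setRealmAccess(access);
        } else if (access.getRoles() != null && access.isUserInRole(roleName)) {
            return; // already granted; nothing to do
        }
    } else {
        ClientModel app = (ClientModel) role.getContainer();
        String clientId = app.getClientId();
        access = token.getResourceAccess(clientId);
        if (access == null) {
            access = token.addAccess(clientId);
            if (app.isSurrogateAuthRequired()) {
                // Mark the new client entry so consumers know the caller must be verified.
                access.verifyCaller(true);
            }
        } else if (access.isUserInRole(roleName)) {
            return; // already granted; nothing to do
        }
    }

    access.addRole(roleName);
}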
 
Example 2
Source File: KeycloakOauthPolicyTest.java    From apiman-plugins with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the shared fixture: a bearer token carrying two client roles and one realm role, a
 * policy bean with every optional check switched off, and a mocked policy context that hands out
 * a real failure factory and an in-memory shared-state store.
 * <p>
 * Transport security, token stripping and unsafe-token blacklisting are deliberately disabled so
 * the role-forwarding behaviour can be exercised on its own; these are test-only settings.
 */
@Before
public void initTest() {
    MockitoAnnotations.initMocks(this);

    token = new AccessToken();
    AccessToken bearer = token.type("Bearer")
        .subject("CN=Client")
        .issuer("apiman-realm"); // KC seems to use issuer for realm?
    bearer.addAccess("apiman-api")
        .addRole("apiman-gateway-user-role")
        .addRole("a-nother-role");
    bearer.setRealmAccess(new Access().addRole("lets-use-a-realm-role"));

    forwardRoles = new ForwardRoles();

    config = new KeycloakOauthConfigBean();
    config.setRequireOauth(true);
    config.setStripTokens(false);
    config.setBlacklistUnsafeTokens(false);
    config.setRequireTransportSecurity(false);
    config.setForwardRoles(forwardRoles);

    keycloakOauthPolicy = new KeycloakOauthPolicy();
    apiRequest = new ApiRequest();

    // Components served by the mocked context: failure factory and shared-state store.
    given(mContext.getComponent(IPolicyFailureFactoryComponent.class))
        .willReturn(new DefaultPolicyFailureFactoryComponent());
    given(mContext.getComponent(ISharedStateComponent.class))
        .willReturn(new InMemorySharedStateComponent());
}
 
Example 3
Source File: KeycloakOauthPolicyLegacyTest.java    From apiman-plugins with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the shared fixture: a bearer token carrying two client roles and one realm role, a
 * policy bean with every optional check switched off, and a mocked policy context that hands out
 * a real failure factory and an in-memory shared-state store.
 * <p>
 * Transport security, token stripping and unsafe-token blacklisting are deliberately disabled so
 * the role-forwarding behaviour can be exercised on its own; these are test-only settings.
 */
@Before
public void initTest() {
    MockitoAnnotations.initMocks(this);

    token = new AccessToken();
    AccessToken bearer = token.type("Bearer")
        .subject("CN=Client")
        .issuer("apiman-realm"); // KC seems to use issuer for realm?
    bearer.addAccess("apiman-api")
        .addRole("apiman-gateway-user-role")
        .addRole("a-nother-role");
    bearer.setRealmAccess(new Access().addRole("lets-use-a-realm-role"));

    forwardRoles = new ForwardRoles();

    config = new KeycloakOauthConfigBean();
    config.setRequireOauth(true);
    config.setStripTokens(false);
    config.setBlacklistUnsafeTokens(false);
    config.setRequireTransportSecurity(false);
    config.setForwardRoles(forwardRoles);

    keycloakOauthPolicy = new KeycloakOauthPolicy();
    apiRequest = new ApiRequest();

    // Components served by the mocked context: failure factory and shared-state store.
    given(mContext.getComponent(IPolicyFailureFactoryComponent.class))
        .willReturn(new DefaultPolicyFailureFactoryComponent());
    given(mContext.getComponent(ISharedStateComponent.class))
        .willReturn(new InMemorySharedStateComponent());
}
 
Example 4
Source File: AbstractUserRoleMappingMapper.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Writes a collection of role names into an access token at the claim location given by
 * {@code path}.
 * <p>
 * Two locations are recognised: {@code realm_access.roles}, which targets the token's realm
 * access (created when absent), and {@code resource_access.<clientId>.roles}, which targets the
 * named client's entry via {@link AccessToken#addAccess(String)}. Any other token type,
 * non-collection value or path leaves the token untouched and yields {@code false}.
 *
 * @param idToken        token to update; must be an {@link AccessToken} for anything to happen
 * @param path           claim path already split into segments
 * @param attributeValue expected to be a {@code Collection} of role names
 * @return {@code true} when the roles were added to the token
 */
private static boolean checkAccessToken(IDToken idToken, List<String> path, Object attributeValue) {
    if (!(idToken instanceof AccessToken) || !(attributeValue instanceof Collection)) {
        return false;
    }

    AccessToken token = (AccessToken) idToken;
    @SuppressWarnings("unchecked") // elements are checked as String when iterated below, as before
    Collection<String> roleNames = (Collection<String>) attributeValue;

    AccessToken.Access target;
    switch (path.size()) {
        case 2:
            if (!"realm_access".equals(path.get(0)) || !"roles".equals(path.get(1))) {
                return false;
            }
            target = token.getRealmAccess();
            if (target == null) {
                target = new AccessToken.Access();
                token.setRealmAccess(target);
            }
            break;
        case 3:
            if (!"resource_access".equals(path.get(0)) || !"roles".equals(path.get(2))) {
                return false;
            }
            target = token.addAccess(path.get(1));
            break;
        default:
            return false;
    }

    for (String roleName : roleNames) {
        target.addRole(roleName);
    }
    return true;
}
 
Example 5
Source File: RoleResolveUtil.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the (possibly {@code null}) object holding all of the user's realm roles, including
 * roles inherited from groups, with composite roles expanded. Only roles the current client has a
 * role-scope-mapping for (directly or through its client scopes) are included; the current client
 * is the one the given {@code clientSessionCtx} belongs to.
 *
 * @param session          current Keycloak session
 * @param clientSessionCtx client session whose resolved roles are requested
 * @param createIfMissing  when {@code true}, an empty realm access is created and stored on the
 *                         cached token instead of returning {@code null}
 * @return the resolved realm access; {@code null} only when none exists and
 *         {@code createIfMissing} is {@code false}
 */
public static AccessToken.Access getResolvedRealmRoles(KeycloakSession session, ClientSessionContext clientSessionCtx, boolean createIfMissing) {
    AccessToken resolved = getAndCacheResolvedRoles(session, clientSessionCtx);
    AccessToken.Access realmAccess = resolved.getRealmAccess();
    if (realmAccess != null || !createIfMissing) {
        return realmAccess;
    }

    AccessToken.Access created = new AccessToken.Access();
    resolved.setRealmAccess(created);
    return created;
}
 
Example 6
Source File: RPTIntrospectionProvider.java    From keycloak with Apache License 2.0 4 votes vote down vote up
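/**
 * Introspects a requesting party token (RPT).
 * <p>
 * The response carries an {@code active} flag that is {@code true} only when the token could be
 * verified. For a verified token the core claims (id, acr, type, expiration, issued-at, audience,
 * not-before) are echoed back together with the UMA permissions; the realm and resource role
 * claims are explicitly cleared so the introspection response does not expose them.
 *
 * @param token the RPT to introspect
 * @return a JSON response describing the token, or just {@code {"active": false}} when it
 *         could not be verified
 * @throws RuntimeException when building the response fails; the original exception is attached
 *         as the cause
 */
@Override
public Response introspect(String token) {
    LOGGER.debug("Introspecting requesting party token");
    try {
        // NOTE(review): assumes verifyAccessToken returns null for an unverifiable token
        // rather than throwing — confirm; a throw here surfaces as the RuntimeException below.
        AccessToken accessToken = verifyAccessToken(token);

        ObjectNode tokenMetadata;

        if (accessToken != null) {
            AccessToken metadata = new AccessToken();

            metadata.id(accessToken.getId());
            metadata.setAcr(accessToken.getAcr());
            metadata.type(accessToken.getType());
            metadata.expiration(accessToken.getExpiration());
            metadata.issuedAt(accessToken.getIssuedAt());
            metadata.audience(accessToken.getAudience());
            metadata.notBefore(accessToken.getNotBefore());
            // Role claims are deliberately not included in the introspection response.
            metadata.setRealmAccess(null);
            metadata.setResourceAccess(null);

            tokenMetadata = JsonSerialization.createObjectNode(metadata);
            Authorization authorization = accessToken.getAuthorization();

            if (authorization != null) {
                Collection<UmaPermissionRepresentation> permissions;

                if (authorization.getPermissions() != null) {
                    permissions = authorization.getPermissions().stream()
                            .map(UmaPermissionRepresentation::new)
                            .collect(Collectors.toSet());
                } else {
                    permissions = Collections.emptyList();
                }

                tokenMetadata.putPOJO("permissions", permissions);
            }
        } else {
            tokenMetadata = JsonSerialization.createObjectNode();
        }

        // "active" is false whenever verification did not yield a token.
        tokenMetadata.put("active", accessToken != null);

        return Response.ok(JsonSerialization.writeValueAsBytes(tokenMetadata))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .build();
    } catch (Exception e) {
        // Boundary catch: the cause is preserved; the message stays generic so no token
        // material ends up in the error text.
        throw new RuntimeException("Error creating token introspection response.", e);
    }
}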