/**
 * Resolves the principal name for an authenticated user from the access token.
 * <p>
 * The claim is selected by the deployment's principal attribute (default {@code "sub"}).
 * An unrecognised attribute, or a recognised one whose claim is absent from the token,
 * falls back to the token subject. Callers that bind identity to an {@code email}
 * principal may additionally want to consult {@code token.getEmailVerified()}.
 *
 * @param deployment adapter configuration supplying the principal attribute
 * @param token the access token to read the claim from
 * @return the claim value for the configured attribute, or the subject as a fallback
 */
public static String getPrincipalName(KeycloakDeployment deployment, AccessToken token) {
    String attribute = deployment.getPrincipalAttribute() != null
            ? deployment.getPrincipalAttribute()
            : "sub";
    String resolved;
    switch (attribute) {
        case "sub":
            resolved = token.getSubject();
            break;
        case "email":
            resolved = token.getEmail();
            break;
        case "preferred_username":
            resolved = token.getPreferredUsername();
            break;
        case "name":
            resolved = token.getName();
            break;
        case "given_name":
            resolved = token.getGivenName();
            break;
        case "family_name":
            resolved = token.getFamilyName();
            break;
        case "nickname":
            resolved = token.getNickName();
            break;
        default:
            resolved = null;
            break;
    }
    // Never return null: fall back to the subject when the chosen claim is missing.
    return resolved != null ? resolved : token.getSubject();
}
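/**
 * Builds the {@code UserDetails} argument from the Keycloak principal of the request.
 * <p>
 * The principal is expected to be the {@link KeycloakPrincipal} installed by the adapter;
 * id, given/family name and email come from the access token, realm roles from its
 * realm-access entry (empty when the token has none).
 *
 * @param webRequest the current request, which must carry an authenticated user principal
 * @return a new {@code UserDetails}
 * @throws NullPointerException if the request has no user principal
 * @throws ClassCastException if the principal is not a {@link KeycloakPrincipal}
 */
@SuppressWarnings("unchecked")
private Object createUserDetails(NativeWebRequest webRequest) {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            (KeycloakPrincipal<RefreshableKeycloakSecurityContext>) java.util.Objects.requireNonNull(
                    webRequest.getUserPrincipal(), "request has no authenticated principal");
    AccessToken token = principal.getKeycloakSecurityContext().getToken();

    // A token without realm role mappings has no realm-access entry; treat that as
    // "no roles" instead of failing with an NPE on getRealmAccess().getRoles().
    AccessToken.Access realmAccess = token.getRealmAccess();
    java.util.Set<String> roles = realmAccess != null && realmAccess.getRoles() != null
            ? realmAccess.getRoles()
            : java.util.Collections.<String>emptySet();
    return new UserDetails(token.getId(), token.getGivenName(), token.getFamilyName(), token.getEmail(), roles);
}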
/**
 * Does the resource override the requirement of verifying the caller?
 *
 * @param resource the client id whose resource-access entry is consulted
 * @return the resource's explicit verify-caller flag, or {@code false} when the
 *         resource has no access entry or the flag is unset
 */
@JsonIgnore
public boolean isVerifyCaller(String resource) {
    Access access = getResourceAccess(resource);
    // An absent entry or an unset flag both mean "no override" -> false.
    return access != null && Boolean.TRUE.equals(access.getVerifyCaller());
}
AccessToken token = parseToken(id); result.put("realm", token.getAudience()); result.put("subject", token.getSubject()); result.put("issued-at", new Date(token.getIssuedAt())); result.put("name", token.getName()); result.put("given-name", token.getGivenName()); result.put("family-name", token.getFamilyName()); result.put("email", token.getEmail()); AccessToken.Access realmAccess = token.getRealmAccess(); if (realmAccess != null && realmAccess.getRoles() != null) { for (String r : realmAccess.getRoles()) { Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess(); if (resourceAccess != null) { for (Map.Entry<String, AccessToken.Access> e : resourceAccess.entrySet()) {
properties.add(new KeycloakProperty(StandardUserProperties.FIRST_NAME, accessToken.getGivenName())); properties.add(new KeycloakProperty(StandardUserProperties.LAST_NAME, accessToken.getFamilyName())); properties.add(new KeycloakProperty(StandardUserProperties.EMAIL, accessToken.getEmail())); properties.add(new KeycloakProperty(BIRTHDATE, accessToken.getBirthdate())); properties.add(new KeycloakProperty(GENDER, accessToken.getGender())); properties.add(new KeycloakProperty(LOCALE, accessToken.getLocale())); properties.add(new KeycloakProperty(MIDDLE_NAME, accessToken.getMiddleName())); properties.add(new KeycloakProperty(NAME, accessToken.getName())); properties.add(new KeycloakProperty(NICKNAME, accessToken.getNickName())); properties.add(new KeycloakProperty(PHONENUMBER, accessToken.getPhoneNumber())); properties.add(new KeycloakProperty(PICTURE, accessToken.getPicture())); properties.add(new KeycloakProperty(PREFERRED_USERNAME, accessToken.getPreferredUsername())); properties.add(new KeycloakProperty(PROFILE, accessToken.getProfile())); properties.add(new KeycloakProperty(SUBJECT, accessToken.getSubject())); properties.add(new KeycloakProperty(WEBSITE, accessToken.getWebsite())); properties.add(new KeycloakProperty(ZONE_INFO, accessToken.getZoneinfo())); properties.add(new KeycloakProperty(EMAIL_VERIFIED, String.valueOf(accessToken.getEmailVerified()))); properties.add(new KeycloakProperty(PHONENUMBER_VERIFIED, String.valueOf(accessToken.getPhoneNumberVerified()))); AddressClaimSet address = accessToken.getAddress(); if (address != null) { properties.add(new KeycloakProperty(COUNTRY, accessToken.getAddress().getCountry())); properties.add(new KeycloakProperty(FORMATTED_ADDRESS, accessToken.getAddress().getFormattedAddress())); properties.add(new KeycloakProperty(LOCALITY, accessToken.getAddress().getLocality())); properties.add(new KeycloakProperty(POSTAL_CODE, accessToken.getAddress().getPostalCode())); properties.add(new KeycloakProperty(REGION, 
accessToken.getAddress().getRegion())); properties.add(new KeycloakProperty(STREET_ADDRESS, accessToken.getAddress().getStreetAddress()));
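/**
 * Records an audit entry and an info log line for every request that reaches a handler.
 * <p>
 * This interceptor never blocks a request: any failure while reading the token or
 * persisting the entry is logged at WARN and the chain continues ({@code true}).
 *
 * @param httpServletRequest current request
 * @param httpServletResponse current response
 * @param handler the handler about to execute (unused)
 * @return always {@code true}
 */
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object handler) {
    try {
        SimpleHttpFacade simpleHttpFacade = new SimpleHttpFacade(httpServletRequest, httpServletResponse);
        AccessToken accessToken = simpleHttpFacade.getSecurityContext().getToken();

        // Client roles: the resource-access map and the entry for this client may both be absent.
        Set<String> resourceRoles = java.util.Collections.emptySet();
        if (accessToken.getResourceAccess() != null) {
            AccessToken.Access resourceAccess = accessToken.getResourceAccess().get(keycloakResource);
            if (resourceAccess != null && resourceAccess.getRoles() != null) {
                resourceRoles = resourceAccess.getRoles();
            }
        }

        // Realm roles: tokens without realm role mappings have no realm-access entry.
        Set<String> realmRoles = java.util.Collections.emptySet();
        AccessToken.Access realmAccess = accessToken.getRealmAccess();
        if (realmAccess != null && realmAccess.getRoles() != null) {
            realmRoles = realmAccess.getRoles();
        }

        // The audience array may be absent or empty; never index it blindly.
        String[] audience = accessToken.getAudience();
        String primaryAudience = audience != null && audience.length > 0 ? audience[0] : null;

        locKeycloakLog.save(
                LocKeycloakLog.LocKeycloakLogDomain.builder()
                        .param(describeParameters(httpServletRequest))
                        .createDateTime(LocalDateTime.now())
                        .url(httpServletRequest.getContextPath())
                        .userName(accessToken.getName())
                        .email(accessToken.getEmail())
                        .realmRoles(realmRoles)
                        .resourceRoles(resourceRoles)
                        .build());
        log.info("keycloak security pre handle {} ({}) in {} access {}",
                accessToken.getName(), accessToken.getEmail(), primaryAudience, httpServletRequest.getRequestURI());
    } catch (Exception e) {
        // Auditing is best-effort; never fail the request because of it.
        log.warn(e.getMessage(), e);
    }
    return true;
}

/**
 * Renders the request parameters as {@code {name=value1,value2, ...}}.
 * <p>
 * {@code Map.toString()} on a parameter map prints array identities
 * ({@code [Ljava.lang.String;@...}) for the values, which is useless in an audit row.
 * NOTE(review): values are persisted verbatim; redact keys that carry credentials or
 * other sensitive data if this audit table is retained.
 *
 * @param request the request whose parameter map is rendered
 * @return the rendered parameters, {@code {}} when there are none
 */
private static String describeParameters(HttpServletRequest request) {
    StringBuilder out = new StringBuilder("{");
    for (java.util.Map.Entry<String, String[]> entry : request.getParameterMap().entrySet()) {
        if (out.length() > 1) {
            out.append(", ");
        }
        String[] values = entry.getValue();
        out.append(entry.getKey()).append('=').append(values == null ? "" : String.join(",", values));
    }
    return out.append('}').toString();
}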
auth.setLogoutUrl(((HttpServletRequest) request).getContextPath() + "/logout"); auth.setToken(session.getTokenString()); auth.setTokenRefreshPeriod(expirationToRefreshPeriod(session.getToken().getExpiration())); httpSession.setAttribute(RequestAttributeKeys.AUTH_KEY, auth); if (token != null) { User user = new User(); user.setEmail(token.getEmail()); user.setLogin(token.getPreferredUsername()); user.setName(token.getName()); httpSession.setAttribute(RequestAttributeKeys.USER_KEY, user);
/**
 * Returns the login name of the authenticated user, taken from the
 * {@code preferred_username} claim of the wrapped token.
 *
 * @return the preferred-username claim value as reported by the token
 */
@Override
public String getUserName() {
    return auth.getPreferredUsername();
}
/**
 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) request;
    KeycloakSecurityContext session = getSession(httpReq);
    // Without a Keycloak session (or a token inside it) the security context is left untouched.
    AccessToken token = session == null ? null : session.getToken();
    if (token != null) {
        // Fabricate a User object from information in the access token and store it in the security context.
        User user = new User();
        user.setEmail(token.getEmail());
        user.setLogin(token.getPreferredUsername());
        user.setName(token.getName());
        SecurityContext securityContext = (SecurityContext) security;
        securityContext.setUser(user);
        securityContext.setToken(session.getTokenString());
    }
    chain.doFilter(request, response);
}
keycloakSession.getTransactionManager().begin(); try { final RealmModel realm = keycloakSession.realms().getRealmByName(hostname); if (realm == null) { LOG.info("Realm " + hostname + " not found"); ClientModel clientModel = realm.getClientByClientId(token.getIssuedFor()); keycloakSession.getTransactionManager().commit(); keycloakSession.close();
/**
 * Does the realm require verifying the caller?
 *
 * @return the realm-access entry's explicit verify-caller flag, or {@code false}
 *         when there is no realm-access entry or the flag is unset
 */
@JsonIgnore
public boolean isVerifyCaller() {
    // Missing entry or unset flag -> not required.
    return getRealmAccess() != null && Boolean.TRUE.equals(getRealmAccess().getVerifyCaller());
}
/**
 * Builds the role set granted by an access token.
 * <p>
 * Client (resource) roles for the client the token was issued for are collected
 * first, then realm roles; duplicate names collapse because they are gathered in a set.
 *
 * @param accessToken the token whose role mappings are read
 * @return one {@link RoleImpl} per distinct role name
 */
private Collection<? extends Role> createRoles(final AccessToken accessToken) {
    final Set<String> names = new HashSet<String>();

    // Client roles (entry for the token's own client id) first, realm roles second.
    final AccessToken.Access clientAccess = accessToken.getResourceAccess(accessToken.getIssuedFor());
    final AccessToken.Access realmAccess = accessToken.getRealmAccess();
    for (final AccessToken.Access access : new AccessToken.Access[] { clientAccess, realmAccess }) {
        if (access != null && access.getRoles() != null) {
            names.addAll(access.getRoles());
        }
    }

    final List<Role> result = new ArrayList<Role>(names.size());
    for (final String name : names) {
        result.add(new RoleImpl(name));
    }
    return result;
}
/**
 * Creates a permission ticket token.
 * <p>
 * When an access token is supplied, the ticket receives a freshly generated id and
 * copies the token's subject, expiration, not-before, issued-at and issued-for claims;
 * the audience is set only when one is given.
 *
 * @param permissions the permissions the ticket covers (stored as given)
 * @param audience optional audience for the ticket, ignored when {@code null}
 * @param accessToken optional access token whose identity and timing claims are copied
 */
public PermissionTicketToken(List<Permission> permissions, String audience, AccessToken accessToken) {
    if (accessToken != null) {
        id(TokenIdGenerator.generateId());
        subject(accessToken.getSubject());
        expiration(accessToken.getExpiration());
        notBefore(accessToken.getNotBefore());
        issuedAt(accessToken.getIssuedAt());
        issuedFor(accessToken.getIssuedFor());
    }
    if (audience != null) {
        audience(audience);
    }
    this.permissions = permissions;
}
/**
 * Returns the authenticated user's email address as carried by the token's
 * {@code email} claim.
 *
 * @return the email claim value
 */
@Override
public String getEmail() {
    return this.auth.getEmail();
}
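/**
 * Produces the current Hawkular user for the calling Keycloak principal.
 * <p>
 * Non-Keycloak callers get {@code null}. The user record is looked up (or created)
 * by the principal's id and name; its name and email are synchronised with the token
 * claims when the claim is present and differs from the stored value.
 *
 * @return the current user, or {@code null} when the caller is not a Keycloak principal
 */
@Produces
@CurrentUser
@Override
public HawkularUser getCurrent() {
    Principal p = sessionContext.getCallerPrincipal();
    if (!(p instanceof KeycloakPrincipal)) {
        logger.nonAuthRequestWantsPersona();
        return null;
    }
    KeycloakPrincipal<?> principal = (KeycloakPrincipal<?>) p;
    String id = principal.getName();
    String name = principal.getKeycloakSecurityContext().getToken().getName();
    String email = principal.getKeycloakSecurityContext().getToken().getEmail();

    HawkularUser user = getOrCreateByIdAndName(id, name);
    boolean needsUpdate = false;
    // The name claim may be absent from the token; only sync it when present,
    // mirroring the email handling below (a missing name used to NPE here).
    if (name != null && !name.equals(user.getName())) {
        logger.settingUsersName(id, name, user.getName());
        user.setName(name);
        needsUpdate = true;
    }
    if (email != null && !email.equals(user.getEmail())) {
        logger.settingUsersEmail(id, email, user.getEmail());
        user.setEmail(email);
        needsUpdate = true;
    }
    return needsUpdate ? update(user) : user;
}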
/**
 * Extracts the role names the adapter should grant for a session.
 * <p>
 * With {@code useResourceRoleMappings} enabled the roles come from the token's
 * resource-access entry for the deployment's resource name; otherwise from the
 * realm-access entry. A missing entry yields an empty set, never {@code null}.
 *
 * @param session the security context holding the token and deployment
 * @return the granted role names (possibly empty)
 */
public static Set<String> getRolesFromSecurityContext(RefreshableKeycloakSecurityContext session) {
    AccessToken accessToken = session.getToken();
    AccessToken.Access access;
    if (session.getDeployment().isUseResourceRoleMappings()) {
        if (log.isTraceEnabled()) {
            log.trace("useResourceRoleMappings");
        }
        access = accessToken.getResourceAccess(session.getDeployment().getResourceName());
    } else {
        if (log.isTraceEnabled()) {
            log.trace("use realm role mappings");
        }
        access = accessToken.getRealmAccess();
    }

    Set<String> roles = access == null ? null : access.getRoles();
    if (roles == null) {
        roles = Collections.emptySet();
    }
    if (log.isTraceEnabled()) {
        log.trace("Setting roles: ");
        for (String role : roles) {
            log.trace(" role: " + role);
        }
    }
    return roles;
}
/**
 * @see io.apiman.manager.api.security.impl.DefaultSecurityContext#getFullName()
 */
@Override
public String getFullName() {
    HttpServletRequest request = DefaultSecurityContext.servletRequest.get();
    // The Keycloak adapter stores its security context as a request attribute keyed by the class name.
    Object attribute = request.getAttribute(org.keycloak.KeycloakSecurityContext.class.getName());
    org.keycloak.KeycloakSecurityContext session = (org.keycloak.KeycloakSecurityContext) attribute;
    return session == null ? null : session.getToken().getName();
}
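/**
 * Parses and verifies a serialized access token.
 * <p>
 * The token body is decoded first so that its audience can select the public key
 * from {@code config}; the RSA signature is then checked against that key, and finally
 * the subject and the token's active window are validated.
 *
 * @param tokenString the compact JWS string
 * @return the decoded token, only if its signature and timing checks passed
 * @throws VerificationException if the token cannot be decoded, no public key is available,
 *         the signature does not verify, the subject is missing, or the token is not active
 */
private AccessToken parseToken(String tokenString) throws VerificationException {
    JWSInput input = new JWSInput(tokenString);
    AccessToken token;
    try {
        token = input.readJsonContent(AccessToken.class);
    } catch (IOException e) {
        throw new VerificationException(e);
    }

    // NOTE(review): the audience claim is read before the signature is verified and only
    // selects which configured key to verify against; every key reachable through config
    // is therefore treated as trusted for this token — confirm that is intended.
    PublicKey publicKey;
    try {
        publicKey = config.getPublicKey(token.getAudience());
    } catch (Exception e) {
        throw new VerificationException("Failed to get public key", e);
    }

    // Keep the underlying failure as the cause instead of discarding it.
    boolean verified;
    Exception verifyFailure = null;
    try {
        verified = RSAProvider.verify(input, publicKey);
    } catch (Exception e) {
        verified = false;
        verifyFailure = e;
    }
    if (!verified) {
        throw new VerificationException("Token signature not validated", verifyFailure);
    }

    if (token.getSubject() == null) {
        throw new VerificationException("Token user was null");
    }
    if (!token.isActive()) {
        throw new VerificationException("Token is not active.");
    }
    return token;
}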
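/**
 * Builds the Keycloak account-linking URL for an identity provider and stores the
 * request hash in the HTTP session for later validation.
 * <p>
 * The hash is {@code base64url(sha256(nonce + session_state + client_id + provider))},
 * matching Keycloak's client-initiated account linking.
 *
 * @param request current request; its session receives the {@code "hash"} attribute
 * @param principal must be a {@link KeycloakAuthenticationToken}
 * @param providerEnum identity provider to link; its lower-cased name is the broker alias
 * @param redirectUrl where Keycloak returns after linking
 * @return the absolute link URL
 */
@Override
public String createSignupLink(HttpServletRequest request, Principal principal, Provider providerEnum, String redirectUrl) {
    // Locale.ROOT keeps the alias stable regardless of the JVM's default locale.
    String provider = providerEnum.name().toLowerCase(java.util.Locale.ROOT);
    AccessToken token = ((KeycloakAuthenticationToken) principal).getAccount().getKeycloakSecurityContext().getToken();
    String clientId = token.getIssuedFor();
    String nonce = UUID.randomUUID().toString();
    MessageDigest md;
    try {
        md = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
        // SHA-256 is mandatory on every Java platform, so this is unreachable in practice.
        throw new RuntimeException(e);
    }
    String input = nonce + token.getSessionState() + clientId + provider;
    byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
    String hash = Base64Url.encode(check);
    request.getSession().setAttribute("hash", hash);
    // "fundrequest" is the realm name, fixed for this deployment.
    return KeycloakUriBuilder.fromUri(keycloakUrl)
            .path("/realms/{realm}/broker/{provider}/link")
            .queryParam("nonce", nonce)
            .queryParam("hash", hash)
            .queryParam("client_id", clientId)
            .queryParam("redirect_uri", getRedirectUrl(request, provider, redirectUrl))
            .build("fundrequest", provider)
            .toString();
}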
/**
 * Returns the raw token string, refreshing it first when it would expire within
 * the requested validity window.
 *
 * @param minValidity how long the token must remain valid from now
 * @param unit the unit of {@code minValidity}
 * @return the (possibly refreshed) serialized token
 * @throws VerificationException propagated from {@code refreshToken()}
 * @throws IOException propagated from {@code refreshToken()}
 * @throws ServerRequest.HttpFailure propagated from {@code refreshToken()}
 */
public String getTokenString(long minValidity, TimeUnit unit) throws VerificationException, IOException, ServerRequest.HttpFailure {
    // Token expiration is in seconds since the epoch; compare in milliseconds.
    long expiresAtMillis = ((long) token.getExpiration()) * 1000;
    long refreshDeadline = expiresAtMillis - unit.toMillis(minValidity);
    if (System.currentTimeMillis() > refreshDeadline) {
        refreshToken();
    }
    return tokenString;
}