TokenManager (Keycloak Docs Distribution 10.0.2 API)

java.lang.Object
- org.keycloak.protocol.oidc.TokenManager

```
public class TokenManager
extends Object
```
Stateless object that creates tokens and manages oauth access codes

Version:

$Revision: 1 $

Author:

Bill Burke

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`class`	`TokenManager.AccessTokenResponseBuilder`
`static class`	`TokenManager.NotBeforeCheck`
`class`	`TokenManager.RefreshResult`
`static class`	`TokenManager.TokenValidation`

Constructor Summary

Constructors
Constructor and Description

TokenManager()

Constructors
Constructor and Description
`TokenManager()`

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`static ClientSessionContext`	`attachAuthenticationSession(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession)`
`boolean`	`checkTokenValidForIntrospection(KeycloakSession session, RealmModel realm, AccessToken token)` Checks if the token is valid.
`AccessToken`	`createClientAccessToken(KeycloakSession session, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionContext clientSessionCtx)`
`static void`	`dettachClientSession(UserSessionProvider sessions, RealmModel realm, AuthenticatedClientSessionModel clientSession)`
`static Set<RoleModel>`	`getAccess(UserModel user, ClientModel client, Set<ClientScopeModel> clientScopes)`
`static Set<ClientScopeModel>`	`getRequestedClientScopes(String scopeParam, ClientModel client)` Return client itself + all default client scopes of client + optional client scopes requested by scope parameter
`protected AccessToken`	`initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionContext clientSessionCtx, javax.ws.rs.core.UriInfo uriInfo)`
`static boolean`	`isValidScope(String scopes, ClientModel client)`
`static Collection<String>`	`parseScopeParameter(String scopeParam)`
`TokenManager.RefreshResult`	`refreshAccessToken(KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, javax.ws.rs.core.HttpHeaders headers, org.jboss.resteasy.spi.HttpRequest request)`
`TokenManager.AccessTokenResponseBuilder`	`responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx)`
`RefreshToken`	`toRefreshToken(KeycloakSession session, String encodedRefreshToken)`
`AccessToken`	`transformAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)`
`void`	`transformIDToken(KeycloakSession session, IDToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)`
`AccessToken`	`transformUserInfoAccessToken(KeycloakSession session, AccessToken token, UserSessionModel userSession, ClientSessionContext clientSessionCtx)`
`TokenManager.TokenValidation`	`validateToken(KeycloakSession session, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, RealmModel realm, RefreshToken oldToken, javax.ws.rs.core.HttpHeaders headers)`
`static boolean`	`verifyConsentStillAvailable(KeycloakSession session, UserModel user, ClientModel client, Set<ClientScopeModel> requestedClientScopes)`
`IDToken`	`verifyIDToken(KeycloakSession session, RealmModel realm, String encodedIDToken)`
`IDToken`	`verifyIDTokenSignature(KeycloakSession session, String encodedIDToken)`
`RefreshToken`	`verifyRefreshToken(KeycloakSession session, RealmModel realm, ClientModel client, org.jboss.resteasy.spi.HttpRequest request, String encodedRefreshToken, boolean checkExpiration)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- TokenManager
```
public TokenManager()
```

Method Detail

validateToken

public TokenManager.TokenValidation validateToken(KeycloakSession session,
                                                  javax.ws.rs.core.UriInfo uriInfo,
                                                  ClientConnection connection,
                                                  RealmModel realm,
                                                  RefreshToken oldToken,
                                                  javax.ws.rs.core.HttpHeaders headers)
                                           throws OAuthErrorException

Throws:: OAuthErrorException

checkTokenValidForIntrospection

public boolean checkTokenValidForIntrospection(KeycloakSession session,
                                               RealmModel realm,
                                               AccessToken token)
                                        throws OAuthErrorException

Checks if the token is valid. Intended usage is for token introspection endpoints as the session last refresh is updated if the token was valid. This is used to keep the session alive when long lived tokens are used.

Parameters:: session -; realm -; token -
Returns:
Throws:: OAuthErrorException

refreshAccessToken

public TokenManager.RefreshResult refreshAccessToken(KeycloakSession session,
                                                     javax.ws.rs.core.UriInfo uriInfo,
                                                     ClientConnection connection,
                                                     RealmModel realm,
                                                     ClientModel authorizedClient,
                                                     String encodedRefreshToken,
                                                     EventBuilder event,
                                                     javax.ws.rs.core.HttpHeaders headers,
                                                     org.jboss.resteasy.spi.HttpRequest request)
                                              throws OAuthErrorException

Throws:: OAuthErrorException

verifyRefreshToken

public RefreshToken verifyRefreshToken(KeycloakSession session,
                                       RealmModel realm,
                                       ClientModel client,
                                       org.jboss.resteasy.spi.HttpRequest request,
                                       String encodedRefreshToken,
                                       boolean checkExpiration)
                                throws OAuthErrorException

Throws:: OAuthErrorException

toRefreshToken

public RefreshToken toRefreshToken(KeycloakSession session,
                                   String encodedRefreshToken)
                            throws JWSInputException,
                                   OAuthErrorException

Throws:: JWSInputException; OAuthErrorException

verifyIDToken

public IDToken verifyIDToken(KeycloakSession session,
                             RealmModel realm,
                             String encodedIDToken)
                      throws OAuthErrorException

Throws:: OAuthErrorException

verifyIDTokenSignature

public IDToken verifyIDTokenSignature(KeycloakSession session,
                                      String encodedIDToken)
                               throws OAuthErrorException

Throws:: OAuthErrorException

createClientAccessToken

public AccessToken createClientAccessToken(KeycloakSession session,
                                           RealmModel realm,
                                           ClientModel client,
                                           UserModel user,
                                           UserSessionModel userSession,
                                           ClientSessionContext clientSessionCtx)

attachAuthenticationSession

public static ClientSessionContext attachAuthenticationSession(KeycloakSession session,
                                                               UserSessionModel userSession,
                                                               AuthenticationSessionModel authSession)

dettachClientSession

public static void dettachClientSession(UserSessionProvider sessions,
                                        RealmModel realm,
                                        AuthenticatedClientSessionModel clientSession)

getAccess

public static Set<RoleModel> getAccess(UserModel user,
                                       ClientModel client,
                                       Set<ClientScopeModel> clientScopes)

getRequestedClientScopes

public static Set<ClientScopeModel> getRequestedClientScopes(String scopeParam,
                                                             ClientModel client)

Return client itself + all default client scopes of client + optional client scopes requested by scope parameter

isValidScope

public static boolean isValidScope(String scopes,
                                   ClientModel client)

parseScopeParameter

public static Collection<String> parseScopeParameter(String scopeParam)

verifyConsentStillAvailable

public static boolean verifyConsentStillAvailable(KeycloakSession session,
                                                  UserModel user,
                                                  ClientModel client,
                                                  Set<ClientScopeModel> requestedClientScopes)

transformAccessToken

public AccessToken transformAccessToken(KeycloakSession session,
                                        AccessToken token,
                                        UserSessionModel userSession,
                                        ClientSessionContext clientSessionCtx)

transformUserInfoAccessToken

public AccessToken transformUserInfoAccessToken(KeycloakSession session,
                                                AccessToken token,
                                                UserSessionModel userSession,
                                                ClientSessionContext clientSessionCtx)

transformIDToken

public void transformIDToken(KeycloakSession session,
                             IDToken token,
                             UserSessionModel userSession,
                             ClientSessionContext clientSessionCtx)

initToken

protected AccessToken initToken(RealmModel realm,
                                ClientModel client,
                                UserModel user,
                                UserSessionModel session,
                                ClientSessionContext clientSessionCtx,
                                javax.ws.rs.core.UriInfo uriInfo)

responseBuilder

public TokenManager.AccessTokenResponseBuilder responseBuilder(RealmModel realm,
                                                               ClientModel client,
                                                               EventBuilder event,
                                                               KeycloakSession session,
                                                               UserSessionModel userSession,
                                                               ClientSessionContext clientSessionCtx)

Class TokenManager