Package org.keycloak.services.util

Class DPoPUtil

java.lang.Object

org.keycloak.services.util.DPoPUtil

public class DPoPUtil
extends Object

Author:

Dmitry Telegin

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	DPoPUtil.DPoPVerificationException
static enum	DPoPUtil.Mode
static class	DPoPUtil.Validator

Field Summary

Fields

Modifier and Type	Field	Description
static final int	DEFAULT_ALLOWED_CLOCK_SKEW
static final int	DEFAULT_PROOF_LIFETIME
static final String	DPOP_BINDING_ONLY_REFRESH_TOKEN_SESSION_ATTRIBUTE
static final String	DPOP_SCHEME
static final String	DPOP_SESSION_ATTRIBUTE
static final String	DPOP_TOKEN_TYPE

Constructor Summary

Constructors

Constructor	Description
DPoPUtil()

Method Summary

Modifier and Type	Method	Description
static List<String>	getDPoPSupportedAlgorithms(KeycloakSession session)
static Stream<Map.Entry<ProtocolMapperModel,ProtocolMapper>>	getTransientProtocolMapper()	creates a protocol mapper that cannot be modified by administration users and that is used to bind AccessTokens to specific DPoP keys.
static void	handleDPoPHeader(KeycloakSession keycloakSession, EventBuilder event, Cors cors, OIDCAdvancedConfigWrapper clientConfig)	If DPoP feature is enabled and either the client requires it or the current request contains a DPoP header, this method validates the proof and stores it in the session.
static boolean	isDPoPToken(org.keycloak.representations.AccessToken refreshToken)
static void	validateBinding(org.keycloak.representations.AccessToken token, org.keycloak.representations.dpop.DPoP dPoP)
static void	validateDPoPJkt(String dpopJkt, KeycloakSession session, EventBuilder event, Cors cors)
static TokenVerifier<org.keycloak.representations.AccessToken>	withDPoPVerifier(TokenVerifier<org.keycloak.representations.AccessToken> verifier, RealmModel realm, DPoPUtil.Validator validator)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

DEFAULT_PROOF_LIFETIME

public static final int DEFAULT_PROOF_LIFETIME

See Also:

• Constant Field Values

DEFAULT_ALLOWED_CLOCK_SKEW

public static final int DEFAULT_ALLOWED_CLOCK_SKEW

See Also:

• Constant Field Values

DPOP_TOKEN_TYPE

public static final String DPOP_TOKEN_TYPE

See Also:

• Constant Field Values

DPOP_SCHEME

public static final String DPOP_SCHEME

See Also:

• Constant Field Values

DPOP_SESSION_ATTRIBUTE

public static final String DPOP_SESSION_ATTRIBUTE

See Also:

• Constant Field Values

DPOP_BINDING_ONLY_REFRESH_TOKEN_SESSION_ATTRIBUTE

public static final String DPOP_BINDING_ONLY_REFRESH_TOKEN_SESSION_ATTRIBUTE

See Also:

• Constant Field Values

Constructor Details

DPoPUtil

public DPoPUtil()

Method Details

getTransientProtocolMapper

public static Stream<Map.Entry<ProtocolMapperModel,ProtocolMapper>> getTransientProtocolMapper()

creates a protocol mapper that cannot be modified by administration users and that is used to bind AccessTokens to specific DPoP keys.

NOTE: The binding was solved with a protocol mapper to have generic solution for DPoP on all implemented grantTypes, even custom-implemented grantTypes.

handleDPoPHeader

public static void handleDPoPHeader(KeycloakSession keycloakSession,
 EventBuilder event,
 Cors cors,
 OIDCAdvancedConfigWrapper clientConfig)

If DPoP feature is enabled and either the client requires it or the current request contains a DPoP header, this method validates the proof and stores it in the session.

withDPoPVerifier

public static TokenVerifier<org.keycloak.representations.AccessToken> withDPoPVerifier(TokenVerifier<org.keycloak.representations.AccessToken> verifier,
 RealmModel realm,
 DPoPUtil.Validator validator)

validateBinding

public static void validateBinding(org.keycloak.representations.AccessToken token,
 org.keycloak.representations.dpop.DPoP dPoP)
                            throws VerificationException

Throws:

VerificationException

validateDPoPJkt

public static void validateDPoPJkt(String dpopJkt,
 KeycloakSession session,
 EventBuilder event,
 Cors cors)

isDPoPToken

public static boolean isDPoPToken(org.keycloak.representations.AccessToken refreshToken)

getDPoPSupportedAlgorithms

public static List<String> getDPoPSupportedAlgorithms(KeycloakSession session)