Interface KeycloakClient

    • Method Detail

      • useScopes

        KeycloakClient useScopes​(List<String> scopes)
        Replaces the list of OIDC scopes to use for the next OIDC token requests with the provided one
        Parameters:
        scopes - the list of scopes to use in the calls
        Returns:
        the client itself
      • addScopes

        KeycloakClient addScopes​(List<String> scopes)
        Adds the provided OIDC scopes to the list of scopes to use for the next OIDC token requests
        Parameters:
        scopes - the list of scopes to add
        Returns:
        the client itself
      • addDynamicScope

        KeycloakClient addDynamicScope​(String dynamicScope,
                                       String value)
        Adds the dynamic scope to the list of scopes to use for the next OIDC token requests
        Parameters:
        dynamicScope - the dynamic scope that will be the prefix
        value - the value of the dynamic scope
        Returns:
        the client itself
      • removeScopes

        KeycloakClient removeScopes​(List<String> scopes)
        Removes the provided OIDC scopes from the list of scopes to use for the next OIDC token requests
        Parameters:
        scopes - the list of scopes to remove
        Returns:
        the client itself
      • removeAllScopes

        KeycloakClient removeAllScopes()
        Removes all the custom OIDC scopes from the list of scopes to use for the next OIDC token requests
        Returns:
        the client itself
      • useDynamicScopeInsteadOfCustomHeaderForContextRestricion

        KeycloakClient useDynamicScopeInsteadOfCustomHeaderForContextRestricion​(boolean useDynamicScopeInsteadOfCustomHeaderForContextRestricion)
        Sets a flag to use dynamic scope (D4S_DYNAMIC_SCOPE_NAME = "d4s-context") instead of custom header (D4S_CONTEXT_HEADER_NAME = "x-d4science-context") when an OIDC token with context is used
        Parameters:
        useDynamicScopeInsteadOfCustomHeaderForContextRestricion - true to use the dynamic scope, false to use the custom header
        Returns:
        the client itself
      • getRealmBaseURL

        URL getRealmBaseURL​(String context)
                     throws KeycloakClientException
        Returns the Keycloak base URL for the given context and the default realm (d4science)
        Parameters:
        context - the context where the endpoint is needed (e.g. /gcube for DEV)
        Returns:
        the Keycloak base URL for the context and the default realm
        Throws:
        KeycloakClientException - if something goes wrong discovering the endpoint URL
      • getRealmBaseURL

        URL getRealmBaseURL​(String context,
                            String realm)
                     throws KeycloakClientException
        Returns the Keycloak base URL for the given context and in the given realm.
        Parameters:
        context - the context where the endpoint is needed (e.g. /gcube for DEV)
        realm - the realm to use to construct the base URL
        Returns:
        the Keycloak base URL for the context and the given realm
        Throws:
        KeycloakClientException - if something goes wrong discovering the endpoint URL
      • getTokenEndpointURL

        URL getTokenEndpointURL​(URL realmBaseURL)
                         throws KeycloakClientException
        Constructs the Keycloak token endpoint URL from the realm's base URL.
        Parameters:
        realmBaseURL - the realm's base URL to use
        Returns:
        the Keycloak token endpoint URL
        Throws:
        KeycloakClientException - if something goes wrong discovering the endpoint URL
      • getJWKEndpointURL

        URL getJWKEndpointURL​(URL realmBaseURL)
                       throws KeycloakClientException
        Constructs the Keycloak JWK endpoint URL from the realm's base URL.
        Parameters:
        realmBaseURL - the realm's base URL to use
        Returns:
        the Keycloak JWK endpoint URL
        Throws:
        KeycloakClientException - if something goes wrong discovering the endpoint URL
      • getIntrospectionEndpointURL

        URL getIntrospectionEndpointURL​(URL realmBaseURL)
                                 throws KeycloakClientException
        Constructs the Keycloak introspection endpoint URL from the realm's base URL.
        Parameters:
        realmBaseURL - the realm's base URL to use
        Returns:
        the Keycloak introspection endpoint URL
        Throws:
        KeycloakClientException - if something goes wrong discovering the endpoint URL
      • computeIntrospectionEndpointURL

        URL computeIntrospectionEndpointURL​(URL tokenEndpointURL)
                                     throws KeycloakClientException
        Computes the Keycloak introspection endpoint URL starting from the provided token endpoint.
        Parameters:
        tokenEndpointURL - the token endpoint to use in the computation
        Returns:
        the Keycloak introspection endpoint URL
        Throws:
        KeycloakClientException - if something goes wrong discovering the endpoint URL
      • getAvatarEndpointURL

        URL getAvatarEndpointURL​(URL realmBaseURL)
                          throws KeycloakClientException
        Constructs the Keycloak avatar endpoint URL from the realm's base URL.
        Parameters:
        realmBaseURL - the realm's base URL to use
        Returns:
        the Keycloak avatar endpoint URL
        Throws:
        KeycloakClientException - if something goes wrong discovering the endpoint URL
      • getRealmJSONWebKeySet

        JSONWebKeySet getRealmJSONWebKeySet​(URL jwkURL)
                                     throws KeycloakClientException
        Loads the actual JWK from the Keycloak server
        Parameters:
        jwkURL - the server's jwk URL to use
        Returns:
        an object with JWK details
        Throws:
        KeycloakClientException - if something goes wrong getting JWK info
      • queryOIDCToken

        TokenResponse queryOIDCToken​(String context,
                                     String clientId,
                                     String clientSecret)
                              throws KeycloakClientException
        Queries an OIDC token from the context's Keycloak server, by using provided clientId and client secret.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCToken

        TokenResponse queryOIDCToken​(String context,
                                     String clientId,
                                     String clientSecret,
                                     Map<String,​String> extraHeaders)
                              throws KeycloakClientException
        Queries an OIDC token from the context's Keycloak server, by using provided clientId and client secret.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCToken

        TokenResponse queryOIDCToken​(URL tokenURL,
                                     String clientId,
                                     String clientSecret)
                              throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided clientId and client secret.
        Parameters:
        tokenURL - the token endpoint URL of the Keycloak server
        clientId - the client id
        clientSecret - the client secret
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCToken

        TokenResponse queryOIDCToken​(URL tokenURL,
                                     String clientId,
                                     String clientSecret,
                                     Map<String,​String> extraHeaders)
                              throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided clientId and client secret. Optionally extra HTTP headers can be provided to be used in the call.
        Parameters:
        tokenURL - the token endpoint URL of the Keycloak server
        clientId - the client id
        clientSecret - the client secret
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCToken

        TokenResponse queryOIDCToken​(String context,
                                     String authorization)
                              throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCToken

        TokenResponse queryOIDCToken​(String context,
                                     String authorization,
                                     Map<String,​String> extraHeaders)
                              throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization. Optionally extra HTTP headers can be provided to be used in the call.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCToken

        TokenResponse queryOIDCToken​(URL tokenURL,
                                     String authorization)
                              throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCToken

        TokenResponse queryOIDCToken​(URL tokenURL,
                                     String authorization,
                                     Map<String,​String> extraHeaders)
                              throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization. Optionally extra HTTP headers can be provided to be used in the call.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(String context,
                                                String clientId,
                                                String clientSecret,
                                                String audience)
                                         throws KeycloakClientException
        Queries an OIDC token from the context's Keycloak server, by using provided clientId and client secret, reducing the audience to the requested one. The implementation uses the custom x-d4science-context HTTP header that the proper mapper on Keycloak uses to reduce the audience
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(String context,
                                                String clientId,
                                                String clientSecret,
                                                String audience,
                                                Map<String,​String> extraHeaders)
                                         throws KeycloakClientException
        Queries an OIDC token from the context's Keycloak server, by using provided clientId and client secret, reducing the audience to the requested one. Optionally extra HTTP headers can be provided to be used in the call. The implementation uses the custom x-d4science-context HTTP header that the proper mapper on Keycloak uses to reduce the audience
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(URL tokenURL,
                                                String clientId,
                                                String clientSecret,
                                                String audience)
                                         throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided clientId and client secret, reducing the audience to the requested one. The implementation uses the custom x-d4science-context HTTP header that the proper mapper on Keycloak uses to reduce the audience
        Parameters:
        tokenURL - the token endpoint URL of the Keycloak server
        clientId - the client id
        clientSecret - the client secret
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(URL tokenURL,
                                                String clientId,
                                                String clientSecret,
                                                String audience,
                                                Map<String,​String> extraHeaders)
                                         throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided clientId and client secret, reducing the audience to the requested one. Optionally extra HTTP headers can be provided to be used in the call. The implementation uses the custom x-d4science-context HTTP header that the proper mapper on Keycloak uses to reduce the audience
        Parameters:
        tokenURL - the token endpoint URL of the Keycloak server
        clientId - the client id
        clientSecret - the client secret
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(String context,
                                                String authorization,
                                                String audience)
                                         throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization, reducing the audience to the requested one.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(String context,
                                                String authorization,
                                                String audience,
                                                Map<String,​String> extraHeaders)
                                         throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization, reducing the audience to the requested one. Optionally extra HTTP headers can be provided to be used in the call.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(URL tokenURL,
                                                String authorization,
                                                String audience)
                                         throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization, reducing the audience to the requested one.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenWithContext

        TokenResponse queryOIDCTokenWithContext​(URL tokenURL,
                                                String authorization,
                                                String audience,
                                                Map<String,​String> extraHeaders)
                                         throws KeycloakClientException
        Queries an OIDC token from the Keycloak server, by using provided authorization, reducing the audience to the requested one. Optionally extra HTTP headers can be provided to be used in the call.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
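
        Added example, not part of the gCube documentation or code: a check that a token obtained through queryOIDCTokenWithContext really had its audience reduced by the Keycloak mapper. The class and method names, the issuer host and both sample tokens are constructed for illustration; how the access token string is read from TokenResponse is not shown on this page and is left to the caller.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical class, not gCube code).
 *
 * With the library, the token would come from calls documented on this page:
 *   URL tokenURL = client.getTokenEndpointURL(client.getRealmBaseURL("/gcube"));
 *   TokenResponse tr = client.queryOIDCTokenWithContext(tokenURL, clientId, clientSecret, audience);
 * The access token string taken from that response is what restrictedTo() inspects.
 *
 * This only reads claims from a token just received from the token endpoint.
 * It does NOT verify the signature; a resource server must validate the token
 * against the realm's JWK set (see getRealmJSONWebKeySet) before trusting it.
 */
public class AudienceCheck {

    // Matches "aud":"x" or "aud":["x","y"]. Adequate for the flat claims used
    // here; use a real JSON parser in production code.
    private static final Pattern AUD =
            Pattern.compile("\"aud\"\\s*:\\s*(\\[[^\\]]*\\]|\"[^\"]*\")");
    private static final Pattern STR = Pattern.compile("\"([^\"]*)\"");

    /** Returns every value of the "aud" claim; empty if the claim is absent. */
    static List<String> audiences(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a compact JWT");
        }
        String payload = new String(
                Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        List<String> result = new ArrayList<>();
        Matcher aud = AUD.matcher(payload);
        if (aud.find()) {
            Matcher value = STR.matcher(aud.group(1));
            while (value.find()) {
                result.add(value.group(1));
            }
        }
        return result;
    }

    /**
     * True only when the token names exactly one audience and it is the one
     * requested. A missing "aud" claim or any extra audience fails the check,
     * which is what happens if the header or dynamic scope was ignored
     * (for example because the mapper is not configured for the client).
     */
    static boolean restrictedTo(String jwt, String expectedAudience) {
        List<String> aud = audiences(jwt);
        return aud.size() == 1 && aud.get(0).equals(expectedAudience);
    }

    /** Builds an unsigned sample token from a claims JSON string (constructed data). */
    static String sampleToken(String claimsJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + body + ".";
    }

    public static void main(String[] args) {
        // Constructed samples: one token whose audience was reduced to /gcube,
        // one where the restriction was not applied and a second audience remains.
        String reduced = sampleToken(
                "{\"iss\":\"https://idp.example.invalid/realms/d4science\","
                + "\"aud\":\"/gcube\",\"azp\":\"my-client\"}");
        String notReduced = sampleToken(
                "{\"iss\":\"https://idp.example.invalid/realms/d4science\","
                + "\"aud\":[\"/gcube\",\"account\"],\"azp\":\"my-client\"}");

        System.out.println("reduced:     " + audiences(reduced)
                + " ok=" + restrictedTo(reduced, "/gcube"));
        System.out.println("not reduced: " + audiences(notReduced)
                + " ok=" + restrictedTo(notReduced, "/gcube"));
    }
}
```

        Running the same check after switching useDynamicScopeInsteadOfCustomHeaderForContextRestricion confirms that both request styles yield the same restricted audience on a given server.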
      • queryOIDCTokenOfUser

        TokenResponse queryOIDCTokenOfUser​(String context,
                                           String clientId,
                                           String clientSecret,
                                           String username,
                                           String password)
                                    throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using provided clientId and client secret and user's username and password.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUser

        TokenResponse queryOIDCTokenOfUser​(String context,
                                           String clientId,
                                           String clientSecret,
                                           String username,
                                           String password,
                                           Map<String,​String> extraHeaders)
                                    throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using provided clientId and client secret and user's username and password. Optionally extra HTTP headers can be provided to be used in the call.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(String context,
                                                      String authorization,
                                                      String username,
                                                      String password,
                                                      String audience)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using provided authorization and user's username and password, reducing the audience to the requested one.
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(String context,
                                                      String clientId,
                                                      String clientSecret,
                                                      String username,
                                                      String password,
                                                      String audience)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the Keycloak server, by using provided clientId and client secret and user's username and password, reducing the audience to the requested one. The implementation uses the custom x-d4science-context HTTP header that the proper mapper on Keycloak uses to reduce the audience
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(String context,
                                                      String clientId,
                                                      String clientSecret,
                                                      String username,
                                                      String password,
                                                      String audience,
                                                      Map<String,​String> extraHeaders)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the Keycloak server, by using provided clientId and client secret and user's username and password, reducing the audience to the requested one. Optionally extra HTTP headers can be provided to be used in the call. The implementation uses the custom x-d4science-context HTTP header that the proper mapper on Keycloak uses to reduce the audience
        Parameters:
        context - the context whose Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(URL tokenURL,
                                                      String clientId,
                                                      String clientSecret,
                                                      String username,
                                                      String password,
                                                      String audience)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using provided clientId and client secret and user's username and password, reducing the audience to the requested one. The implementation uses the custom x-d4science-context HTTP header that the proper mapper on Keycloak uses to reduce the audience
        Parameters:
        tokenURL - the token endpoint URL of the Keycloak server
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(URL tokenURL,
                                                      String clientId,
                                                      String clientSecret,
                                                      String username,
                                                      String password,
                                                      String audience,
                                                      Map<String,​String> extraHeaders)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using provided clientId and client secret and user's username and password, reducing the audience to the requested one. Optionally extra HTTP headers can be provided to be used in the call.
        Parameters:
        tokenURL - the token endpoint URL of the Keycloak server
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(String context,
                                                      String authorization,
                                                      String username,
                                                      String password,
                                                      String audience,
                                                      Map<String,​String> extraHeaders)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using the provided authorization and the user's username and password. Optionally, extra HTTP headers can be provided to be used in the call.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging the custom HTTP header and the corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(URL tokenURL,
                                                      String authorization,
                                                      String username,
                                                      String password,
                                                      String audience)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using the provided authorization and the user's username and password.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging the custom HTTP header and the corresponding mapper on Keycloak
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryOIDCTokenOfUserWithContext

        TokenResponse queryOIDCTokenOfUserWithContext​(URL tokenURL,
                                                      String authorization,
                                                      String username,
                                                      String password,
                                                      String audience,
                                                      Map<String,​String> extraHeaders)
                                               throws KeycloakClientException
        Queries an OIDC token for a specific user from the context's Keycloak server, by using the provided authorization and the user's username and password. Optionally, extra HTTP headers can be provided to be used in the call.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        username - the user's username
        password - the user's password
        audience - an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging the custom HTTP header and the corresponding mapper on Keycloak
        extraHeaders - extra HTTP headers to add to the request
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryUMAToken

        TokenResponse queryUMAToken​(String context,
                                    String authorization,
                                    String audience,
                                    List<String> permissions)
                             throws KeycloakClientException
        Queries a UMA token from the Keycloak server, by using the provided authorization, for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        audience - the audience (context) where to request the issuing of the ticket (URLEncoded)
        permissions - a list of permissions, can be null
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryUMAToken

        TokenResponse queryUMAToken​(URL tokenURL,
                                    String authorization,
                                    String audience,
                                    List<String> permissions)
                             throws KeycloakClientException
        Queries a UMA token from the Keycloak server, by using the provided authorization, for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        authorization - the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
        audience - the audience (context) where to request the issuing of the ticket (URLEncoded)
        permissions - a list of permissions, can be null
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryUMAToken

        TokenResponse queryUMAToken​(String context,
                                    TokenResponse oidcTokenResponse,
                                    String audience,
                                    List<String> permissions)
                             throws KeycloakClientException
        Queries a UMA token from the Keycloak server, by using the access token provided by the TokenResponse object, for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        oidcTokenResponse - the previously issued token as TokenResponse object
        audience - the audience (context) where to request the issuing of the ticket
        permissions - a list of permissions, can be null
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryUMAToken

        TokenResponse queryUMAToken​(URL tokenURL,
                                    TokenResponse oidcTokenResponse,
                                    String audience,
                                    List<String> permissions)
                             throws KeycloakClientException
        Queries a UMA token from the Keycloak server, by using the access token provided by the TokenResponse object, for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        oidcTokenResponse - the previously issued token as TokenResponse object
        audience - the audience (context) where to request the issuing of the ticket
        permissions - a list of permissions, can be null
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryUMAToken

        TokenResponse queryUMAToken​(String context,
                                    String clientId,
                                    String clientSecret,
                                    String audience,
                                    List<String> permissions)
                             throws KeycloakClientException
        Queries a UMA token from the Keycloak server, by using the provided clientId and client secret, for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the client id
        clientSecret - the client secret
        audience - the audience (context) where to request the issuing of the ticket
        permissions - a list of permissions, can be null
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • queryUMAToken

        TokenResponse queryUMAToken​(URL tokenURL,
                                    String clientId,
                                    String clientSecret,
                                    String audience,
                                    List<String> permissions)
                             throws KeycloakClientException
        Queries a UMA token from the Keycloak server, by using the provided clientId and client secret, for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
        Parameters:
        tokenURL - the token endpoint URL of the Keycloak server
        clientId - the client id
        clientSecret - the client secret
        audience - the audience (context) where to request the issuing of the ticket
        permissions - a list of permissions, can be null
        Returns:
        the issued token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the query
      • refreshToken

        TokenResponse refreshToken​(String context,
                                   TokenResponse tokenResponse)
                            throws KeycloakClientException
        Refreshes a previously issued token from the Keycloak server using the refresh token JWT encoded string in the token response object. The client id will be read from the access token's "issued for" claim and the client secret will not be sent.
        NOTE: For public client types only.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        tokenResponse - the previously issued token as TokenResponse object
        Returns:
        the refreshed token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the refresh query
      • refreshToken

        TokenResponse refreshToken​(URL tokenURL,
                                   TokenResponse tokenResponse)
                            throws KeycloakClientException
        Refreshes a previously issued token from the Keycloak server using the refresh token JWT encoded string in the token response object. The client id will be read from the access token's "issued for" claim and the client secret will not be sent.
        NOTE: For public client types only.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        tokenResponse - the previously issued token as TokenResponse object
        Returns:
        the refreshed token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the refresh query
      • refreshToken

        TokenResponse refreshToken​(String context,
                                   String clientId,
                                   String clientSecret,
                                   TokenResponse tokenResponse)
                            throws KeycloakClientException
        Refreshes a previously issued token from the Keycloak server using the refresh token JWT encoded string in the token response object and the provided client id and secret.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the requestor client id, may be null, in which case it will be taken from the access token's "issued for" claim
        clientSecret - the requestor client secret, may be null for non-confidential clients
        tokenResponse - the previously issued token as TokenResponse object
        Returns:
        the refreshed token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the refresh query
      • refreshToken

        TokenResponse refreshToken​(URL tokenURL,
                                   String clientId,
                                   String clientSecret,
                                   TokenResponse tokenResponse)
                            throws KeycloakClientException
        Refreshes a previously issued token from the Keycloak server using the refresh token JWT encoded string in the token response object and the provided client id and secret.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        clientId - the requestor client id, may be null, in which case it will be taken from the access token's "issued for" claim
        clientSecret - the requestor client secret, may be null for non-confidential clients
        tokenResponse - the previously issued token as TokenResponse object
        Returns:
        the refreshed token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the refresh query
      • refreshToken

        TokenResponse refreshToken​(String context,
                                   String clientId,
                                   String clientSecret,
                                   String refreshTokenJWTString)
                            throws KeycloakClientException
        Refreshes a previously issued token from the Keycloak server by using the client id and secret and the refresh token JWT encoded string obtained with the access token in the previous token response.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the requestor client id
        clientSecret - the requestor client secret, may be null for non-confidential clients
        refreshTokenJWTString - the previously issued refresh token JWT string
        Returns:
        the refreshed token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the refresh query
      • refreshToken

        TokenResponse refreshToken​(URL tokenURL,
                                   String clientId,
                                   String clientSecret,
                                   String refreshTokenJWTString)
                            throws KeycloakClientException
        Refreshes a previously issued token from the Keycloak server by using the client id and secret and the refresh token JWT encoded string obtained with the access token in the previous token response.
        Parameters:
        tokenURL - the token endpoint URL of the OIDC server
        clientId - the requestor client id
        clientSecret - the requestor client secret, may be null for non-confidential clients
        refreshTokenJWTString - the previously issued refresh token JWT string
        Returns:
        the refreshed token as TokenResponse object
        Throws:
        KeycloakClientException - if something goes wrong performing the refresh query
      • exchangeTokenForAccessToken

        TokenResponse exchangeTokenForAccessToken​(String context,
                                                  String oidcAccessToken,
                                                  String clientId,
                                                  String clientSecret,
                                                  String audience)
                                           throws KeycloakClientException
        Exchanges a token for another access token for a specific client and a specific audience
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        oidcAccessToken - the original access token to exchange
        clientId - the authorized client's id
        clientSecret - the authorized client's secret
        audience - the requested token audience
        Returns:
        the exchanged token response
        Throws:
        KeycloakClientException - if an error occurs during the exchange
      • exchangeTokenForAccessToken

        TokenResponse exchangeTokenForAccessToken​(URL tokenURL,
                                                  String oidcAccessToken,
                                                  String clientId,
                                                  String clientSecret,
                                                  String audience)
                                           throws KeycloakClientException
        Exchanges a token for another access token for a specific client and a specific audience
        Parameters:
        tokenURL - the token endpoint URL
        oidcAccessToken - the original access token to exchange
        clientId - the authorized client's id
        clientSecret - the authorized client's secret
        audience - the requested token audience
        Returns:
        the exchanged token response
        Throws:
        KeycloakClientException - if an error occurs during the exchange
      • exchangeTokenForRefreshToken

        TokenResponse exchangeTokenForRefreshToken​(String context,
                                                   String oidcAccessToken,
                                                   String clientId,
                                                   String clientSecret,
                                                   String audience)
                                            throws KeycloakClientException
        Exchanges a token for another access token and a refresh token for a specific client and a specific audience
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        oidcAccessToken - the original access token to exchange
        clientId - the authorized client's id
        clientSecret - the authorized client's secret
        audience - the requested token audience
        Returns:
        the exchanged token response
        Throws:
        KeycloakClientException - if an error occurs during the exchange
      • exchangeTokenForRefreshToken

        TokenResponse exchangeTokenForRefreshToken​(URL tokenURL,
                                                   String oidcAccessToken,
                                                   String clientId,
                                                   String clientSecret,
                                                   String audience)
                                            throws KeycloakClientException
        Exchanges a token for another access token and a refresh token for a specific client and a specific audience
        Parameters:
        tokenURL - the token endpoint URL
        oidcAccessToken - the original access token to exchange
        clientId - the authorized client's id
        clientSecret - the authorized client's secret
        audience - the requested token audience
        Returns:
        the exchanged token response
        Throws:
        KeycloakClientException - if an error occurs during the exchange
      • exchangeTokenForOfflineToken

        TokenResponse exchangeTokenForOfflineToken​(String context,
                                                   String oidcAccessToken,
                                                   String clientId,
                                                   String clientSecret,
                                                   String audience)
                                            throws IllegalArgumentException,
                                                   KeycloakClientException
        Exchanges a token for another access token and an offline refresh token for a specific client and a specific audience. The refresh token will be of the offline type only if the original token has the offline_access scope within its scopes.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        oidcAccessToken - the original access token to exchange
        clientId - the authorized client's id
        clientSecret - the authorized client's secret
        audience - the requested token audience
        Returns:
        the exchanged token response
        Throws:
        IllegalArgumentException - if the original token doesn't contain the offline_access scope within its scopes or if it is impossible to parse the access token as JSON
        KeycloakClientException - if an error occurs during the exchange
      • exchangeTokenForOfflineToken

        TokenResponse exchangeTokenForOfflineToken​(URL tokenURL,
                                                   String oidcAccessToken,
                                                   String clientId,
                                                   String clientSecret,
                                                   String audience)
                                            throws IllegalArgumentException,
                                                   KeycloakClientException
        Exchanges a token for another access token and an offline refresh token for a specific client and a specific audience. The refresh token will be of the offline type only if the original token has the offline_access scope within its scopes.
        Parameters:
        tokenURL - the token endpoint URL
        oidcAccessToken - the original access token to exchange
        clientId - the authorized client's id
        clientSecret - the authorized client's secret
        audience - the requested token audience
        Returns:
        the exchanged token response
        Throws:
        IllegalArgumentException - if the original token doesn't contain the offline_access scope within its scopes or if it is impossible to parse the access token as JSON
        KeycloakClientException - if an error occurs during the exchange
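
        The offline_access precondition of exchangeTokenForOfflineToken and the "issued for" claim read by refreshToken can both be inspected locally before a call. The following is an added example, not code from this library: the class and method names are hypothetical, the tokens are constructed, and it assumes that "issued for" is the JWT azp claim and that scope is a space-delimited string claim.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical helper, not part of the KeycloakClient library).
public class AccessTokenClaims {

    /** Decodes the payload segment of a compact JWT. No signature check is done. */
    static String decodePayload(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 JWT segments, got " + parts.length);
        }
        // Base64.getUrlDecoder() accepts the unpadded base64url used by JWTs and
        // throws IllegalArgumentException on malformed input.
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    /**
     * Returns the first string-valued claim with the given name, or null.
     * Simplification: a regex instead of a JSON parser, so a same-named key in a
     * nested object would also match; use a real JSON library in production.
     */
    static String stringClaim(String payloadJson, String name) {
        Pattern p = Pattern.compile(
                "\"" + Pattern.quote(name) + "\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");
        Matcher m = p.matcher(payloadJson);
        return m.find() ? m.group(1) : null;
    }

    /** True if the space-delimited "scope" claim contains exactly the wanted scope. */
    static boolean hasScope(String jwt, String wanted) {
        String scope = stringClaim(decodePayload(jwt), "scope");
        return scope != null && Arrays.asList(scope.trim().split("\\s+")).contains(wanted);
    }

    /** Assumption: the "issued for" claim is the JWT "azp" claim. */
    static String issuedFor(String jwt) {
        return stringClaim(decodePayload(jwt), "azp");
    }

    /** Builds an unsigned sample token for the demo; constructed, not a real token. */
    static String constructedToken(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".constructed-signature";
    }

    public static void main(String[] args) {
        String offline = constructedToken(
                "{\"azp\":\"example-client\",\"scope\":\"openid profile offline_access\"}");
        // "offline_access_lookalike" must not satisfy the check: whole-token match only.
        String online = constructedToken(
                "{\"azp\":\"example-client\",\"scope\":\"openid offline_access_lookalike\"}");

        for (String token : new String[] {offline, online}) {
            System.out.println("issued for: " + issuedFor(token)
                    + ", offline_access present: " + hasScope(token, "offline_access"));
        }
        try {
            hasScope("not-a-jwt", "offline_access");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected malformed token: " + e.getMessage());
        }
    }
}
```

        Nothing here verifies the token's signature, so these claims are only a pre-check; whether the token is active still has to come from introspectAccessToken or isAccessTokenVerified.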
      • introspectAccessToken

        TokenIntrospectionResponse introspectAccessToken​(String context,
                                                         String clientId,
                                                         String clientSecret,
                                                         String accessTokenJWTString)
                                                  throws KeycloakClientException
        Introspects an access token against the Keycloak server.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the requestor client id
        clientSecret - the requestor client secret
        accessTokenJWTString - the access token to verify
        Returns:
        a TokenIntrospectionResponse object with the introspection results; in particular, the active field represents the token validity
        Throws:
        KeycloakClientException - if something goes wrong performing the verification
      • introspectAccessToken

        TokenIntrospectionResponse introspectAccessToken​(URL introspectionURL,
                                                         String clientId,
                                                         String clientSecret,
                                                         String accessTokenJWTString)
                                                  throws KeycloakClientException
        Introspects an access token against the Keycloak server.
        Parameters:
        introspectionURL - the introspection endpoint URL of the Keycloak server
        clientId - the requestor client id
        clientSecret - the requestor client secret
        accessTokenJWTString - the access token to verify
        Returns:
        a TokenIntrospectionResponse object with the introspection results; in particular, the active field represents the token validity
        Throws:
        KeycloakClientException - if something goes wrong performing the verification
      • isAccessTokenVerified

        boolean isAccessTokenVerified​(String context,
                                      String clientId,
                                      String clientSecret,
                                      String accessTokenJWTString)
                               throws KeycloakClientException
        Verifies an access token against the Keycloak server.
        Parameters:
        context - the context where the Keycloak server is needed (e.g. /gcube for DEV)
        clientId - the requestor client id
        clientSecret - the requestor client secret
        accessTokenJWTString - the access token to verify
        Returns:
        true if the token is active, false otherwise
        Throws:
        KeycloakClientException - if something goes wrong performing the verification
      • isAccessTokenVerified

        boolean isAccessTokenVerified​(URL introspectionURL,
                                      String clientId,
                                      String clientSecret,
                                      String accessTokenJWTString)
                               throws KeycloakClientException
        Verifies an access token against the Keycloak server.
        Parameters:
        introspectionURL - the introspection endpoint URL of the Keycloak server
        clientId - the requestor client id
        clientSecret - the requestor client secret
        accessTokenJWTString - the access token to verify
        Returns:
        true if the token is active, false otherwise
        Throws:
        KeycloakClientException - if something goes wrong performing the verification
      • getAvatarData

        byte[] getAvatarData​(String context,
                             TokenResponse tokenResponse)
                      throws KeycloakClientException
        Retrieves the user's avatar image data from Keycloak server.
        Parameters:
        context - the context used to compute the server endpoint in the correct environment
        tokenResponse - the token response from which to get the bearer token for the authorization header
        Returns:
        the avatar's data bytes
        Throws:
        KeycloakClientException - if something goes wrong in the request
      • getAvatarData

        byte[] getAvatarData​(URL avatarURL,
                             TokenResponse tokenResponse)
                      throws KeycloakClientException
        Retrieves the user's avatar image data from Keycloak server.
        Parameters:
        avatarURL - the server's avatar endpoint URL
        tokenResponse - the token response from which to get the bearer token for the authorization header
        Returns:
        the avatar's data bytes
        Throws:
        KeycloakClientException - if something goes wrong in the request
      • getAvatarData

        byte[] getAvatarData​(URL avatarURL,
                             String authorization)
                      throws KeycloakClientException
        Retrieves the user's avatar image data from Keycloak server.
        Parameters:
        avatarURL - the server's avatar endpoint URL
        authorization - the string to use as authorization header (e.g. 'bearer xxxx')
        Returns:
        the avatar's data bytes
        Throws:
        KeycloakClientException - if something goes wrong in the request