diff --git a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
index 2596e07..5cd2ea5 100644
--- a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
+++ b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
@@ -737,6 +737,20 @@ public class DefaultKeycloakClient implements KeycloakClient {
 OFFLINE_ACCESS_SCOPE);
 }
+ /**
+ * Queries from the OIDC server an exchanged token by using provided access token, for the given audience (context),
+ * in URLEncoded form or not,
+ *
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
+ * @param oidcAccessToken the auth token (the access token URLEncoded by the "Bearer " string)
+ * @param clientId the client id
+ * @param clientSecret the client secret
+ * @param audience the audience (context) where to request the issuing of the ticket (URLEncoded)
+ * @param requestedTokenType the token type (e.g. refresh)
+ * @param scope the scope, optional can be null
+ * @return the issued exchanged token
+ * @throws KeycloakClientException if an error occurs, inspect the exception for details
+ */
 protected TokenResponse exchangeToken(URL tokenURL, String oidcAccessToken, String clientId, String clientSecret, String audience, String requestedTokenType, String scope) throws KeycloakClientException {
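Review bot: The new `@param oidcAccessToken the auth token (the access token URLEncoded by the "Bearer " string)` line repeats the description of the stale `authorization` parameter that the next hunk deletes, and it does not fit this method: the `performRequest(tokenURL, null, params)` call that ends exchangeToken in that hunk passes `null` in what looks like the authorization-header slot, so the token presumably travels as a form parameter, and a caller who follows the doc and hands in a `Bearer `-prefixed or URL-encoded value is likely to have the exchange rejected. Suggest `@param oidcAccessToken the access token to exchange (the bare JWT string, with no "Bearer " prefix and not URL-encoded)`. The summary sentence also stops mid-clause at `in URLEncoded form or not,`, another remnant of the copied text; closing it as `for the given audience (context), in URLEncoded form or not.` or dropping the clause would do. The body of exchangeToken lies between this hunk and the next, outside the view, so the form-parameter reading should be confirmed there.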
@@ -768,18 +782,6 @@ public class DefaultKeycloakClient implements KeycloakClient {
 return performRequest(tokenURL, null, params);
 }
- /**
- * Queries from the OIDC server an exchanged token by using provided access token, for the given audience (context),
- * in URLEncoded form or not, and optionally a list of permissions.
- *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
- * @param authorization the auth token (the access token URLEncoded by the "Bearer " string)
- * @param audience the audience (context) where to request the issuing of the ticket (URLEncoded)
- * @param permissions a list of permissions, can be null
- * @return the issued token
- * @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
- */
-
 @Override
 public TokenIntrospectionResponse introspectAccessToken(String context, String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException {
diff --git a/src/main/java/org/gcube/common/keycloak/KeycloakClient.java b/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
index 082cc8a..33703eb 100644
--- a/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
+++ b/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
@@ -92,7 +92,7 @@ public interface KeycloakClient {
 *
 * @param realmURL the realm URL
 * @return the configured realm info
- * @throws KeycloakClientException
+ * @throws KeycloakClientException if something goes wrong getting realm info
 */
 PublishedRealmRepresentation getRealmInfo(URL realmURL) throws KeycloakClientException;
@@ -149,7 +149,6 @@ public interface KeycloakClient {
 * Queries an OIDC token from the Keycloak server, by using provided authorization.
 *
 * @param context the context where the Keycloak's is needed (e.g. /gcube for DEV)
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @return the issued token as {@link TokenResponse} object
 * @throws KeycloakClientException if something goes wrong performing the query
@@ -161,7 +160,6 @@ public interface KeycloakClient {
 * Optionally extra HTTP headers can be provided to be used in the call.
 *
 * @param context the context where the Keycloak's is needed (e.g. /gcube for DEV)
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param extraHeaders extra HTTP headers to add to the request
 * @return the issued token as {@link TokenResponse} object
@@ -172,7 +170,7 @@ public interface KeycloakClient {
 /**
 * Queries an OIDC token from the Keycloak server, by using provided authorization.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @return the issued token as {@link TokenResponse} object
 * @throws KeycloakClientException if something goes wrong performing the query
@@ -183,7 +181,7 @@ public interface KeycloakClient {
 * Queries an OIDC token from the Keycloak server, by using provided authorization.
 * Optionally extra HTTP headers can be provided to be used in the call.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param extraHeaders extra HTTP headers to add to the request
 * @return the issued token as {@link TokenResponse} object
@@ -259,7 +257,6 @@ public interface KeycloakClient {
 * Queries an OIDC token from the Keycloak server, by using provided authorization, reducing the audience to the requested one.
 *
 * @param context the context where the Keycloak's is needed (e.g. /gcube for DEV)
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param audience an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
 * @return the issued token as {@link TokenResponse} object
@@ -273,7 +270,6 @@ public interface KeycloakClient {
 * Optionally extra HTTP headers can be provided to be used in the call.
 *
 * @param context the context where the Keycloak's is needed (e.g. /gcube for DEV)
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param audience an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
 * @param extraHeaders extra HTTP headers to add to the request
@@ -286,7 +282,7 @@ public interface KeycloakClient {
 /**
 * Queries an OIDC token from the Keycloak server, by using provided authorization, reducing the audience to the requested one.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param audience an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
 * @return the issued token as {@link TokenResponse} object
@@ -299,7 +295,7 @@ public interface KeycloakClient {
 * Queries an OIDC token from the Keycloak server, by using provided authorization, reducing the audience to the requested one.
 * Optionally extra HTTP headers can be provided to be used in the call.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param audience an optional parameter to shrink the token's audience to the requested one (e.g. a specific context), by leveraging on the custom HTTP header and corresponding mapper on Keycloak
 * @param extraHeaders extra HTTP headers to add to the request
@@ -358,7 +354,7 @@ public interface KeycloakClient {
 *
 * The implementation uses the custom X-D4Science-Context HTTP header that the proper mapper on Keycloak uses to reduce the audience
 *
- * @param tokenURL the token endpoint {@link URL} of the Keycloak server
+ * @param context the context where the Keycloak's is needed (e.g. /gcube for DEV)
 * @param clientId the client id
 * @param clientSecret the client secret
 * @param username the user's username
@@ -376,7 +372,7 @@ public interface KeycloakClient {
 *
 * The implementation uses the custom X-D4Science-Context HTTP header that the proper mapper on Keycloak uses to reduce the audience
 *
- * @param tokenURL the token endpoint {@link URL} of the Keycloak server
+ * @param context the context where the Keycloak's is needed (e.g. /gcube for DEV)
 * @param clientId the client id
 * @param clientSecret the client secret
 * @param username the user's username
@@ -442,7 +438,7 @@ public interface KeycloakClient {
 /**
 * Queries an OIDC token for a specific user from the context's Keycloak server, by using provided clientId and client secret and user's username and password.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param username the user's username
 * @param password the user's password
@@ -457,7 +453,7 @@ public interface KeycloakClient {
 * Queries an OIDC token for a specific user from the context's Keycloak server, by using provided clientId and client secret and user's username and password.
 * Optionally extra HTTP headers can be provided to be used in the call.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param username the user's username
 * @param password the user's password
@@ -487,7 +483,7 @@ public interface KeycloakClient {
 * Queries an UMA token from the Keycloak server, by using provided authorization, for the given audience (context),
 * in URLEncoded form or not, and optionally a list of permissions.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param authorization the authorization to be set as header (e.g. a "Basic ...." auth or an encoded JWT access token preceded by the "Bearer " string)
 * @param audience the audience (context) where to request the issuing of the ticket (URLEncoded)
 * @param permissions a list of permissions, can be null
@@ -502,7 +498,7 @@ public interface KeycloakClient {
 * for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
 *
 * @param context the context where the Keycloak's is needed (e.g. /gcube for DEV)
- * @param tokenResponse the previously issued token as {@link TokenResponse} object
+ * @param oidcTokenResponse the previously issued token as {@link TokenResponse} object
 * @param audience the audience (context) where to request the issuing of the ticket
 * @param permissions a list of permissions, can be null
 * @return the issued token as {@link TokenResponse} object
@@ -515,8 +511,8 @@ public interface KeycloakClient {
 * Queries an UMA token from the Keycloak server, by using access-token provided by the {@link TokenResponse} object
 * for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
- * @param tokenResponse the previously issued token as {@link TokenResponse} object
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
+ * @param oidcTokenResponse the previously issued token as {@link TokenResponse} object
 * @param audience the audience (context) where to request the issuing of the ticket
 * @param permissions a list of permissions, can be null
 * @return the issued token as {@link TokenResponse} object
@@ -576,7 +572,7 @@ public interface KeycloakClient {
 * Client id will be read from "issued for" access token's claim and client secret will be not sent.
 * NOTE: For public clients types only.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param tokenResponse the previously issued token as {@link TokenResponse} object
 * @return the refreshed token as {@link TokenResponse} object
 * @throws KeycloakClientException if something goes wrong performing the refresh query
@@ -601,7 +597,7 @@ public interface KeycloakClient {
 * Refreshes a previously issued token from the Keycloak server using the refresh token JWT encoded string in the
 * token response object and the provided client id and secret.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param clientId the requestor client id, may be null and in this case will be take from the access token "issued for" claim
 * @param clientSecret the requestor client secret, may be null for non-confidential clients
 * @param tokenResponse the previously issued token as {@link TokenResponse} object
@@ -629,7 +625,7 @@ public interface KeycloakClient {
 * Refreshes a previously issued token from the Keycloak server by using the client id and secret
 * and the refresh token JWT encoded string obtained with the access token in the previous token response.
 *
- * @param tokenUrl the token endpoint {@link URL} of the OIDC server
+ * @param tokenURL the token endpoint {@link URL} of the OIDC server
 * @param clientId the requestor client id
 * @param clientSecret the requestor client secret, may be null for non-confidential clients
 * @param refreshTokenJWTString the previously issued refresh token JWT string
diff --git a/src/main/java/org/gcube/common/keycloak/model/JsonWebToken.java b/src/main/java/org/gcube/common/keycloak/model/JsonWebToken.java
index cdda20b..820e555 100644
--- a/src/main/java/org/gcube/common/keycloak/model/JsonWebToken.java
+++ b/src/main/java/org/gcube/common/keycloak/model/JsonWebToken.java
@@ -83,7 +83,7 @@ public class JsonWebToken implements Serializable {
 /**
 * Tests that the token is not expired and is not-before.
 *
- * @return
+ * @return true if is not expired and is not-before
 */
 @JsonIgnore
 public boolean isActive() {
@@ -101,6 +101,7 @@ public class JsonWebToken implements Serializable {
 /**
 * Set issuedAt to the current time
+ * @return the token itself
 */
 @JsonIgnore
 public JsonWebToken issuedNow() {
@@ -186,7 +187,7 @@ public class JsonWebToken implements Serializable {
 /**
 * OAuth client the token was issued for.
 *
- * @return
+ * @return the issued for vale
 */
 public String getIssuedFor() {
 return issuedFor;
@@ -200,7 +201,7 @@ public class JsonWebToken implements Serializable {
 /**
 * This is a map of any other claims and data that might be in the IDToken. Could be custom claims set up by the auth server
 *
- * @return
+ * @return the object's other claims
 */
 @JsonAnyGetter
 public Map getOtherClaims() {
diff --git a/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java b/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java
index 967084a..405d816 100644
--- a/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java
+++ b/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java
@@ -87,9 +87,8 @@ public class ModelUtils {
 *
 * @param token the base64 JWT token string
 * @param publicKey the realm's public key on server
- * @param keyAlgorithm the public key algorithm
 * @return true if the token is valid, false otherwise
- * @throws RuntimeException if an error occurs constructing the verifier
+ * @throws Exception if an error occurs constructing the verifier
 */
 public static boolean isValid(String token, PublicKey publicKey) throws Exception {
 return isValid(token, publicKey, true);
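Review bot: The new `@return the issued for vale` on getIssuedFor has a typo; `@return the OAuth client the token was issued for` matches the summary line above it. In the same file, the new `@return true if is not expired and is not-before` on isActive is missing its subject and reads ambiguously for a check that gates whether a token is accepted; `@return true if the token is not yet expired and its not-before time has already been reached` says what the summary sentence appears to mean, assuming that is how the body (outside the hunk) evaluates it.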
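Review bot: The new `@throws Exception if an error occurs constructing the verifier` on the two-argument isValid (and the identical line added to the three-argument overload in the `@@ -99` hunk of ModelUtils) covers only the `Jwts.parser().verifyWith(publicKey).build()` step visible there; the parse call that must follow it, outside the hunk, is what actually checks the signature and expiry, and in jjwt those failures surface as an unchecked `io.jsonwebtoken.JwtException` rather than as a return value. If the body does not catch that, the retained `@return true if the token is valid, false otherwise` misleads a caller that treats only `false` as rejection, which for a signature check is a distinction worth stating. Suggest adding `@throws io.jsonwebtoken.JwtException if the signature does not verify or the token is expired` to both overloads, or, if the body maps those cases to `false`, saying so in `@return`. The rest of isValid's body is outside the hunk.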
@@ -99,9 +98,10 @@ public class ModelUtils {
 * Verifies the token validity
 *
 * @param token the base64 JWT token string
- * @param algorithm the algorithm to use for verification
+ * @param publicKey the public key to use for verification
 * @param checkExpiration if false token expiration check is disabled
 * @return true if the token is valid, false otherwise
+ * @throws Exception if an error occurs constructing the verifier
 */
 public static boolean isValid(String token, PublicKey publicKey, boolean checkExpiration) throws Exception {
 JwtParser jwtParser = Jwts.parser().verifyWith(publicKey).build();
diff --git a/src/main/java/org/gcube/common/keycloak/model/UserInfo.java b/src/main/java/org/gcube/common/keycloak/model/UserInfo.java
index 4f1ea83..55d5a8d 100644
--- a/src/main/java/org/gcube/common/keycloak/model/UserInfo.java
+++ b/src/main/java/org/gcube/common/keycloak/model/UserInfo.java
@@ -311,7 +311,7 @@ public class UserInfo {
 /**
 * This is a map of any other claims and data that might be in the UserInfo. Could be custom claims set up by the auth server
 *
- * @return
+ * @return the object's other claims
 */
 @JsonAnyGetter
 public Map getOtherClaims() {
diff --git a/src/main/java/org/gcube/common/keycloak/model/util/Time.java b/src/main/java/org/gcube/common/keycloak/model/util/Time.java
index 71b266e..1425ab3 100644
--- a/src/main/java/org/gcube/common/keycloak/model/util/Time.java
+++ b/src/main/java/org/gcube/common/keycloak/model/util/Time.java
@@ -26,7 +26,7 @@ public class Time {
 private static int offset;
 /**
- * Returns current time in seconds adjusted by adding {@link #offset) seconds.
+ * Returns current time in seconds adjusted by adding {@link #offset} seconds.
 * @return see description
 */
 public static int currentTime() {
@@ -34,7 +34,7 @@ public class Time {
 }
 /**
- * Returns current time in milliseconds adjusted by adding {@link #offset) seconds.
+ * Returns current time in milliseconds adjusted by adding {@link #offset} seconds.
 * @return see description
 */
 public static long currentTimeMillis() {