KEYCLOAK-5102 Action token SPI documentation

This commit is contained in:
Hynek Mlnarik 2017-07-18 12:21:31 +02:00
parent b945767fc1
commit 08997d3944
2 changed files with 119 additions and 0 deletions

View file

@ -11,6 +11,7 @@
.. link:server_development/topics/providers.adoc[Service Provider Interfaces (SPI)] .. link:server_development/topics/providers.adoc[Service Provider Interfaces (SPI)]
.. link:server_development/topics/extensions.adoc[Extending Server] .. link:server_development/topics/extensions.adoc[Extending Server]
.. link:server_development/topics/auth-spi.adoc[Authentication SPI] .. link:server_development/topics/auth-spi.adoc[Authentication SPI]
.. link:server_development/topics/action-token-spi.adoc[Action Token SPI]
.. link:server_development/topics/events.adoc[Event Listener SPI] .. link:server_development/topics/events.adoc[Event Listener SPI]
{% endif %} {% endif %}
.. link:server_development/topics/user-storage.adoc[User Storage SPI] .. link:server_development/topics/user-storage.adoc[User Storage SPI]

View file

@ -0,0 +1,118 @@
[[_action_token_spi]]
== Action Token SPI
An action token is a special instance of Json Web Token (JWT) that permits its bearer to perform some actions, e. g. to
reset a password or validate e-mail address. They are usually sent to users in form of a link that points to an endpoint
processing action tokens for a particular realm.
{{book.project.name}} offers four basic token types allowing the bearer to:
* Reset credentials
* Confirm e-mail address
* Execute required action(s)
* Confirm linking of an account with account in external identity provider
In addition to that, it is possible to implement any functionality that initiates or modifies authentication session
using action token SPI, details of which are described in the text below.
[[_action_token_anatomy]]
=== Anatomy of Action Token
Action token is a standard Json Web Token signed with active realm key where the payload contains several fields:
* `typ` - Identification of the action (e.g. `verify-email`)
* `iat` and `exp` - Times of token validity
* `sub` - ID of the user
* `azp` - Client name
* `iss` - Issuer - URL of the issuing realm
* `aud` - Audience - list containing URL of the issuing realm
* `asid` - ID of the authentication session (_optional_)
* `nonce` - Random nonce to guarantee uniqueness of use if the operation can only be executed once (_optional_)
In addition, an action token can contain any number of custom fields serializable into JSON.
=== Action Token Processing
When an action token is passed to a {{book.project.name}} endpoint
`_KEYCLOAK_ROOT_/auth/realms/master/login-actions/action-token` via `key` parameter, it is validated and a proper action
token handler is executed. The processing always takes place in a context of an authentication session, either a fresh
one or the action token service joins an existing authentication session (details are described below). The action token
handler can perform actions prescribed by the token (often it alters the authentication session) and results into a HTTP
response (e.g. it can continue in authentication or display an information/error page). These steps are detailed below.
1. *Basic action token validation.* Signature and time validity is checked, and action token handler is determined based
on `typ` field.
2. [[determining-auth-sess]]*Determining authentication session.* If the action token URL was opened in browser with
existing authentication session, and the token contains authentication session ID matching the authentication session
from the browser, action token validation and handling will attach this ongoing authentication session. Otherwise,
action token handler creates a fresh authentication session that replaces any other authentication session present at
that time in the browser.
3. *Token validations specific for token type.* Action token endpoint logic validates that the user (`sub` field) and
client (`azp`) from the token exist, are valid and not disabled. Then it validates all custom validations defined in the
action token handler. Furthermore, token handler can request this token be single-use. Already used tokens would then be
rejected by action token endpoint logic.
4. *Performing the action.* After all these validations, action token handler code is called that performs the actual
action according to parameters in the token.
5. *Invalidation of single-Use tokens.* If the token is set to single-use, once the authentication flow finishes, the
action token is invalidated.
=== Implement Your Own Action Token and its Handler
==== How to Create an Action Token
As action token is just a signed JWT with few mandatory fields (see <<_action_token_anatomy,Anatomy of action token>>
above), it can be serialized and signed as such using Keycloak's `JWSBuilder` class. This way has been already
implemented in `serialize(session, realm, uriInfo)` method of `org.keycloak.authentication.actiontoken.DefaultActionToken`
and can be leveraged by implementors by using that class for tokens instead of plain `JsonWebToken`.
==== Packaging Classes and Deployment
To plug your own action token and its handler, you need to implement few interfaces on server side:
* `org.keycloak.authentication.actiontoken.ActionTokenHandler` - actual handler of action token for a particular
action (i.e. for a given value of `typ` token field).
+
The central method in that interface is `handleToken(token, context)` which defines actual operation executed upon
receiving the action token. Usually it is some alteration of authentication session notes but generally it can be
arbitrary. This method is only called if all verifiers (including those defined in `getVerifiers(context)`) have
succeeded, and it is guaranteed that the `token` would be of the class returned by `getTokenClass()` method.
+
To be able to determine whether the action token was issued for the current authentication session as described in
<<determining-auth-sess,Item 2 above>>, method for extracting authentication session ID has to be declared in
`getAuthenticationSessionIdFromToken(token, context)` method. The implementation in `DefaultActionToken` returns the
value of `asid` field from the token if it is defined. Note that you can override that method to return current
authentication session ID regardless of the token - that way you can create tokens that would step into the ongoing
authentication flow before any authentication flow would be started.
+
If the authentication session from the token does not match the current one, the action token handler would be asked to
start a fresh one by calling `startFreshAuthenticationSession(token, context)`. It can throw a `VerificationException`
(or better its more descriptive variant `ExplainedTokenVerificationException`) to signal that would be forbidden.
+
The token handler also determines via method `canUseTokenRepeatedly(token, context)` whether the token would be
invalidated after it is used and authentication completes. Note that if you would have a flow utilizing multiple action
token, only the last token would be invalidated. In that case, you should use
`org.keycloak.models.ActionTokenStoreProvider` in action token handler to invalidate the used tokens manually.
+
Default implementation of most of the `ActionTokenHandler` methods is the
`org.keycloak.authentication.actiontoken.AbstractActionTokenHander` abstract class in `keycloak-services` module. The
only method that needs to be implemented is `handleToken(token, context)` that performs the actual action.
* `org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory` - factory that instantiates action token
handler. Implementations have to override `getId()` to return value that must match precisely the value of `typ`
field in the action token.
+
Note that you have to register the custom `ActionTokenHandlerFactory` implementation as explained in the
<<_providers,Service Provider Interfaces>> section of this guide.
* If the action token you are implementing contains any custom fields that should be serializabled to JSON fields, you
should consider implementing a descendant of `org.keycloak.representations.JsonWebToken` class that would implement
`org.keycloak.models.ActionTokenKeyModel` interface. In that case, you can take advantage of the existing
`org.keycloak.authentication.actiontoken.DefaultActionToken` class as it already satisfies both these conditions,
and either use it directly or implement its child, the fields of which can be annotated with appropriate Jackson
annotations, e.g. `com.fasterxml.jackson.annotation.JsonProperty` to serialize them to JSON.