tessl/maven-org-keycloak--keycloak-core

Core Keycloak library providing fundamental authentication and authorization functionality

Describes
mavenpkg:maven/org.keycloak/keycloak-core@26.2.x

To install, run

npx @tessl/cli install tessl/maven-org-keycloak--keycloak-core@26.2.0

Keycloak Core

Keycloak Core is the fundamental library for authentication and authorization in the Keycloak identity and access management ecosystem. It provides comprehensive JWT token handling, cryptographic operations, OAuth2/OpenID Connect protocol support, and extensive data representation classes for identity management operations.

Package Information

  • Package Name: keycloak-core
  • Package Type: maven
  • Language: Java
  • Installation:
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-core</artifactId>
      <version>26.2.5</version>
    </dependency>

Core Imports

import org.keycloak.Config;
import org.keycloak.TokenVerifier;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.AuthorizationContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.Algorithm;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.util.TokenUtil;

Basic Usage

import org.keycloak.TokenVerifier;
import org.keycloak.representations.AccessToken;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.exceptions.TokenVerificationException;

// Basic token verification: parse tokenString as an AccessToken, run the
// verifier's default checks, and check the signature against publicKey.
// verify() throws TokenVerificationException when a check fails, so the
// claims below are only read on the success path.
// NOTE(review): this example never pins the expected audience even though
// TokenVerifier exposes audience(String...); unless withDefaultChecks()
// covers it (confirm), a token issued for a different client passes as written.
try {
    AccessToken token = TokenVerifier.create(tokenString, AccessToken.class)
        .withDefaultChecks()
        .publicKey(publicKey)
        .verify()
        .getToken();
    
    String subject = token.getSubject();
    String issuer = token.getIssuer();
    boolean isActive = token.isActive();   // presumably a time-window check; may overlap withDefaultChecks() — confirm
    
    // Access roles and permissions
    AccessToken.Access realmAccess = token.getRealmAccess();   // can be null, hence the guard below
    if (realmAccess != null && realmAccess.isUserInRole("admin")) {
        // Handle admin access
    }
} catch (TokenVerificationException e) {
    // Handle verification failure (bad signature, inactive token, ...):
    // treat the caller as unauthenticated rather than falling back to unverified claims.
}

// Configuration management: read "defaultProvider" from the "authentication"
// scope, returning "password" when the key is absent.
Config.Scope authScope = Config.scope("authentication");
String defaultProvider = authScope.get("defaultProvider", "password");

Architecture

Keycloak Core is built around several key architectural components:

  • Token System: Comprehensive JWT implementation with specialized token types for different OAuth2/OIDC flows
  • Cryptographic Layer: Pluggable signature and encryption providers supporting RSA, ECDSA, EdDSA, and HMAC algorithms
  • JOSE Implementation: Complete JSON Object Signing and Encryption support including JWS, JWE, and JWK specifications
  • Representation Layer: Extensive data transfer objects for identity management, authorization policies, and configuration
  • Configuration System: Hierarchical configuration management with scoped property access
  • Verification Framework: Flexible token validation system with pluggable verification predicates

Capabilities

Token Management

Core JWT token creation, validation, and processing with support for access tokens, ID tokens, refresh tokens, and specialized Keycloak token types.

/**
 * Fluent verifier for a serialized JWT decoded as {@code T}.
 * Build with {@link #create}, add the checks and the key to verify against, then call {@link #verify()}.
 * Only the checks explicitly configured (plus whatever {@code withDefaultChecks()} enables) run;
 * in particular the audience is not constrained unless {@link #audience(String...)} is called.
 */
public class TokenVerifier<T extends JsonWebToken> {
    /** Starts a verifier for {@code tokenString}, to be decoded as {@code clazz}. */
    public static <T extends JsonWebToken> TokenVerifier<T> create(String tokenString, Class<T> clazz);
    /** Enables the library's default check set (its contents are not listed here — confirm before relying on it). */
    public TokenVerifier<T> withDefaultChecks();
    /** Supplies the public key the signature is checked against (asymmetric algorithms). */
    public TokenVerifier<T> publicKey(PublicKey publicKey);
    /** Supplies the shared secret the signature is checked against (symmetric algorithms). */
    public TokenVerifier<T> secretKey(SecretKey secretKey);
    /** Restricts the accepted audience values — presumably matched against the token's aud claim; confirm. */
    public TokenVerifier<T> audience(String... audience);
    /**
     * Runs the configured checks.
     * @throws TokenVerificationException when any check fails
     * NOTE(review): the Basic Usage example above chains {@code .verify().getToken()}, which implies
     * verify() returns the verifier rather than {@code T} as declared here — confirm the real signature.
     */
    public T verify() throws TokenVerificationException;
}

Token Management

Cryptographic Operations

Cryptographic support for signing, verification, key management, and algorithm abstraction, covering modern cryptographic standards.

/** Signs byte payloads with a bound key; the algorithm and key id identify what produced the signature. */
public interface SignatureSignerContext {
    /** Returns the signature over {@code data}. @throws SignatureException when signing fails */
    byte[] sign(byte[] data) throws SignatureException;
    /** Algorithm name used for signing. */
    String getAlgorithm();
    /** Key identifier of the signing key (presumably the JWS "kid" header value — confirm). */
    String getKid();
}

/** Verifies signatures produced for a bound key. */
public interface SignatureVerifierContext {
    /**
     * Returns whether {@code signature} is valid for {@code data}.
     * A failed verification is reported as {@code false}, not as an exception, so callers must
     * branch on the result; {@code SignatureException} signals an error in the operation itself.
     */
    boolean verify(byte[] data, byte[] signature) throws SignatureException;
    /** Algorithm name this context verifies. */
    String getAlgorithm();
    /** Key identifier of the verification key. */
    String getKid();
}

/** Metadata plus key material for a single key (asymmetric or symmetric). */
public class KeyWrapper {
    /** Key identifier. */
    public String getKid();
    /** Algorithm the key is intended for. */
    public String getAlgorithm();
    /** Key type (EC, RSA, OCT, OKP — see the KeyType enum). */
    public KeyType getType();
    /** Intended use (SIG or ENC — see the KeyUse enum). */
    public KeyUse getUse();
    /** Lifecycle status (ACTIVE, PASSIVE, DISABLED — see the KeyStatus enum). */
    public KeyStatus getStatus();
    /** Public half of an asymmetric key. */
    public PublicKey getPublicKey();
    /** Symmetric key material; secret — keep it out of logs and representations. */
    public SecretKey getSecretKey();
}

Cryptographic Operations

JOSE Implementation

Complete JSON Object Signing and Encryption implementation including JWS (JSON Web Signature), JWE (JSON Web Encryption), and JWK (JSON Web Key) support.

/**
 * Parsed view of a compact JWS: header, payload and signature parts.
 * NOTE(review): nothing listed here verifies the signature — treat getContent()/readJsonContent()
 * output as untrusted until the signature has been checked (e.g. via TokenVerifier or a
 * SignatureVerifierContext); confirm against the implementation.
 */
public class JWSInput {
    /** Decoded JOSE header. */
    public JWSHeader getHeader();
    /** Raw decoded payload bytes. */
    public byte[] getContent();
    /** Deserializes the payload as {@code type}. @throws IOException on malformed JSON */
    public <T> T readJsonContent(Class<T> type) throws IOException;
    /** The signed portion (header.payload) as encoded in the compact form. */
    public String getEncodedSignatureInput();
    /** Decoded signature bytes. */
    public byte[] getSignature();
}

/** A JWK Set: the list of keys plus lookup by key id. */
public class JSONWebKeySet {
    /** All keys in the set. */
    public List<JWK> getKeys();
    /** Key with the given {@code kid}; behaviour for an unknown kid is not shown here — check for null. */
    public JWK getKeyByKid(String kid);
}

JOSE Implementation

Token Representations

Comprehensive token representation classes for OAuth2/OpenID Connect tokens with Keycloak extensions for roles, permissions, and authorization.

/** OAuth2 access token claims with Keycloak's role and authorization extensions. */
public class AccessToken extends JsonWebToken {
    /** Space-separated scope string as issued. */
    public String getScope();
    /** Session identifier the token was issued under. */
    public String getSessionState();
    /** Realm-level roles; the Basic Usage example guards this for null. */
    public Access getRealmAccess();
    /** Client-level roles keyed by client id. */
    public Map<String, Access> getResourceAccess();
    /** Authorization (permissions) block, when present. */
    public Authorization getAuthorization();
    
    /** A set of roles at one level (realm or client). */
    public static class Access {
        /** Role names held at this level. */
        public Set<String> getRoles();
        /** Whether {@code role} is among {@link #getRoles()}. */
        public boolean isUserInRole(String role);
    }
}

/** OpenID Connect ID token with the standard profile and email claims. */
public class IDToken extends JsonWebToken {
    public String getName();
    public String getGivenName();
    public String getFamilyName();
    public String getPreferredUsername();
    public String getEmail();
    /** Boxed: null when the claim is absent, not false. */
    public Boolean getEmailVerified();
    /** Structured address claim. */
    public AddressClaimSet getAddress();
}

Token Representations

Identity Management Representations

Extensive data transfer objects for user management, realm configuration, client settings, roles, groups, and authorization policies.

/** Data transfer object for a user account. Boxed Booleans are null when unset. */
public class UserRepresentation extends AbstractUserRepresentation {
    public String getId();
    public String getUsername();
    public String getEmail();
    public String getFirstName();
    public String getLastName();
    public Boolean isEnabled();
    public Boolean isEmailVerified();
    /** Group paths/ids the user belongs to. */
    public List<String> getGroups();
    /** Realm role names assigned to the user. */
    public List<String> getRealmRoles();
    /** Free-form attributes; values are untyped ({@code Object}) — validate before use. */
    public Map<String, Object> getAttributes();
}

/** Data transfer object for a realm, including its nested users, clients and roles. */
public class RealmRepresentation {
    public String getId();
    public String getRealm();
    public String getDisplayName();
    public Boolean isEnabled();
    /** Users included in the representation (e.g. for import/export). */
    public List<UserRepresentation> getUsers();
    public List<ClientRepresentation> getClients();
    public List<RoleRepresentation> getRoles();
}

Identity Management

Configuration Management

Hierarchical configuration system with scoped property access, type-safe configuration retrieval, and extensible provider architecture.

/**
 * Static entry point to hierarchical configuration. Values are read through a
 * {@link Scope} obtained from {@link #scope(String...)}; two-argument getters return the
 * default when the key is absent, single-argument ones return null (boxed types).
 */
public class Config {
    public static void init();
    /** Returns a scope for the given (nested) path of scope names. */
    public static Scope scope(String... scope);
    /** Configured provider id for the given SPI name. */
    public static String getProvider(String spi);
    public static String getAdminRealm();
    
    /** Typed access to the keys under one scope. */
    public interface Scope {
        String get(String key);
        String get(String key, String defaultValue);
        String[] getArray(String key);
        Integer getInt(String key);
        Integer getInt(String key, Integer defaultValue);
        Long getLong(String key);
        Long getLong(String key, Long defaultValue);
        Boolean getBoolean(String key);
        Boolean getBoolean(String key, Boolean defaultValue);
    }
}

Configuration Management

Security Context

Runtime security context management providing access to authentication state, token information, and authorization decisions.

/**
 * Per-request security state: the verified tokens and the authorization context.
 * The raw token strings are bearer credentials — do not log them or expose them to clients
 * beyond what the protocol requires.
 */
public class KeycloakSecurityContext {
    public AccessToken getToken();
    /** Serialized access token as received. */
    public String getTokenString();
    public IDToken getIdToken();
    /** Serialized ID token as received. */
    public String getIdTokenString();
    public RefreshToken getRefreshToken();
    /** Permission state for this request (see AuthorizationContext). */
    public AuthorizationContext getAuthorizationContext();
    public String getRealm();
}

/** Permission decisions for the current request. */
public class AuthorizationContext {
    /** Whether {@code scope} is granted on {@code resource}. */
    public boolean hasPermission(String resource, String scope);
    /** Whether any permission on {@code resource} is granted. */
    public boolean hasResourcePermission(String resource);
    /** Whether {@code scope} is granted on any resource. */
    public boolean hasScopePermission(String scope);
    /** All granted permissions. */
    public Collection<Permission> getPermissions();
    public boolean isGranted();
}

Security Context

Utility Functions

Essential utility functions for token processing, JSON serialization, basic authentication, and common operations.

/** Static helpers for OIDC scope handling, refresh-token parsing and direct-key JWE. */
public class TokenUtil {
    public static void attachOIDCScope(MultivaluedMap<String, String> queryParams, 
                                     MultivaluedMap<String, String> formParams);
    public static boolean isOIDCRequest(String scope);
    public static boolean isOfflineTokenRequested(String scope);
    /** Whether {@code targetScope} appears in the space-separated {@code scopes} string. */
    public static boolean hasScope(String scopes, String targetScope);
    /** Parses a serialized refresh token. NOTE(review): whether the signature is verified here is not shown — confirm. */
    public static RefreshToken getRefreshToken(String refreshToken);
    public static boolean isOfflineToken(RefreshToken refreshToken);
    
    // JWE encoding/decoding methods
    /** Encrypts {@code input} as a JWE using {@code encryptionKey} directly (direct key management). */
    public static String jweDirectEncode(Object input, String encryptionAlg, 
                                       String contentEncAlg, SecretKey encryptionKey);
    /** Decrypts and decodes a JWE; the unbounded {@code <T>} means the result type is the caller's unchecked choice. */
    public static <T> T jweDirectVerifyAndDecode(String jweStr, SecretKey encryptionKey);
}

/** JSON (de)serialization helpers; all methods surface parse/encode failures as IOException. */
public class JsonSerialization {
    public static String writeValueAsString(Object obj) throws IOException;
    public static byte[] writeValueAsBytes(Object obj) throws IOException;
    /** Deserializes {@code json} into {@code type}; pin a concrete class for untrusted input rather than a base type. */
    public static <T> T readValue(String json, Class<T> type) throws IOException;
    public static <T> T readValue(byte[] json, Class<T> type) throws IOException;
}

Utility Functions

Types

Core Enums

/** Classifies a token by the purpose it is issued for (category semantics not detailed on this page). */
public enum TokenCategory {
    INTERNAL, ACCESS, ID, ADMIN, USERINFO, LOGOUT, AUTHORIZATION_RESPONSE
}

/** Key families, mirroring the JWK "kty" values: elliptic curve, RSA, symmetric octets, Octet Key Pair. */
public enum KeyType {
    EC, RSA, OCT, OKP
}

/** Intended key use, mirroring the JWK "use" values: signature or encryption. */
public enum KeyUse {
    SIG, ENC
}

/** Key lifecycle state (exact rollover semantics of PASSIVE are not described on this page). */
public enum KeyStatus {
    ACTIVE, PASSIVE, DISABLED
}

Exception Types

/** Checked base exception for any failed token check; callers of verify() must handle it. */
public class TokenVerificationException extends Exception {
    public TokenVerificationException(String message);
    public TokenVerificationException(String message, Throwable cause);
}

/** Raised when the token is outside its validity window; carries the offending token — avoid echoing it into logs or responses. */
public class TokenNotActiveException extends TokenVerificationException {
    public TokenNotActiveException(JsonWebToken token, String message);
}

/** Raised when the signature does not verify; carries the offending token — avoid echoing it into logs or responses. */
public class TokenSignatureInvalidException extends TokenVerificationException {
    public TokenSignatureInvalidException(JsonWebToken token, String message);
}

/** Checked exception for errors inside sign/verify operations (distinct from a signature that merely does not match). */
public class SignatureException extends Exception {
    public SignatureException(String message, Throwable cause);
}

Principal and Context Types

/** {@link Principal} backed by a KeycloakSecurityContext. */
public class KeycloakPrincipal<T extends KeycloakSecurityContext> implements Principal {
    /** Principal name. */
    public String getName();
    /** The security context this principal was built from. */
    public T getKeycloakSecurityContext();
}

/** Base class for OAuth clients; its members are not listed on this page. */
public abstract class AbstractOAuthClient {
    // OAuth client base implementation
}