keycloak-auth-utils

Token

constructor
Token()

Option name Type Description
token String The JSON Web Token formatted token string.
clientId String Optional clientId if this is an `access_token`.

Construct a token.

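Construct a token object from a JSON Web Token string. If a clientId
is provided, the token may also be tested for roles with hasRole().
The constructor only decodes the token; it does not verify the
signature, so the decoded content must not be trusted until the caller
has verified the signature.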

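/**
 * Construct a token from a JSON Web Token string.
 *
 * The three dot-separated segments are base64-decoded into `header`,
 * `content` and `signature`; `signed` keeps the raw `header.payload` text.
 * Nothing here verifies the signature, so the decoded fields are
 * unauthenticated until the caller has checked them.
 *
 * A token that cannot be decoded, or whose payload is not a JSON object,
 * gets placeholder content with `exp: 0`, so that an expiry check against
 * `content.exp` sees it as expired. The legacy `expiresAt: 0` key is kept
 * for callers that may read it. When no token is given, none of the decoded
 * fields are set.
 *
 * @param {String} token The JSON Web Token formatted token string.
 * @param {String} [clientId] Optional clientId if this is an `access_token`.
 */
function Token(token, clientId) {
  this.token = token;
  this.clientId = clientId;

  if ( ! token ) {
    return;
  }

  try {
    var parts = token.split('.');
    // Buffer.from replaces the deprecated `new Buffer(...)` constructor.
    this.header = JSON.parse( Buffer.from( parts[0], 'base64' ).toString() );
    this.content = JSON.parse( Buffer.from( parts[1], 'base64' ).toString() );

    // A payload such as `null`, `5` or `[]` parses as JSON but carries no
    // claims; treat it as malformed instead of letting later checks misread it.
    if ( this.content === null || typeof this.content !== 'object' || Array.isArray( this.content ) ) {
      throw new TypeError( 'JWT payload is not a JSON object' );
    }

    // A missing third segment makes Buffer.from throw, which lands in the
    // fallback below just like any other decoding failure.
    this.signature = Buffer.from( parts[2], 'base64' );
    this.signed = parts[0] + '.' + parts[1];
  } catch (err) {
    // Fail closed: `exp` is the claim the expiry check reads.
    this.content = {
      exp: 0,
      expiresAt: 0
    };
  }
}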

isExpired

method
Token.prototype.isExpired() ->boolean

Determine if this token is expired.

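/**
 * Determine if this token is expired.
 *
 * Compares the `exp` claim, taken as seconds, against the current time in
 * milliseconds. Content that is missing, or whose `exp` is not a finite
 * number, is reported as expired rather than passing as still valid.
 *
 * @return {boolean} `true` if the token is expired, `false` otherwise.
 */
Token.prototype.isExpired = function() {
  var exp = this.content ? this.content.exp : undefined;

  // Without this guard a missing `exp` becomes NaN, every comparison with
  // NaN is false, and the token would never be reported as expired.
  if ( typeof exp !== 'number' || ! isFinite( exp ) ) {
    return true;
  }

  return ( exp * 1000 ) < Date.now();
};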

hasRole

method
Token.prototype.hasRole() ->boolean

Option name Type Description
name String The role name specifier.

Determine if this token has an associated role.

This method is only functional if the token is constructed
with a clientId parameter.

The parameter matches a role specification using the following rules:

  • If the name contains no colons, then the name is taken as the entire
    name of a role within the current application, as specified via
    clientId.
  • If the name starts with the literal realm:, the subsequent portion
    is taken as the name of a realm-level role.
  • Otherwise, the name is split at the colon, with the first portion being
    taken as the name of an arbitrary application, and the subsequent portion
    as the name of a role within that app.
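/**
 * Determine if this token has an associated role.
 *
 * Only functional when the token was constructed with a clientId. The
 * specifier is split at its first colon only, so everything after that
 * colon is the role name and a role name that itself contains colons is
 * matched in full instead of being cut short.
 *
 *  - no colon: a role of the current application (clientId)
 *  - `realm:<role>`: a realm-level role
 *  - `<app>:<role>`: a role of the named application
 *
 * @param {String} name The role name specifier.
 * @return {boolean} `true` if the token carries the role, `false` otherwise
 *   (including when clientId is unset or `name` is not a string).
 */
Token.prototype.hasRole = function(name) {
  if ( ! this.clientId || typeof name !== 'string' ) {
    return false;
  }

  var colon = name.indexOf(':');

  if ( colon < 0 ) {
    return this.hasApplicationRole( this.clientId, name );
  }

  var prefix = name.slice( 0, colon );
  var roleName = name.slice( colon + 1 );

  if ( prefix === 'realm' ) {
    return this.hasRealmRole( roleName );
  }

  return this.hasApplicationRole( prefix, roleName );
};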

hasApplicationRole

method
Token.prototype.hasApplicationRole() ->boolean

Option name Type Description
appName String The identifier of the application to test.
roleName String The name of the role within that application to test.

Determine if this token has an associated specific application role.

Even if clientId is not set, this method may be used to explicitly test
roles for any given application.

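/**
 * Determine if this token has an associated specific application role.
 *
 * Reads `content.resource_access[appName].roles`. Returns `false`, instead
 * of throwing, when the content, the `resource_access` claim, the
 * application entry or its `roles` array is absent.
 *
 * @param {String} appName The identifier of the application to test.
 * @param {String} roleName The name of the role within that application to test.
 * @return {boolean} `true` if the role is listed for the application.
 */
Token.prototype.hasApplicationRole = function(appName, roleName) {
  var access = this.content && this.content.resource_access;

  // Own-property lookup only: a name such as `constructor` must not resolve
  // to something inherited from Object.prototype.
  if ( ! access || ! Object.prototype.hasOwnProperty.call( access, appName ) ) {
    return false;
  }

  var appRoles = access[appName];

  // Require a real array; `indexOf` on a string would match substrings.
  if ( ! appRoles || ! Array.isArray( appRoles.roles ) ) {
    return false;
  }

  return ( appRoles.roles.indexOf( roleName ) >= 0 );
};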

hasRealmRole

method
Token.prototype.hasRealmRole() ->boolean

Option name Type Description
roleName String The name of the realm-level role to test.

Determine if this token has an associated specific realm-level role.

Even if clientId is not set, this method may be used to explicitly test
roles for the realm.

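/**
 * Determine if this token has an associated specific realm-level role.
 *
 * Reads `content.realm_access.roles`. Returns `false`, instead of throwing,
 * when the content, the `realm_access` claim or its `roles` array is absent.
 *
 * @param {String} roleName The name of the realm-level role to test.
 * @return {boolean} `true` if the role is listed for the realm.
 */
Token.prototype.hasRealmRole = function(roleName) {
  var realmAccess = this.content && this.content.realm_access;

  // Require a real array; `indexOf` on a string would match substrings.
  if ( ! realmAccess || ! Array.isArray( realmAccess.roles ) ) {
    return false;
  }

  return ( realmAccess.roles.indexOf( roleName ) >= 0 );
};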

// The Token constructor is this module's only export.
module.exports = Token;