org.keycloak.protocol.oidc.endpoints.LogoutEndpoint クラス

org.keycloak.protocol.oidc.endpoints.LogoutEndpoint 連携図

公開メンバ関数
	LogoutEndpoint (TokenManager tokenManager, RealmModel realm, EventBuilder event)
Response	logout (@QueryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM) String redirectUri, @QueryParam("id_token_hint") String encodedIdToken, @QueryParam("post_logout_redirect_uri") String postLogoutRedirectUri, @QueryParam("state") String state)
Response	logoutToken ()

非公開メンバ関数
void	logout (UserSessionModel userSession, boolean offline)
ClientModel	authorizeClient ()
void	checkSsl ()

非公開変数類
KeycloakSession	session
ClientConnection	clientConnection
HttpRequest	request
HttpHeaders	headers
TokenManager	tokenManager
RealmModel	realm
EventBuilder	event

静的非公開変数類
static final Logger	logger = Logger.getLogger(LogoutEndpoint.class)

詳解

著者

Stian Thorgersen

構築子と解体子

LogoutEndpoint()

org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.LogoutEndpoint ( TokenManager  tokenManager, RealmModel  realm, EventBuilder  event  )

inline

                                                                                           {
        this.tokenManager = tokenManager;
        this.realm = realm;
        this.event = event;
    }

関数詳解

authorizeClient()

ClientModel org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.authorizeClient ( )

inlineprivate

                                          {
        ClientModel client = AuthorizeClientUtil.authorizeClient(session, event).getClient();

        if (client.isBearerOnly()) {
            throw new ErrorResponseException("invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
        }

        return client;
    }

checkSsl()

void org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.checkSsl ( )

inlineprivate

                            {
        if (!session.getContext().getUri().getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
            throw new ErrorResponseException("invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }

logout() [1/2]

Response org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout ( @QueryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM) String  redirectUri, @QueryParam("id_token_hint") String  encodedIdToken, @QueryParam("post_logout_redirect_uri") String  postLogoutRedirectUri, @QueryParam("state") String  state  )

inline

Logout user session. User must be logged in via a session cookie.

引数

redirectUri

戻り値

                                                              {
        String redirect = postLogoutRedirectUri != null ? postLogoutRedirectUri : redirectUri;

        if (redirect != null) {
            String validatedUri = RedirectUtils.verifyRealmRedirectUri(session.getContext().getUri(), redirect, realm);
            if (validatedUri == null) {
                event.event(EventType.LOGOUT);
                event.detail(Details.REDIRECT_URI, redirect);
                event.error(Errors.INVALID_REDIRECT_URI);
                return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI);
            }
            redirect = validatedUri;
        }

        UserSessionModel userSession = null;
        if (encodedIdToken != null) {
            try {
                IDToken idToken = tokenManager.verifyIDTokenSignature(session, encodedIdToken);
                userSession = session.sessions().getUserSession(realm, idToken.getSessionState());
            } catch (OAuthErrorException e) {
                event.event(EventType.LOGOUT);
                event.error(Errors.INVALID_TOKEN);
                return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.SESSION_NOT_ACTIVE);
            }
        }

        // authenticate identity cookie, but ignore an access token timeout as we're logging out anyways.
        AuthenticationManager.AuthResult authResult = AuthenticationManager.authenticateIdentityCookie(session, realm, false);
        if (authResult != null) {
            userSession = userSession != null ? userSession : authResult.getSession();
            if (redirect != null) userSession.setNote(OIDCLoginProtocol.LOGOUT_REDIRECT_URI, redirect);
            if (state != null) userSession.setNote(OIDCLoginProtocol.LOGOUT_STATE_PARAM, state);
            userSession.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, OIDCLoginProtocol.LOGIN_PROTOCOL);
            logger.debug("Initiating OIDC browser logout");
            Response response =  AuthenticationManager.browserLogout(session, realm, authResult.getSession(), session.getContext().getUri(), clientConnection, headers);
            logger.debug("finishing OIDC browser logout");
            return response;
        } else if (userSession != null) { // non browser logout
            event.event(EventType.LOGOUT);
            AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, true);
            event.user(userSession.getUser()).session(userSession).success();
        }

        if (redirect != null) {
            UriBuilder uriBuilder = UriBuilder.fromUri(redirect);
            if (state != null) uriBuilder.queryParam(OIDCLoginProtocol.STATE_PARAM, state);
            return Response.status(302).location(uriBuilder.build()).build();
        } else {
            return Response.ok().build();
        }
    }

logout() [2/2]

void org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout ( UserSessionModel  userSession, boolean  offline  )

inlineprivate

                                                                       {
        AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, true, offline);
        event.user(userSession.getUser()).session(userSession).success();
    }

logoutToken()

Response org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logoutToken ( )

inline

Logout a session via a non-browser invocation. Similar signature to refresh token except there is no grant_type. You must pass in the refresh token and authenticate the client if it is not public.

If the client is a confidential client you must include the client-id and secret in an Basic Auth Authorization header.

If the client is a public client, then you must include a "client_id" form parameter.

returns 204 if successful, 400 if not with a json error response.

戻り値

                                  {
        MultivaluedMap<String, String> form = request.getDecodedFormParameters();
        checkSsl();

        event.event(EventType.LOGOUT);

        ClientModel client = authorizeClient();
        String refreshToken = form.getFirst(OAuth2Constants.REFRESH_TOKEN);
        if (refreshToken == null) {
            event.error(Errors.INVALID_TOKEN);
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "No refresh token", Response.Status.BAD_REQUEST);
        }

        RefreshToken token = null;
        try {
            // KEYCLOAK-6771 Certificate Bound Token
            token = tokenManager.verifyRefreshToken(session, realm, client, request, refreshToken, false);

            boolean offline = TokenUtil.TOKEN_TYPE_OFFLINE.equals(token.getType());

            UserSessionModel userSessionModel;
            if (offline) {
                UserSessionManager sessionManager = new UserSessionManager(session);
                userSessionModel = sessionManager.findOfflineUserSession(realm, token.getSessionState());
            } else {
                userSessionModel = session.sessions().getUserSession(realm, token.getSessionState());
            }

            if (userSessionModel != null) {
                logout(userSessionModel, offline);
            }
        } catch (OAuthErrorException e) {
            // KEYCLOAK-6771 Certificate Bound Token
            if (MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC.equals(e.getDescription())) {
                event.error(Errors.NOT_ALLOWED);
                throw new ErrorResponseException(e.getError(), e.getDescription(), Response.Status.UNAUTHORIZED);
            } else {
                event.error(Errors.INVALID_TOKEN);
                throw new ErrorResponseException(e.getError(), e.getDescription(), Response.Status.BAD_REQUEST);
            }
        }

        return Cors.add(request, Response.noContent()).auth().allowedOrigins(session.getContext().getUri(), client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
    }

メンバ詳解

clientConnection

ClientConnection org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.clientConnection

private

event

EventBuilder org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.event

private

headers

HttpHeaders org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.headers

private

logger

final Logger org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logger = Logger.getLogger(LogoutEndpoint.class)

staticprivate

realm

RealmModel org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.realm

private

request

HttpRequest org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.request

private

session

KeycloakSession org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.session

private

tokenManager

TokenManager org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.tokenManager

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java