org.keycloak.services.resources.IdentityBrokerService の継承関係図
org.keycloak.services.resources.IdentityBrokerService 連携図
クラス | |
| class | ParsedCodeContext |
公開メンバ関数 | |
| IdentityBrokerService (RealmModel realmModel) | |
| void | init () |
| Response | clientIntiatedAccountLinkingPreflight (@PathParam("provider_id") String providerId) |
| Response | clientInitiatedAccountLinking (@PathParam("provider_id") String providerId, @QueryParam("redirect_uri") String redirectUri, @QueryParam("client_id") String clientId, @QueryParam("nonce") String nonce, @QueryParam("hash") String hash) |
| Response | performPostLogin (@PathParam("provider_id") String providerId, @QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId) |
| Response | performLogin (@PathParam("provider_id") String providerId, @QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId) |
| Object | getEndpoint (@PathParam("provider_id") String providerId) |
| Response | retrieveTokenPreflight () |
| Response | retrieveToken (@PathParam("provider_id") String providerId) |
| Response | authenticated (BrokeredIdentityContext context) |
| Response | validateUser (AuthenticationSessionModel authSession, UserModel user, RealmModel realm) |
| Response | afterFirstBrokerLogin (@QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId) |
| Response | afterPostBrokerLoginFlow (@QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId) |
| Response | cancelled (String code) |
| Response | error (String code, String message) |
静的公開メンバ関数 | |
| static IdentityProvider | getIdentityProvider (KeycloakSession session, RealmModel realm, String alias) |
| static IdentityProviderFactory | getIdentityProviderFactory (KeycloakSession session, IdentityProviderModel model) |
限定公開メンバ関数 | |
| Response | browserAuthentication (AuthenticationSessionModel authSession, String errorMessage) |
非公開メンバ関数 | |
| void | checkRealm () |
| ClientModel | checkClient (String clientId) |
| boolean | canReadBrokerToken (AccessToken token) |
| Response | getToken (String providerId, boolean forceRetrieval) |
| Response | afterFirstBrokerLogin (ClientSessionCode< AuthenticationSessionModel > clientSessionCode) |
| Response | finishOrRedirectToPostBrokerLogin (AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode) |
| Response | afterPostBrokerLoginFlowSuccess (AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode) |
| Response | finishBrokerAuthentication (BrokeredIdentityContext context, UserModel federatedUser, AuthenticationSessionModel authSession, String providerId) |
| boolean | shouldPerformAccountLinking (AuthenticationSessionModel authSession, UserSessionModel userSession, String providerId) |
| Response | performAccountLinking (AuthenticationSessionModel authSession, UserSessionModel userSession, BrokeredIdentityContext context, FederatedIdentityModel newModel, UserModel federatedUser) |
| Response | redirectToErrorWhenLinkingFailed (AuthenticationSessionModel authSession, String message, Object... parameters) |
| void | updateFederatedIdentity (BrokeredIdentityContext context, UserModel federatedUser) |
| void | updateToken (BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel) |
| ParsedCodeContext | parseEncodedSessionCode (String encodedCode) |
| ParsedCodeContext | parseSessionCode (String code, String clientId, String tabId) |
| ParsedCodeContext | samlIdpInitiatedSSO (final String clientUrlName) |
| Response | checkAccountManagementFailedLinking (AuthenticationSessionModel authSession, String error, Object... parameters) |
| AuthenticationRequest | createAuthenticationRequest (String providerId, ClientSessionCode< AuthenticationSessionModel > clientSessionCode) |
| String | getRedirectUri (String providerId) |
| Response | redirectToErrorPage (AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters) |
| Response | redirectToErrorPage (Response.Status status, String message, Object ... parameters) |
| Response | redirectToErrorPage (AuthenticationSessionModel authSession, Response.Status status, String message, Throwable throwable, Object ... parameters) |
| Response | redirectToAccountErrorPage (AuthenticationSessionModel authSession, String message, Object ... parameters) |
| Response | badRequest (String message) |
| Response | forbidden (String message) |
| IdentityProviderModel | getIdentityProviderConfig (String providerId) |
| Response | corsResponse (Response response, ClientModel clientModel) |
| void | fireErrorEvent (String message, Throwable throwable) |
| void | fireErrorEvent (String message) |
| boolean | isDebugEnabled () |
| void | rollback () |
非公開変数類 | |
| final RealmModel | realmModel |
| KeycloakSession | session |
| ClientConnection | clientConnection |
| HttpRequest | request |
| HttpHeaders | headers |
| EventBuilder | event |
静的非公開変数類 | |
| static final String | LINKING_IDENTITY_PROVIDER = "LINKING_IDENTITY_PROVIDER" |
| static final Logger | logger = Logger.getLogger(IdentityBrokerService.class) |
詳解
構築子と解体子
◆ IdentityBrokerService()
|
inline |
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
関数詳解
◆ afterFirstBrokerLogin() [1/2]
|
inline |
Response afterFirstBrokerLogin(@QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId)
Definition: IdentityBrokerService.java:598
ParsedCodeContext parseSessionCode(String code, String clientId, String tabId)
Definition: IdentityBrokerService.java:988
◆ afterFirstBrokerLogin() [2/2]
|
inlineprivate |
615 SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
626 String authProvider = authSession.getAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS);
628 throw new IdentityBrokerException("Invalid request. Not found the flag that first-broker-login flow was finished");
636 throw new IdentityBrokerException("Couldn't found authenticated federatedUser in authentication session");
645 throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service");
652 FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(),
657 String isRegisteredNewUser = authSession.getAuthNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER);
660 logger.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", federatedUser.getUsername(), providerId, context.getUsername());
663 Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(providerId);
667 IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
672 if (context.getIdpConfig().isTrustEmail() && !Validation.isBlank(federatedUser.getEmail()) && !Boolean.parseBoolean(authSession.getAuthNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) {
673 logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", federatedUser.getUsername(), context.getIdpConfig().getAlias());
683 logger.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", federatedUser.getUsername(), providerId, context.getUsername());
694 return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
ClientModel getClientByClientId(String clientId)
KeycloakSessionFactory getKeycloakSessionFactory()
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
void addFederatedIdentity(RealmModel realm, UserModel user, FederatedIdentityModel socialLink)
Response finishOrRedirectToPostBrokerLogin(AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Definition: IdentityBrokerService.java:699
Set< IdentityProviderMapperModel > getIdentityProviderMappersByAlias(String brokerAlias)
KeycloakSession session
Definition: IdentityBrokerService.java:130
void updateFederatedIdentity(BrokeredIdentityContext context, UserModel federatedUser)
Definition: IdentityBrokerService.java:951
< T extends Provider > ProviderFactory< T > getProviderFactory(Class< T > clazz)
static final Logger logger
Definition: IdentityBrokerService.java:125
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
UserProvider users()
◆ afterPostBrokerLoginFlow()
|
inline |
736 AuthenticationSessionModel authenticationSession = parsedCode.clientSessionCode.getClientSession();
739 SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
741 throw new IdentityBrokerException("Not found serialized context in clientSession. Note " + PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT + " was null");
745 String wasFirstBrokerLoginNote = authenticationSession.getAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN);
749 String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + context.getIdpConfig().getAlias();
752 throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished");
759 return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode);
761 return redirectToErrorPage(authenticationSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
KeycloakSession session
Definition: IdentityBrokerService.java:130
ParsedCodeContext parseSessionCode(String code, String clientId, String tabId)
Definition: IdentityBrokerService.java:988
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
Response afterPostBrokerLoginFlowSuccess(AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Definition: IdentityBrokerService.java:765
◆ afterPostBrokerLoginFlowSuccess()
|
inlineprivate |
773 boolean firstBrokerLoginInProgress = (authSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null);
775 logger.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", context.getIdpConfig().getAlias(), federatedUser.getUsername());
777 UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, authSession);
779 return redirectToErrorPage(authSession, Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername());
782 SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
783 authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, serializedCtx.getIdentityProviderId());
Response finishBrokerAuthentication(BrokeredIdentityContext context, UserModel federatedUser, AuthenticationSessionModel authSession, String providerId)
Definition: IdentityBrokerService.java:793
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
Response afterFirstBrokerLogin(@QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId)
Definition: IdentityBrokerService.java:598
KeycloakSession session
Definition: IdentityBrokerService.java:130
static final Logger logger
Definition: IdentityBrokerService.java:125
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
◆ authenticated()
|
inline |
489 parsedCode = samlIdpInitiatedSSO((String) context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID));
512 Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
516 IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
521 FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(providerId, context.getId(),
529 UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel);
531 // Check if federatedUser is already authenticated (this means linking social into existing federatedUser account)
532 UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authenticationSession);
534 return performAccountLinking(authenticationSession, userSession, context, federatedIdentityModel, federatedUser);
539 logger.debugf("Federated user not found for provider '%s' and broker username '%s' . Redirecting to flow for firstBrokerLogin", providerId, context.getUsername());
543 if (this.realmModel.isRegistrationEmailAsUsername() && !Validation.isBlank(context.getEmail())) {
554 // Redirect to firstBrokerLogin after successful login and ensure that previous authentication state removed
555 AuthenticationProcessor.resetFlow(authenticationSession, LoginActionsService.FIRST_BROKER_LOGIN_PATH);
558 ctx.saveToAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
575 return finishOrRedirectToPostBrokerLogin(authenticationSession, context, false, parsedCode.clientSessionCode);
Response response
Definition: IdentityBrokerService.java:1246
KeycloakContext getContext()
boolean shouldPerformAccountLinking(AuthenticationSessionModel authSession, UserSessionModel userSession, String providerId)
Definition: IdentityBrokerService.java:855
KeycloakSessionFactory getKeycloakSessionFactory()
ParsedCodeContext samlIdpInitiatedSSO(final String clientUrlName)
Definition: IdentityBrokerService.java:1033
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
boolean isRegistrationEmailAsUsername()
Response finishOrRedirectToPostBrokerLogin(AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Definition: IdentityBrokerService.java:699
Set< IdentityProviderMapperModel > getIdentityProviderMappersByAlias(String brokerAlias)
KeycloakSession session
Definition: IdentityBrokerService.java:130
Response validateUser(AuthenticationSessionModel authSession, UserModel user, RealmModel realm)
Definition: IdentityBrokerService.java:580
void updateFederatedIdentity(BrokeredIdentityContext context, UserModel federatedUser)
Definition: IdentityBrokerService.java:951
KeycloakUriInfo getUri()
< T extends Provider > ProviderFactory< T > getProviderFactory(Class< T > clazz)
UserModel getUserByFederatedIdentity(FederatedIdentityModel socialLink, RealmModel realm)
String getName()
static final Logger logger
Definition: IdentityBrokerService.java:125
boolean isDebugEnabled()
Definition: IdentityBrokerService.java:1233
ParsedCodeContext parseEncodedSessionCode(String encodedCode)
Definition: IdentityBrokerService.java:980
void setClient(ClientModel client)
Response performAccountLinking(AuthenticationSessionModel authSession, UserSessionModel userSession, BrokeredIdentityContext context, FederatedIdentityModel newModel, UserModel federatedUser)
Definition: IdentityBrokerService.java:878
UserProvider users()
◆ badRequest()
|
inlineprivate |
void fireErrorEvent(String message, Throwable throwable)
Definition: IdentityBrokerService.java:1202
◆ browserAuthentication()
|
inlineprotected |
1139 if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage));
KeycloakContext getContext()
ClientConnection clientConnection
Definition: IdentityBrokerService.java:133
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
EventBuilder event
Definition: IdentityBrokerService.java:141
HttpRequest request
Definition: IdentityBrokerService.java:136
◆ cancelled()
|
inline |
830 Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.CONSENT_DENIED);
Response checkAccountManagementFailedLinking(AuthenticationSessionModel authSession, String error, Object... parameters)
Definition: IdentityBrokerService.java:1053
Response browserAuthentication(AuthenticationSessionModel authSession, String errorMessage)
Definition: IdentityBrokerService.java:1124
ParsedCodeContext parseEncodedSessionCode(String encodedCode)
Definition: IdentityBrokerService.java:980
◆ canReadBrokerToken()
|
inlineprivate |
◆ checkAccountManagementFailedLinking()
|
inlineprivate |
1054 UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authSession);
1055 if (userSession != null && authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) {
Response error(String code, String message)
Definition: IdentityBrokerService.java:839
Response redirectToAccountErrorPage(AuthenticationSessionModel authSession, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1108
KeycloakSession session
Definition: IdentityBrokerService.java:130
◆ checkClient()
|
inlineprivate |
165 throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
ClientModel getClientByClientId(String clientId)
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
◆ checkRealm()
|
inlineprivate |
boolean isEnabled()
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
◆ clientInitiatedAccountLinking()
|
inline |
209 redirectUri = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), redirectUri, realmModel, client);
223 AuthenticationManager.AuthResult cookieResult = AuthenticationManager.authenticateIdentityCookie(session, realmModel, true);
240 for (AuthenticatedClientSessionModel cs : cookieResult.getSession().getAuthenticatedClientSessions().values()) {
247 throw new ErrorPageException(session, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST);
264 ClientModel accountService = this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
269 ClientSessionContext ctx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);
285 IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId);
299 // Auth session with ID corresponding to our userSession may already exists in some rare cases (EG. if some client tried to login in another browser tab with "prompt=login")
300 RootAuthenticationSessionModel rootAuthSession = session.authenticationSessions().getRootAuthenticationSession(realmModel, userSession.getId());
302 rootAuthSession = session.authenticationSessions().createRootAuthenticationSession(userSession.getId(), realmModel);
308 new AuthenticationSessionManager(session).setAuthSessionCookie(userSession.getId(), realmModel);
310 ClientSessionCode<AuthenticationSessionModel> clientSessionCode = new ClientSessionCode<>(session, realmModel, authSession);
316 authSession.setAuthNote(LINKING_IDENTITY_PROVIDER, cookieResult.getSession().getId() + clientId + providerId);
323 Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode));
327 logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response);
332 return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
334 return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
337 return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);
KeycloakContext getContext()
AuthenticationSessionProvider authenticationSessions()
void setAction(String action)
void checkRealm()
Definition: IdentityBrokerService.java:155
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
AuthenticationRequest createAuthenticationRequest(String providerId, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Definition: IdentityBrokerService.java:1068
RootAuthenticationSessionModel getRootAuthenticationSession(RealmModel realm, String authenticationSessionId)
AuthenticationSessionModel createAuthenticationSession(ClientModel client)
RootAuthenticationSessionModel createRootAuthenticationSession(RealmModel realm)
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
static IdentityProvider getIdentityProvider(KeycloakSession session, RealmModel realm, String alias)
Definition: IdentityBrokerService.java:1160
static final Logger logger
Definition: IdentityBrokerService.java:125
static final String LINKING_IDENTITY_PROVIDER
Definition: IdentityBrokerService.java:123
ClientModel checkClient(String clientId)
Definition: IdentityBrokerService.java:162
boolean isDebugEnabled()
Definition: IdentityBrokerService.java:1233
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
◆ clientIntiatedAccountLinkingPreflight()
|
inline |
◆ corsResponse()
|
inlineprivate |
1199 return Cors.add(this.request, Response.fromResponse(response)).auth().allowedOrigins(session.getContext().getUri(), clientModel).build();
KeycloakContext getContext()
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
HttpRequest request
Definition: IdentityBrokerService.java:136
◆ createAuthenticationRequest()
|
inlineprivate |
1075 encodedState = IdentityBrokerState.decoded(relayState, authSession.getClient().getClientId(), authSession.getTabId());
1078 return new AuthenticationRequest(this.session, this.realmModel, authSession, this.request, this.session.getContext().getUri(), encodedState, getRedirectUri(providerId));
KeycloakContext getContext()
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
String getRedirectUri(String providerId)
Definition: IdentityBrokerService.java:1081
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
HttpRequest request
Definition: IdentityBrokerService.java:136
◆ error()
|
inline |
846 Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), message);
Response checkAccountManagementFailedLinking(AuthenticationSessionModel authSession, String error, Object... parameters)
Definition: IdentityBrokerService.java:1053
Response browserAuthentication(AuthenticationSessionModel authSession, String errorMessage)
Definition: IdentityBrokerService.java:1124
ParsedCodeContext parseEncodedSessionCode(String encodedCode)
Definition: IdentityBrokerService.java:980
◆ finishBrokerAuthentication()
|
inlineprivate |
794 authSession.setAuthNote(AuthenticationProcessor.BROKER_SESSION_ID, context.getBrokerSessionId());
812 String nextRequiredAction = AuthenticationManager.nextRequiredAction(session, authSession, clientConnection, request, session.getContext().getUri(), event);
814 return AuthenticationManager.redirectToRequiredActions(session, realmModel, authSession, session.getContext().getUri(), nextRequiredAction);
816 event.detail(Details.CODE_ID, authSession.getParentSession().getId()); // todo This should be set elsewhere. find out why tests fail. Don't know where this is supposed to be set
817 return AuthenticationManager.finishedRequiredActions(session, authSession, null, clientConnection, request, session.getContext().getUri(), event);
KeycloakContext getContext()
ClientConnection clientConnection
Definition: IdentityBrokerService.java:133
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
EventBuilder event
Definition: IdentityBrokerService.java:141
HttpRequest request
Definition: IdentityBrokerService.java:136
static final Logger logger
Definition: IdentityBrokerService.java:125
boolean isDebugEnabled()
Definition: IdentityBrokerService.java:1233
◆ finishOrRedirectToPostBrokerLogin()
|
inlineprivate |
703 logger.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", context.getIdpConfig().getAlias());
704 return afterPostBrokerLoginFlowSuccess(authSession, context, wasFirstBrokerLogin, clientSessionCode);
707 logger.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", context.getIdpConfig().getAlias());
712 ctx.saveToAuthenticationSession(authSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
714 authSession.setAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(wasFirstBrokerLogin));
KeycloakContext getContext()
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
String getName()
static final Logger logger
Definition: IdentityBrokerService.java:125
Response afterPostBrokerLoginFlowSuccess(AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Definition: IdentityBrokerService.java:765
◆ fireErrorEvent() [1/2]
|
inlineprivate |
boolean isActive()
KeycloakTransactionManager getTransactionManager()
void rollback()
Definition: IdentityBrokerService.java:1237
KeycloakSession session
Definition: IdentityBrokerService.java:130
EventBuilder event
Definition: IdentityBrokerService.java:141
void commit()
static final Logger logger
Definition: IdentityBrokerService.java:125
void begin()
◆ fireErrorEvent() [2/2]
|
inlineprivate |
void fireErrorEvent(String message, Throwable throwable)
Definition: IdentityBrokerService.java:1202
◆ forbidden()
|
inlineprivate |
void fireErrorEvent(String message, Throwable throwable)
Definition: IdentityBrokerService.java:1202
◆ getEndpoint()
|
inline |
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
EventBuilder event
Definition: IdentityBrokerService.java:141
static IdentityProvider getIdentityProvider(KeycloakSession session, RealmModel realm, String alias)
Definition: IdentityBrokerService.java:1160
◆ getIdentityProvider()
|
inlinestatic |
1164 IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel);
1167 throw new IdentityBrokerException("Could not find factory for identity provider [" + alias + "].");
static IdentityProviderFactory getIdentityProviderFactory(KeycloakSession session, IdentityProviderModel model)
Definition: IdentityBrokerService.java:1176
KeycloakSession session
Definition: IdentityBrokerService.java:130
◆ getIdentityProviderConfig()
|
inlineprivate |
◆ getIdentityProviderFactory()
|
inlinestatic |
1177 Map<String, IdentityProviderFactory> availableProviders = new HashMap<String, IdentityProviderFactory>();
1180 allProviders.addAll(session.getKeycloakSessionFactory().getProviderFactories(IdentityProvider.class));
1181 allProviders.addAll(session.getKeycloakSessionFactory().getProviderFactories(SocialIdentityProvider.class));
List< ProviderFactory > getProviderFactories(Class<? extends Provider > clazz)
KeycloakSessionFactory getKeycloakSessionFactory()
KeycloakSession session
Definition: IdentityBrokerService.java:130
◆ getRedirectUri()
|
inlineprivate |
1082 return Urls.identityProviderAuthnResponse(this.session.getContext().getUri().getBaseUri(), providerId, this.realmModel.getName()).toString();
KeycloakContext getContext()
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
String getName()
◆ getToken()
|
inlineprivate |
435 AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(this.session, this.realmModel, this.session.getContext().getUri(), this.clientConnection, this.request.getHttpHeaders());
450 return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientModel);
454 return corsResponse(forbidden("Client [" + clientModel.getClientId() + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel);
462 FederatedIdentityModel identity = this.session.users().getFederatedIdentity(authResult.getUser(), providerId, this.realmModel);
465 return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel);
473 return corsResponse(badRequest("Identity Provider [" + providerId + "] does not support this operation."), clientModel);
478 return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.COULD_NOT_OBTAIN_TOKEN, e, providerId);
480 return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, providerId);
ClientModel getClientByClientId(String clientId)
KeycloakContext getContext()
Response badRequest(String message)
Definition: IdentityBrokerService.java:1150
FederatedIdentityModel getFederatedIdentity(UserModel user, String socialProvider, RealmModel realm)
IdentityProviderModel getIdentityProviderConfig(String providerId)
Definition: IdentityBrokerService.java:1190
ClientConnection clientConnection
Definition: IdentityBrokerService.java:133
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
Response corsResponse(Response response, ClientModel clientModel)
Definition: IdentityBrokerService.java:1198
KeycloakSession session
Definition: IdentityBrokerService.java:130
Response forbidden(String message)
Definition: IdentityBrokerService.java:1155
KeycloakUriInfo getUri()
static IdentityProvider getIdentityProvider(KeycloakSession session, RealmModel realm, String alias)
Definition: IdentityBrokerService.java:1160
HttpRequest request
Definition: IdentityBrokerService.java:136
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
void setClient(ClientModel client)
boolean canReadBrokerToken(AccessToken token)
Definition: IdentityBrokerService.java:424
UserProvider users()
◆ init()
|
inline |
152 this.event = new EventBuilder(realmModel, session, clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN);
ClientConnection clientConnection
Definition: IdentityBrokerService.java:133
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
◆ isDebugEnabled()
|
inlineprivate |
static final Logger logger
Definition: IdentityBrokerService.java:125
◆ parseEncodedSessionCode()
|
inlineprivate |
ParsedCodeContext parseSessionCode(String code, String clientId, String tabId)
Definition: IdentityBrokerService.java:988
◆ parseSessionCode()
|
inlineprivate |
990 logger.debugf("Invalid request. Authorization code, clientId or tabId was null. Code=%s, clientId=%s, tabID=%s", code, clientId, tabId);
991 Response staleCodeError = redirectToErrorPage(Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
995 SessionCodeChecks checks = new SessionCodeChecks(realmModel, session.getContext().getUri(), request, clientConnection, session, event, null, code, null, clientId, tabId, LoginActionsService.AUTHENTICATE_PATH);
997 if (!checks.verifyActiveAndValidAction(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
1002 Response accountManagementFailedLinking = checkAccountManagementFailedLinking(authSession, Messages.STALE_CODE_ACCOUNT);
1009 errorResponse = BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, errorResponse, true, request);
KeycloakContext getContext()
ClientConnection clientConnection
Definition: IdentityBrokerService.java:133
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
Response checkAccountManagementFailedLinking(AuthenticationSessionModel authSession, String error, Object... parameters)
Definition: IdentityBrokerService.java:1053
KeycloakSession session
Definition: IdentityBrokerService.java:130
KeycloakUriInfo getUri()
EventBuilder event
Definition: IdentityBrokerService.java:141
HttpRequest request
Definition: IdentityBrokerService.java:136
static final Logger logger
Definition: IdentityBrokerService.java:125
boolean isDebugEnabled()
Definition: IdentityBrokerService.java:1233
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
◆ performAccountLinking()
|
inlineprivate |
879 logger.debugf("Will try to link identity provider [%s] to user [%s]", context.getIdpConfig().getAlias(), userSession.getUser().getUsername());
889 return redirectToErrorWhenLinkingFailed(authSession, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, context.getIdpConfig().getAlias());
892 if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(AccountRoles.MANAGE_ACCOUNT))) {
893 return redirectToErrorPage(authSession, Response.Status.FORBIDDEN, Messages.INSUFFICIENT_PERMISSION);
904 FederatedIdentityModel oldModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel);
908 logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias());
921 logger.debugf("Linking account [%s] from identity provider [%s] to user [%s].", newModel, context.getIdpConfig().getAlias(), authenticatedUser);
930 // we do this to make sure that the parent IDP is logged out when this user session is complete.
931 // But for the case when userSession was previously authenticated with broker1 and now is linked to another broker2, we shouldn't override broker1 notes with the broker2 for sure.
938 return Response.status(302).location(UriBuilder.fromUri(authSession.getRedirectUri()).build()).build();
FederatedIdentityModel getFederatedIdentity(UserModel user, String socialProvider, RealmModel realm)
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
void addFederatedIdentity(RealmModel realm, UserModel user, FederatedIdentityModel socialLink)
void updateFederatedIdentity(RealmModel realm, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel)
KeycloakSession session
Definition: IdentityBrokerService.java:130
static final Logger logger
Definition: IdentityBrokerService.java:125
boolean isDebugEnabled()
Definition: IdentityBrokerService.java:1233
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
Response redirectToErrorWhenLinkingFailed(AuthenticationSessionModel authSession, String message, Object... parameters)
Definition: IdentityBrokerService.java:942
UserProvider users()
◆ performLogin()
|
inline |
371 IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId);
376 throw new IdentityBrokerException("Identity Provider [" + providerId + "] is not allowed to perform a login.");
379 IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel);
383 Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode));
387 logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response);
392 return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
394 return redirectToErrorPage(Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
397 return redirectToErrorPage(Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);
static IdentityProviderFactory getIdentityProviderFactory(KeycloakSession session, IdentityProviderModel model)
Definition: IdentityBrokerService.java:1176
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
AuthenticationRequest createAuthenticationRequest(String providerId, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Definition: IdentityBrokerService.java:1068
KeycloakSession session
Definition: IdentityBrokerService.java:130
ParsedCodeContext parseSessionCode(String code, String clientId, String tabId)
Definition: IdentityBrokerService.java:988
IdentityProviderModel getIdentityProviderByAlias(String alias)
static final Logger logger
Definition: IdentityBrokerService.java:125
boolean isDebugEnabled()
Definition: IdentityBrokerService.java:1233
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
◆ performPostLogin()
|
inline |
Response performLogin(@PathParam("provider_id") String providerId, @QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId)
Definition: IdentityBrokerService.java:354
◆ redirectToAccountErrorPage()
|
inlineprivate |
1114 authSession.setAuthNote(AccountFormService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError);
1119 URI accountServiceUri = UriBuilder.fromUri(authSession.getRedirectUri()).queryParam(Constants.TAB_ID, authSession.getTabId()).build();
void fireErrorEvent(String message, Throwable throwable)
Definition: IdentityBrokerService.java:1202
◆ redirectToErrorPage() [1/3]
|
inlineprivate |
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
◆ redirectToErrorPage() [2/3]
|
inlineprivate |
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
◆ redirectToErrorPage() [3/3]
|
inlineprivate |
KeycloakSession session
Definition: IdentityBrokerService.java:130
void fireErrorEvent(String message, Throwable throwable)
Definition: IdentityBrokerService.java:1202
◆ redirectToErrorWhenLinkingFailed()
|
inlineprivate |
943 if (authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) {
946 return redirectToErrorPage(authSession, Response.Status.BAD_REQUEST, message, parameters); // Should rather redirect to app instead and display error here?
Response redirectToAccountErrorPage(AuthenticationSessionModel authSession, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1108
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
◆ retrieveToken()
|
inline |
Response getToken(String providerId, boolean forceRetrieval)
Definition: IdentityBrokerService.java:430
◆ retrieveTokenPreflight()
|
inline |
HttpRequest request
Definition: IdentityBrokerService.java:136
◆ rollback()
|
inlineprivate |
boolean isActive()
KeycloakTransactionManager getTransactionManager()
KeycloakSession session
Definition: IdentityBrokerService.java:130
void rollback()
◆ samlIdpInitiatedSSO()
|
inlineprivate |
If there is a client whose SAML IDP-initiated SSO URL name is set to the given
clientUrlName
, creates a fresh client session for that client and returns a ParsedCodeContext object with that session. Otherwise returns "client not found" response.
- 引数
-
clientUrlName
- 戻り値
- see description
1037 .filter(c -> Objects.equals(c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME), clientUrlName))
1042 return ParsedCodeContext.response(redirectToErrorPage(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND));
1045 LoginProtocolFactory factory = (LoginProtocolFactory) session.getKeycloakSessionFactory().getProviderFactory(LoginProtocol.class, SamlProtocol.LOGIN_PROTOCOL);
1048 AuthenticationSessionModel authSession = samlService.getOrCreateLoginSessionForIdpInitiatedSso(session, realmModel, oClient.get(), null);
1050 return ParsedCodeContext.clientSessionCode(new ClientSessionCode<>(session, this.realmModel, authSession));
KeycloakSessionFactory getKeycloakSessionFactory()
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
KeycloakSession session
Definition: IdentityBrokerService.java:130
EventBuilder event
Definition: IdentityBrokerService.java:141
< T extends Provider > ProviderFactory< T > getProviderFactory(Class< T > clazz)
Response redirectToErrorPage(AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Definition: IdentityBrokerService.java:1085
List< ClientModel > getClients()
◆ shouldPerformAccountLinking()
|
inlineprivate |
873 throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.BROKER_LINKING_SESSION_EXPIRED);
KeycloakSession session
Definition: IdentityBrokerService.java:130
static final String LINKING_IDENTITY_PROVIDER
Definition: IdentityBrokerService.java:123
◆ updateFederatedIdentity()
|
inlineprivate |
952 FederatedIdentityModel federatedIdentityModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel);
957 Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
961 IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
FederatedIdentityModel getFederatedIdentity(UserModel user, String socialProvider, RealmModel realm)
void updateToken(BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel)
Definition: IdentityBrokerService.java:968
KeycloakSessionFactory getKeycloakSessionFactory()
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
Set< IdentityProviderMapperModel > getIdentityProviderMappersByAlias(String brokerAlias)
KeycloakSession session
Definition: IdentityBrokerService.java:130
< T extends Provider > ProviderFactory< T > getProviderFactory(Class< T > clazz)
UserProvider users()
◆ updateToken()
|
inlineprivate |
969 if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) {
972 this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel);
975 logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias());
final RealmModel realmModel
Definition: IdentityBrokerService.java:127
void updateFederatedIdentity(RealmModel realm, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel)
KeycloakSession session
Definition: IdentityBrokerService.java:130
static final Logger logger
Definition: IdentityBrokerService.java:125
boolean isDebugEnabled()
Definition: IdentityBrokerService.java:1233
UserProvider users()
◆ validateUser()
|
inline |
583 return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.ACCOUNT_DISABLED);
586 if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) {
588 return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.ACCOUNT_DISABLED);
KeycloakSession session
Definition: IdentityBrokerService.java:130
< T extends Provider > T getProvider(Class< T > clazz)
メンバ詳解
◆ clientConnection
|
private |
◆ event
|
private |
◆ headers
|
private |
◆ LINKING_IDENTITY_PROVIDER
|
staticprivate |
◆ logger
|
staticprivate |
◆ realmModel
|
private |
◆ request
|
private |
◆ session
|
private |
このクラス詳解は次のファイルから抽出されました:
- D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
