org.keycloak.services.resources.SessionCodeChecks 連携図

公開メンバ関数
	SessionCodeChecks (RealmModel realm, UriInfo uriInfo, HttpRequest request, ClientConnection clientConnection, KeycloakSession session, EventBuilder event, String authSessionId, String code, String execution, String clientId, String tabId, String flowPath)

AuthenticationSessionModel	getAuthenticationSession ()

Response	getResponse ()

ClientSessionCode< AuthenticationSessionModel >	getClientCode ()

boolean	isActionRequest ()

AuthenticationSessionModel	initialVerifyAuthSession ()

boolean	initialVerify ()

boolean	verifyActiveAndValidAction (String expectedAction, ClientSessionCode.ActionType actionType)

boolean	verifyRequiredAction (String executedAction)

非公開メンバ関数
boolean	failed ()

boolean	checkSsl ()

boolean	isActionActive (ClientSessionCode.ActionType actionType)

Response	restartAuthenticationSessionFromCookie (RootAuthenticationSessionModel existingRootSession)

Response	redirectToRequiredActions (String action)

URI	getLastExecutionUrl (String flowPath, String executionId, String tabId)

Response	showPageExpired (AuthenticationSessionModel authSession)

非公開変数類
AuthenticationSessionModel	authSession

ClientSessionCode< AuthenticationSessionModel >	clientCode

Response	response

boolean	actionRequest

final RealmModel	realm

final UriInfo	uriInfo

final HttpRequest	request

final ClientConnection	clientConnection

final KeycloakSession	session

final EventBuilder	event

final String	code

final String	execution

final String	clientId

final String	tabId

final String	flowPath

final String	authSessionId

静的非公開変数類
static final Logger	logger = Logger.getLogger(SessionCodeChecks.class)

詳解

構築子と解体子

◆ SessionCodeChecks()

org.keycloak.services.resources.SessionCodeChecks.SessionCodeChecks	(	RealmModel	realm,
		UriInfo	uriInfo,
		HttpRequest	request,
		ClientConnection	clientConnection,
		KeycloakSession	session,
		EventBuilder	event,
		String	authSessionId,
		String	code,
		String	execution,
		String	clientId,
		String	tabId,
		String	flowPath
	)

inline

                                                                                                                                   {
         this.realm = realm;
         this.uriInfo = uriInfo;
         this.request = request;
         this.clientConnection = clientConnection;
         this.session = session;
         this.event = event;
 
         this.code = code;
         this.execution = execution;
         this.clientId = clientId;
         this.tabId = tabId;
         this.flowPath = flowPath;
         this.authSessionId = authSessionId;
     }

関数詳解

◆ checkSsl()

boolean org.keycloak.services.resources.SessionCodeChecks.checkSsl ( )

inlineprivate

                                {
         if (uriInfo.getBaseUri().getScheme().equals("https")) {
             return true;
         } else {
             return !realm.getSslRequired().isRequired(clientConnection);
         }
     }

◆ failed()

boolean org.keycloak.services.resources.SessionCodeChecks.failed ( )

inlineprivate

                              {
         return response != null;
     }

◆ getAuthenticationSession()

AuthenticationSessionModel org.keycloak.services.resources.SessionCodeChecks.getAuthenticationSession ( )

inline

                                                                  {
         return authSession;
     }

◆ getClientCode()

ClientSessionCode<AuthenticationSessionModel> org.keycloak.services.resources.SessionCodeChecks.getClientCode ( )

inline

                                                                          {
         return clientCode;
     }

◆ getLastExecutionUrl()

URI org.keycloak.services.resources.SessionCodeChecks.getLastExecutionUrl	(	String	flowPath,
		String	executionId,
		String	tabId
	)

inlineprivate

                                                                                        {
         return new AuthenticationFlowURLHelper(session, realm, uriInfo)
                 .getLastExecutionUrl(flowPath, executionId, clientId, tabId);
     }

◆ getResponse()

Response org.keycloak.services.resources.SessionCodeChecks.getResponse ( )

inline

                                   {
         return response;
     }

◆ initialVerify()

boolean org.keycloak.services.resources.SessionCodeChecks.initialVerify ( )

inline

                                    {
         // Basic realm checks and authenticationSession retrieve
         authSession = initialVerifyAuthSession();
         if (authSession == null) {
             return false;
         }
 
         // Check cached response from previous action request
         response = BrowserHistoryHelper.getInstance().loadSavedResponse(session, authSession);
         if (response != null) {
             return false;
         }
 
         // Client checks
         event.detail(Details.CODE_ID, authSession.getParentSession().getId());
         ClientModel client = authSession.getClient();
         if (client == null) {
             event.error(Errors.CLIENT_NOT_FOUND);
             response = ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.UNKNOWN_LOGIN_REQUESTER);
             clientCode.removeExpiredClientSession();
             return false;
         }
 
         event.client(client);
         session.getContext().setClient(client);
 
         if (!client.isEnabled()) {
             event.error(Errors.CLIENT_DISABLED);
             response = ErrorPage.error(session,authSession, Response.Status.BAD_REQUEST, Messages.LOGIN_REQUESTER_NOT_ENABLED);
             clientCode.removeExpiredClientSession();
             return false;
         }
 
 
         // Check if it's action or not
         if (code == null) {
             String lastExecFromSession = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
             String lastFlow = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH);
 
             // Check if we transitted between flows (eg. clicking "register" on login screen)
             if (execution==null && !flowPath.equals(lastFlow)) {
                 logger.debugf("Transition between flows! Current flow: %s, Previous flow: %s", flowPath, lastFlow);
 
                 // Don't allow moving to different flow if I am on requiredActions already
                 if (AuthenticationSessionModel.Action.AUTHENTICATE.name().equals(authSession.getAction())) {
                     authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath);
                     authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
                     lastExecFromSession = null;
                 }
             }
 
             if (execution == null || execution.equals(lastExecFromSession)) {
                 // Allow refresh of previous page
                 clientCode = new ClientSessionCode<>(session, realm, authSession);
                 actionRequest = false;
 
                 // Allow refresh, but rewrite browser history
                 if (execution == null && lastExecFromSession != null) {
                     logger.debugf("Parameter 'execution' is not in the request, but flow wasn't changed. Will update browser history");
                     request.setAttribute(BrowserHistoryHelper.SHOULD_UPDATE_BROWSER_HISTORY, true);
                 }
 
                 return true;
             } else {
                 response = showPageExpired(authSession);
                 return false;
             }
         } else {
             ClientSessionCode.ParseResult<AuthenticationSessionModel> result = ClientSessionCode.parseResult(code, tabId, session, realm, client, event, authSession);
             clientCode = result.getCode();
             if (clientCode == null) {
 
                 // In case that is replayed action, but sent to the same FORM like actual FORM, we just re-render the page
                 if (ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION))) {
                     String latestFlowPath = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH);
                     URI redirectUri = getLastExecutionUrl(latestFlowPath, execution, tabId);
 
                     logger.debugf("Invalid action code, but execution matches. So just redirecting to %s", redirectUri);
                     authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, Messages.EXPIRED_ACTION);
                     response = Response.status(Response.Status.FOUND).location(redirectUri).build();
                 } else {
                     response = showPageExpired(authSession);
                 }
                 return false;
             }
 
 
             actionRequest = true;
             if (execution != null) {
                 authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, execution);
             }
             return true;
         }
     }

◆ initialVerifyAuthSession()

AuthenticationSessionModel org.keycloak.services.resources.SessionCodeChecks.initialVerifyAuthSession ( )

inline

                                                                  {
         // Basic realm checks
         if (!checkSsl()) {
             event.error(Errors.SSL_REQUIRED);
             response = ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED);
             return null;
         }
         if (!realm.isEnabled()) {
             event.error(Errors.REALM_DISABLED);
             response = ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED);
             return null;
         }
 
         // Setup client to be shown on error/info page based on "client_id" parameter
         logger.debugf("Will use client '%s' in back-to-application link", clientId);
         ClientModel client = null;
         if (clientId != null) {
             client = realm.getClientByClientId(clientId);
         }
         if (client != null) {
             session.getContext().setClient(client);
         }
 
 
         // object retrieve
         AuthenticationSessionManager authSessionManager = new AuthenticationSessionManager(session);
         AuthenticationSessionModel authSession = null;
         if (authSessionId != null) authSession = authSessionManager.getAuthenticationSessionByIdAndClient(realm, authSessionId, client, tabId);
         AuthenticationSessionModel authSessionCookie = authSessionManager.getCurrentAuthenticationSession(realm, client, tabId);
 
         if (authSession != null && authSessionCookie != null && !authSession.getParentSession().getId().equals(authSessionCookie.getParentSession().getId())) {
             event.detail(Details.REASON, "cookie does not match auth_session query parameter");
             event.error(Errors.INVALID_CODE);
             response = ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_CODE);
             return null;
 
         }
 
         if (authSession != null) {
             session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession);
             return authSession;
         }
 
         if (authSessionCookie != null) {
             session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSessionCookie);
             return authSessionCookie;
 
         }
 
         // See if we are already authenticated and userSession with same ID exists.
         UserSessionModel userSession = authSessionManager.getUserSessionFromAuthCookie(realm);
 
         if (userSession != null) {
             LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
                     .setSuccess(Messages.ALREADY_LOGGED_IN);
 
             if (client == null) {
                 loginForm.setAttribute(Constants.SKIP_LINK, true);
             }
 
             response = loginForm.createInfoPage();
             return null;
         }
 
         // Otherwise just try to restart from the cookie
         RootAuthenticationSessionModel existingRootAuthSession = authSessionManager.getCurrentRootAuthenticationSession(realm);
         response = restartAuthenticationSessionFromCookie(existingRootAuthSession);
         return null;
     }

◆ isActionActive()

boolean org.keycloak.services.resources.SessionCodeChecks.isActionActive ( ClientSessionCode.ActionType actionType )

inlineprivate

                                                                             {
         if (!clientCode.isActionActive(actionType)) {
             event.clone().error(Errors.EXPIRED_CODE);
 
             AuthenticationProcessor.resetFlow(authSession, LoginActionsService.AUTHENTICATE_PATH);
 
             authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, Messages.LOGIN_TIMEOUT);
 
             URI redirectUri = getLastExecutionUrl(LoginActionsService.AUTHENTICATE_PATH, null, tabId);
             logger.debugf("Flow restart after timeout. Redirecting to %s", redirectUri);
             response = Response.status(Response.Status.FOUND).location(redirectUri).build();
             return false;
         }
         return true;
     }

◆ isActionRequest()

boolean org.keycloak.services.resources.SessionCodeChecks.isActionRequest ( )

inline

                                      {
         return actionRequest;
     }

◆ redirectToRequiredActions()

Response org.keycloak.services.resources.SessionCodeChecks.redirectToRequiredActions ( String action )

inlineprivate

                                                               {
         UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo)
                 .path(LoginActionsService.REQUIRED_ACTION);
 
         if (action != null) {
             uriBuilder.queryParam(Constants.EXECUTION, action);
         }
 
         ClientModel client = authSession.getClient();
         uriBuilder.queryParam(Constants.CLIENT_ID, client.getClientId());
         uriBuilder.queryParam(Constants.TAB_ID, authSession.getTabId());
 
         URI redirect = uriBuilder.build(realm.getName());
         return Response.status(302).location(redirect).build();
     }

◆ restartAuthenticationSessionFromCookie()

Response org.keycloak.services.resources.SessionCodeChecks.restartAuthenticationSessionFromCookie ( RootAuthenticationSessionModel existingRootSession )

inlineprivate

                                                                                                                 {
         logger.debug("Authentication session not found. Trying to restart from cookie.");
         AuthenticationSessionModel authSession = null;
 
         try {
             authSession = RestartLoginCookie.restartSession(session, realm, existingRootSession, clientId);
         } catch (Exception e) {
             ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e);
         }
 
         if (authSession != null) {
 
             event.clone();
             event.detail(Details.RESTART_AFTER_TIMEOUT, "true");
             event.error(Errors.EXPIRED_CODE);
 
             String warningMessage = Messages.LOGIN_TIMEOUT;
             authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, warningMessage);
 
             String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
             if (flowPath == null) {
                 flowPath = LoginActionsService.AUTHENTICATE_PATH;
             }
 
             URI redirectUri = getLastExecutionUrl(flowPath, null, authSession.getTabId());
             logger.debugf("Authentication session restart from cookie succeeded. Redirecting to %s", redirectUri);
             return Response.status(Response.Status.FOUND).location(redirectUri).build();
         } else {
             // Finally need to show error as all the fallbacks failed
             event.error(Errors.INVALID_CODE);
             return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.INVALID_CODE);
         }
     }

◆ showPageExpired()

Response org.keycloak.services.resources.SessionCodeChecks.showPageExpired ( AuthenticationSessionModel authSession )

inlineprivate

                                                                              {
         return new AuthenticationFlowURLHelper(session, realm, uriInfo)
                 .showPageExpired(authSession);
     }

◆ verifyActiveAndValidAction()

boolean org.keycloak.services.resources.SessionCodeChecks.verifyActiveAndValidAction	(	String	expectedAction,
		ClientSessionCode.ActionType	actionType
	)

inline

                                                                                                               {
         if (failed()) {
             return false;
         }
 
         if (!isActionActive(actionType)) {
             return false;
         }
 
         if (!clientCode.isValidAction(expectedAction)) {
             AuthenticationSessionModel authSession = getAuthenticationSession();
             if (AuthenticationSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) {
                 logger.debugf("Incorrect action '%s' . User authenticated already.", authSession.getAction());
                 response = showPageExpired(authSession);
                 return false;
             } else {
                 logger.errorf("Bad action. Expected action '%s', current action '%s'", expectedAction, authSession.getAction());
                 response = ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.EXPIRED_CODE);
                 return false;
             }
         }
 
         return true;
     }

◆ verifyRequiredAction()

boolean org.keycloak.services.resources.SessionCodeChecks.verifyRequiredAction ( String executedAction )

inline

                                                                {
         if (failed()) {
             return false;
         }
 
         if (!clientCode.isValidAction(AuthenticationSessionModel.Action.REQUIRED_ACTIONS.name())) {
             logger.debugf("Expected required action, but session action is '%s' . Showing expired page now.", authSession.getAction());
             event.error(Errors.INVALID_CODE);
 
             response = showPageExpired(authSession);
 
             return false;
         }
 
         if (!isActionActive(ClientSessionCode.ActionType.USER)) {
             return false;
         }
 
         if (actionRequest) {
             String currentRequiredAction = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
             if (executedAction == null || !executedAction.equals(currentRequiredAction)) {
                 logger.debug("required action doesn't match current required action");
                 response = redirectToRequiredActions(currentRequiredAction);
                 return false;
             }
         }
         return true;
     }

メンバ詳解

◆ actionRequest

boolean org.keycloak.services.resources.SessionCodeChecks.actionRequest

private

◆ authSession

AuthenticationSessionModel org.keycloak.services.resources.SessionCodeChecks.authSession

private

◆ authSessionId

final String org.keycloak.services.resources.SessionCodeChecks.authSessionId

private

◆ clientCode

ClientSessionCode<AuthenticationSessionModel> org.keycloak.services.resources.SessionCodeChecks.clientCode

private

◆ clientConnection

final ClientConnection org.keycloak.services.resources.SessionCodeChecks.clientConnection

private

◆ clientId

final String org.keycloak.services.resources.SessionCodeChecks.clientId

private

◆ code

final String org.keycloak.services.resources.SessionCodeChecks.code

private

◆ event

final EventBuilder org.keycloak.services.resources.SessionCodeChecks.event

private

◆ execution

final String org.keycloak.services.resources.SessionCodeChecks.execution

private

◆ flowPath

final String org.keycloak.services.resources.SessionCodeChecks.flowPath

private

◆ logger

final Logger org.keycloak.services.resources.SessionCodeChecks.logger = Logger.getLogger(SessionCodeChecks.class)

staticprivate

◆ realm

final RealmModel org.keycloak.services.resources.SessionCodeChecks.realm

private

◆ request

final HttpRequest org.keycloak.services.resources.SessionCodeChecks.request

private

◆ response

Response org.keycloak.services.resources.SessionCodeChecks.response

private

◆ session

final KeycloakSession org.keycloak.services.resources.SessionCodeChecks.session

private

◆ tabId

final String org.keycloak.services.resources.SessionCodeChecks.tabId

private

◆ uriInfo

final UriInfo org.keycloak.services.resources.SessionCodeChecks.uriInfo

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java

公開メンバ関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ SessionCodeChecks()

関数詳解

◆ checkSsl()

◆ failed()

◆ getAuthenticationSession()

◆ getClientCode()

◆ getLastExecutionUrl()

◆ getResponse()

◆ initialVerify()

◆ initialVerifyAuthSession()

◆ isActionActive()

◆ isActionRequest()

◆ redirectToRequiredActions()

◆ restartAuthenticationSessionFromCookie()

◆ showPageExpired()

◆ verifyActiveAndValidAction()

◆ verifyRequiredAction()

メンバ詳解

◆ actionRequest

◆ authSession

◆ authSessionId

◆ clientCode

◆ clientConnection

◆ clientId

◆ code

◆ event

◆ execution

◆ flowPath

◆ logger

◆ realm

◆ request

◆ response

◆ session

◆ tabId

◆ uriInfo