org.keycloak.services.resources.account.AccountFormService の継承関係図

org.keycloak.services.resources.account.AccountFormService 連携図

クラス
enum	AccountSocialAction

公開メンバ関数
	AccountFormService (RealmModel realm, ClientModel client, EventBuilder event)

void	init ()

Response	accountPage ()

Response	totpPage ()

Response	passwordPage ()

Response	federatedIdentityPage ()

Response	logPage ()

Response	sessionsPage ()

Response	applicationsPage ()

Response	processAccountUpdate (final MultivaluedMap< String, String > formData)

Response	processSessionsLogout (final MultivaluedMap< String, String > formData)

Response	processRevokeGrant (final MultivaluedMap< String, String > formData)

Response	processTotpUpdate (final MultivaluedMap< String, String > formData)

Response	processPasswordUpdate (final MultivaluedMap< String, String > formData)

Response	processFederatedIdentityUpdate (final MultivaluedMap< String, String > formData)

Response	resourcesPage (@QueryParam("resource_id") String resourceId)

Response	resourceDetailPage (@PathParam("resource_id") String resourceId)

Response	grantPermission (@PathParam("resource_id") String resourceId, @FormParam("action") String action, @FormParam("permission_id") String[] permissionId, @FormParam("requester") String requester)

Response	shareResource (@PathParam("resource_id") String resourceId, @FormParam("user_id") String[] userIds, @FormParam("scope_id") String[] scopes)

Response	processResourceActions (@FormParam("resource_id") String[] resourceIds, @FormParam("action") String action)

Response	loginRedirect (@QueryParam("code") String code, @QueryParam("state") String state, @QueryParam("error") String error, @QueryParam("path") String path, @QueryParam("referrer") String referrer, @Context HttpHeaders headers)

静的公開メンバ関数
static UriBuilder	accountServiceBaseUrl (UriInfo uriInfo)

static UriBuilder	accountServiceApplicationPage (UriInfo uriInfo)

static UriBuilder	totpUrl (UriBuilder base)

static UriBuilder	passwordUrl (UriBuilder base)

static UriBuilder	loginRedirectUrl (UriBuilder base)

static boolean	isPasswordSet (KeycloakSession session, RealmModel realm, UserModel user)

静的公開変数類
static final String	ACCOUNT_MGMT_FORWARDED_ERROR_NOTE = "ACCOUNT_MGMT_FORWARDED_ERROR"

限定公開メンバ関数
Set< String >	getValidPaths ()

URI	getBaseRedirectUri ()

Response	login (String path)

限定公開変数類
final ClientModel	client

RealmModel	realm

HttpHeaders	headers

ClientConnection	clientConnection

String	stateChecker

KeycloakSession	session

HttpRequest	request

Auth	auth

静的関数
	[static initializer]

非公開メンバ関数
Response	forwardToPage (String path, AccountPages page)

void	setReferrerOnPage ()

String []	getReferrer ()

void	updateUsername (String username, UserModel user, KeycloakSession session)

void	updateEmail (String email, UserModel user, KeycloakSession session, EventBuilder event)

void	csrfCheck (final MultivaluedMap< String, String > formData)

非公開変数類
final AppAuthManager	authManager

EventBuilder	event

AccountProvider	account

EventStoreProvider	eventStore

静的非公開変数類
static final Logger	logger = Logger.getLogger(AccountFormService.class)

static Set< String >	VALID_PATHS = new HashSet<String>()

詳解

著者: Stian Thorgersen

構築子と解体子

◆ AccountFormService()

org.keycloak.services.resources.account.AccountFormService.AccountFormService	(	RealmModel	realm,
		ClientModel	client,
		EventBuilder	event
	)

inline

                                                                                         {
         super(realm, client);
         this.event = event;
         this.authManager = new AppAuthManager();
     }

関数詳解

◆ [static initializer]()

org.keycloak.services.resources.account.AccountFormService.[static initializer] ( )

inlinestaticpackage

◆ accountPage()

Response org.keycloak.services.resources.account.AccountFormService.accountPage ( )

inline

Get account information.

戻り値

                                   {
         return forwardToPage(null, AccountPages.ACCOUNT);
     }

◆ accountServiceApplicationPage()

static UriBuilder org.keycloak.services.resources.account.AccountFormService.accountServiceApplicationPage ( UriInfo uriInfo )

inlinestatic

                                                                             {
         return accountServiceBaseUrl(uriInfo).path(AccountFormService.class, "applicationsPage");
     }

◆ accountServiceBaseUrl()

static UriBuilder org.keycloak.services.resources.account.AccountFormService.accountServiceBaseUrl ( UriInfo uriInfo )

inlinestatic

                                                                     {
         UriBuilder base = uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(RealmsResource.class, "getAccountService");
         return base;
     }

◆ applicationsPage()

Response org.keycloak.services.resources.account.AccountFormService.applicationsPage ( )

inline

                                        {
         return forwardToPage("applications", AccountPages.APPLICATIONS);
     }

◆ csrfCheck()

void org.keycloak.services.resources.account.AccountFormService.csrfCheck ( final MultivaluedMap< String, String > formData )

inlineprivate

                                                                           {
         String formStateChecker = formData.getFirst("stateChecker");
         if (formStateChecker == null || !formStateChecker.equals(this.stateChecker)) {
             throw new ForbiddenException();
         }
     }

◆ federatedIdentityPage()

Response org.keycloak.services.resources.account.AccountFormService.federatedIdentityPage ( )

inline

                                             {
         return forwardToPage("identity", AccountPages.FEDERATED_IDENTITY);
     }

◆ forwardToPage()

Response org.keycloak.services.resources.account.AccountFormService.forwardToPage	(	String	path,
		AccountPages	page
	)

inlineprivate

                                                                    {
         if (auth != null) {
             try {
                 auth.require(AccountRoles.MANAGE_ACCOUNT);
             } catch (ForbiddenException e) {
                 return session.getProvider(LoginFormsProvider.class).setError(Messages.NO_ACCESS).createErrorPage(Response.Status.FORBIDDEN);
             }
 
             setReferrerOnPage();
 
             UserSessionModel userSession = auth.getSession();
 
             String tabId = request.getUri().getQueryParameters().getFirst(org.keycloak.models.Constants.TAB_ID);
             if (tabId != null) {
                 AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getAuthenticationSessionByIdAndClient(realm, userSession.getId(), client, tabId);
                 if (authSession != null) {
                     String forwardedError = authSession.getAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE);
                     if (forwardedError != null) {
                         try {
                             FormMessage errorMessage = JsonSerialization.readValue(forwardedError, FormMessage.class);
                             account.setError(Response.Status.INTERNAL_SERVER_ERROR, errorMessage.getMessage(), errorMessage.getParameters());
                             authSession.removeAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE);
                         } catch (IOException ioe) {
                             throw new RuntimeException(ioe);
                         }
                     }
                 }
             }
 
             return account.createResponse(page);
         } else {
             return login(path);
         }
     }

◆ getBaseRedirectUri()

URI org.keycloak.services.resources.account.AccountFormService.getBaseRedirectUri ( )

inlineprotected

                                        {
         return Urls.accountBase(session.getContext().getUri().getBaseUri()).path("/").build(realm.getName());
     }

◆ getReferrer()

String [] org.keycloak.services.resources.account.AccountFormService.getReferrer ( )

inlineprivate

                                    {
         String referrer = session.getContext().getUri().getQueryParameters().getFirst("referrer");
         if (referrer == null) {
             return null;
         }
 
         String referrerUri = session.getContext().getUri().getQueryParameters().getFirst("referrer_uri");
 
         ClientModel referrerClient = realm.getClientByClientId(referrer);
         if (referrerClient != null) {
             if (referrerUri != null) {
                 referrerUri = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), referrerUri, realm, referrerClient);
             } else {
                 referrerUri = ResolveRelative.resolveRelativeUri(session.getContext().getUri().getRequestUri(), client.getRootUrl(), referrerClient.getBaseUrl());
             }
 
             if (referrerUri != null) {
                 String referrerName = referrerClient.getName();
                 if (Validation.isBlank(referrerName)) {
                     referrerName = referrer;
                 }
                 return new String[]{referrerName, referrerUri};
             }
         } else if (referrerUri != null) {
             referrerClient = realm.getClientByClientId(referrer);
             if (client != null) {
                 referrerUri = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), referrerUri, realm, referrerClient);
 
                 if (referrerUri != null) {
                     return new String[]{referrer, referrerUri};
                 }
             }
         }
 
         return null;
     }

◆ getValidPaths()

Set<String> org.keycloak.services.resources.account.AccountFormService.getValidPaths ( )

inlineprotected

                                           {
         return AccountFormService.VALID_PATHS;
     }

◆ grantPermission()

Response org.keycloak.services.resources.account.AccountFormService.grantPermission	(	@PathParam("resource_id") String	resourceId,
		@FormParam("action") String	action,
		@FormParam("permission_id") String []	permissionId,
		@FormParam("requester") String	requester
	)

inline

                                                                                                                                                                                                                   {
         AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
         PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
         Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
 
         if (resource == null) {
             return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
         }
 
         if (action == null) {
             return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
         }
 
         boolean isGrant = "grant".equals(action);
         boolean isDeny = "deny".equals(action);
         boolean isRevoke = "revoke".equals(action);
         boolean isRevokePolicy = "revokePolicy".equals(action);
         boolean isRevokePolicyAll = "revokePolicyAll".equals(action);
 
         if (isRevokePolicy || isRevokePolicyAll) {
             List<String> ids = new ArrayList(Arrays.asList(permissionId));
             Iterator<String> iterator = ids.iterator();
             PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
             Policy policy = null;
 
             while (iterator.hasNext()) {
                 String id = iterator.next();
 
                 if (!id.contains(":")) {
                     policy = policyStore.findById(id, client.getId());
                     iterator.remove();
                     break;
                 }
             }
 
             Set<Scope> scopesToKeep = new HashSet<>();
 
             if (isRevokePolicyAll) {
                 for (Scope scope : policy.getScopes()) {
                     policy.removeScope(scope);
                 }
             } else {
                 for (String id : ids) {
                     scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(id.split(":")[1], client.getId()));
                 }
 
                 for (Scope scope : policy.getScopes()) {
                     if (!scopesToKeep.contains(scope)) {
                         policy.removeScope(scope);
                     }
                 }
             }
 
             if (policy.getScopes().isEmpty()) {
                 for (Policy associated : policy.getAssociatedPolicies()) {
                     policyStore.delete(associated.getId());
                 }
 
                 policyStore.delete(policy.getId());
             }
         } else {
             Map<String, String> filters = new HashMap<>();
 
             filters.put(PermissionTicket.RESOURCE, resource.getId());
             filters.put(PermissionTicket.REQUESTER, session.users().getUserByUsername(requester, realm).getId());
 
             if (isRevoke) {
                 filters.put(PermissionTicket.GRANTED, Boolean.TRUE.toString());
             } else {
                 filters.put(PermissionTicket.GRANTED, Boolean.FALSE.toString());
             }
 
             List<PermissionTicket> tickets = ticketStore.find(filters, resource.getResourceServer().getId(), -1, -1);
             Iterator<PermissionTicket> iterator = tickets.iterator();
 
             while (iterator.hasNext()) {
                 PermissionTicket ticket = iterator.next();
 
                 if (isGrant) {
                     if (permissionId != null && permissionId.length > 0 && !Arrays.asList(permissionId).contains(ticket.getId())) {
                         continue;
                     }
                 }
 
                 if (isGrant && !ticket.isGranted()) {
                     ticket.setGrantedTimestamp(System.currentTimeMillis());
                     iterator.remove();
                 } else if (isDeny || isRevoke) {
                     if (permissionId != null && permissionId.length > 0 && Arrays.asList(permissionId).contains(ticket.getId())) {
                         iterator.remove();
                     }
                 }
             }
 
             for (PermissionTicket ticket : tickets) {
                 ticketStore.delete(ticket.getId());
             }
         }
 
         if (isRevoke || isRevokePolicy || isRevokePolicyAll) {
             return forwardToPage("resource-detail", AccountPages.RESOURCE_DETAIL);
         }
 
         return forwardToPage("resources", AccountPages.RESOURCES);
     }

◆ init()

void org.keycloak.services.resources.account.AccountFormService.init ( )

inline

                        {
         eventStore = session.getProvider(EventStoreProvider.class);
 
         account = session.getProvider(AccountProvider.class).setRealm(realm).setUriInfo(session.getContext().getUri()).setHttpHeaders(headers);
 
         AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm);
         if (authResult != null) {
             stateChecker = (String) session.getAttribute("state_checker");
             auth = new Auth(realm, authResult.getToken(), authResult.getUser(), client, authResult.getSession(), true);
             account.setStateChecker(stateChecker);
         }
 
         String requestOrigin = UriUtils.getOrigin(session.getContext().getUri().getBaseUri());
 
         String origin = headers.getRequestHeaders().getFirst("Origin");
         if (origin != null && !requestOrigin.equals(origin)) {
             throw new ForbiddenException();
         }
 
         if (!request.getHttpMethod().equals("GET")) {
             String referrer = headers.getRequestHeaders().getFirst("Referer");
             if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
                 throw new ForbiddenException();
             }
         }
 
         if (authResult != null) {
             UserSessionModel userSession = authResult.getSession();
             if (userSession != null) {
                 AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
                 if (clientSession == null) {
                     clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession);
                 }
                 auth.setClientSession(clientSession);
             }
 
             account.setUser(auth.getUser());
         }
 
         account.setFeatures(realm.isIdentityFederationEnabled(), eventStore != null && realm.isEventsEnabled(), true, true);
     }

◆ isPasswordSet()

static boolean org.keycloak.services.resources.account.AccountFormService.isPasswordSet	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inlinestatic

                                                                                                    {
         return session.userCredentialManager().isConfiguredFor(realm, user, CredentialModel.PASSWORD);
     }

◆ login()

Response org.keycloak.services.resources.AbstractSecuredLocalService.login ( String path )

inlineprotectedinherited

                                           {
         OAuthRedirect oauth = new OAuthRedirect();
         String authUrl = OIDCLoginProtocolService.authUrl(session.getContext().getUri()).build(realm.getName()).toString();
         oauth.setAuthUrl(authUrl);
 
         oauth.setClientId(client.getClientId());
 
         oauth.setSecure(realm.getSslRequired().isRequired(clientConnection));
 
         UriBuilder uriBuilder = UriBuilder.fromUri(getBaseRedirectUri()).path("login-redirect");
 
         if (path != null) {
             uriBuilder.queryParam("path", path);
         }
 
         String referrer = session.getContext().getUri().getQueryParameters().getFirst("referrer");
         if (referrer != null) {
             uriBuilder.queryParam("referrer", referrer);
         }
 
         String referrerUri = session.getContext().getUri().getQueryParameters().getFirst("referrer_uri");
         if (referrerUri != null) {
             uriBuilder.queryParam("referrer_uri", referrerUri);
         }
 
         URI accountUri = uriBuilder.build(realm.getName());
 
         oauth.setStateCookiePath(accountUri.getRawPath());
         return oauth.redirect(session.getContext().getUri(), accountUri.toString());
     }

◆ loginRedirect()

Response org.keycloak.services.resources.AbstractSecuredLocalService.loginRedirect	(	@QueryParam("code") String	code,
		@QueryParam("state") String	state,
		@QueryParam("error") String	error,
		@QueryParam("path") String	path,
		@QueryParam("referrer") String	referrer,
		@Context HttpHeaders	headers
	)

inlineinherited

                                                                 {
         try {
             if (error != null) {
                 if (OAuthErrorException.ACCESS_DENIED.equals(error)) {
                     // cased by CANCELLED_BY_USER or CONSENT_DENIED
                     session.getContext().setClient(client);
                     return session.getProvider(LoginFormsProvider.class).setError(Messages.NO_ACCESS).createErrorPage(Response.Status.FORBIDDEN);
                 } else {
                     logger.debug("error from oauth");
                     throw new ForbiddenException("error");
                 }
             }
             if (path != null && !getValidPaths().contains(path)) {
                 throw new BadRequestException("Invalid path");
             }
             if (!realm.isEnabled()) {
                 logger.debug("realm not enabled");
                 throw new ForbiddenException();
             }
             if (!client.isEnabled()) {
                 logger.debug("account management app not enabled");
                 throw new ForbiddenException();
             }
             if (code == null) {
                 logger.debug("code not specified");
                 throw new BadRequestException("code not specified");
             }
             if (state == null) {
                 logger.debug("state not specified");
                 throw new BadRequestException("state not specified");
             }
             KeycloakUriBuilder redirect = KeycloakUriBuilder.fromUri(getBaseRedirectUri());
             if (path != null) {
                 redirect.path(path);
             }
             if (referrer != null) {
                 redirect.queryParam("referrer", referrer);
             }
 
             return Response.status(302).location(redirect.build()).build();
         } finally {
         }
     }

◆ loginRedirectUrl()

static UriBuilder org.keycloak.services.resources.account.AccountFormService.loginRedirectUrl ( UriBuilder base )

inlinestatic

                                                                {
         return RealmsResource.accountUrl(base).path(AccountFormService.class, "loginRedirect");
     }

◆ logPage()

Response org.keycloak.services.resources.account.AccountFormService.logPage ( )

inline

                               {
         if (auth != null) {
             List<Event> events = eventStore.createQuery().type(Constants.EXPOSED_LOG_EVENTS).user(auth.getUser().getId()).maxResults(30).getResultList();
             for (Event e : events) {
                 if (e.getDetails() != null) {
                     Iterator<Map.Entry<String, String>> itr = e.getDetails().entrySet().iterator();
                     while (itr.hasNext()) {
                         if (!Constants.EXPOSED_LOG_DETAILS.contains(itr.next().getKey())) {
                             itr.remove();
                         }
                     }
                 }
             }
             account.setEvents(events);
         }
         return forwardToPage("log", AccountPages.LOG);
     }

◆ passwordPage()

Response org.keycloak.services.resources.account.AccountFormService.passwordPage ( )

inline

                                    {
         if (auth != null) {
             account.setPasswordSet(isPasswordSet(session, realm, auth.getUser()));
         }
 
         return forwardToPage("password", AccountPages.PASSWORD);
     }

◆ passwordUrl()

static UriBuilder org.keycloak.services.resources.account.AccountFormService.passwordUrl ( UriBuilder base )

inlinestatic

                                                           {
         return RealmsResource.accountUrl(base).path(AccountFormService.class, "passwordPage");
     }

◆ processAccountUpdate()

Response org.keycloak.services.resources.account.AccountFormService.processAccountUpdate ( final MultivaluedMap< String, String > formData )

inline

Update account information.

Form params:

firstName lastName email

引数

formData

戻り値

                                                                                         {
         if (auth == null) {
             return login(null);
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
 
         String action = formData.getFirst("submitAction");
         if (action != null && action.equals("Cancel")) {
             setReferrerOnPage();
             return account.createResponse(AccountPages.ACCOUNT);
         }
 
         csrfCheck(formData);
 
         UserModel user = auth.getUser();
 
         event.event(EventType.UPDATE_PROFILE).client(auth.getClient()).user(auth.getUser());
 
         List<FormMessage> errors = Validation.validateUpdateProfileForm(realm, formData);
         if (errors != null && !errors.isEmpty()) {
             setReferrerOnPage();
             return account.setErrors(Response.Status.BAD_REQUEST, errors).setProfileFormData(formData).createResponse(AccountPages.ACCOUNT);
         }
 
         try {
             updateUsername(formData.getFirst("username"), user, session);
             updateEmail(formData.getFirst("email"), user, session, event);
 
             user.setFirstName(formData.getFirst("firstName"));
             user.setLastName(formData.getFirst("lastName"));
 
             AttributeFormDataProcessor.process(formData, realm, user);
 
             event.success();
 
             setReferrerOnPage();
             return account.setSuccess(Messages.ACCOUNT_UPDATED).createResponse(AccountPages.ACCOUNT);
         } catch (ReadOnlyException roe) {
             setReferrerOnPage();
             return account.setError(Response.Status.BAD_REQUEST, Messages.READ_ONLY_USER).setProfileFormData(formData).createResponse(AccountPages.ACCOUNT);
         } catch (ModelDuplicateException mde) {
             setReferrerOnPage();
             return account.setError(Response.Status.CONFLICT, mde.getMessage()).setProfileFormData(formData).createResponse(AccountPages.ACCOUNT);
         }
     }

◆ processFederatedIdentityUpdate()

Response org.keycloak.services.resources.account.AccountFormService.processFederatedIdentityUpdate ( final MultivaluedMap< String, String > formData )

inline

                                                                                                   {
         if (auth == null) {
             return login("identity");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
         csrfCheck(formData);
         UserModel user = auth.getUser();
 
         String action = formData.getFirst("action");
         String providerId = formData.getFirst("providerId");
 
         if (Validation.isEmpty(providerId)) {
             setReferrerOnPage();
             return account.setError(Response.Status.BAD_REQUEST, Messages.MISSING_IDENTITY_PROVIDER).createResponse(AccountPages.FEDERATED_IDENTITY);
         }
         AccountSocialAction accountSocialAction = AccountSocialAction.getAction(action);
         if (accountSocialAction == null) {
             setReferrerOnPage();
             return account.setError(Response.Status.BAD_REQUEST, Messages.INVALID_FEDERATED_IDENTITY_ACTION).createResponse(AccountPages.FEDERATED_IDENTITY);
         }
 
         boolean hasProvider = false;
 
         for (IdentityProviderModel model : realm.getIdentityProviders()) {
             if (model.getAlias().equals(providerId)) {
                 hasProvider = true;
             }
         }
 
         if (!hasProvider) {
             setReferrerOnPage();
             return account.setError(Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_NOT_FOUND).createResponse(AccountPages.FEDERATED_IDENTITY);
         }
 
         if (!user.isEnabled()) {
             setReferrerOnPage();
             return account.setError(Response.Status.BAD_REQUEST, Messages.ACCOUNT_DISABLED).createResponse(AccountPages.FEDERATED_IDENTITY);
         }
 
         switch (accountSocialAction) {
             case ADD:
                 String redirectUri = UriBuilder.fromUri(Urls.accountFederatedIdentityPage(session.getContext().getUri().getBaseUri(), realm.getName())).build().toString();
 
                 try {
                     String nonce = UUID.randomUUID().toString();
                     MessageDigest md = MessageDigest.getInstance("SHA-256");
                     String input = nonce + auth.getSession().getId() +  client.getClientId() + providerId;
                     byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
                     String hash = Base64Url.encode(check);
                     URI linkUrl = Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), providerId, realm.getName());
                     linkUrl = UriBuilder.fromUri(linkUrl)
                             .queryParam("nonce", nonce)
                             .queryParam("hash", hash)
                             .queryParam("client_id", client.getClientId())
                             .queryParam("redirect_uri", redirectUri)
                             .build();
                     return Response.seeOther(linkUrl)
                             .build();
                 } catch (Exception spe) {
                     setReferrerOnPage();
                     return account.setError(Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_REDIRECT_ERROR).createResponse(AccountPages.FEDERATED_IDENTITY);
                 }
             case REMOVE:
                 FederatedIdentityModel link = session.users().getFederatedIdentity(user, providerId, realm);
                 if (link != null) {
 
                     // Removing last social provider is not possible if you don't have other possibility to authenticate
                     if (session.users().getFederatedIdentities(user, realm).size() > 1 || user.getFederationLink() != null || isPasswordSet(session, realm, user)) {
                         session.users().removeFederatedIdentity(realm, user, providerId);
 
                         logger.debugv("Social provider {0} removed successfully from user {1}", providerId, user.getUsername());
 
                         event.event(EventType.REMOVE_FEDERATED_IDENTITY).client(auth.getClient()).user(auth.getUser())
                                 .detail(Details.USERNAME, auth.getUser().getUsername())
                                 .detail(Details.IDENTITY_PROVIDER, link.getIdentityProvider())
                                 .detail(Details.IDENTITY_PROVIDER_USERNAME, link.getUserName())
                                 .success();
 
                         setReferrerOnPage();
                         return account.setSuccess(Messages.IDENTITY_PROVIDER_REMOVED).createResponse(AccountPages.FEDERATED_IDENTITY);
                     } else {
                         setReferrerOnPage();
                         return account.setError(Response.Status.BAD_REQUEST, Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER).createResponse(AccountPages.FEDERATED_IDENTITY);
                     }
                 } else {
                     setReferrerOnPage();
                     return account.setError(Response.Status.BAD_REQUEST, Messages.FEDERATED_IDENTITY_NOT_ACTIVE).createResponse(AccountPages.FEDERATED_IDENTITY);
                 }
             default:
                 throw new IllegalArgumentException();
         }
     }

◆ processPasswordUpdate()

Response org.keycloak.services.resources.account.AccountFormService.processPasswordUpdate ( final MultivaluedMap< String, String > formData )

inline

Update account password

Form params:

password - old password password-new pasword-confirm

引数

formData

戻り値

                                                                                          {
         if (auth == null) {
             return login("password");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
 
         csrfCheck(formData);
         UserModel user = auth.getUser();
 
         boolean requireCurrent = isPasswordSet(session, realm, user);
         account.setPasswordSet(requireCurrent);
 
         String password = formData.getFirst("password");
         String passwordNew = formData.getFirst("password-new");
         String passwordConfirm = formData.getFirst("password-confirm");
 
         EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR)
                 .client(auth.getClient())
                 .user(auth.getSession().getUser());
 
         if (requireCurrent) {
             if (Validation.isBlank(password)) {
                 setReferrerOnPage();
                 errorEvent.error(Errors.PASSWORD_MISSING);
                 return account.setError(Response.Status.BAD_REQUEST, Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
             }
 
             UserCredentialModel cred = UserCredentialModel.password(password);
             if (!session.userCredentialManager().isValid(realm, user, cred)) {
                 setReferrerOnPage();
                 errorEvent.error(Errors.INVALID_USER_CREDENTIALS);
                 return account.setError(Response.Status.BAD_REQUEST, Messages.INVALID_PASSWORD_EXISTING).createResponse(AccountPages.PASSWORD);
             }
         }
 
         if (Validation.isBlank(passwordNew)) {
             setReferrerOnPage();
             errorEvent.error(Errors.PASSWORD_MISSING);
             return account.setError(Response.Status.BAD_REQUEST, Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
         }
 
         if (!passwordNew.equals(passwordConfirm)) {
             setReferrerOnPage();
             errorEvent.error(Errors.PASSWORD_CONFIRM_ERROR);
             return account.setError(Response.Status.BAD_REQUEST, Messages.INVALID_PASSWORD_CONFIRM).createResponse(AccountPages.PASSWORD);
         }
 
         try {
             session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(passwordNew, false));
         } catch (ReadOnlyException mre) {
             setReferrerOnPage();
             errorEvent.error(Errors.NOT_ALLOWED);
             return account.setError(Response.Status.BAD_REQUEST, Messages.READ_ONLY_PASSWORD).createResponse(AccountPages.PASSWORD);
         } catch (ModelException me) {
             ServicesLogger.LOGGER.failedToUpdatePassword(me);
             setReferrerOnPage();
             errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
             return account.setError(Response.Status.INTERNAL_SERVER_ERROR, me.getMessage(), me.getParameters()).createResponse(AccountPages.PASSWORD);
         } catch (Exception ape) {
             ServicesLogger.LOGGER.failedToUpdatePassword(ape);
             setReferrerOnPage();
             errorEvent.detail(Details.REASON, ape.getMessage()).error(Errors.PASSWORD_REJECTED);
             return account.setError(Response.Status.INTERNAL_SERVER_ERROR, ape.getMessage()).createResponse(AccountPages.PASSWORD);
         }
 
         List<UserSessionModel> sessions = session.sessions().getUserSessions(realm, user);
         for (UserSessionModel s : sessions) {
             if (!s.getId().equals(auth.getSession().getId())) {
                 AuthenticationManager.backchannelLogout(session, realm, s, session.getContext().getUri(), clientConnection, headers, true);
             }
         }
 
         event.event(EventType.UPDATE_PASSWORD).client(auth.getClient()).user(auth.getUser()).success();
 
         setReferrerOnPage();
         return account.setPasswordSet(true).setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED).createResponse(AccountPages.PASSWORD);
     }

◆ processResourceActions()

Response org.keycloak.services.resources.account.AccountFormService.processResourceActions	(	@FormParam("resource_id") String []	resourceIds,
		@FormParam("action") String	action
	)

inline

                                                                                                                                {
         AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
         PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
 
         if (action == null) {
             return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
         }
 
         for (String resourceId : resourceIds) {
             Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
 
             if (resource == null) {
                 return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
             }
 
             HashMap<String, String> filters = new HashMap<>();
 
             filters.put(PermissionTicket.REQUESTER, auth.getUser().getId());
             filters.put(PermissionTicket.RESOURCE, resource.getId());
 
             if ("cancel".equals(action)) {
                 filters.put(PermissionTicket.GRANTED, Boolean.TRUE.toString());
             } else if ("cancelRequest".equals(action)) {
                 filters.put(PermissionTicket.GRANTED, Boolean.FALSE.toString());
             }
 
             for (PermissionTicket ticket : ticketStore.find(filters, resource.getResourceServer().getId(), -1, -1)) {
                 ticketStore.delete(ticket.getId());
             }
         }
 
         return forwardToPage("authorization", AccountPages.RESOURCES);
     }

◆ processRevokeGrant()

Response org.keycloak.services.resources.account.AccountFormService.processRevokeGrant ( final MultivaluedMap< String, String > formData )

inline

                                                                                       {
         if (auth == null) {
             return login("applications");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
         csrfCheck(formData);
 
         String clientId = formData.getFirst("clientId");
         if (clientId == null) {
             return account.setError(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND).createResponse(AccountPages.APPLICATIONS);
         }
         ClientModel client = realm.getClientById(clientId);
         if (client == null) {
             return account.setError(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND).createResponse(AccountPages.APPLICATIONS);
         }
 
         // Revoke grant in UserModel
         UserModel user = auth.getUser();
         session.users().revokeConsentForClient(realm, user.getId(), client.getId());
         new UserSessionManager(session).revokeOfflineToken(user, client);
 
         // Logout clientSessions for this user and client
         AuthenticationManager.backchannelLogoutUserFromClient(session, realm, user, client, session.getContext().getUri(), headers);
 
         event.event(EventType.REVOKE_GRANT).client(auth.getClient()).user(auth.getUser()).detail(Details.REVOKED_CLIENT, client.getClientId()).success();
         setReferrerOnPage();
 
         UriBuilder builder = Urls.accountBase(session.getContext().getUri().getBaseUri()).path(AccountFormService.class, "applicationsPage");
         String referrer = session.getContext().getUri().getQueryParameters().getFirst("referrer");
         if (referrer != null) {
             builder.queryParam("referrer", referrer);
 
         }
         URI location = builder.build(realm.getName());
         return Response.seeOther(location).build();
     }

◆ processSessionsLogout()

Response org.keycloak.services.resources.account.AccountFormService.processSessionsLogout ( final MultivaluedMap< String, String > formData )

inline

                                                                                          {
         if (auth == null) {
             return login("sessions");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
         csrfCheck(formData);
 
         UserModel user = auth.getUser();
 
         // Rather decrease time a bit. To avoid situation when user is immediatelly redirected to login screen, then automatically authenticated (eg. with Kerberos) and then seeing issues due the stale token
         // as time on the token will be same like notBefore
         session.users().setNotBeforeForUser(realm, user, Time.currentTime() - 1);
 
         List<UserSessionModel> userSessions = session.sessions().getUserSessions(realm, user);
         for (UserSessionModel userSession : userSessions) {
             AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, true);
         }
 
         UriBuilder builder = Urls.accountBase(session.getContext().getUri().getBaseUri()).path(AccountFormService.class, "sessionsPage");
         String referrer = session.getContext().getUri().getQueryParameters().getFirst("referrer");
         if (referrer != null) {
             builder.queryParam("referrer", referrer);
 
         }
         URI location = builder.build(realm.getName());
         return Response.seeOther(location).build();
     }

◆ processTotpUpdate()

Response org.keycloak.services.resources.account.AccountFormService.processTotpUpdate ( final MultivaluedMap< String, String > formData )

inline

Update the TOTP for this account.

form parameters:

totp - otp generated by authenticator totpSecret - totp secret to register

引数

formData

戻り値

                                                                                      {
         if (auth == null) {
             return login("totp");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
 
         account.setAttribute("mode", session.getContext().getUri().getQueryParameters().getFirst("mode"));
 
         String action = formData.getFirst("submitAction");
         if (action != null && action.equals("Cancel")) {
             setReferrerOnPage();
             return account.createResponse(AccountPages.TOTP);
         }
 
         csrfCheck(formData);
 
         UserModel user = auth.getUser();
 
         if (action != null && action.equals("Delete")) {
             session.userCredentialManager().disableCredentialType(realm, user, CredentialModel.OTP);
 
             event.event(EventType.REMOVE_TOTP).client(auth.getClient()).user(auth.getUser()).success();
 
             setReferrerOnPage();
             return account.setSuccess(Messages.SUCCESS_TOTP_REMOVED).createResponse(AccountPages.TOTP);
         } else {
             String totp = formData.getFirst("totp");
             String totpSecret = formData.getFirst("totpSecret");
 
             if (Validation.isBlank(totp)) {
                 setReferrerOnPage();
                 return account.setError(Response.Status.BAD_REQUEST, Messages.MISSING_TOTP).createResponse(AccountPages.TOTP);
             } else if (!CredentialValidation.validOTP(realm, totp, totpSecret)) {
                 setReferrerOnPage();
                 return account.setError(Response.Status.BAD_REQUEST, Messages.INVALID_TOTP).createResponse(AccountPages.TOTP);
             }
 
             UserCredentialModel credentials = new UserCredentialModel();
             credentials.setType(realm.getOTPPolicy().getType());
             credentials.setValue(totpSecret);
             session.userCredentialManager().updateCredential(realm, user, credentials);
 
             // to update counter
             UserCredentialModel cred = new UserCredentialModel();
             cred.setType(realm.getOTPPolicy().getType());
             cred.setValue(totp);
             session.userCredentialManager().isValid(realm, user, cred);
 
             event.event(EventType.UPDATE_TOTP).client(auth.getClient()).user(auth.getUser()).success();
 
             setReferrerOnPage();
             return account.setSuccess(Messages.SUCCESS_TOTP).createResponse(AccountPages.TOTP);
         }
     }

◆ resourceDetailPage()

Response org.keycloak.services.resources.account.AccountFormService.resourceDetailPage ( @PathParam("resource_id") String resourceId )

inline

                                                                                     {
         return forwardToPage("resource-detail", AccountPages.RESOURCE_DETAIL);
     }

◆ resourcesPage()

Response org.keycloak.services.resources.account.AccountFormService.resourcesPage ( @QueryParam("resource_id") String resourceId )

inline

                                                                                 {
         return forwardToPage("resources", AccountPages.RESOURCES);
     }

◆ sessionsPage()

Response org.keycloak.services.resources.account.AccountFormService.sessionsPage ( )

inline

                                    {
         if (auth != null) {
             account.setSessions(session.sessions().getUserSessions(realm, auth.getUser()));
         }
         return forwardToPage("sessions", AccountPages.SESSIONS);
     }

◆ setReferrerOnPage()

void org.keycloak.services.resources.account.AccountFormService.setReferrerOnPage ( )

inlineprivate

                                      {
         String[] referrer = getReferrer();
         if (referrer != null) {
             account.setReferrer(referrer);
         }
     }

◆ shareResource()

Response org.keycloak.services.resources.account.AccountFormService.shareResource	(	@PathParam("resource_id") String	resourceId,
		@FormParam("user_id") String []	userIds,
		@FormParam("scope_id") String []	scopes
	)

inline

                                                                                                                                                                {
         AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
         PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
         Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
 
         if (resource == null) {
             return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
         }
 
         if (userIds == null || userIds.length == 0) {
             return account.setError(Status.BAD_REQUEST, Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
         }
 
         for (String id : userIds) {
             UserModel user = session.users().getUserById(id, realm);
 
             if (user == null) {
                 user = session.users().getUserByUsername(id, realm);
             }
 
             if (user == null) {
                 user = session.users().getUserByEmail(id, realm);
             }
 
             if (user == null) {
                 return account.setError(Status.BAD_REQUEST, Messages.INVALID_USER).createResponse(AccountPages.RESOURCE_DETAIL);
             }
 
             Map<String, String> filters = new HashMap<>();
 
             filters.put(PermissionTicket.RESOURCE, resource.getId());
             filters.put(PermissionTicket.OWNER, auth.getUser().getId());
             filters.put(PermissionTicket.REQUESTER, user.getId());
 
             List<PermissionTicket> tickets = ticketStore.find(filters, resource.getResourceServer().getId(), -1, -1);
 
             if (tickets.isEmpty()) {
                 if (scopes != null && scopes.length > 0) {
                     for (String scope : scopes) {
                         PermissionTicket ticket = ticketStore.create(resourceId, scope, user.getId(), resource.getResourceServer());
                         ticket.setGrantedTimestamp(System.currentTimeMillis());
                     }
                 } else {
                     if (resource.getScopes().isEmpty()) {
                         PermissionTicket ticket = ticketStore.create(resourceId, null, user.getId(), resource.getResourceServer());
                         ticket.setGrantedTimestamp(System.currentTimeMillis());
                     } else {
                         for (Scope scope : resource.getScopes()) {
                             PermissionTicket ticket = ticketStore.create(resourceId, scope.getId(), user.getId(), resource.getResourceServer());
                             ticket.setGrantedTimestamp(System.currentTimeMillis());
                         }
                     }
                 }
             } else if (scopes != null && scopes.length > 0) {
                 List<String> grantScopes = new ArrayList<>(Arrays.asList(scopes));
 
                 for (PermissionTicket ticket : tickets) {
                     Scope scope = ticket.getScope();
 
                     if (scope != null) {
                         grantScopes.remove(scope.getId());
                     }
                 }
 
                 for (String grantScope : grantScopes) {
                     PermissionTicket ticket = ticketStore.create(resourceId, grantScope, user.getId(), resource.getResourceServer());
                     ticket.setGrantedTimestamp(System.currentTimeMillis());
                 }
             }
         }
 
         return forwardToPage("resource-detail", AccountPages.RESOURCE_DETAIL);
     }

◆ totpPage()

Response org.keycloak.services.resources.account.AccountFormService.totpPage ( )

inline

                                {
         account.setAttribute("mode", session.getContext().getUri().getQueryParameters().getFirst("mode"));
         return forwardToPage("totp", AccountPages.TOTP);
     }

◆ totpUrl()

static UriBuilder org.keycloak.services.resources.account.AccountFormService.totpUrl ( UriBuilder base )

inlinestatic

                                                       {
         return RealmsResource.accountUrl(base).path(AccountFormService.class, "totpPage");
     }

◆ updateEmail()

void org.keycloak.services.resources.account.AccountFormService.updateEmail	(	String	email,
		UserModel	user,
		KeycloakSession	session,
		EventBuilder	event
	)

inlineprivate

                                                                                                         {
         RealmModel realm = session.getContext().getRealm();
         String oldEmail = user.getEmail();
         boolean emailChanged = oldEmail != null ? !oldEmail.equals(email) : email != null;
         if (emailChanged && !realm.isDuplicateEmailsAllowed()) {
             UserModel existing = session.users().getUserByEmail(email, realm);
             if (existing != null && !existing.getId().equals(user.getId())) {
                 throw new ModelDuplicateException(Messages.EMAIL_EXISTS);
             }
         }
 
         user.setEmail(email);
 
         if (emailChanged) {
             user.setEmailVerified(false);
             event.clone().event(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, oldEmail).detail(Details.UPDATED_EMAIL, email).success();
         }
 
         if (realm.isRegistrationEmailAsUsername()) {
             if (!realm.isDuplicateEmailsAllowed()) {
                 UserModel existing = session.users().getUserByEmail(email, realm);
                 if (existing != null && !existing.getId().equals(user.getId())) {
                     throw new ModelDuplicateException(Messages.USERNAME_EXISTS);
                 }
             }
             user.setUsername(email);
         }
     }

◆ updateUsername()

void org.keycloak.services.resources.account.AccountFormService.updateUsername	(	String	username,
		UserModel	user,
		KeycloakSession	session
	)

inlineprivate

                                                                                           {
         RealmModel realm = session.getContext().getRealm();
         boolean usernameChanged = username == null || !user.getUsername().equals(username);
         if (realm.isEditUsernameAllowed() && !realm.isRegistrationEmailAsUsername()) {
             if (usernameChanged) {
                 UserModel existing = session.users().getUserByUsername(username, realm);
                 if (existing != null && !existing.getId().equals(user.getId())) {
                     throw new ModelDuplicateException(Messages.USERNAME_EXISTS);
                 }
 
                 user.setUsername(username);
             }
         } else if (usernameChanged) {
 
         }
     }

staticprivate

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/services/resources/account/AccountFormService.java

クラス

公開メンバ関数

静的公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

静的関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ AccountFormService()

関数詳解

◆ [static initializer]()

◆ accountPage()

◆ accountServiceApplicationPage()

◆ accountServiceBaseUrl()

◆ applicationsPage()

◆ csrfCheck()

◆ federatedIdentityPage()

◆ forwardToPage()

◆ getBaseRedirectUri()

◆ getReferrer()

◆ getValidPaths()

◆ grantPermission()

◆ init()

◆ isPasswordSet()

◆ login()

◆ loginRedirect()

◆ loginRedirectUrl()

◆ logPage()

◆ passwordPage()

◆ passwordUrl()

◆ processAccountUpdate()

◆ processFederatedIdentityUpdate()

◆ processPasswordUpdate()

◆ processResourceActions()

◆ processRevokeGrant()

◆ processSessionsLogout()

◆ processTotpUpdate()

◆ resourceDetailPage()

◆ resourcesPage()

◆ sessionsPage()

◆ setReferrerOnPage()

◆ shareResource()

◆ totpPage()

◆ totpUrl()

◆ updateEmail()

◆ updateUsername()

メンバ詳解

◆ account

◆ ACCOUNT_MGMT_FORWARDED_ERROR_NOTE

◆ auth

◆ authManager

◆ client

◆ clientConnection

◆ event

◆ eventStore

◆ headers

◆ logger

◆ realm

◆ request

◆ session

◆ stateChecker

◆ VALID_PATHS