org.keycloak.services.managers.AppAuthManager クラス

org.keycloak.services.managers.AppAuthManager の継承関係図

org.keycloak.services.managers.AppAuthManager 連携図

公開メンバ関数
AuthResult	authenticateIdentityCookie (KeycloakSession session, RealmModel realm)
String	extractAuthorizationHeaderToken (HttpHeaders headers)
AuthResult	authenticateBearerToken (KeycloakSession session, RealmModel realm)
AuthResult	authenticateBearerToken (KeycloakSession session)
AuthResult	authenticateBearerToken (KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers)
AuthResult	authenticateBearerToken (String tokenString, KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers)

静的公開メンバ関数
static boolean	isSessionValid (RealmModel realm, UserSessionModel userSession)
static boolean	isOfflineSessionValid (RealmModel realm, UserSessionModel userSession)
static void	expireUserSessionCookie (KeycloakSession session, UserSessionModel userSession, RealmModel realm, UriInfo uriInfo, HttpHeaders headers, ClientConnection connection)
static void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, boolean logoutBroker)
static void	backchannelLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers, boolean logoutBroker)
static void	backchannelLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers, boolean logoutBroker, boolean offlineSession)
static void	setClientLogoutAction (AuthenticationSessionModel logoutAuthSession, String clientUuid, AuthenticationSessionModel.Action action)
static AuthenticationSessionModel.Action	getClientLogoutAction (AuthenticationSessionModel logoutAuthSession, String clientUuid)
static void	backchannelLogoutUserFromClient (KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, UriInfo uriInfo, HttpHeaders headers)
static Response	browserLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers)
static Response	finishBrowserLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers)
static IdentityCookieToken	createIdentityToken (KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer)
static void	createLoginCookie (KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, UriInfo uriInfo, ClientConnection connection)
static void	createRememberMeCookie (RealmModel realm, String username, UriInfo uriInfo, ClientConnection connection)
static String	getRememberMeUsername (RealmModel realm, HttpHeaders headers)
static void	expireIdentityCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)
static void	expireOldIdentityCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)
static void	expireRememberMeCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)
static void	expireOldAuthSessionCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)
static String	getRealmCookiePath (RealmModel realm, UriInfo uriInfo)
static String	getOldCookiePath (RealmModel realm, UriInfo uriInfo)
static String	getAccountCookiePath (RealmModel realm, UriInfo uriInfo)
static void	expireCookie (RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection)
static AuthResult	authenticateIdentityCookie (KeycloakSession session, RealmModel realm, boolean checkActive)
static Response	redirectAfterSuccessfulFlow (KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, String protocol)
static Response	redirectAfterSuccessfulFlow (KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, LoginProtocol protocol)
static boolean	isSSOAuthentication (AuthenticatedClientSessionModel clientSession)
static Response	nextActionAfterAuthentication (KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event)
static Response	redirectToRequiredActions (KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, UriInfo uriInfo, String requiredAction)
static Response	finishedRequiredActions (KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event)
static String	nextRequiredAction (final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event)
static Response	actionRequired (final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event)
static void	setClientScopesInSession (AuthenticationSessionModel authSession)
static RequiredActionProvider	createRequiredAction (RequiredActionContextResult context)
static void	evaluateRequiredActionTriggers (final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event, final RealmModel realm, final UserModel user)
static AuthResult	verifyIdentityToken (KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, boolean isCookie, String tokenString, HttpHeaders headers)

静的公開変数類
static final String	SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS = "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS"
static final String	END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS"
static final String	INVALIDATE_ACTION_TOKEN = "INVALIDATE_ACTION_TOKEN"
static final String	CLIENT_LOGOUT_STATE = "logout.state."
static final String	AUTH_TIME = "AUTH_TIME"
static final String	SSO_AUTH = "SSO_AUTH"
static final String	FORM_USERNAME = "username"
static final String	KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY"
static final String	KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION"
static final String	KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME"
static final String	KEYCLOAK_LOGOUT_PROTOCOL = "KEYCLOAK_LOGOUT_PROTOCOL"

静的限定公開メンバ関数
static String	getIdentityCookiePath (RealmModel realm, UriInfo uriInfo)
static Response	executionActions (KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set< String > requiredActions)

静的限定公開変数類
static final Logger	logger = Logger.getLogger(AuthenticationManager.class)

詳解

著者

Bill Burke

Stian Thorgersen

関数詳解

actionRequired()

static Response org.keycloak.services.managers.AuthenticationManager.actionRequired ( final KeycloakSession  session, final AuthenticationSessionModel  authSession, final ClientConnection  clientConnection, final HttpRequest  request, final UriInfo  uriInfo, final EventBuilder  event  )

inlinestaticinherited

                                                                                                                                     {
        final RealmModel realm = authSession.getRealm();
        final UserModel user = authSession.getAuthenticatedUser();
        final ClientModel client = authSession.getClient();

        evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user);


        logger.debugv("processAccessCode: go to oauth page?: {0}", client.isConsentRequired());

        event.detail(Details.CODE_ID, authSession.getParentSession().getId());

        Set<String> requiredActions = user.getRequiredActions();
        Response action = executionActions(session, authSession, request, event, realm, user, requiredActions);
        if (action != null) return action;

        // executionActions() method should remove any duplicate actions that might be in the clientSession
        requiredActions = authSession.getRequiredActions();
        action = executionActions(session, authSession, request, event, realm, user, requiredActions);
        if (action != null) return action;

        if (client.isConsentRequired()) {

            UserConsentModel grantedConsent = getEffectiveGrantedConsent(session, authSession);

            List<ClientScopeModel> clientScopesToApprove = getClientScopesToApproveOnConsentScreen(realm, grantedConsent, authSession);

            // Skip grant screen if everything was already approved by this user
            if (clientScopesToApprove.size() > 0) {
                String execution = AuthenticatedClientSessionModel.Action.OAUTH_GRANT.name();

                ClientSessionCode<AuthenticationSessionModel> accessCode = new ClientSessionCode<>(session, realm, authSession);
                accessCode.setAction(AuthenticatedClientSessionModel.Action.REQUIRED_ACTIONS.name());
                authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution);

                return session.getProvider(LoginFormsProvider.class)
                        .setAuthenticationSession(authSession)
                        .setExecution(execution)
                        .setClientSessionCode(accessCode.getOrGenerateCode())
                        .setAccessRequest(clientScopesToApprove)
                        .createOAuthGrant();
            } else {
                String consentDetail = (grantedConsent != null) ? Details.CONSENT_VALUE_PERSISTED_CONSENT : Details.CONSENT_VALUE_NO_CONSENT_REQUIRED;
                event.detail(Details.CONSENT, consentDetail);
            }
        } else {
            event.detail(Details.CONSENT, Details.CONSENT_VALUE_NO_CONSENT_REQUIRED);
        }
        return null;

    }

authenticateBearerToken() [1/4]

AuthResult org.keycloak.services.managers.AppAuthManager.authenticateBearerToken ( KeycloakSession  session, RealmModel  realm  )

inline

                                                                                         {
        KeycloakContext ctx = session.getContext();
        return authenticateBearerToken(session, realm, ctx.getUri(), ctx.getConnection(), ctx.getRequestHeaders());
    }

authenticateBearerToken() [2/4]

AuthResult org.keycloak.services.managers.AppAuthManager.authenticateBearerToken ( KeycloakSession  session )

inline

                                                                       {
        return authenticateBearerToken(session, session.getContext().getRealm(), session.getContext().getUri(), session.getContext().getConnection(), session.getContext().getRequestHeaders());
    }

authenticateBearerToken() [3/4]

AuthResult org.keycloak.services.managers.AppAuthManager.authenticateBearerToken ( KeycloakSession  session, RealmModel  realm, UriInfo  uriInfo, ClientConnection  connection, HttpHeaders  headers  )

inline

                                                                                                                                                            {
        return authenticateBearerToken(extractAuthorizationHeaderToken(headers), session, realm, uriInfo, connection, headers);
    }

authenticateBearerToken() [4/4]

AuthResult org.keycloak.services.managers.AppAuthManager.authenticateBearerToken ( String  tokenString, KeycloakSession  session, RealmModel  realm, UriInfo  uriInfo, ClientConnection  connection, HttpHeaders  headers  )

inline

                                                                                                                                                                                {
        if (tokenString == null) return null;
        AuthResult authResult = verifyIdentityToken(session, realm, uriInfo, connection, true, true, false, tokenString, headers);
        return authResult;
    }

authenticateIdentityCookie() [1/2]

AuthResult org.keycloak.services.managers.AppAuthManager.authenticateIdentityCookie ( KeycloakSession  session, RealmModel  realm  )

inline

                                                                                            {
        AuthResult authResult = super.authenticateIdentityCookie(session, realm);
        if (authResult == null) return null;
        // refresh the cookies!
        createLoginCookie(session, realm, authResult.getUser(), authResult.getSession(), session.getContext().getUri(), session.getContext().getConnection());
        if (authResult.getSession().isRememberMe()) createRememberMeCookie(realm, authResult.getUser().getUsername(), session.getContext().getUri(), session.getContext().getConnection());
        return authResult;
    }

authenticateIdentityCookie() [2/2]

static AuthResult org.keycloak.services.managers.AuthenticationManager.authenticateIdentityCookie ( KeycloakSession  session, RealmModel  realm, boolean  checkActive  )

inlinestaticinherited

                                                                                                                        {
        Cookie cookie = session.getContext().getRequestHeaders().getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
        if (cookie == null || "".equals(cookie.getValue())) {
            logger.debugv("Could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
            return null;
        }

        String tokenString = cookie.getValue();
        AuthResult authResult = verifyIdentityToken(session, realm, session.getContext().getUri(), session.getContext().getConnection(), checkActive, false, true, tokenString, session.getContext().getRequestHeaders());
        if (authResult == null) {
            expireIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
            expireOldIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
            return null;
        }
        authResult.getSession().setLastSessionRefresh(Time.currentTime());
        return authResult;
    }

backchannelLogout() [1/3]

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogout ( KeycloakSession  session, UserSessionModel  userSession, boolean  logoutBroker  )

inlinestaticinherited

                                                                                                                      {
        backchannelLogout(
                session,
                session.getContext().getRealm(),
                userSession,
                session.getContext().getUri(),
                session.getContext().getConnection(),
                session.getContext().getRequestHeaders(),
                logoutBroker
        );
    }

backchannelLogout() [2/3]

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogout ( KeycloakSession  session, RealmModel  realm, UserSessionModel  userSession, UriInfo  uriInfo, ClientConnection  connection, HttpHeaders  headers, boolean  logoutBroker  )

inlinestaticinherited

                                                               {
        backchannelLogout(session, realm, userSession, uriInfo, connection, headers, logoutBroker, false);
    }

backchannelLogout() [3/3]

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogout ( KeycloakSession  session, RealmModel  realm, UserSessionModel  userSession, UriInfo  uriInfo, ClientConnection  connection, HttpHeaders  headers, boolean  logoutBroker, boolean  offlineSession  )

inlinestaticinherited

引数

session
realm
userSession
uriInfo
connection
headers
logoutBroker
offlineSession

                                                                 {
        if (userSession == null) return;
        UserModel user = userSession.getUser();
        if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
            userSession.setState(UserSessionModel.State.LOGGING_OUT);
        }

        logger.debugv("Logging out: {0} ({1}) offline: {2}", user.getUsername(), userSession.getId(), userSession.isOffline());
        expireUserSessionCookie(session, userSession, realm, uriInfo, headers, connection);

        final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
        AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, false);

        try {
            backchannelLogoutAll(session, realm, userSession, logoutAuthSession, uriInfo, headers, logoutBroker);
            checkUserSessionOnlyHasLoggedOutClients(realm, userSession, logoutAuthSession);
        } finally {
            asm.removeAuthenticationSession(realm, logoutAuthSession, false);
        }

        userSession.setState(UserSessionModel.State.LOGGED_OUT);

        if (offlineSession) {
            new UserSessionManager(session).revokeOfflineUserSession(userSession);

            // Check if "online" session still exists and remove it too
            UserSessionModel onlineUserSession = session.sessions().getUserSession(realm, userSession.getId());
            if (onlineUserSession != null) {
                session.sessions().removeUserSession(realm, onlineUserSession);
            }
        } else {
            session.sessions().removeUserSession(realm, userSession);
        }
    }

backchannelLogoutUserFromClient()

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogoutUserFromClient ( KeycloakSession  session, RealmModel  realm, UserModel  user, ClientModel  client, UriInfo  uriInfo, HttpHeaders  headers  )

inlinestaticinherited

Logout all clientSessions of this user and client

引数

session
realm
user
client
uriInfo
headers

                                                                                                                                                                            {
        List<UserSessionModel> userSessions = session.sessions().getUserSessions(realm, user);
        for (UserSessionModel userSession : userSessions) {
            AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
            if (clientSession != null) {
                AuthenticationManager.backchannelLogoutClientSession(session, realm, clientSession, null, uriInfo, headers);
                clientSession.setAction(AuthenticationSessionModel.Action.LOGGED_OUT.name());
                org.keycloak.protocol.oidc.TokenManager.dettachClientSession(session.sessions(), realm, clientSession);
            }
        }
    }

browserLogout()

static Response org.keycloak.services.managers.AuthenticationManager.browserLogout ( KeycloakSession  session, RealmModel  realm, UserSessionModel  userSession, UriInfo  uriInfo, ClientConnection  connection, HttpHeaders  headers  )

inlinestaticinherited

                                                                                                                                                                                     {
        if (userSession == null) return null;

        if (logger.isDebugEnabled()) {
            UserModel user = userSession.getUser();
            logger.debugv("Logging out: {0} ({1})", user.getUsername(), userSession.getId());
        }
        
        if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
            userSession.setState(UserSessionModel.State.LOGGING_OUT);
        }

        final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
        AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);

        Response response = browserLogoutAllClients(userSession, session, realm, headers, uriInfo, logoutAuthSession);
        if (response != null) {
            return response;
        }

        String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
        if (brokerId != null) {
            IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
            response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
            if (response != null) {
                return response;
            }
        }

        return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
    }

createIdentityToken()

static IdentityCookieToken org.keycloak.services.managers.AuthenticationManager.createIdentityToken ( KeycloakSession  keycloakSession, RealmModel  realm, UserModel  user, UserSessionModel  session, String  issuer  )

inlinestaticinherited

                                                                                                                                                                      {
        IdentityCookieToken token = new IdentityCookieToken();
        token.id(KeycloakModelUtils.generateId());
        token.issuedNow();
        token.subject(user.getId());
        token.issuer(issuer);
        if (session != null) {
            token.setSessionState(session.getId());
        }
        if (realm.getSsoSessionMaxLifespan() > 0) {
            token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan());
        }

        String stateChecker = (String) keycloakSession.getAttribute("state_checker");
        if (stateChecker == null) {
            stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
            keycloakSession.setAttribute("state_checker", stateChecker);
        }
        token.getOtherClaims().put("state_checker", stateChecker);

        return token;
    }

createLoginCookie()

static void org.keycloak.services.managers.AuthenticationManager.createLoginCookie ( KeycloakSession  keycloakSession, RealmModel  realm, UserModel  user, UserSessionModel  session, UriInfo  uriInfo, ClientConnection  connection  )

inlinestaticinherited

                                                                                                                                                                                    {
        String cookiePath = getIdentityCookiePath(realm, uriInfo);
        String issuer = Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName());
        IdentityCookieToken identityCookieToken = createIdentityToken(keycloakSession, realm, user, session, issuer);
        String encoded = keycloakSession.tokens().encode(identityCookieToken);
        boolean secureOnly = realm.getSslRequired().isRequired(connection);
        int maxAge = NewCookie.DEFAULT_MAX_AGE;
        if (session != null && session.isRememberMe()) {
            maxAge = realm.getSsoSessionMaxLifespan();
        }
        logger.debugv("Create login cookie - name: {0}, path: {1}, max-age: {2}", KEYCLOAK_IDENTITY_COOKIE, cookiePath, maxAge);
        CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encoded, cookiePath, null, null, maxAge, secureOnly, true);
        //builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);

        String sessionCookieValue = realm.getName() + "/" + user.getId();
        if (session != null) {
            sessionCookieValue += "/" + session.getId();
        }
        // THIS SHOULD NOT BE A HTTPONLY COOKIE!  It is used for OpenID Connect Iframe Session support!
        // Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
        CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, realm.getSsoSessionMaxLifespan(), secureOnly, false);
        P3PHelper.addP3PHeader(keycloakSession);
    }

createRememberMeCookie()

static void org.keycloak.services.managers.AuthenticationManager.createRememberMeCookie ( RealmModel  realm, String  username, UriInfo  uriInfo, ClientConnection  connection  )

inlinestaticinherited

                                                                                                                               {
        String path = getIdentityCookiePath(realm, uriInfo);
        boolean secureOnly = realm.getSslRequired().isRequired(connection);
        // remember me cookie should be persistent (hardcoded to 365 days for now)
        //NewCookie cookie = new NewCookie(KEYCLOAK_REMEMBER_ME, "true", path, null, null, realm.getCentralLoginLifespan(), secureOnly);// todo httponly , true);
        CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, "username:" + username, path, null, null, 31536000, secureOnly, true);
    }

createRequiredAction()

static RequiredActionProvider org.keycloak.services.managers.AuthenticationManager.createRequiredAction ( RequiredActionContextResult  context )

inlinestaticinherited

                                                                                                   {
        String display = context.getAuthenticationSession().getAuthNote(OAuth2Constants.DISPLAY);
        if (display == null) return context.getFactory().create(context.getSession());


        if (context.getFactory() instanceof DisplayTypeRequiredActionFactory) {
            RequiredActionProvider provider = ((DisplayTypeRequiredActionFactory)context.getFactory()).createDisplay(context.getSession(), display);
            if (provider != null) return provider;
        }
        // todo create a provider for handling lack of display support
        if (OAuth2Constants.DISPLAY_CONSOLE.equalsIgnoreCase(display)) {
            context.getAuthenticationSession().removeAuthNote(OAuth2Constants.DISPLAY);
            throw new AuthenticationFlowException(AuthenticationFlowError.DISPLAY_NOT_SUPPORTED, ConsoleDisplayMode.browserContinue(context.getSession(), context.getUriInfo().getRequestUri().toString()));

        } else {
            return context.getFactory().create(context.getSession());
        }
    }

evaluateRequiredActionTriggers()

static void org.keycloak.services.managers.AuthenticationManager.evaluateRequiredActionTriggers ( final KeycloakSession  session, final AuthenticationSessionModel  authSession, final ClientConnection  clientConnection, final HttpRequest  request, final UriInfo  uriInfo, final EventBuilder  event, final RealmModel  realm, final UserModel  user  )

inlinestaticinherited

                                                                                                                                                                                                                                                                                                      {

        // see if any required actions need triggering, i.e. an expired password
        for (RequiredActionProviderModel model : realm.getRequiredActionProviders()) {
            if (!model.isEnabled()) continue;
            RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, model.getProviderId());
            if (factory == null) {
                throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionProvider provider = factory.create(session);
            RequiredActionContextResult result = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory) {
                @Override
                public void challenge(Response response) {
                    throw new RuntimeException("Not allowed to call challenge() within evaluateTriggers()");
                }

                @Override
                public void failure() {
                    throw new RuntimeException("Not allowed to call failure() within evaluateTriggers()");
                }

                @Override
                public void success() {
                    throw new RuntimeException("Not allowed to call success() within evaluateTriggers()");
                }

                @Override
                public void ignore() {
                    throw new RuntimeException("Not allowed to call ignore() within evaluateTriggers()");
                }
            };

            provider.evaluateTriggers(result);
        }
    }

executionActions()

static Response org.keycloak.services.managers.AuthenticationManager.executionActions ( KeycloakSession  session, AuthenticationSessionModel  authSession, HttpRequest  request, EventBuilder  event, RealmModel  realm, UserModel  user, Set< String >  requiredActions  )

inlinestaticprotectedinherited

                                                                            {

        List<RequiredActionProviderModel> sortedRequiredActions = sortRequiredActionsByPriority(realm, requiredActions);

        for (RequiredActionProviderModel model : sortedRequiredActions) {
            RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, model.getProviderId());
            if (factory == null) {
                throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory);
            RequiredActionProvider actionProvider = null;
            try {
                actionProvider = createRequiredAction(context);
            } catch (AuthenticationFlowException e) {
                if (e.getResponse() != null) {
                    return e.getResponse();
                }
                throw e;
            }
            actionProvider.requiredActionChallenge(context);

            if (context.getStatus() == RequiredActionContext.Status.FAILURE) {
                LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getAuthenticationSession().getProtocol());
                protocol.setRealm(context.getRealm())
                        .setHttpHeaders(context.getHttpRequest().getHttpHeaders())
                        .setUriInfo(context.getUriInfo())
                        .setEventBuilder(event);
                Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED);
                event.error(Errors.REJECTED_BY_USER);
                return response;
            }
            else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) {
                authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, model.getProviderId());
                return context.getChallenge();
            }
            else if (context.getStatus() == RequiredActionContext.Status.SUCCESS) {
                event.clone().event(EventType.CUSTOM_REQUIRED_ACTION).detail(Details.CUSTOM_REQUIRED_ACTION, factory.getId()).success();
                // don't have to perform the same action twice, so remove it from both the user and session required actions
                authSession.getAuthenticatedUser().removeRequiredAction(factory.getId());
                authSession.removeRequiredAction(factory.getId());
            }
        }
        return null;
    }

expireCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireCookie ( RealmModel  realm, String  cookieName, String  path, boolean  httpOnly, ClientConnection  connection  )

inlinestaticinherited

                                                                                                                                     {
        logger.debugv("Expiring cookie: {0} path: {1}", cookieName, path);
        boolean secureOnly = realm.getSslRequired().isRequired(connection);;
        CookieHelper.addCookie(cookieName, "", path, null, "Expiring cookie", 0, secureOnly, httpOnly);
    }

expireIdentityCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireIdentityCookie ( RealmModel  realm, UriInfo  uriInfo, ClientConnection  connection  )

inlinestaticinherited

                                                                                                            {
        logger.debug("Expiring identity cookie");
        String path = getIdentityCookiePath(realm, uriInfo);
        expireCookie(realm, KEYCLOAK_IDENTITY_COOKIE, path, true, connection);
        expireCookie(realm, KEYCLOAK_SESSION_COOKIE, path, false, connection);

        String oldPath = getOldCookiePath(realm, uriInfo);
        expireCookie(realm, KEYCLOAK_IDENTITY_COOKIE, oldPath, true, connection);
        expireCookie(realm, KEYCLOAK_SESSION_COOKIE, oldPath, false, connection);
    }

expireOldAuthSessionCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireOldAuthSessionCookie ( RealmModel  realm, UriInfo  uriInfo, ClientConnection  connection  )

inlinestaticinherited

                                                                                                                  {
        logger.debugv("Expire {1} cookie .", AuthenticationSessionManager.AUTH_SESSION_ID);

        String oldPath = getOldCookiePath(realm, uriInfo);
        expireCookie(realm, AuthenticationSessionManager.AUTH_SESSION_ID, oldPath, true, connection);
    }

expireOldIdentityCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireOldIdentityCookie ( RealmModel  realm, UriInfo  uriInfo, ClientConnection  connection  )

inlinestaticinherited

                                                                                                               {
        logger.debug("Expiring old identity cookie with wrong path");

        String oldPath = getOldCookiePath(realm, uriInfo);
        expireCookie(realm, KEYCLOAK_IDENTITY_COOKIE, oldPath, true, connection);
        expireCookie(realm, KEYCLOAK_SESSION_COOKIE, oldPath, false, connection);
    }

expireRememberMeCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireRememberMeCookie ( RealmModel  realm, UriInfo  uriInfo, ClientConnection  connection  )

inlinestaticinherited

                                                                                                              {
        logger.debug("Expiring remember me cookie");
        String path = getIdentityCookiePath(realm, uriInfo);
        String cookieName = KEYCLOAK_REMEMBER_ME;
        expireCookie(realm, cookieName, path, true, connection);
    }

expireUserSessionCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireUserSessionCookie ( KeycloakSession  session, UserSessionModel  userSession, RealmModel  realm, UriInfo  uriInfo, HttpHeaders  headers, ClientConnection  connection  )

inlinestaticinherited

                                                                                                                                                                                           {
        try {
            // check to see if any identity cookie is set with the same session and expire it if necessary
            Cookie cookie = headers.getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
            if (cookie == null) return;
            String tokenString = cookie.getValue();

            TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
              .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
              .checkActive(false)
              .checkTokenType(false);

            String kid = verifier.getHeader().getKeyId();
            String algorithm = verifier.getHeader().getAlgorithm().name();

            SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
            verifier.verifierContext(signatureVerifier);

            AccessToken token = verifier.verify().getToken();
            UserSessionModel cookieSession = session.sessions().getUserSession(realm, token.getSessionState());
            if (cookieSession == null || !cookieSession.getId().equals(userSession.getId())) return;
            expireIdentityCookie(realm, uriInfo, connection);
        } catch (Exception e) {
        }

    }

extractAuthorizationHeaderToken()

String org.keycloak.services.managers.AppAuthManager.extractAuthorizationHeaderToken ( HttpHeaders  headers )

inline

                                                                       {
        String tokenString = null;
        String authHeader = headers.getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (authHeader != null) {
            String[] split = authHeader.trim().split("\\s+");
            if (split == null || split.length != 2) throw new UnauthorizedException("Bearer");
            if (!split[0].equalsIgnoreCase("Bearer")) throw new UnauthorizedException("Bearer");
            tokenString = split[1];
        }
        return tokenString;
    }

finishBrowserLogout()

static Response org.keycloak.services.managers.AuthenticationManager.finishBrowserLogout ( KeycloakSession  session, RealmModel  realm, UserSessionModel  userSession, UriInfo  uriInfo, ClientConnection  connection, HttpHeaders  headers  )

inlinestaticinherited

                                                                                                                                                                                           {
        final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
        AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);

        checkUserSessionOnlyHasLoggedOutClients(realm, userSession, logoutAuthSession);

        expireIdentityCookie(realm, uriInfo, connection);
        expireRememberMeCookie(realm, uriInfo, connection);
        userSession.setState(UserSessionModel.State.LOGGED_OUT);
        String method = userSession.getNote(KEYCLOAK_LOGOUT_PROTOCOL);
        EventBuilder event = new EventBuilder(realm, session, connection);
        LoginProtocol protocol = session.getProvider(LoginProtocol.class, method);
        protocol.setRealm(realm)
                .setHttpHeaders(headers)
                .setUriInfo(uriInfo)
                .setEventBuilder(event);
        Response response = protocol.finishLogout(userSession);
        session.sessions().removeUserSession(realm, userSession);
        session.authenticationSessions().removeRootAuthenticationSession(realm, logoutAuthSession.getParentSession());
        return response;
    }

finishedRequiredActions()

static Response org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions ( KeycloakSession  session, AuthenticationSessionModel  authSession, UserSessionModel  userSession, ClientConnection  clientConnection, HttpRequest  request, UriInfo  uriInfo, EventBuilder  event  )

inlinestaticinherited

                                                                                                                                                {
        String actionTokenKeyToInvalidate = authSession.getAuthNote(INVALIDATE_ACTION_TOKEN);
        if (actionTokenKeyToInvalidate != null) {
            ActionTokenKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate);
            
            if (actionTokenKey != null) {
                ActionTokenStoreProvider actionTokenStore = session.getProvider(ActionTokenStoreProvider.class);
                actionTokenStore.put(actionTokenKey, null); // Token is invalidated
            }
        }

        if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) {
            LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
                    .setSuccess(Messages.ACCOUNT_UPDATED);
            if (authSession.getAuthNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) {
                if (authSession.getRedirectUri() != null) {
                    infoPage.setAttribute("pageRedirectUri", authSession.getRedirectUri());
                }

            } else {
                infoPage.setAttribute(Constants.SKIP_LINK, true);
            }
            Response response = infoPage
                    .createInfoPage();

            new AuthenticationSessionManager(session).removeAuthenticationSession(authSession.getRealm(), authSession, true);

            return response;
        }
        RealmModel realm = authSession.getRealm();

        ClientSessionContext clientSessionCtx = AuthenticationProcessor.attachSession(authSession, userSession, session, realm, clientConnection, event);
        userSession = clientSessionCtx.getClientSession().getUserSession();

        event.event(EventType.LOGIN);
        event.session(userSession);
        event.success();
        return redirectAfterSuccessfulFlow(session, realm, userSession, clientSessionCtx, request, uriInfo, clientConnection, event, authSession.getProtocol());
    }

getAccountCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getAccountCookiePath ( RealmModel  realm, UriInfo  uriInfo  )

inlinestaticinherited

                                                                                 {
        URI uri = RealmsResource.accountUrl(uriInfo.getBaseUriBuilder()).build(realm.getName());
        return uri.getRawPath();
    }

getClientLogoutAction()

static AuthenticationSessionModel.Action org.keycloak.services.managers.AuthenticationManager.getClientLogoutAction ( AuthenticationSessionModel  logoutAuthSession, String  clientUuid  )

inlinestaticinherited

Returns the logout state of the particular client as per the

logoutAuthSession 

引数

logoutAuthSession	logoutAuthSession. May be null in which case this is a no-op.
clientUuid	Internal ID of the client. Must not be null

戻り値

State if it can be determined,

null 

otherwise.

                                                                                                                                           {
        if (logoutAuthSession == null || clientUuid == null) {
            return null;
        }

        String state = logoutAuthSession.getAuthNote(CLIENT_LOGOUT_STATE + clientUuid);
        return state == null ? null : AuthenticationSessionModel.Action.valueOf(state);
    }

getIdentityCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getIdentityCookiePath ( RealmModel  realm, UriInfo  uriInfo  )

inlinestaticprotectedinherited

                                                                                     {
        return getRealmCookiePath(realm, uriInfo);
    }

getOldCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getOldCookiePath ( RealmModel  realm, UriInfo  uriInfo  )

inlinestaticinherited

                                                                             {
        URI uri = RealmsResource.realmBaseUrl(uriInfo).build(realm.getName());
        return uri.getRawPath();
    }

getRealmCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getRealmCookiePath ( RealmModel  realm, UriInfo  uriInfo  )

inlinestaticinherited

                                                                               {
        URI uri = RealmsResource.realmBaseUrl(uriInfo).build(realm.getName());
        // KEYCLOAK-5270
        return uri.getRawPath() + "/";
    }

getRememberMeUsername()

static String org.keycloak.services.managers.AuthenticationManager.getRememberMeUsername ( RealmModel  realm, HttpHeaders  headers  )

inlinestaticinherited

                                                                                      {
        if (realm.isRememberMe()) {
            Cookie cookie = headers.getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
            if (cookie != null) {
                String value = cookie.getValue();
                String[] s = value.split(":");
                if (s[0].equals("username") && s.length == 2) {
                    return s[1];
                }
            }
        }
        return null;
    }

isOfflineSessionValid()

static boolean org.keycloak.services.managers.AuthenticationManager.isOfflineSessionValid ( RealmModel  realm, UserSessionModel  userSession  )

inlinestaticinherited

                                                                                                {
        if (userSession == null) {
            logger.debug("No offline user session");
            return false;
        }
        int currentTime = Time.currentTime();
        // Additional time window is added for the case when session was updated in different DC and the update to current DC was postponed
        int maxIdle = realm.getOfflineSessionIdleTimeout() + SessionTimeoutHelper.IDLE_TIMEOUT_WINDOW_SECONDS;

        // KEYCLOAK-7688 Offline Session Max for Offline Token
        if (realm.isOfflineSessionMaxLifespanEnabled()) {
            int max = userSession.getStarted() + realm.getOfflineSessionMaxLifespan();
            return userSession.getLastSessionRefresh() + maxIdle > currentTime && max > currentTime;
        } else {
            return userSession.getLastSessionRefresh() + maxIdle > currentTime;
        }
    }

isSessionValid()

static boolean org.keycloak.services.managers.AuthenticationManager.isSessionValid ( RealmModel  realm, UserSessionModel  userSession  )

inlinestaticinherited

                                                                                         {
        if (userSession == null) {
            logger.debug("No user session");
            return false;
        }
        int currentTime = Time.currentTime();
        int max = userSession.getStarted() + realm.getSsoSessionMaxLifespan();

        // Additional time window is added for the case when session was updated in different DC and the update to current DC was postponed
        int maxIdle = realm.getSsoSessionIdleTimeout() + SessionTimeoutHelper.IDLE_TIMEOUT_WINDOW_SECONDS;

        return userSession.getLastSessionRefresh() + maxIdle > currentTime && max > currentTime;
    }

isSSOAuthentication()

static boolean org.keycloak.services.managers.AuthenticationManager.isSSOAuthentication ( AuthenticatedClientSessionModel  clientSession )

inlinestaticinherited

                                                                                             {
        String ssoAuth = clientSession.getNote(SSO_AUTH);
        return Boolean.parseBoolean(ssoAuth);
    }

nextActionAfterAuthentication()

static Response org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication ( KeycloakSession  session, AuthenticationSessionModel  authSession, ClientConnection  clientConnection, HttpRequest  request, UriInfo  uriInfo, EventBuilder  event  )

inlinestaticinherited

                                                                                                            {
        Response requiredAction = actionRequired(session, authSession, clientConnection, request, uriInfo, event);
        if (requiredAction != null) return requiredAction;
        return finishedRequiredActions(session, authSession, null, clientConnection, request, uriInfo, event);

    }

nextRequiredAction()

static String org.keycloak.services.managers.AuthenticationManager.nextRequiredAction ( final KeycloakSession  session, final AuthenticationSessionModel  authSession, final ClientConnection  clientConnection, final HttpRequest  request, final UriInfo  uriInfo, final EventBuilder  event  )

inlinestaticinherited

                                                                                                                        {
        final RealmModel realm = authSession.getRealm();
        final UserModel user = authSession.getAuthenticatedUser();
        final ClientModel client = authSession.getClient();

        evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user);

        if (!user.getRequiredActions().isEmpty()) {
            return user.getRequiredActions().iterator().next();
        }
        if (!authSession.getRequiredActions().isEmpty()) {
            return authSession.getRequiredActions().iterator().next();
        }

        if (client.isConsentRequired()) {

            UserConsentModel grantedConsent = getEffectiveGrantedConsent(session, authSession);

            // See if any clientScopes need to be approved on consent screen
            List<ClientScopeModel> clientScopesToApprove = getClientScopesToApproveOnConsentScreen(realm, grantedConsent, authSession);
            if (!clientScopesToApprove.isEmpty()) {
                return CommonClientSessionModel.Action.OAUTH_GRANT.name();
            }

            String consentDetail = (grantedConsent != null) ? Details.CONSENT_VALUE_PERSISTED_CONSENT : Details.CONSENT_VALUE_NO_CONSENT_REQUIRED;
            event.detail(Details.CONSENT, consentDetail);
        } else {
            event.detail(Details.CONSENT, Details.CONSENT_VALUE_NO_CONSENT_REQUIRED);
        }
        return null;

    }

redirectAfterSuccessfulFlow() [1/2]

static Response org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow ( KeycloakSession  session, RealmModel  realm, UserSessionModel  userSession, ClientSessionContext  clientSessionCtx, HttpRequest  request, UriInfo  uriInfo, ClientConnection  clientConnection, EventBuilder  event, String  protocol  )

inlinestaticinherited

                                                                                     {
        LoginProtocol protocolImpl = session.getProvider(LoginProtocol.class, protocol);
        protocolImpl.setRealm(realm)
                .setHttpHeaders(request.getHttpHeaders())
                .setUriInfo(uriInfo)
                .setEventBuilder(event);
        return redirectAfterSuccessfulFlow(session, realm, userSession, clientSessionCtx, request, uriInfo, clientConnection, event, protocolImpl);

    }

redirectAfterSuccessfulFlow() [2/2]

static Response org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow ( KeycloakSession  session, RealmModel  realm, UserSessionModel  userSession, ClientSessionContext  clientSessionCtx, HttpRequest  request, UriInfo  uriInfo, ClientConnection  clientConnection, EventBuilder  event, LoginProtocol  protocol  )

inlinestaticinherited

                                                                                                   {
        Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
        if (sessionCookie != null) {

            String[] split = sessionCookie.getValue().split("/");
            if (split.length >= 3) {
                String oldSessionId = split[2];
                if (!oldSessionId.equals(userSession.getId())) {
                    UserSessionModel oldSession = session.sessions().getUserSession(realm, oldSessionId);
                    if (oldSession != null) {
                        logger.debugv("Removing old user session: session: {0}", oldSessionId);
                        session.sessions().removeUserSession(realm, oldSession);
                    }
                }
            }
        }

        // Updates users locale if required
        session.getContext().resolveLocale(userSession.getUser());

        // refresh the cookies!
        createLoginCookie(session, realm, userSession.getUser(), userSession, uriInfo, clientConnection);
        if (userSession.getState() != UserSessionModel.State.LOGGED_IN) userSession.setState(UserSessionModel.State.LOGGED_IN);
        if (userSession.isRememberMe()) {
            createRememberMeCookie(realm, userSession.getLoginUsername(), uriInfo, clientConnection);
        } else {
            expireRememberMeCookie(realm, uriInfo, clientConnection);
        }

        AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();

        // Update userSession note with authTime. But just if flag SSO_AUTH is not set
        boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
        if (isSSOAuthentication) {
            clientSession.setNote(SSO_AUTH, "true");
        } else {
            int authTime = Time.currentTime();
            userSession.setNote(AUTH_TIME, String.valueOf(authTime));
            clientSession.removeNote(SSO_AUTH);
        }

        return protocol.authenticated(userSession, clientSessionCtx);

    }

redirectToRequiredActions()

static Response org.keycloak.services.managers.AuthenticationManager.redirectToRequiredActions ( KeycloakSession  session, RealmModel  realm, AuthenticationSessionModel  authSession, UriInfo  uriInfo, String  requiredAction  )

inlinestaticinherited

                                                                                                                                                                                {
        // redirect to non-action url so browser refresh button works without reposting past data
        ClientSessionCode<AuthenticationSessionModel> accessCode = new ClientSessionCode<>(session, realm, authSession);
        accessCode.setAction(AuthenticationSessionModel.Action.REQUIRED_ACTIONS.name());
        authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, LoginActionsService.REQUIRED_ACTION);
        authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, requiredAction);

        UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo)
                .path(LoginActionsService.REQUIRED_ACTION);

        if (requiredAction != null) {
            uriBuilder.queryParam(Constants.EXECUTION, requiredAction);
        }

        uriBuilder.queryParam(Constants.CLIENT_ID, authSession.getClient().getClientId());
        uriBuilder.queryParam(Constants.TAB_ID, authSession.getTabId());

        if (uriInfo.getQueryParameters().containsKey(LoginActionsService.AUTH_SESSION_ID)) {
            uriBuilder.queryParam(LoginActionsService.AUTH_SESSION_ID, authSession.getParentSession().getId());

        }

        URI redirect = uriBuilder.build(realm.getName());
        return Response.status(302).location(redirect).build();

    }

setClientLogoutAction()

static void org.keycloak.services.managers.AuthenticationManager.setClientLogoutAction ( AuthenticationSessionModel  logoutAuthSession, String  clientUuid, AuthenticationSessionModel.Action  action  )

inlinestaticinherited

Sets logout state of the particular client into the

logoutAuthSession 

引数

logoutAuthSession	logoutAuthSession. May be null in which case this is a no-op.
clientUuid	Client. Must not be null
action

                                                                                                                                                        {
        if (logoutAuthSession != null && clientUuid != null) {
            logoutAuthSession.setAuthNote(CLIENT_LOGOUT_STATE + clientUuid, action.name());
        }
    }

setClientScopesInSession()

static void org.keycloak.services.managers.AuthenticationManager.setClientScopesInSession ( AuthenticationSessionModel  authSession )

inlinestaticinherited

                                                                                        {
        ClientModel client = authSession.getClient();
        UserModel user = authSession.getAuthenticatedUser();

        // todo scope param protocol independent
        String scopeParam = authSession.getClientNote(OAuth2Constants.SCOPE);

        Set<String> requestedClientScopes = new HashSet<String>();
        for (ClientScopeModel clientScope : org.keycloak.protocol.oidc.TokenManager.getRequestedClientScopes(scopeParam, client)) {
            requestedClientScopes.add(clientScope.getId());
        }
        authSession.setClientScopes(requestedClientScopes);
    }

verifyIdentityToken()

static AuthResult org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken ( KeycloakSession  session, RealmModel  realm, UriInfo  uriInfo, ClientConnection  connection, boolean  checkActive, boolean  checkTokenType, boolean  isCookie, String  tokenString, HttpHeaders  headers  )

inlinestaticinherited

                                                                                                               {
        try {
            TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
              .withDefaultChecks()
              .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
              .checkActive(checkActive)
              .checkTokenType(checkTokenType);
            String kid = verifier.getHeader().getKeyId();
            String algorithm = verifier.getHeader().getAlgorithm().name();

            SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
            verifier.verifierContext(signatureVerifier);

            AccessToken token = verifier.verify().getToken();
            if (checkActive) {
                if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
                    logger.debug("Identity cookie expired");
                    return null;
                }
            }

            UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
            UserModel user = null;
            if (userSession != null) {
                user = userSession.getUser();
                if (user == null || !user.isEnabled()) {
                    logger.debug("Unknown user in identity token");
                    return null;
                }

                int userNotBefore = session.users().getNotBeforeOfUser(realm, user);
                if (token.getIssuedAt() < userNotBefore) {
                    logger.debug("User notBefore newer than token");
                    return null;
                }
            }

            if (!isSessionValid(realm, userSession)) {
                // Check if accessToken was for the offline session.
                if (!isCookie) {
                    UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
                    if (isOfflineSessionValid(realm, offlineUserSession)) {
                        user = offlineUserSession.getUser();
                        return new AuthResult(user, offlineUserSession, token);
                    }
                }

                if (userSession != null) backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
                logger.debug("User session not active");
                return null;
            }

            session.setAttribute("state_checker", token.getOtherClaims().get("state_checker"));

            return new AuthResult(user, userSession, token);
        } catch (VerificationException e) {
            logger.debugf("Failed to verify identity token: %s", e.getMessage());
        }
        return null;
    }

メンバ詳解

AUTH_TIME

final String org.keycloak.services.managers.AuthenticationManager.AUTH_TIME = "AUTH_TIME"

staticinherited

CLIENT_LOGOUT_STATE

final String org.keycloak.services.managers.AuthenticationManager.CLIENT_LOGOUT_STATE = "logout.state."

staticinherited

Auth session note on client logout state (when logging out)

END_AFTER_REQUIRED_ACTIONS

final String org.keycloak.services.managers.AuthenticationManager.END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS"

staticinherited

FORM_USERNAME

final String org.keycloak.services.managers.AuthenticationManager.FORM_USERNAME = "username"

staticinherited

INVALIDATE_ACTION_TOKEN

final String org.keycloak.services.managers.AuthenticationManager.INVALIDATE_ACTION_TOKEN = "INVALIDATE_ACTION_TOKEN"

staticinherited

KEYCLOAK_IDENTITY_COOKIE

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY"

staticinherited

KEYCLOAK_LOGOUT_PROTOCOL

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL = "KEYCLOAK_LOGOUT_PROTOCOL"

staticinherited

KEYCLOAK_REMEMBER_ME

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME"

staticinherited

KEYCLOAK_SESSION_COOKIE

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION"

staticinherited

logger

final Logger org.keycloak.services.managers.AuthenticationManager.logger = Logger.getLogger(AuthenticationManager.class)

staticprotectedinherited

SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS

final String org.keycloak.services.managers.AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS = "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS"

staticinherited

SSO_AUTH

final String org.keycloak.services.managers.AuthenticationManager.SSO_AUTH = "SSO_AUTH"

staticinherited

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/oidc-service/src/main/java/org/keycloak/services/managers/AppAuthManager.java