org.keycloak.protocol.oidc.endpoints.LogoutEndpoint 連携図

公開メンバ関数
	LogoutEndpoint (TokenManager tokenManager, RealmModel realm, EventBuilder event)

Response	logout (@QueryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM) String redirectUri, @QueryParam("id_token_hint") String encodedIdToken, @QueryParam("post_logout_redirect_uri") String postLogoutRedirectUri, @QueryParam("state") String state)

Response	logoutToken ()

非公開メンバ関数
void	logout (UserSessionModel userSession, boolean offline)

ClientModel	authorizeClient ()

void	checkSsl ()

非公開変数類
KeycloakSession	session

ClientConnection	clientConnection

HttpRequest	request

HttpHeaders	headers

TokenManager	tokenManager

RealmModel	realm

EventBuilder	event

静的非公開変数類
static final Logger	logger = Logger.getLogger(LogoutEndpoint.class)

詳解

著者: Stian Thorgersen

構築子と解体子

◆ LogoutEndpoint()

org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.LogoutEndpoint	(	TokenManager	tokenManager,
		RealmModel	realm,
		EventBuilder	event
	)

inline

                                                                                            {
         this.tokenManager = tokenManager;
         this.realm = realm;
         this.event = event;
     }

関数詳解

◆ authorizeClient()

ClientModel org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.authorizeClient ( )

inlineprivate

                                           {
         ClientModel client = AuthorizeClientUtil.authorizeClient(session, event).getClient();
 
         if (client.isBearerOnly()) {
             throw new ErrorResponseException("invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
         }
 
         return client;
     }

◆ checkSsl()

void org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.checkSsl ( )

inlineprivate

                             {
         if (!session.getContext().getUri().getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
             throw new ErrorResponseException("invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
         }
     }

◆ logout() [1/2]

Response org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout	(	@QueryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM) String	redirectUri,
		@QueryParam("id_token_hint") String	encodedIdToken,
		@QueryParam("post_logout_redirect_uri") String	postLogoutRedirectUri,
		@QueryParam("state") String	state
	)

inline

Logout user session. User must be logged in via a session cookie.

引数

redirectUri

戻り値

                                                               {
         String redirect = postLogoutRedirectUri != null ? postLogoutRedirectUri : redirectUri;
 
         if (redirect != null) {
             String validatedUri = RedirectUtils.verifyRealmRedirectUri(session.getContext().getUri(), redirect, realm);
             if (validatedUri == null) {
                 event.event(EventType.LOGOUT);
                 event.detail(Details.REDIRECT_URI, redirect);
                 event.error(Errors.INVALID_REDIRECT_URI);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI);
             }
             redirect = validatedUri;
         }
 
         UserSessionModel userSession = null;
         if (encodedIdToken != null) {
             try {
                 IDToken idToken = tokenManager.verifyIDTokenSignature(session, encodedIdToken);
                 userSession = session.sessions().getUserSession(realm, idToken.getSessionState());
             } catch (OAuthErrorException e) {
                 event.event(EventType.LOGOUT);
                 event.error(Errors.INVALID_TOKEN);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.SESSION_NOT_ACTIVE);
             }
         }
 
         // authenticate identity cookie, but ignore an access token timeout as we're logging out anyways.
         AuthenticationManager.AuthResult authResult = AuthenticationManager.authenticateIdentityCookie(session, realm, false);
         if (authResult != null) {
             userSession = userSession != null ? userSession : authResult.getSession();
             if (redirect != null) userSession.setNote(OIDCLoginProtocol.LOGOUT_REDIRECT_URI, redirect);
             if (state != null) userSession.setNote(OIDCLoginProtocol.LOGOUT_STATE_PARAM, state);
             userSession.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, OIDCLoginProtocol.LOGIN_PROTOCOL);
             logger.debug("Initiating OIDC browser logout");
             Response response =  AuthenticationManager.browserLogout(session, realm, authResult.getSession(), session.getContext().getUri(), clientConnection, headers);
             logger.debug("finishing OIDC browser logout");
             return response;
         } else if (userSession != null) { // non browser logout
             event.event(EventType.LOGOUT);
             AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, true);
             event.user(userSession.getUser()).session(userSession).success();
         }
 
         if (redirect != null) {
             UriBuilder uriBuilder = UriBuilder.fromUri(redirect);
             if (state != null) uriBuilder.queryParam(OIDCLoginProtocol.STATE_PARAM, state);
             return Response.status(302).location(uriBuilder.build()).build();
         } else {
             return Response.ok().build();
         }
     }

◆ logout() [2/2]

void org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout	(	UserSessionModel	userSession,
		boolean	offline
	)

inlineprivate

                                                                        {
         AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, true, offline);
         event.user(userSession.getUser()).session(userSession).success();
     }

◆ logoutToken()

Response org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logoutToken ( )

inline

Logout a session via a non-browser invocation. Similar signature to refresh token except there is no grant_type. You must pass in the refresh token and authenticate the client if it is not public.

If the client is a confidential client you must include the client-id and secret in an Basic Auth Authorization header.

If the client is a public client, then you must include a "client_id" form parameter.

returns 204 if successful, 400 if not with a json error response.

戻り値

                                   {
         MultivaluedMap<String, String> form = request.getDecodedFormParameters();
         checkSsl();
 
         event.event(EventType.LOGOUT);
 
         ClientModel client = authorizeClient();
         String refreshToken = form.getFirst(OAuth2Constants.REFRESH_TOKEN);
         if (refreshToken == null) {
             event.error(Errors.INVALID_TOKEN);
             throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "No refresh token", Response.Status.BAD_REQUEST);
         }
 
         RefreshToken token = null;
         try {
             // KEYCLOAK-6771 Certificate Bound Token
             token = tokenManager.verifyRefreshToken(session, realm, client, request, refreshToken, false);
 
             boolean offline = TokenUtil.TOKEN_TYPE_OFFLINE.equals(token.getType());
 
             UserSessionModel userSessionModel;
             if (offline) {
                 UserSessionManager sessionManager = new UserSessionManager(session);
                 userSessionModel = sessionManager.findOfflineUserSession(realm, token.getSessionState());
             } else {
                 userSessionModel = session.sessions().getUserSession(realm, token.getSessionState());
             }
 
             if (userSessionModel != null) {
                 logout(userSessionModel, offline);
             }
         } catch (OAuthErrorException e) {
             // KEYCLOAK-6771 Certificate Bound Token
             if (MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC.equals(e.getDescription())) {
                 event.error(Errors.NOT_ALLOWED);
                 throw new ErrorResponseException(e.getError(), e.getDescription(), Response.Status.UNAUTHORIZED);
             } else {
                 event.error(Errors.INVALID_TOKEN);
                 throw new ErrorResponseException(e.getError(), e.getDescription(), Response.Status.BAD_REQUEST);
             }
         }
 
         return Cors.add(request, Response.noContent()).auth().allowedOrigins(session.getContext().getUri(), client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
     }

メンバ詳解

◆ clientConnection

ClientConnection org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.clientConnection

private

◆ event

EventBuilder org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.event

private

◆ headers

HttpHeaders org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.headers

private

◆ logger

final Logger org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logger = Logger.getLogger(LogoutEndpoint.class)

staticprivate

◆ realm

RealmModel org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.realm

private

◆ request

HttpRequest org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.request

private

◆ session

KeycloakSession org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.session

private

◆ tokenManager

TokenManager org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.tokenManager

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java

公開メンバ関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ LogoutEndpoint()

関数詳解

◆ authorizeClient()

◆ checkSsl()

◆ logout() [1/2]

◆ logout() [2/2]

◆ logoutToken()

メンバ詳解

◆ clientConnection

◆ event

◆ headers

◆ logger

◆ realm

◆ request

◆ session

◆ tokenManager