keycloak-service
Class org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint
Inheritance diagram for org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint
Collaboration diagram for org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint

Classes

enum  Action
 

Public Member Functions

 AuthorizationEndpoint (RealmModel realm, EventBuilder event)
 
Response buildPost ()
 
Response buildGet ()
 
AuthorizationEndpoint register ()
 
AuthorizationEndpoint forgotCredentials ()
 

Static Public Attributes

static final String CODE_AUTH_TYPE = "code"
 
static final String LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"
 
static final String APP_INITIATED_FLOW = "APP_INITIATED_FLOW"
 

Protected Member Functions

AuthenticationProcessor createProcessor (AuthenticationSessionModel authSession, String flowId, String flowPath)
 
Response handleBrowserAuthenticationRequest (AuthenticationSessionModel authSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication)
 
AuthenticationFlowModel getAuthenticationFlow (AuthenticationSessionModel authSession)
 
void checkSsl ()
 
void checkRealm ()
 
AuthenticationSessionModel createAuthenticationSession (ClientModel client, String requestState)
 

Protected Attributes

RealmModel realm
 
EventBuilder event
 
AuthenticationManager authManager
 
HttpHeaders headers
 
HttpRequest httpRequest
 
KeycloakSession session
 
ClientConnection clientConnection
 

Private Member Functions

Response process (MultivaluedMap< String, String > params)
 
void checkClient (String clientId)
 
Response checkResponseType ()
 
Response checkOIDCParams ()
 
Response checkPKCEParams ()
 
boolean isValidPkceCodeChallenge (String codeChallenge)
 
Response redirectErrorToClient (OIDCResponseMode responseMode, String error, String errorDescription)
 
void checkRedirectUri ()
 
void updateAuthenticationSession ()
 
Response buildAuthorizationCodeAuthorizationResponse ()
 
Response buildRegister ()
 
Response buildForgotCredential ()
 

Private Attributes

ClientModel client
 
AuthenticationSessionModel authenticationSession
 
Action action
 
OIDCResponseType parsedResponseType
 
OIDCResponseMode parsedResponseMode
 
AuthorizationEndpointRequest request
 
String redirectUri
 

Static Private Attributes

static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class)
 
static final Pattern VALID_CODE_CHALLENGE_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$")
 

Detailed Description

Author
Stian Thorgersen

Class Documentation

◆ org::keycloak::protocol::oidc::endpoints::AuthorizationEndpoint::Action

enum org::keycloak::protocol::oidc::endpoints::AuthorizationEndpoint::Action
Collaboration diagram for org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.Action
Enumerator
CODE
FORGOT_CREDENTIALS
REGISTER

Constructor & Destructor Documentation

◆ AuthorizationEndpoint()

org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.AuthorizationEndpoint (RealmModel realm, EventBuilder event)
[inline]

    {
        super(realm, event);
        event.event(EventType.LOGIN);
    }

Member Function Documentation

◆ buildAuthorizationCodeAuthorizationResponse()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse ()
[inline, private]

    {
        this.event.event(EventType.LOGIN);
        authenticationSession.setAuthNote(Details.AUTH_TYPE, CODE_AUTH_TYPE);

        return handleBrowserAuthenticationRequest(authenticationSession,
                new OIDCLoginProtocol(session, realm, session.getContext().getUri(), headers, event),
                TokenUtil.hasPrompt(request.getPrompt(), OIDCLoginProtocol.PROMPT_VALUE_NONE), false);
    }

◆ buildForgotCredential()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildForgotCredential ()
[inline, private]

    {
        // Drop any existing identity cookie before starting the app-initiated reset-credentials flow
        authManager.expireIdentityCookie(realm, session.getContext().getUri(), clientConnection);

        AuthenticationFlowModel flow = realm.getResetCredentialsFlow();
        String flowId = flow.getId();

        AuthenticationProcessor processor = createProcessor(authenticationSession, flowId, LoginActionsService.RESET_CREDENTIALS_PATH);
        authenticationSession.setClientNote(APP_INITIATED_FLOW, LoginActionsService.RESET_CREDENTIALS_PATH);

        return processor.authenticate();
    }

◆ buildGet()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet ()
[inline]

    {
        logger.trace("Processing @GET request");
        return process(session.getContext().getUri().getQueryParameters());
    }

◆ buildPost()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildPost ()
[inline]

    {
        logger.trace("Processing @POST request");
        return process(httpRequest.getDecodedFormParameters());
    }

◆ buildRegister()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildRegister ()
[inline, private]

    {
        // Drop any existing identity cookie before starting the app-initiated registration flow
        authManager.expireIdentityCookie(realm, session.getContext().getUri(), clientConnection);

        AuthenticationFlowModel flow = realm.getRegistrationFlow();
        String flowId = flow.getId();

        AuthenticationProcessor processor = createProcessor(authenticationSession, flowId, LoginActionsService.REGISTRATION_PATH);
        authenticationSession.setClientNote(APP_INITIATED_FLOW, LoginActionsService.REGISTRATION_PATH);

        return processor.authenticate();
    }

◆ checkClient()

void org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkClient (String clientId)
[inline, private]

    {
        if (clientId == null) {
            event.error(Errors.INVALID_REQUEST);
            throw new ErrorPageException(session, authenticationSession, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
        }

        event.client(clientId);

        client = realm.getClientByClientId(clientId);
        if (client == null) {
            event.error(Errors.CLIENT_NOT_FOUND);
            throw new ErrorPageException(session, authenticationSession, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
        }

        if (!client.isEnabled()) {
            event.error(Errors.CLIENT_DISABLED);
            throw new ErrorPageException(session, authenticationSession, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED);
        }

        if (client.isBearerOnly()) {
            event.error(Errors.NOT_ALLOWED);
            throw new ErrorPageException(session, authenticationSession, Response.Status.FORBIDDEN, Messages.BEARER_ONLY);
        }

        session.getContext().setClient(client);
    }

◆ checkOIDCParams()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkOIDCParams ()
[inline, private]

    {
        // If request is not an OIDC request but a pure OAuth2 request and response_type is just 'token', then 'nonce' is not mandatory
        boolean isOIDCRequest = TokenUtil.isOIDCRequest(request.getScope());
        if (!isOIDCRequest && parsedResponseType.toString().equals(OIDCResponseType.TOKEN)) {
            return null;
        }

        // Implicit and hybrid flows return tokens from this endpoint, so OIDC requires a nonce to bind them to the request
        if (parsedResponseType.isImplicitOrHybridFlow() && request.getNonce() == null) {
            ServicesLogger.LOGGER.missingParameter(OIDCLoginProtocol.NONCE_PARAM);
            event.error(Errors.INVALID_REQUEST);
            return redirectErrorToClient(parsedResponseMode, OAuthErrorException.INVALID_REQUEST, "Missing parameter: nonce");
        }

        return null;
    }

◆ checkPKCEParams()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkPKCEParams ()
[inline, private]

    {
        String codeChallenge = request.getCodeChallenge();
        String codeChallengeMethod = request.getCodeChallengeMethod();

        // PKCE is not adopted for the OAuth2 Implicit Grant and OIDC Implicit Flow;
        // it is adopted for the OAuth2 Authorization Code Grant and the OIDC Authorization Code Flow and Hybrid Flow,
        // namely, flows using an authorization code.
        if (parsedResponseType.isImplicitFlow()) return null;

        if (codeChallenge == null && codeChallengeMethod != null) {
            logger.info("PKCE supporting Client without code challenge");
            event.error(Errors.INVALID_REQUEST);
            return redirectErrorToClient(parsedResponseMode, OAuthErrorException.INVALID_REQUEST, "Missing parameter: code_challenge");
        }

        // based on the code_challenge value, decide whether this client (RP) supports PKCE
        if (codeChallenge == null) {
            logger.debug("PKCE non-supporting Client");
            return null;
        }

        if (codeChallengeMethod != null) {
            // https://tools.ietf.org/html/rfc7636#section-4.2
            // plain or S256
            if (!codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_S256) && !codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_PLAIN)) {
                logger.infof("PKCE supporting Client with invalid code challenge method not specified in PKCE, codeChallengeMethod = %s", codeChallengeMethod);
                event.error(Errors.INVALID_REQUEST);
                return redirectErrorToClient(parsedResponseMode, OAuthErrorException.INVALID_REQUEST, "Invalid parameter: code_challenge_method");
            }
        } else {
            // https://tools.ietf.org/html/rfc7636#section-4.3
            // default code_challenge_method is plain
            codeChallengeMethod = OIDCLoginProtocol.PKCE_METHOD_PLAIN;
        }

        if (!isValidPkceCodeChallenge(codeChallenge)) {
            logger.infof("PKCE supporting Client with invalid code challenge specified in PKCE, codeChallenge = %s", codeChallenge);
            event.error(Errors.INVALID_REQUEST);
            return redirectErrorToClient(parsedResponseMode, OAuthErrorException.INVALID_REQUEST, "Invalid parameter: code_challenge");
        }

        return null;
    }

◆ checkRealm()

void org.keycloak.protocol.AuthorizationEndpointBase.checkRealm ()
[inline, protected, inherited]

    {
        if (!realm.isEnabled()) {
            event.error(Errors.REALM_DISABLED);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED);
        }
    }

◆ checkRedirectUri()

void org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkRedirectUri ()
[inline, private]

    {
        String redirectUriParam = request.getRedirectUriParam();
        boolean isOIDCRequest = TokenUtil.isOIDCRequest(request.getScope());

        event.detail(Details.REDIRECT_URI, redirectUriParam);

        // redirect_uri parameter is required per OpenID Connect, but optional per OAuth2
        redirectUri = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), redirectUriParam, realm, client, isOIDCRequest);
        if (redirectUri == null) {
            event.error(Errors.INVALID_REDIRECT_URI);
            throw new ErrorPageException(session, authenticationSession, Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, OIDCLoginProtocol.REDIRECT_URI_PARAM);
        }
    }

◆ checkResponseType()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkResponseType ()
[inline, private]

    {
        String responseType = request.getResponseType();

        if (responseType == null) {
            ServicesLogger.LOGGER.missingParameter(OAuth2Constants.RESPONSE_TYPE);
            event.error(Errors.INVALID_REQUEST);
            return redirectErrorToClient(OIDCResponseMode.QUERY, OAuthErrorException.INVALID_REQUEST, "Missing parameter: response_type");
        }

        event.detail(Details.RESPONSE_TYPE, responseType);

        try {
            parsedResponseType = OIDCResponseType.parse(responseType);
            if (action == null) {
                action = Action.CODE;
            }
        } catch (IllegalArgumentException iae) {
            logger.error(iae.getMessage());
            event.error(Errors.INVALID_REQUEST);
            return redirectErrorToClient(OIDCResponseMode.QUERY, OAuthErrorException.UNSUPPORTED_RESPONSE_TYPE, null);
        }

        OIDCResponseMode parsedResponseMode = null;
        try {
            parsedResponseMode = OIDCResponseMode.parse(request.getResponseMode(), parsedResponseType);
        } catch (IllegalArgumentException iae) {
            ServicesLogger.LOGGER.invalidParameter(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
            event.error(Errors.INVALID_REQUEST);
            return redirectErrorToClient(OIDCResponseMode.QUERY, OAuthErrorException.INVALID_REQUEST, "Invalid parameter: response_mode");
        }

        event.detail(Details.RESPONSE_MODE, parsedResponseMode.toString().toLowerCase());

        // Disallowed by OIDC specs
        if (parsedResponseType.isImplicitOrHybridFlow() && parsedResponseMode == OIDCResponseMode.QUERY) {
            ServicesLogger.LOGGER.responseModeQueryNotAllowed();
            event.error(Errors.INVALID_REQUEST);
            return redirectErrorToClient(OIDCResponseMode.QUERY, OAuthErrorException.INVALID_REQUEST, "Response_mode 'query' not allowed for implicit or hybrid flow");
        }

        if ((parsedResponseType.hasResponseType(OIDCResponseType.CODE) || parsedResponseType.hasResponseType(OIDCResponseType.NONE)) && !client.isStandardFlowEnabled()) {
            ServicesLogger.LOGGER.flowNotAllowed("Standard");
            event.error(Errors.NOT_ALLOWED);
            return redirectErrorToClient(parsedResponseMode, OAuthErrorException.UNSUPPORTED_RESPONSE_TYPE, "Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.");
        }

        if (parsedResponseType.isImplicitOrHybridFlow() && !client.isImplicitFlowEnabled()) {
            ServicesLogger.LOGGER.flowNotAllowed("Implicit");
            event.error(Errors.NOT_ALLOWED);
            return redirectErrorToClient(parsedResponseMode, OAuthErrorException.UNSUPPORTED_RESPONSE_TYPE, "Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client.");
        }

        this.parsedResponseMode = parsedResponseMode;

        return null;
    }

◆ checkSsl()

void org.keycloak.protocol.AuthorizationEndpointBase.checkSsl ()
[inline, protected, inherited]

    {
        if (!session.getContext().getUri().getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
            event.error(Errors.SSL_REQUIRED);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED);
        }
    }

◆ createAuthenticationSession()

AuthenticationSessionModel org.keycloak.protocol.AuthorizationEndpointBase.createAuthenticationSession (ClientModel client, String requestState)
[inline, protected, inherited]

    {
        AuthenticationSessionManager manager = new AuthenticationSessionManager(session);
        RootAuthenticationSessionModel rootAuthSession = manager.getCurrentRootAuthenticationSession(realm);

        AuthenticationSessionModel authSession;

        if (rootAuthSession != null) {
            authSession = rootAuthSession.createAuthenticationSession(client);

            logger.debugf("Sent request to authz endpoint. Root authentication session with ID '%s' exists. Client is '%s' . Created new authentication session with tab ID: %s",
                    rootAuthSession.getId(), client.getClientId(), authSession.getTabId());
        } else {
            UserSessionCrossDCManager userSessionCrossDCManager = new UserSessionCrossDCManager(session);
            UserSessionModel userSession = userSessionCrossDCManager.getUserSessionIfExistsRemotely(manager, realm);

            if (userSession != null) {
                String userSessionId = userSession.getId();
                rootAuthSession = session.authenticationSessions().createRootAuthenticationSession(userSessionId, realm);
                authSession = rootAuthSession.createAuthenticationSession(client);
                logger.debugf("Sent request to authz endpoint. We don't have root authentication session with ID '%s' but we have userSession." +
                        "Re-created root authentication session with same ID. Client is: %s . New authentication session tab ID: %s", userSessionId, client.getClientId(), authSession.getTabId());
            } else {
                rootAuthSession = manager.createAuthenticationSession(realm, true);
                authSession = rootAuthSession.createAuthenticationSession(client);
                logger.debugf("Sent request to authz endpoint. Created new root authentication session with ID '%s' . Client: %s . New authentication session tab ID: %s",
                        rootAuthSession.getId(), client.getClientId(), authSession.getTabId());
            }
        }

        session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession);

        return authSession;

    }

◆ createProcessor()

AuthenticationProcessor org.keycloak.protocol.AuthorizationEndpointBase.createProcessor (AuthenticationSessionModel authSession, String flowId, String flowPath)
[inline, protected, inherited]

    {
        AuthenticationProcessor processor = new AuthenticationProcessor();
        processor.setAuthenticationSession(authSession)
                .setFlowPath(flowPath)
                .setFlowId(flowId)
                .setBrowserFlow(true)
                .setConnection(clientConnection)
                .setEventBuilder(event)
                .setRealm(realm)
                .setSession(session)
                .setUriInfo(session.getContext().getUri())
                .setRequest(httpRequest);

        authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath);

        return processor;
    }

◆ forgotCredentials()

AuthorizationEndpoint org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.forgotCredentials ()
[inline]

    {
        event.event(EventType.RESET_PASSWORD);
        action = Action.FORGOT_CREDENTIALS;

        if (!realm.isResetPasswordAllowed()) {
            throw new ErrorPageException(session, authenticationSession, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
        }

        return this;
    }

◆ getAuthenticationFlow()

AuthenticationFlowModel org.keycloak.protocol.AuthorizationEndpointBase.getAuthenticationFlow (AuthenticationSessionModel authSession)
[inline, protected, inherited]

    {
        return AuthenticationFlowResolver.resolveBrowserFlow(authSession);
    }

◆ handleBrowserAuthenticationRequest()

Response org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest (AuthenticationSessionModel authSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication)
[inline, protected, inherited]

Common method to handle a browser authentication request in a protocol-unified way.

Parameters
    authSession               the authentication session for the current request
    protocol                  handler for the protocol used to initiate login
    isPassive                 set to true if login should be passive (without a login screen shown)
    redirectToAuthentication  if true, redirect to the flow URL. If the initial call to the protocol is a POST, you probably want to do this, so that the browser's back button can be disabled
Returns
    response to be returned to the browser

    {
        AuthenticationFlowModel flow = getAuthenticationFlow(authSession);
        String flowId = flow.getId();
        AuthenticationProcessor processor = createProcessor(authSession, flowId, LoginActionsService.AUTHENTICATE_PATH);
        event.detail(Details.CODE_ID, authSession.getParentSession().getId());
        if (isPassive) {
            // OIDC prompt == NONE or SAML 2 IsPassive flag
            // This means that client is just checking if the user is already completely logged in.
            // We cancel login if any authentication action or required action is required
            try {
                if (processor.authenticateOnly() == null) {
                    // processor.attachSession();
                } else {
                    Response response = protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED);
                    return response;
                }

                AuthenticationManager.setClientScopesInSession(authSession);

                if (processor.nextRequiredAction() != null) {
                    Response response = protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED);
                    return response;
                }

                // Attach session once no requiredActions or other things are required
                processor.attachSession();
            } catch (Exception e) {
                return processor.handleBrowserException(e);
            }
            return processor.finishAuthentication(protocol);
        } else {
            try {
                RestartLoginCookie.setRestartCookie(session, realm, clientConnection, session.getContext().getUri(), authSession);
                if (redirectToAuthentication) {
                    return processor.redirectToFlow();
                }
                return processor.authenticate();
            } catch (Exception e) {
                return processor.handleBrowserException(e);
            }
        }
    }

◆ isValidPkceCodeChallenge()

boolean org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.isValidPkceCodeChallenge (String codeChallenge)
[inline, private]

    {
        if (codeChallenge.length() < OIDCLoginProtocol.PKCE_CODE_CHALLENGE_MIN_LENGTH) {
            logger.debugf("PKCE codeChallenge length under lower limit , codeChallenge = %s", codeChallenge);
            return false;
        }
        if (codeChallenge.length() > OIDCLoginProtocol.PKCE_CODE_CHALLENGE_MAX_LENGTH) {
            logger.debugf("PKCE codeChallenge length over upper limit , codeChallenge = %s", codeChallenge);
            return false;
        }
        Matcher m = VALID_CODE_CHALLENGE_PATTERN.matcher(codeChallenge);
        return m.matches();
    }
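The two PKCE methods above, checkPKCEParams() and isValidPkceCodeChallenge(), only validate the shape of what the client sends; they are easiest to reason about next to the RFC 7636 derivation that produces a valid challenge. The following is an added, stand-alone example written for this page, not Keycloak code: it re-implements the same checks (method-without-challenge, unknown method, default to plain, length bounds, unreserved-character pattern) and derives an S256 challenge from a fresh verifier so the validator can be exercised against realistic input. The length limits 43 and 128 are the RFC 7636 values; the assumption here is that Keycloak's OIDCLoginProtocol.PKCE_CODE_CHALLENGE_MIN_LENGTH / MAX_LENGTH, which this page does not show, hold those same values. The class name PkceChallengeCheck and the Result enum are invented for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

/**
 * Added example, not Keycloak code: the code_challenge / code_challenge_method checks
 * of checkPKCEParams() and isValidPkceCodeChallenge() as plain Java, plus the RFC 7636
 * S256 derivation used to build a challenge worth validating.
 */
public class PkceChallengeCheck {

    // Same character class as AuthorizationEndpoint.VALID_CODE_CHALLENGE_PATTERN (RFC 7636 unreserved characters)
    static final Pattern VALID_CODE_CHALLENGE_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$");
    // RFC 7636 section 4.1 bounds; assumed equal to Keycloak's PKCE_CODE_CHALLENGE_MIN_LENGTH / MAX_LENGTH
    static final int MIN_LENGTH = 43;
    static final int MAX_LENGTH = 128;

    /** Outcomes mirroring the return paths of checkPKCEParams(). */
    enum Result { NOT_USED, OK, MISSING_CODE_CHALLENGE, INVALID_METHOD, INVALID_CHALLENGE }

    /** Equivalent of isValidPkceCodeChallenge(): length bounds first, then the unreserved-character pattern. */
    static boolean isValidCodeChallenge(String codeChallenge) {
        if (codeChallenge.length() < MIN_LENGTH || codeChallenge.length() > MAX_LENGTH) {
            return false;
        }
        return VALID_CODE_CHALLENGE_PATTERN.matcher(codeChallenge).matches();
    }

    /** Equivalent of checkPKCEParams() for a code-based flow (the caller already skipped the implicit flow). */
    static Result checkPkceParams(String codeChallenge, String codeChallengeMethod) {
        if (codeChallenge == null && codeChallengeMethod != null) {
            return Result.MISSING_CODE_CHALLENGE;   // a method was named but no challenge was sent
        }
        if (codeChallenge == null) {
            return Result.NOT_USED;                 // this client does not use PKCE at all
        }
        if (codeChallengeMethod == null) {
            codeChallengeMethod = "plain";          // RFC 7636 section 4.3 default
        } else if (!codeChallengeMethod.equals("S256") && !codeChallengeMethod.equals("plain")) {
            return Result.INVALID_METHOD;           // only plain and S256 are defined
        }
        return isValidCodeChallenge(codeChallenge) ? Result.OK : Result.INVALID_CHALLENGE;
    }

    /** RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without padding. */
    static String s256Challenge(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on every JVM", e);
        }
    }

    /** RFC 7636 section 4.1: 32 random bytes base64url-encoded give a 43-character verifier of unreserved characters. */
    static String newCodeVerifier() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(random);
    }

    public static void main(String[] args) {
        String verifier = newCodeVerifier();
        String challenge = s256Challenge(verifier);
        System.out.println("S256 challenge from a real verifier : " + checkPkceParams(challenge, "S256"));
        System.out.println("plain challenge, method defaulted   : " + checkPkceParams(verifier, null));
        System.out.println("no PKCE parameters at all           : " + checkPkceParams(null, null));
        System.out.println("method without challenge            : " + checkPkceParams(null, "S256"));
        System.out.println("unknown method                      : " + checkPkceParams(challenge, "sha512"));
        System.out.println("challenge shorter than 43 chars     : " + checkPkceParams("abc", "plain"));
        System.out.println("challenge with '+' and '/'          : " + checkPkceParams("a+b/".repeat(11), "S256"));
    }
}
```

Compile with a Java 11 or later JDK (String.repeat is used in main). The point of the ordering is the same as in the page's code: a method parameter without a challenge is rejected before anything else, a missing challenge simply means the client did not opt into PKCE, and the pattern check runs only after the method has been normalised to plain or S256, so the authorization server never stores a challenge it could not later compare against a verifier at the token endpoint.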

◆ process()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process (MultivaluedMap< String, String > params)
[inline, private]

    {
        String clientId = params.getFirst(OIDCLoginProtocol.CLIENT_ID_PARAM);

        checkSsl();
        checkRealm();
        checkClient(clientId);

        request = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, params);

        // The redirect URI is verified first: every later check reports its error by redirecting to it
        checkRedirectUri();
        Response errorResponse = checkResponseType();
        if (errorResponse != null) {
            return errorResponse;
        }

        if (!TokenUtil.isOIDCRequest(request.getScope())) {
            ServicesLogger.LOGGER.oidcScopeMissing();
        }

        errorResponse = checkOIDCParams();
        if (errorResponse != null) {
            return errorResponse;
        }

        // https://tools.ietf.org/html/rfc7636#section-4
        errorResponse = checkPKCEParams();
        if (errorResponse != null) {
            return errorResponse;
        }

        authenticationSession = createAuthenticationSession(client, request.getState());
        updateAuthenticationSession();

        // So back button doesn't work
        CacheControlUtil.noBackButtonCacheControlHeader();
        switch (action) {
            case REGISTER:
                return buildRegister();
            case FORGOT_CREDENTIALS:
                return buildForgotCredential();
            case CODE:
                return buildAuthorizationCodeAuthorizationResponse();
        }

        throw new RuntimeException("Unknown action " + action);
    }

◆ redirectErrorToClient()

Response org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.redirectErrorToClient (OIDCResponseMode responseMode, String error, String errorDescription)
[inline, private]

    {
        OIDCRedirectUriBuilder errorResponseBuilder = OIDCRedirectUriBuilder.fromUri(redirectUri, responseMode)
                .addParam(OAuth2Constants.ERROR, error);

        if (errorDescription != null) {
            errorResponseBuilder.addParam(OAuth2Constants.ERROR_DESCRIPTION, errorDescription);
        }

        if (request.getState() != null) {
            errorResponseBuilder.addParam(OAuth2Constants.STATE, request.getState());
        }

        return errorResponseBuilder.build();
    }
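The redirect built above carries error, error_description and (when present) state, placed in the query or in the fragment according to the negotiated response_mode. What a client has to do with it is not on this page, so the following is an added example in Python (not Keycloak code, and not the project's adapter): a relying-party callback handler that reads the parameters from the component the response_mode selected and refuses to act on any response, error or code alike, whose state does not match the one it generated. The pending-request record and the redirect URI are constructed for the example.

```python
"""Relying-party handling of an authorization response (added example).

Models the client side of redirectErrorToClient(): parameters arrive in the
query or the fragment depending on response_mode, and the echoed `state`
is the only thing that binds the redirect to a request this client made.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the request the client started and is waiting for.
# A real RP keeps this in the user's server-side session.
PENDING = {"state": secrets.token_urlsafe(32),
           "redirect_uri": "https://app.example/cb"}  # hypothetical client


def build_redirect(redirect_uri: str, response_mode: str, params: dict) -> str:
    """Assemble a redirect the way the server does: query or fragment."""
    if response_mode == "fragment":
        sep = "#"
    else:
        sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}{urlencode(params)}"


def parse_redirect(url: str, response_mode: str) -> dict:
    """Read parameters only from the component the client negotiated."""
    parts = urlsplit(url)
    raw = parts.fragment if response_mode == "fragment" else parts.query
    parsed = parse_qs(raw, keep_blank_values=True)
    # RFC 6749 forbids repeated parameters; a duplicate is a malformed response
    if any(len(v) != 1 for v in parsed.values()):
        raise ValueError("duplicate parameter in authorization response")
    return {k: v[0] for k, v in parsed.items()}


def handle_callback(url: str, response_mode: str, pending: dict) -> dict:
    """Return what the RP may act on: a code, a server error, or a rejection."""
    params = parse_redirect(url, response_mode)
    expected = pending.get("state")
    got = params.get("state")
    # A missing or mismatched state means this redirect was not triggered by
    # our request (forged error, replayed code, CSRF on the callback).
    if not expected or got is None or not hmac.compare_digest(
            expected.encode(), got.encode()):
        return {"status": "rejected", "reason": "state mismatch"}
    if "error" in params:
        return {"status": "error", "error": params["error"],
                "description": params.get("error_description")}
    if "code" in params:
        return {"status": "code", "code": params["code"]}
    return {"status": "rejected", "reason": "neither code nor error"}
```

The state check runs before the error branch on purpose: an attacker who can make a victim's browser load the callback URL can supply any error string, and a client that shows or logs it without checking state is accepting unauthenticated input.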

◆ register()

AuthorizationEndpoint org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.register ( )
inline
{
    event.event(EventType.REGISTER);
    action = Action.REGISTER;

    // Self-registration is a realm-level switch; refuse the flow up front rather
    // than rendering a registration form the realm does not permit.
    if (!realm.isRegistrationAllowed()) {
        throw new ErrorPageException(session, authenticationSession, Response.Status.BAD_REQUEST, Messages.REGISTRATION_NOT_ALLOWED);
    }

    return this;
}

◆ updateAuthenticationSession()

void org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.updateAuthenticationSession ( )
inline, private
{
    authenticationSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    authenticationSession.setRedirectUri(redirectUri);
    authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    authenticationSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType());
    authenticationSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam());
    authenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));

    // Request parameters are kept as client notes on the authentication session so
    // the steps after login (response building, token issuance) read the values
    // that were validated here rather than anything re-supplied later.
    if (request.getState() != null) authenticationSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, request.getState());
    if (request.getNonce() != null) authenticationSession.setClientNote(OIDCLoginProtocol.NONCE_PARAM, request.getNonce());
    if (request.getMaxAge() != null) authenticationSession.setClientNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge()));
    if (request.getScope() != null) authenticationSession.setClientNote(OIDCLoginProtocol.SCOPE_PARAM, request.getScope());
    if (request.getLoginHint() != null) authenticationSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint());
    if (request.getPrompt() != null) authenticationSession.setClientNote(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt());
    if (request.getIdpHint() != null) authenticationSession.setClientNote(AdapterConstants.KC_IDP_HINT, request.getIdpHint());
    if (request.getResponseMode() != null) authenticationSession.setClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode());
    if (request.getClaims() != null) authenticationSession.setClientNote(OIDCLoginProtocol.CLAIMS_PARAM, request.getClaims());
    if (request.getAcr() != null) authenticationSession.setClientNote(OIDCLoginProtocol.ACR_PARAM, request.getAcr());
    if (request.getDisplay() != null) authenticationSession.setAuthNote(OAuth2Constants.DISPLAY, request.getDisplay());

    // https://tools.ietf.org/html/rfc7636#section-4
    if (request.getCodeChallenge() != null) authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, request.getCodeChallenge());
    if (request.getCodeChallengeMethod() != null) {
        authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, request.getCodeChallengeMethod());
    } else {
        // An absent code_challenge_method means "plain" (RFC 7636 section 4.3). With
        // plain the challenge equals the verifier, so PKCE then gives no protection
        // against anyone who can read the authorization request; clients should send S256.
        authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, OIDCLoginProtocol.PKCE_METHOD_PLAIN);
    }

    if (request.getAdditionalReqParams() != null) {
        for (String paramName : request.getAdditionalReqParams().keySet()) {
            // The loop body is missing from the page listing; restored from the documented
            // purpose of LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX: client-supplied
            // parameter names are prefixed so they cannot overwrite internal notes.
            authenticationSession.setClientNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + paramName, request.getAdditionalReqParams().get(paramName));
        }
    }
}
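The PKCE branch of updateAuthenticationSession() only records what the client sent and defaults the method to plain; the verification itself happens at the token endpoint, which is not on this page. The following is an added example in Python (not Keycloak code; checkPKCEParams() is not shown here and this does not claim to reproduce it) that carries RFC 7636 through both ends: generating a verifier, deriving the S256 and plain challenges, validating a submitted challenge with the same character class as VALID_CODE_CHALLENGE_PATTERN plus the RFC's 43..128 length bound, and recomputing it from the verifier at exchange time. The require_s256 policy switch and the accept_challenge/verify_at_token_endpoint names are this example's own.

```python
"""PKCE (RFC 7636) on both sides of the authorization code flow (added example).

accept_challenge() stands in for the authorization-endpoint step that stores
code_challenge and code_challenge_method on the authentication session;
verify_at_token_endpoint() is the later check against the presented verifier.
"""
import base64
import hashlib
import hmac
import re
import secrets

# Same character class as VALID_CODE_CHALLENGE_PATTERN on this page (the RFC 7636
# unreserved set); the length bound is from RFC 7636 sections 4.1 and 4.2.
CHALLENGE_RE = re.compile(r"^[0-9a-zA-Z\-\.~_]+$")
MIN_LEN, MAX_LEN = 43, 128


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43 characters of unpadded base64url, the RFC minimum
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str, method: str) -> str:
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # the challenge *is* the verifier
    raise ValueError("unsupported code_challenge_method")


def well_formed(value: str) -> bool:
    return MIN_LEN <= len(value) <= MAX_LEN and CHALLENGE_RE.match(value) is not None


def accept_challenge(params: dict, require_s256: bool = True) -> dict:
    """Authorization-endpoint side. Returns the notes to store, or an error.
    require_s256 is a hypothetical server policy, not a Keycloak setting."""
    challenge = params.get("code_challenge")
    # Same default as updateAuthenticationSession(): no method means plain
    method = params.get("code_challenge_method") or "plain"
    if challenge is None:
        return {"error": "invalid_request", "reason": "code_challenge required"}
    if not well_formed(challenge):
        return {"error": "invalid_request", "reason": "malformed code_challenge"}
    if method not in ("plain", "S256"):
        return {"error": "invalid_request", "reason": "unsupported code_challenge_method"}
    if require_s256 and method != "S256":
        return {"error": "invalid_request", "reason": "plain code_challenge_method not allowed"}
    return {"code_challenge": challenge, "code_challenge_method": method}


def verify_at_token_endpoint(notes: dict, code_verifier: str) -> bool:
    """Token-endpoint side: recompute from the presented verifier and compare."""
    if not well_formed(code_verifier):
        return False
    expected = make_challenge(code_verifier, notes["code_challenge_method"])
    return hmac.compare_digest(expected.encode(), notes["code_challenge"].encode())


def plain_leaks_verifier(verifier: str) -> bool:
    """With method=plain, whoever saw the authorization request (browser history,
    proxy logs, Referer) holds a valid verifier: the stored challenge redeems itself."""
    notes = accept_challenge({"code_challenge": make_challenge(verifier, "plain"),
                              "code_challenge_method": "plain"}, require_s256=False)
    return verify_at_token_endpoint(notes, notes["code_challenge"])
```

The two-sided structure is the point: the authorization endpoint can only check shape (character class, length, known method), and the binding to the client that started the flow is established later, which is why the method recorded here, not anything the token request says, decides how the verifier is compared.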

Member Data Documentation

◆ action

Action org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.action
private

◆ APP_INITIATED_FLOW

final String org.keycloak.protocol.AuthorizationEndpointBase.APP_INITIATED_FLOW = "APP_INITIATED_FLOW"
static, inherited

◆ authenticationSession

AuthenticationSessionModel org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.authenticationSession
private

◆ authManager

AuthenticationManager org.keycloak.protocol.AuthorizationEndpointBase.authManager
protected, inherited

◆ client

ClientModel org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.client
private

◆ clientConnection

ClientConnection org.keycloak.protocol.AuthorizationEndpointBase.clientConnection
protected, inherited

◆ CODE_AUTH_TYPE

final String org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.CODE_AUTH_TYPE = "code"
static

◆ event

EventBuilder org.keycloak.protocol.AuthorizationEndpointBase.event
protected, inherited

◆ headers

HttpHeaders org.keycloak.protocol.AuthorizationEndpointBase.headers
protected, inherited

◆ httpRequest

HttpRequest org.keycloak.protocol.AuthorizationEndpointBase.httpRequest
protected, inherited

◆ logger

final Logger org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.logger = Logger.getLogger(AuthorizationEndpoint.class)
static, private

◆ LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX

final String org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"
static

Prefix under which additional HTTP GET parameters from the original client request are stored as AuthenticationSessionModel notes, so that they are available later to Authenticators, RequiredActions, etc. The prefix prevents client-chosen parameter names from colliding with internally used notes.

See also
AuthenticationSessionModel::getClientNote(String)

◆ parsedResponseMode

OIDCResponseMode org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.parsedResponseMode
private

◆ parsedResponseType

OIDCResponseType org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.parsedResponseType
private

◆ realm

RealmModel org.keycloak.protocol.AuthorizationEndpointBase.realm
protected, inherited

◆ redirectUri

String org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.redirectUri
private

◆ request

AuthorizationEndpointRequest org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.request
private

◆ session

KeycloakSession org.keycloak.protocol.AuthorizationEndpointBase.session
protected, inherited

◆ VALID_CODE_CHALLENGE_PATTERN

final Pattern org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.VALID_CODE_CHALLENGE_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$")
static, private

The documentation for this class was generated from the following file: