org.keycloak.authentication.ClientAuthenticationFlow クラス

org.keycloak.authentication.ClientAuthenticationFlow の継承関係図

org.keycloak.authentication.ClientAuthenticationFlow 連携図

公開メンバ関数
	ClientAuthenticationFlow (AuthenticationProcessor processor, AuthenticationFlowModel flow)
Response	processAction (String actionExecution)
Response	processFlow ()
Response	sendChallenge (AuthenticationProcessor.Result result, AuthenticationExecutionModel execution)

限定公開メンバ関数
List< AuthenticationExecutionModel >	findExecutionsToRun ()
Response	processResult (AuthenticationProcessor.Result result)

変数
Response	alternativeChallenge = null
AuthenticationProcessor	processor
AuthenticationFlowModel	flow

静的非公開変数類
static final Logger	logger = Logger.getLogger(ClientAuthenticationFlow.class)

詳解

著者

Marek Posolda

構築子と解体子

ClientAuthenticationFlow()

org.keycloak.authentication.ClientAuthenticationFlow.ClientAuthenticationFlow ( AuthenticationProcessor  processor, AuthenticationFlowModel  flow  )

inline

                                                                                                     {
        this.processor = processor;
        this.flow = flow;
    }

関数詳解

findExecutionsToRun()

List<AuthenticationExecutionModel> org.keycloak.authentication.ClientAuthenticationFlow.findExecutionsToRun ( )

inlineprotected

                                                                       {
        List<AuthenticationExecutionModel> executions = processor.getRealm().getAuthenticationExecutions(flow.getId());
        List<AuthenticationExecutionModel> executionsToRun = new ArrayList<>();

        for (AuthenticationExecutionModel execution : executions) {
            if (execution.isRequired()) {
                executionsToRun = Arrays.asList(execution);
                break;
            }

            if (execution.isAlternative()) {
                executionsToRun.add(execution);
            }
        }

        if (logger.isTraceEnabled()) {
            List<String> exIds = new ArrayList<>();
            for (AuthenticationExecutionModel execution : executionsToRun) {
                exIds.add(execution.getId());
            }
            logger.tracef("Using executions for client authentication: %s", exIds.toString());
        }

        return executionsToRun;
    }

processAction()

Response org.keycloak.authentication.ClientAuthenticationFlow.processAction ( String  actionExecution )

inline

                                                          {
        throw new IllegalStateException("Not supposed to be invoked");
    }

processFlow()

Response org.keycloak.authentication.ClientAuthenticationFlow.processFlow ( )

inline

                                  {
        List<AuthenticationExecutionModel> executions = findExecutionsToRun();

        for (AuthenticationExecutionModel model : executions) {
            ClientAuthenticatorFactory factory = (ClientAuthenticatorFactory) processor.getSession().getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, model.getAuthenticator());
            if (factory == null) {
                throw new AuthenticationFlowException("Could not find ClientAuthenticatorFactory for: " + model.getAuthenticator(), AuthenticationFlowError.INTERNAL_ERROR);
            }
            ClientAuthenticator authenticator = factory.create();
            logger.debugv("client authenticator: {0}", factory.getId());

            AuthenticationProcessor.Result context = processor.createClientAuthenticatorContext(model, authenticator, executions);
            authenticator.authenticateClient(context);

            ClientModel client = processor.getClient();
            if (client != null) {
                String expectedClientAuthType = client.getClientAuthenticatorType();

                // Fallback to secret just in case (for backwards compatibility)
                if (expectedClientAuthType == null) {
                    expectedClientAuthType = KeycloakModelUtils.getDefaultClientAuthenticatorType();
                    ServicesLogger.LOGGER.authMethodFallback(client.getClientId(), expectedClientAuthType);
                }

                // Check if client authentication matches
                if (factory.getId().equals(expectedClientAuthType)) {
                    Response response = processResult(context);
                    if (response != null) return response;

                    if (!context.getStatus().equals(FlowStatus.SUCCESS)) {
                        throw new AuthenticationFlowException("Expected success, but for an unknown reason the status was " + context.getStatus(), AuthenticationFlowError.INTERNAL_ERROR);
                    }

                    logger.debugv("Client {0} authenticated by {1}", client.getClientId(), factory.getId());
                    processor.getEvent().detail(Details.CLIENT_AUTH_METHOD, factory.getId());
                    return null;
                }
            }
        }

        // Check if any alternative challenge was identified
        if (alternativeChallenge != null) {
            processor.getEvent().error(Errors.INVALID_CLIENT);
            return alternativeChallenge;
        }
        throw new AuthenticationFlowException("Invalid client credentials", AuthenticationFlowError.INVALID_CREDENTIALS);
    }

processResult()

Response org.keycloak.authentication.ClientAuthenticationFlow.processResult ( AuthenticationProcessor.Result  result )

inlineprotected

                                                                            {
        AuthenticationExecutionModel execution = result.getExecution();
        FlowStatus status = result.getStatus();

        logger.debugv("client authenticator {0}: {1}", status.toString(), execution.getAuthenticator());

        if (status == FlowStatus.SUCCESS) {
            return null;
        }

        if (status == FlowStatus.FAILED) {
            if (result.getChallenge() != null) {
                return sendChallenge(result, execution);
            } else {
                throw new AuthenticationFlowException(result.getError());
            }
        } else if (status == FlowStatus.FORCE_CHALLENGE) {
            return sendChallenge(result, execution);
        } else if (status == FlowStatus.CHALLENGE) {

            // Make sure the first priority alternative challenge is used
            if (alternativeChallenge == null) {
                alternativeChallenge = result.getChallenge();
            }
            return sendChallenge(result, execution);
        } else if (status == FlowStatus.FAILURE_CHALLENGE) {
            return sendChallenge(result, execution);
        } else {
            ServicesLogger.LOGGER.unknownResultStatus();
            throw new AuthenticationFlowException(AuthenticationFlowError.INTERNAL_ERROR);
        }
    }

sendChallenge()

Response org.keycloak.authentication.ClientAuthenticationFlow.sendChallenge ( AuthenticationProcessor.Result  result, AuthenticationExecutionModel  execution  )

inline

                                                                                                                 {
        logger.debugv("client authenticator: sending challenge for authentication execution {0}", execution.getAuthenticator());

        if (result.getError() != null) {
            String errorAsString = result.getError().toString().toLowerCase();
            result.getEvent().error(errorAsString);
        } else {
            if (result.getClient() == null) {
                result.getEvent().error(Errors.INVALID_CLIENT);
            } else {
                result.getEvent().error(Errors.INVALID_CLIENT_CREDENTIALS);
            }
        }

        return result.getChallenge();
    }

メンバ詳解

alternativeChallenge

Response org.keycloak.authentication.ClientAuthenticationFlow.alternativeChallenge = null

package

flow

AuthenticationFlowModel org.keycloak.authentication.ClientAuthenticationFlow.flow

package

logger

final Logger org.keycloak.authentication.ClientAuthenticationFlow.logger = Logger.getLogger(ClientAuthenticationFlow.class)

staticprivate

processor

AuthenticationProcessor org.keycloak.authentication.ClientAuthenticationFlow.processor

package

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/authentication/ClientAuthenticationFlow.java