org.keycloak.services.managers.AuthenticationManager の継承関係図

org.keycloak.services.managers.AuthenticationManager 連携図

クラス
enum	AuthenticationStatus

class	AuthResult

公開メンバ関数
AuthResult	authenticateIdentityCookie (KeycloakSession session, RealmModel realm)

静的公開メンバ関数
static boolean	isSessionValid (RealmModel realm, UserSessionModel userSession)

static boolean	isOfflineSessionValid (RealmModel realm, UserSessionModel userSession)

static void	expireUserSessionCookie (KeycloakSession session, UserSessionModel userSession, RealmModel realm, UriInfo uriInfo, HttpHeaders headers, ClientConnection connection)

static void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, boolean logoutBroker)

static void	backchannelLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers, boolean logoutBroker)

static void	backchannelLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers, boolean logoutBroker, boolean offlineSession)

static void	setClientLogoutAction (AuthenticationSessionModel logoutAuthSession, String clientUuid, AuthenticationSessionModel.Action action)

static AuthenticationSessionModel.Action	getClientLogoutAction (AuthenticationSessionModel logoutAuthSession, String clientUuid)

static void	backchannelLogoutUserFromClient (KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, UriInfo uriInfo, HttpHeaders headers)

static Response	browserLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers)

static Response	finishBrowserLogout (KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers)

static IdentityCookieToken	createIdentityToken (KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer)

static void	createLoginCookie (KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, UriInfo uriInfo, ClientConnection connection)

static void	createRememberMeCookie (RealmModel realm, String username, UriInfo uriInfo, ClientConnection connection)

static String	getRememberMeUsername (RealmModel realm, HttpHeaders headers)

static void	expireIdentityCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)

static void	expireOldIdentityCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)

static void	expireRememberMeCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)

static void	expireOldAuthSessionCookie (RealmModel realm, UriInfo uriInfo, ClientConnection connection)

static String	getRealmCookiePath (RealmModel realm, UriInfo uriInfo)

static String	getOldCookiePath (RealmModel realm, UriInfo uriInfo)

static String	getAccountCookiePath (RealmModel realm, UriInfo uriInfo)

static void	expireCookie (RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection)

static AuthResult	authenticateIdentityCookie (KeycloakSession session, RealmModel realm, boolean checkActive)

static Response	redirectAfterSuccessfulFlow (KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, String protocol)

static Response	redirectAfterSuccessfulFlow (KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, LoginProtocol protocol)

static boolean	isSSOAuthentication (AuthenticatedClientSessionModel clientSession)

static Response	nextActionAfterAuthentication (KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event)

static Response	redirectToRequiredActions (KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, UriInfo uriInfo, String requiredAction)

static Response	finishedRequiredActions (KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event)

static String	nextRequiredAction (final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event)

static Response	actionRequired (final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event)

static void	setClientScopesInSession (AuthenticationSessionModel authSession)

static RequiredActionProvider	createRequiredAction (RequiredActionContextResult context)

static void	evaluateRequiredActionTriggers (final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event, final RealmModel realm, final UserModel user)

static AuthResult	verifyIdentityToken (KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, boolean isCookie, String tokenString, HttpHeaders headers)

静的公開変数類
static final String	SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS = "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS"

static final String	END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS"

static final String	INVALIDATE_ACTION_TOKEN = "INVALIDATE_ACTION_TOKEN"

static final String	CLIENT_LOGOUT_STATE = "logout.state."

static final String	AUTH_TIME = "AUTH_TIME"

static final String	SSO_AUTH = "SSO_AUTH"

static final String	FORM_USERNAME = "username"

static final String	KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY"

static final String	KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION"

static final String	KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME"

static final String	KEYCLOAK_LOGOUT_PROTOCOL = "KEYCLOAK_LOGOUT_PROTOCOL"

静的限定公開メンバ関数
static String	getIdentityCookiePath (RealmModel realm, UriInfo uriInfo)

static Response	executionActions (KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set< String > requiredActions)

静的限定公開変数類
static final Logger	logger = Logger.getLogger(AuthenticationManager.class)

静的非公開メンバ関数
static AuthenticationSessionModel	createOrJoinLogoutSession (KeycloakSession session, RealmModel realm, final AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie)

static void	backchannelLogoutAll (KeycloakSession session, RealmModel realm, UserSessionModel userSession, AuthenticationSessionModel logoutAuthSession, UriInfo uriInfo, HttpHeaders headers, boolean logoutBroker)

static boolean	checkUserSessionOnlyHasLoggedOutClients (RealmModel realm, UserSessionModel userSession, AuthenticationSessionModel logoutAuthSession)

static boolean	backchannelLogoutClientSession (KeycloakSession session, RealmModel realm, AuthenticatedClientSessionModel clientSession, AuthenticationSessionModel logoutAuthSession, UriInfo uriInfo, HttpHeaders headers)

static Response	frontchannelLogoutClientSession (KeycloakSession session, RealmModel realm, AuthenticatedClientSessionModel clientSession, AuthenticationSessionModel logoutAuthSession, UriInfo uriInfo, HttpHeaders headers)

static Response	browserLogoutAllClients (UserSessionModel userSession, KeycloakSession session, RealmModel realm, HttpHeaders headers, UriInfo uriInfo, AuthenticationSessionModel logoutAuthSession)

static UserConsentModel	getEffectiveGrantedConsent (KeycloakSession session, AuthenticationSessionModel authSession)

static List< ClientScopeModel >	getClientScopesToApproveOnConsentScreen (RealmModel realm, UserConsentModel grantedConsent, AuthenticationSessionModel authSession)

static List< RequiredActionProviderModel >	sortRequiredActionsByPriority (RealmModel realm, Set< String > requiredActions)

詳解

Stateless object that manages authentication

著者: Bill Burke

バージョン

Revision: 1

クラス詳解

◆ org::keycloak::services::managers::AuthenticationManager::AuthenticationStatus

enum org::keycloak::services::managers::AuthenticationManager::AuthenticationStatus

org.keycloak.services.managers.AuthenticationManager.AuthenticationStatus 連携図

列挙値
ACCOUNT_DISABLED
ACCOUNT_TEMPORARILY_DISABLED
ACTIONS_REQUIRED
FAILED
INVALID_CREDENTIALS
INVALID_USER
MISSING_PASSWORD
MISSING_TOTP
SUCCESS

関数詳解

◆ actionRequired()

static Response org.keycloak.services.managers.AuthenticationManager.actionRequired	(	final KeycloakSession	session,
		final AuthenticationSessionModel	authSession,
		final ClientConnection	clientConnection,
		final HttpRequest	request,
		final UriInfo	uriInfo,
		final EventBuilder	event
	)

inlinestatic

                                                                                                                                      {
         final RealmModel realm = authSession.getRealm();
         final UserModel user = authSession.getAuthenticatedUser();
         final ClientModel client = authSession.getClient();
 
         evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user);
 
 
         logger.debugv("processAccessCode: go to oauth page?: {0}", client.isConsentRequired());
 
         event.detail(Details.CODE_ID, authSession.getParentSession().getId());
 
         Set<String> requiredActions = user.getRequiredActions();
         Response action = executionActions(session, authSession, request, event, realm, user, requiredActions);
         if (action != null) return action;
 
         // executionActions() method should remove any duplicate actions that might be in the clientSession
         requiredActions = authSession.getRequiredActions();
         action = executionActions(session, authSession, request, event, realm, user, requiredActions);
         if (action != null) return action;
 
         if (client.isConsentRequired()) {
 
             UserConsentModel grantedConsent = getEffectiveGrantedConsent(session, authSession);
 
             List<ClientScopeModel> clientScopesToApprove = getClientScopesToApproveOnConsentScreen(realm, grantedConsent, authSession);
 
             // Skip grant screen if everything was already approved by this user
             if (clientScopesToApprove.size() > 0) {
                 String execution = AuthenticatedClientSessionModel.Action.OAUTH_GRANT.name();
 
                 ClientSessionCode<AuthenticationSessionModel> accessCode = new ClientSessionCode<>(session, realm, authSession);
                 accessCode.setAction(AuthenticatedClientSessionModel.Action.REQUIRED_ACTIONS.name());
                 authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution);
 
                 return session.getProvider(LoginFormsProvider.class)
                         .setAuthenticationSession(authSession)
                         .setExecution(execution)
                         .setClientSessionCode(accessCode.getOrGenerateCode())
                         .setAccessRequest(clientScopesToApprove)
                         .createOAuthGrant();
             } else {
                 String consentDetail = (grantedConsent != null) ? Details.CONSENT_VALUE_PERSISTED_CONSENT : Details.CONSENT_VALUE_NO_CONSENT_REQUIRED;
                 event.detail(Details.CONSENT, consentDetail);
             }
         } else {
             event.detail(Details.CONSENT, Details.CONSENT_VALUE_NO_CONSENT_REQUIRED);
         }
         return null;
 
     }

◆ authenticateIdentityCookie() [1/2]

AuthResult org.keycloak.services.managers.AuthenticationManager.authenticateIdentityCookie	(	KeycloakSession	session,
		RealmModel	realm
	)

inline

                                                                                             {
         return authenticateIdentityCookie(session, realm, true);
     }

◆ authenticateIdentityCookie() [2/2]

static AuthResult org.keycloak.services.managers.AuthenticationManager.authenticateIdentityCookie	(	KeycloakSession	session,
		RealmModel	realm,
		boolean	checkActive
	)

inlinestatic

                                                                                                                         {
         Cookie cookie = session.getContext().getRequestHeaders().getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
         if (cookie == null || "".equals(cookie.getValue())) {
             logger.debugv("Could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
             return null;
         }
 
         String tokenString = cookie.getValue();
         AuthResult authResult = verifyIdentityToken(session, realm, session.getContext().getUri(), session.getContext().getConnection(), checkActive, false, true, tokenString, session.getContext().getRequestHeaders());
         if (authResult == null) {
             expireIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
             expireOldIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
             return null;
         }
         authResult.getSession().setLastSessionRefresh(Time.currentTime());
         return authResult;
     }

◆ backchannelLogout() [1/3]

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		boolean	logoutBroker
	)

inlinestatic

                                                                                                                       {
         backchannelLogout(
                 session,
                 session.getContext().getRealm(),
                 userSession,
                 session.getContext().getUri(),
                 session.getContext().getConnection(),
                 session.getContext().getRequestHeaders(),
                 logoutBroker
         );
     }

◆ backchannelLogout() [2/3]

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogout	(	KeycloakSession	session,
		RealmModel	realm,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		ClientConnection	connection,
		HttpHeaders	headers,
		boolean	logoutBroker
	)

inlinestatic

                                                                {
         backchannelLogout(session, realm, userSession, uriInfo, connection, headers, logoutBroker, false);
     }

◆ backchannelLogout() [3/3]

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogout	(	KeycloakSession	session,
		RealmModel	realm,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		ClientConnection	connection,
		HttpHeaders	headers,
		boolean	logoutBroker,
		boolean	offlineSession
	)

inlinestatic

引数

session
realm
userSession
uriInfo
connection
headers
logoutBroker
offlineSession

                                                                  {
         if (userSession == null) return;
         UserModel user = userSession.getUser();
         if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
             userSession.setState(UserSessionModel.State.LOGGING_OUT);
         }
 
         logger.debugv("Logging out: {0} ({1}) offline: {2}", user.getUsername(), userSession.getId(), userSession.isOffline());
         expireUserSessionCookie(session, userSession, realm, uriInfo, headers, connection);
 
         final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
         AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, false);
 
         try {
             backchannelLogoutAll(session, realm, userSession, logoutAuthSession, uriInfo, headers, logoutBroker);
             checkUserSessionOnlyHasLoggedOutClients(realm, userSession, logoutAuthSession);
         } finally {
             asm.removeAuthenticationSession(realm, logoutAuthSession, false);
         }
 
         userSession.setState(UserSessionModel.State.LOGGED_OUT);
 
         if (offlineSession) {
             new UserSessionManager(session).revokeOfflineUserSession(userSession);
 
             // Check if "online" session still exists and remove it too
             UserSessionModel onlineUserSession = session.sessions().getUserSession(realm, userSession.getId());
             if (onlineUserSession != null) {
                 session.sessions().removeUserSession(realm, onlineUserSession);
             }
         } else {
             session.sessions().removeUserSession(realm, userSession);
         }
     }

◆ backchannelLogoutAll()

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogoutAll	(	KeycloakSession	session,
		RealmModel	realm,
		UserSessionModel	userSession,
		AuthenticationSessionModel	logoutAuthSession,
		UriInfo	uriInfo,
		HttpHeaders	headers,
		boolean	logoutBroker
	)

inlinestaticprivate

                                                  {
         userSession.getAuthenticatedClientSessions().values().forEach(
           clientSession -> backchannelLogoutClientSession(session, realm, clientSession, logoutAuthSession, uriInfo, headers)
         );
         if (logoutBroker) {
             String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
             if (brokerId != null) {
                 IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
                 try {
                     identityProvider.backchannelLogout(session, userSession, uriInfo, realm);
                 } catch (Exception e) {
                     logger.warn("Exception at broker backchannel logout for broker " + brokerId, e);
                 }
             }
         }
     }

◆ backchannelLogoutClientSession()

static boolean org.keycloak.services.managers.AuthenticationManager.backchannelLogoutClientSession	(	KeycloakSession	session,
		RealmModel	realm,
		AuthenticatedClientSessionModel	clientSession,
		AuthenticationSessionModel	logoutAuthSession,
		UriInfo	uriInfo,
		HttpHeaders	headers
	)

inlinestaticprivate

Logs out the given client session and records the result into

logoutAuthSession

if set.

引数

session
realm
clientSession
logoutAuthSession	auth session used for recording result of logout. May be null
uriInfo
headers

戻り値: true
if the client was or is already being logged out,
false
if logout failed or it is not known how to log it out.

                                             {
         UserSessionModel userSession = clientSession.getUserSession();
         ClientModel client = clientSession.getClient();
 
         if (client.isFrontchannelLogout() || AuthenticationSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) {
             return false;
         }
 
         final AuthenticationSessionModel.Action logoutState = getClientLogoutAction(logoutAuthSession, client.getId());
 
         if (logoutState == AuthenticationSessionModel.Action.LOGGED_OUT || logoutState == AuthenticationSessionModel.Action.LOGGING_OUT) {
             return true;
         }
 
         try {
             setClientLogoutAction(logoutAuthSession, client.getId(), AuthenticationSessionModel.Action.LOGGING_OUT);
 
             String authMethod = clientSession.getProtocol();
             if (authMethod == null) return true; // must be a keycloak service like account
 
             logger.debugv("backchannel logout to: {0}", client.getClientId());
             LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod);
             protocol.setRealm(realm)
                     .setHttpHeaders(headers)
                     .setUriInfo(uriInfo);
             protocol.backchannelLogout(userSession, clientSession);
 
             setClientLogoutAction(logoutAuthSession, client.getId(), AuthenticationSessionModel.Action.LOGGED_OUT);
 
             return true;
         } catch (Exception ex) {
             ServicesLogger.LOGGER.failedToLogoutClient(ex);
             return false;
         }
     }

◆ backchannelLogoutUserFromClient()

static void org.keycloak.services.managers.AuthenticationManager.backchannelLogoutUserFromClient	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user,
		ClientModel	client,
		UriInfo	uriInfo,
		HttpHeaders	headers
	)

inlinestatic

Logout all clientSessions of this user and client

引数

session
realm
user
client
uriInfo
headers

                                                                                                                                                                             {
         List<UserSessionModel> userSessions = session.sessions().getUserSessions(realm, user);
         for (UserSessionModel userSession : userSessions) {
             AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
             if (clientSession != null) {
                 AuthenticationManager.backchannelLogoutClientSession(session, realm, clientSession, null, uriInfo, headers);
                 clientSession.setAction(AuthenticationSessionModel.Action.LOGGED_OUT.name());
                 org.keycloak.protocol.oidc.TokenManager.dettachClientSession(session.sessions(), realm, clientSession);
             }
         }
     }

◆ browserLogout()

static Response org.keycloak.services.managers.AuthenticationManager.browserLogout	(	KeycloakSession	session,
		RealmModel	realm,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		ClientConnection	connection,
		HttpHeaders	headers
	)

inlinestatic

                                                                                                                                                                                      {
         if (userSession == null) return null;
 
         if (logger.isDebugEnabled()) {
             UserModel user = userSession.getUser();
             logger.debugv("Logging out: {0} ({1})", user.getUsername(), userSession.getId());
         }
         
         if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
             userSession.setState(UserSessionModel.State.LOGGING_OUT);
         }
 
         final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
         AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);
 
         Response response = browserLogoutAllClients(userSession, session, realm, headers, uriInfo, logoutAuthSession);
         if (response != null) {
             return response;
         }
 
         String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
         if (brokerId != null) {
             IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
             response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
             if (response != null) {
                 return response;
             }
         }
 
         return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
     }

◆ browserLogoutAllClients()

static Response org.keycloak.services.managers.AuthenticationManager.browserLogoutAllClients	(	UserSessionModel	userSession,
		KeycloakSession	session,
		RealmModel	realm,
		HttpHeaders	headers,
		UriInfo	uriInfo,
		AuthenticationSessionModel	logoutAuthSession
	)

inlinestaticprivate

                                                                                                                                                                                                                  {
         Map<Boolean, List<AuthenticatedClientSessionModel>> acss = userSession.getAuthenticatedClientSessions().values().stream()
           .filter(clientSession -> ! Objects.equals(AuthenticationSessionModel.Action.LOGGED_OUT.name(), clientSession.getAction()))
           .filter(clientSession -> clientSession.getProtocol() != null)
           .collect(Collectors.partitioningBy(clientSession -> clientSession.getClient().isFrontchannelLogout()));
 
         final List<AuthenticatedClientSessionModel> backendLogoutSessions = acss.get(false) == null ? Collections.emptyList() : acss.get(false);
         backendLogoutSessions.forEach(acs -> backchannelLogoutClientSession(session, realm, acs, logoutAuthSession, uriInfo, headers));
 
         final List<AuthenticatedClientSessionModel> redirectClients = acss.get(true) == null ? Collections.emptyList() : acss.get(true);
         for (AuthenticatedClientSessionModel nextRedirectClient : redirectClients) {
             Response response = frontchannelLogoutClientSession(session, realm, nextRedirectClient, logoutAuthSession, uriInfo, headers);
             if (response != null) {
                 return response;
             }
         }
 
         return null;
     }

◆ checkUserSessionOnlyHasLoggedOutClients()

static boolean org.keycloak.services.managers.AuthenticationManager.checkUserSessionOnlyHasLoggedOutClients	(	RealmModel	realm,
		UserSessionModel	userSession,
		AuthenticationSessionModel	logoutAuthSession
	)

inlinestaticprivate

Checks that all sessions have been removed from the user session. The list of logged out clients is determined from the

logoutAuthSession

auth session notes.

引数

realm
userSession
logoutAuthSession

戻り値: true
when all clients have been logged out,
false
otherwise

                                                                                   {
         final Map<String, AuthenticatedClientSessionModel> acs = userSession.getAuthenticatedClientSessions();
         Set<AuthenticatedClientSessionModel> notLoggedOutSessions = acs.entrySet().stream()
           .filter(me -> ! Objects.equals(AuthenticationSessionModel.Action.LOGGED_OUT, getClientLogoutAction(logoutAuthSession, me.getKey())))
           .filter(me -> ! Objects.equals(AuthenticationSessionModel.Action.LOGGED_OUT.name(), me.getValue().getAction()))
           .filter(me -> Objects.nonNull(me.getValue().getProtocol()))   // Keycloak service-like accounts
           .map(Map.Entry::getValue)
           .collect(Collectors.toSet());
 
         boolean allClientsLoggedOut = notLoggedOutSessions.isEmpty();
 
         if (! allClientsLoggedOut) {
             logger.warnf("Some clients have been not been logged out for user %s in %s realm: %s",
               userSession.getUser().getUsername(), realm.getName(),
               notLoggedOutSessions.stream()
                 .map(AuthenticatedClientSessionModel::getClient)
                 .map(ClientModel::getClientId)
                 .sorted()
                 .collect(Collectors.joining(", "))
             );
         } else if (logger.isDebugEnabled()) {
             logger.debugf("All clients have been logged out for user %s in %s realm, session %s",
               userSession.getUser().getUsername(), realm.getName(), userSession.getId());
         }
 
         return allClientsLoggedOut;
     }

◆ createIdentityToken()

static IdentityCookieToken org.keycloak.services.managers.AuthenticationManager.createIdentityToken	(	KeycloakSession	keycloakSession,
		RealmModel	realm,
		UserModel	user,
		UserSessionModel	session,
		String	issuer
	)

inlinestatic

                                                                                                                                                                       {
         IdentityCookieToken token = new IdentityCookieToken();
         token.id(KeycloakModelUtils.generateId());
         token.issuedNow();
         token.subject(user.getId());
         token.issuer(issuer);
         if (session != null) {
             token.setSessionState(session.getId());
         }
         if (realm.getSsoSessionMaxLifespan() > 0) {
             token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan());
         }
 
         String stateChecker = (String) keycloakSession.getAttribute("state_checker");
         if (stateChecker == null) {
             stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
             keycloakSession.setAttribute("state_checker", stateChecker);
         }
         token.getOtherClaims().put("state_checker", stateChecker);
 
         return token;
     }

◆ createLoginCookie()

static void org.keycloak.services.managers.AuthenticationManager.createLoginCookie	(	KeycloakSession	keycloakSession,
		RealmModel	realm,
		UserModel	user,
		UserSessionModel	session,
		UriInfo	uriInfo,
		ClientConnection	connection
	)

inlinestatic

                                                                                                                                                                                     {
         String cookiePath = getIdentityCookiePath(realm, uriInfo);
         String issuer = Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName());
         IdentityCookieToken identityCookieToken = createIdentityToken(keycloakSession, realm, user, session, issuer);
         String encoded = keycloakSession.tokens().encode(identityCookieToken);
         boolean secureOnly = realm.getSslRequired().isRequired(connection);
         int maxAge = NewCookie.DEFAULT_MAX_AGE;
         if (session != null && session.isRememberMe()) {
             maxAge = realm.getSsoSessionMaxLifespan();
         }
         logger.debugv("Create login cookie - name: {0}, path: {1}, max-age: {2}", KEYCLOAK_IDENTITY_COOKIE, cookiePath, maxAge);
         CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encoded, cookiePath, null, null, maxAge, secureOnly, true);
         //builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
 
         String sessionCookieValue = realm.getName() + "/" + user.getId();
         if (session != null) {
             sessionCookieValue += "/" + session.getId();
         }
         // THIS SHOULD NOT BE A HTTPONLY COOKIE!  It is used for OpenID Connect Iframe Session support!
         // Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
         CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, realm.getSsoSessionMaxLifespan(), secureOnly, false);
         P3PHelper.addP3PHeader(keycloakSession);
     }

◆ createOrJoinLogoutSession()

static AuthenticationSessionModel org.keycloak.services.managers.AuthenticationManager.createOrJoinLogoutSession	(	KeycloakSession	session,
		RealmModel	realm,
		final AuthenticationSessionManager	asm,
		UserSessionModel	userSession,
		boolean	browserCookie
	)

inlinestaticprivate

                                                                                                                                                                                                                 {
         // Account management client is used as a placeholder
         ClientModel client = SystemClientUtil.getSystemClient(realm);
 
         String authSessionId;
         RootAuthenticationSessionModel rootLogoutSession = null;
         boolean browserCookiePresent = false;
 
         // Try to lookup current authSessionId from browser cookie. If doesn't exists, use the same as current userSession
         if (browserCookie) {
             rootLogoutSession = asm.getCurrentRootAuthenticationSession(realm);
         }
         if (rootLogoutSession != null) {
             authSessionId = rootLogoutSession.getId();
             browserCookiePresent = true;
         } else {
             authSessionId = userSession.getId();
             rootLogoutSession = session.authenticationSessions().getRootAuthenticationSession(realm, authSessionId);
         }
 
         if (rootLogoutSession == null) {
             rootLogoutSession = session.authenticationSessions().createRootAuthenticationSession(authSessionId, realm);
         }
         if (browserCookie && !browserCookiePresent) {
             // Update cookie if needed
             asm.setAuthSessionCookie(authSessionId, realm);
         }
 
         // See if we have logoutAuthSession inside current rootSession. Create new if not
         Optional<AuthenticationSessionModel> found = rootLogoutSession.getAuthenticationSessions().values().stream().filter((AuthenticationSessionModel authSession) -> {
 
             return client.equals(authSession.getClient()) && Objects.equals(AuthenticationSessionModel.Action.LOGGING_OUT.name(), authSession.getAction());
 
         }).findFirst();
 
         AuthenticationSessionModel logoutAuthSession = found.isPresent() ? found.get() : rootLogoutSession.createAuthenticationSession(client);
 
         logoutAuthSession.setAction(AuthenticationSessionModel.Action.LOGGING_OUT.name());
         return logoutAuthSession;
     }

◆ createRememberMeCookie()

static void org.keycloak.services.managers.AuthenticationManager.createRememberMeCookie	(	RealmModel	realm,
		String	username,
		UriInfo	uriInfo,
		ClientConnection	connection
	)

inlinestatic

                                                                                                                                {
         String path = getIdentityCookiePath(realm, uriInfo);
         boolean secureOnly = realm.getSslRequired().isRequired(connection);
         // remember me cookie should be persistent (hardcoded to 365 days for now)
         //NewCookie cookie = new NewCookie(KEYCLOAK_REMEMBER_ME, "true", path, null, null, realm.getCentralLoginLifespan(), secureOnly);// todo httponly , true);
         CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, "username:" + username, path, null, null, 31536000, secureOnly, true);
     }

◆ createRequiredAction()

static RequiredActionProvider org.keycloak.services.managers.AuthenticationManager.createRequiredAction ( RequiredActionContextResult context )

inlinestatic

                                                                                                    {
         String display = context.getAuthenticationSession().getAuthNote(OAuth2Constants.DISPLAY);
         if (display == null) return context.getFactory().create(context.getSession());
 
 
         if (context.getFactory() instanceof DisplayTypeRequiredActionFactory) {
             RequiredActionProvider provider = ((DisplayTypeRequiredActionFactory)context.getFactory()).createDisplay(context.getSession(), display);
             if (provider != null) return provider;
         }
         // todo create a provider for handling lack of display support
         if (OAuth2Constants.DISPLAY_CONSOLE.equalsIgnoreCase(display)) {
             context.getAuthenticationSession().removeAuthNote(OAuth2Constants.DISPLAY);
             throw new AuthenticationFlowException(AuthenticationFlowError.DISPLAY_NOT_SUPPORTED, ConsoleDisplayMode.browserContinue(context.getSession(), context.getUriInfo().getRequestUri().toString()));
 
         } else {
             return context.getFactory().create(context.getSession());
         }
     }

◆ evaluateRequiredActionTriggers()

static void org.keycloak.services.managers.AuthenticationManager.evaluateRequiredActionTriggers	(	final KeycloakSession	session,
		final AuthenticationSessionModel	authSession,
		final ClientConnection	clientConnection,
		final HttpRequest	request,
		final UriInfo	uriInfo,
		final EventBuilder	event,
		final RealmModel	realm,
		final UserModel	user
	)

inlinestatic

                                                                                                                                                                                                                                                                                                       {
 
         // see if any required actions need triggering, i.e. an expired password
         for (RequiredActionProviderModel model : realm.getRequiredActionProviders()) {
             if (!model.isEnabled()) continue;
             RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, model.getProviderId());
             if (factory == null) {
                 throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?");
             }
             RequiredActionProvider provider = factory.create(session);
             RequiredActionContextResult result = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory) {
                 @Override
                 public void challenge(Response response) {
                     throw new RuntimeException("Not allowed to call challenge() within evaluateTriggers()");
                 }
 
                 @Override
                 public void failure() {
                     throw new RuntimeException("Not allowed to call failure() within evaluateTriggers()");
                 }
 
                 @Override
                 public void success() {
                     throw new RuntimeException("Not allowed to call success() within evaluateTriggers()");
                 }
 
                 @Override
                 public void ignore() {
                     throw new RuntimeException("Not allowed to call ignore() within evaluateTriggers()");
                 }
             };
 
             provider.evaluateTriggers(result);
         }
     }

◆ executionActions()

static Response org.keycloak.services.managers.AuthenticationManager.executionActions	(	KeycloakSession	session,
		AuthenticationSessionModel	authSession,
		HttpRequest	request,
		EventBuilder	event,
		RealmModel	realm,
		UserModel	user,
		Set< String >	requiredActions
	)

inlinestaticprotected

                                                                             {
 
         List<RequiredActionProviderModel> sortedRequiredActions = sortRequiredActionsByPriority(realm, requiredActions);
 
         for (RequiredActionProviderModel model : sortedRequiredActions) {
             RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, model.getProviderId());
             if (factory == null) {
                 throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?");
             }
             RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory);
             RequiredActionProvider actionProvider = null;
             try {
                 actionProvider = createRequiredAction(context);
             } catch (AuthenticationFlowException e) {
                 if (e.getResponse() != null) {
                     return e.getResponse();
                 }
                 throw e;
             }
             actionProvider.requiredActionChallenge(context);
 
             if (context.getStatus() == RequiredActionContext.Status.FAILURE) {
                 LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getAuthenticationSession().getProtocol());
                 protocol.setRealm(context.getRealm())
                         .setHttpHeaders(context.getHttpRequest().getHttpHeaders())
                         .setUriInfo(context.getUriInfo())
                         .setEventBuilder(event);
                 Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED);
                 event.error(Errors.REJECTED_BY_USER);
                 return response;
             }
             else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) {
                 authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, model.getProviderId());
                 return context.getChallenge();
             }
             else if (context.getStatus() == RequiredActionContext.Status.SUCCESS) {
                 event.clone().event(EventType.CUSTOM_REQUIRED_ACTION).detail(Details.CUSTOM_REQUIRED_ACTION, factory.getId()).success();
                 // don't have to perform the same action twice, so remove it from both the user and session required actions
                 authSession.getAuthenticatedUser().removeRequiredAction(factory.getId());
                 authSession.removeRequiredAction(factory.getId());
             }
         }
         return null;
     }

◆ expireCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireCookie	(	RealmModel	realm,
		String	cookieName,
		String	path,
		boolean	httpOnly,
		ClientConnection	connection
	)

inlinestatic

                                                                                                                                      {
         logger.debugv("Expiring cookie: {0} path: {1}", cookieName, path);
         boolean secureOnly = realm.getSslRequired().isRequired(connection);;
         CookieHelper.addCookie(cookieName, "", path, null, "Expiring cookie", 0, secureOnly, httpOnly);
     }

◆ expireIdentityCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireIdentityCookie	(	RealmModel	realm,
		UriInfo	uriInfo,
		ClientConnection	connection
	)

inlinestatic

                                                                                                             {
         logger.debug("Expiring identity cookie");
         String path = getIdentityCookiePath(realm, uriInfo);
         expireCookie(realm, KEYCLOAK_IDENTITY_COOKIE, path, true, connection);
         expireCookie(realm, KEYCLOAK_SESSION_COOKIE, path, false, connection);
 
         String oldPath = getOldCookiePath(realm, uriInfo);
         expireCookie(realm, KEYCLOAK_IDENTITY_COOKIE, oldPath, true, connection);
         expireCookie(realm, KEYCLOAK_SESSION_COOKIE, oldPath, false, connection);
     }

◆ expireOldAuthSessionCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireOldAuthSessionCookie	(	RealmModel	realm,
		UriInfo	uriInfo,
		ClientConnection	connection
	)

inlinestatic

                                                                                                                   {
         logger.debugv("Expire {1} cookie .", AuthenticationSessionManager.AUTH_SESSION_ID);
 
         String oldPath = getOldCookiePath(realm, uriInfo);
         expireCookie(realm, AuthenticationSessionManager.AUTH_SESSION_ID, oldPath, true, connection);
     }

◆ expireOldIdentityCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireOldIdentityCookie	(	RealmModel	realm,
		UriInfo	uriInfo,
		ClientConnection	connection
	)

inlinestatic

                                                                                                                {
         logger.debug("Expiring old identity cookie with wrong path");
 
         String oldPath = getOldCookiePath(realm, uriInfo);
         expireCookie(realm, KEYCLOAK_IDENTITY_COOKIE, oldPath, true, connection);
         expireCookie(realm, KEYCLOAK_SESSION_COOKIE, oldPath, false, connection);
     }

◆ expireRememberMeCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireRememberMeCookie	(	RealmModel	realm,
		UriInfo	uriInfo,
		ClientConnection	connection
	)

inlinestatic

                                                                                                               {
         logger.debug("Expiring remember me cookie");
         String path = getIdentityCookiePath(realm, uriInfo);
         String cookieName = KEYCLOAK_REMEMBER_ME;
         expireCookie(realm, cookieName, path, true, connection);
     }

◆ expireUserSessionCookie()

static void org.keycloak.services.managers.AuthenticationManager.expireUserSessionCookie	(	KeycloakSession	session,
		UserSessionModel	userSession,
		RealmModel	realm,
		UriInfo	uriInfo,
		HttpHeaders	headers,
		ClientConnection	connection
	)

inlinestatic

                                                                                                                                                                                            {
         try {
             // check to see if any identity cookie is set with the same session and expire it if necessary
             Cookie cookie = headers.getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
             if (cookie == null) return;
             String tokenString = cookie.getValue();
 
             TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
               .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
               .checkActive(false)
               .checkTokenType(false);
 
             String kid = verifier.getHeader().getKeyId();
             String algorithm = verifier.getHeader().getAlgorithm().name();
 
             SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
             verifier.verifierContext(signatureVerifier);
 
             AccessToken token = verifier.verify().getToken();
             UserSessionModel cookieSession = session.sessions().getUserSession(realm, token.getSessionState());
             if (cookieSession == null || !cookieSession.getId().equals(userSession.getId())) return;
             expireIdentityCookie(realm, uriInfo, connection);
         } catch (Exception e) {
         }
 
     }

◆ finishBrowserLogout()

static Response org.keycloak.services.managers.AuthenticationManager.finishBrowserLogout	(	KeycloakSession	session,
		RealmModel	realm,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		ClientConnection	connection,
		HttpHeaders	headers
	)

inlinestatic

                                                                                                                                                                                            {
         final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
         AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);
 
         checkUserSessionOnlyHasLoggedOutClients(realm, userSession, logoutAuthSession);
 
         expireIdentityCookie(realm, uriInfo, connection);
         expireRememberMeCookie(realm, uriInfo, connection);
         userSession.setState(UserSessionModel.State.LOGGED_OUT);
         String method = userSession.getNote(KEYCLOAK_LOGOUT_PROTOCOL);
         EventBuilder event = new EventBuilder(realm, session, connection);
         LoginProtocol protocol = session.getProvider(LoginProtocol.class, method);
         protocol.setRealm(realm)
                 .setHttpHeaders(headers)
                 .setUriInfo(uriInfo)
                 .setEventBuilder(event);
         Response response = protocol.finishLogout(userSession);
         session.sessions().removeUserSession(realm, userSession);
         session.authenticationSessions().removeRootAuthenticationSession(realm, logoutAuthSession.getParentSession());
         return response;
     }

◆ finishedRequiredActions()

static Response org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions	(	KeycloakSession	session,
		AuthenticationSessionModel	authSession,
		UserSessionModel	userSession,
		ClientConnection	clientConnection,
		HttpRequest	request,
		UriInfo	uriInfo,
		EventBuilder	event
	)

inlinestatic

                                                                                                                                                 {
         String actionTokenKeyToInvalidate = authSession.getAuthNote(INVALIDATE_ACTION_TOKEN);
         if (actionTokenKeyToInvalidate != null) {
             ActionTokenKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate);
             
             if (actionTokenKey != null) {
                 ActionTokenStoreProvider actionTokenStore = session.getProvider(ActionTokenStoreProvider.class);
                 actionTokenStore.put(actionTokenKey, null); // Token is invalidated
             }
         }
 
         if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) {
             LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
                     .setSuccess(Messages.ACCOUNT_UPDATED);
             if (authSession.getAuthNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) {
                 if (authSession.getRedirectUri() != null) {
                     infoPage.setAttribute("pageRedirectUri", authSession.getRedirectUri());
                 }
 
             } else {
                 infoPage.setAttribute(Constants.SKIP_LINK, true);
             }
             Response response = infoPage
                     .createInfoPage();
 
             new AuthenticationSessionManager(session).removeAuthenticationSession(authSession.getRealm(), authSession, true);
 
             return response;
         }
         RealmModel realm = authSession.getRealm();
 
         ClientSessionContext clientSessionCtx = AuthenticationProcessor.attachSession(authSession, userSession, session, realm, clientConnection, event);
         userSession = clientSessionCtx.getClientSession().getUserSession();
 
         event.event(EventType.LOGIN);
         event.session(userSession);
         event.success();
         return redirectAfterSuccessfulFlow(session, realm, userSession, clientSessionCtx, request, uriInfo, clientConnection, event, authSession.getProtocol());
     }

◆ frontchannelLogoutClientSession()

static Response org.keycloak.services.managers.AuthenticationManager.frontchannelLogoutClientSession	(	KeycloakSession	session,
		RealmModel	realm,
		AuthenticatedClientSessionModel	clientSession,
		AuthenticationSessionModel	logoutAuthSession,
		UriInfo	uriInfo,
		HttpHeaders	headers
	)

inlinestaticprivate

                                             {
         UserSessionModel userSession = clientSession.getUserSession();
         ClientModel client = clientSession.getClient();
 
         if (! client.isFrontchannelLogout() || AuthenticationSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) {
             return null;
         }
 
         final AuthenticationSessionModel.Action logoutState = getClientLogoutAction(logoutAuthSession, client.getId());
 
         if (logoutState == AuthenticationSessionModel.Action.LOGGED_OUT || logoutState == AuthenticationSessionModel.Action.LOGGING_OUT) {
             return null;
         }
 
         try {
             setClientLogoutAction(logoutAuthSession, client.getId(), AuthenticationSessionModel.Action.LOGGING_OUT);
 
             String authMethod = clientSession.getProtocol();
             if (authMethod == null) return null; // must be a keycloak service like account
 
             logger.debugv("frontchannel logout to: {0}", client.getClientId());
             LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod);
             protocol.setRealm(realm)
                     .setHttpHeaders(headers)
                     .setUriInfo(uriInfo);
 
             Response response = protocol.frontchannelLogout(userSession, clientSession);
             if (response != null) {
                 logger.debug("returning frontchannel logout request to client");
                 // setting this to logged out cuz I'm not sure protocols can always verify that the client was logged out or not
 
                 setClientLogoutAction(logoutAuthSession, client.getId(), AuthenticationSessionModel.Action.LOGGED_OUT);
 
                 return response;
             }
         } catch (Exception e) {
             ServicesLogger.LOGGER.failedToLogoutClient(e);
         }
 
         return null;
     }

◆ getAccountCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getAccountCookiePath	(	RealmModel	realm,
		UriInfo	uriInfo
	)

inlinestatic

                                                                                  {
         URI uri = RealmsResource.accountUrl(uriInfo.getBaseUriBuilder()).build(realm.getName());
         return uri.getRawPath();
     }

◆ getClientLogoutAction()

static AuthenticationSessionModel.Action org.keycloak.services.managers.AuthenticationManager.getClientLogoutAction	(	AuthenticationSessionModel	logoutAuthSession,
		String	clientUuid
	)

inlinestatic

Returns the logout state of the particular client as per the

logoutAuthSession

引数

logoutAuthSession	logoutAuthSession. May be null in which case this is a no-op.
clientUuid	Internal ID of the client. Must not be null

戻り値: State if it can be determined,
null
otherwise.

                                                                                                                                            {
         if (logoutAuthSession == null || clientUuid == null) {
             return null;
         }
 
         String state = logoutAuthSession.getAuthNote(CLIENT_LOGOUT_STATE + clientUuid);
         return state == null ? null : AuthenticationSessionModel.Action.valueOf(state);
     }

◆ getClientScopesToApproveOnConsentScreen()

static List<ClientScopeModel> org.keycloak.services.managers.AuthenticationManager.getClientScopesToApproveOnConsentScreen	(	RealmModel	realm,
		UserConsentModel	grantedConsent,
		AuthenticationSessionModel	authSession
	)

inlinestaticprivate

                                                                                                                           {
         // Client Scopes to be displayed on consent screen
         List<ClientScopeModel> clientScopesToDisplay = new LinkedList<>();
 
         for (String clientScopeId : authSession.getClientScopes()) {
             ClientScopeModel clientScope = KeycloakModelUtils.findClientScopeById(realm, clientScopeId);
 
             if (clientScope == null || !clientScope.isDisplayOnConsentScreen()) {
                 continue;
             }
 
             // Check if consent already granted by user
             if (grantedConsent == null || !grantedConsent.isClientScopeGranted(clientScope)) {
                 clientScopesToDisplay.add(clientScope);
             }
         }
 
         return clientScopesToDisplay;
     }

◆ getEffectiveGrantedConsent()

static UserConsentModel org.keycloak.services.managers.AuthenticationManager.getEffectiveGrantedConsent	(	KeycloakSession	session,
		AuthenticationSessionModel	authSession
	)

inlinestaticprivate

                                                                                                                                 {
         // If prompt=consent, we ignore existing persistent consent
         String prompt = authSession.getClientNote(OIDCLoginProtocol.PROMPT_PARAM);
         if (TokenUtil.hasPrompt(prompt, OIDCLoginProtocol.PROMPT_VALUE_CONSENT)) {
             return null;
         } else {
             final RealmModel realm = authSession.getRealm();
             final UserModel user = authSession.getAuthenticatedUser();
             final ClientModel client = authSession.getClient();
 
             return session.users().getConsentByClient(realm, user.getId(), client.getId());
         }
     }

◆ getIdentityCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getIdentityCookiePath	(	RealmModel	realm,
		UriInfo	uriInfo
	)

inlinestaticprotected

                                                                                      {
         return getRealmCookiePath(realm, uriInfo);
     }

◆ getOldCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getOldCookiePath	(	RealmModel	realm,
		UriInfo	uriInfo
	)

inlinestatic

                                                                              {
         URI uri = RealmsResource.realmBaseUrl(uriInfo).build(realm.getName());
         return uri.getRawPath();
     }

◆ getRealmCookiePath()

static String org.keycloak.services.managers.AuthenticationManager.getRealmCookiePath	(	RealmModel	realm,
		UriInfo	uriInfo
	)

inlinestatic

                                                                                {
         URI uri = RealmsResource.realmBaseUrl(uriInfo).build(realm.getName());
         // KEYCLOAK-5270
         return uri.getRawPath() + "/";
     }

◆ getRememberMeUsername()

static String org.keycloak.services.managers.AuthenticationManager.getRememberMeUsername	(	RealmModel	realm,
		HttpHeaders	headers
	)

inlinestatic

                                                                                       {
         if (realm.isRememberMe()) {
             Cookie cookie = headers.getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
             if (cookie != null) {
                 String value = cookie.getValue();
                 String[] s = value.split(":");
                 if (s[0].equals("username") && s.length == 2) {
                     return s[1];
                 }
             }
         }
         return null;
     }

◆ isOfflineSessionValid()

static boolean org.keycloak.services.managers.AuthenticationManager.isOfflineSessionValid	(	RealmModel	realm,
		UserSessionModel	userSession
	)

inlinestatic

                                                                                                 {
         if (userSession == null) {
             logger.debug("No offline user session");
             return false;
         }
         int currentTime = Time.currentTime();
         // Additional time window is added for the case when session was updated in different DC and the update to current DC was postponed
         int maxIdle = realm.getOfflineSessionIdleTimeout() + SessionTimeoutHelper.IDLE_TIMEOUT_WINDOW_SECONDS;
 
         // KEYCLOAK-7688 Offline Session Max for Offline Token
         if (realm.isOfflineSessionMaxLifespanEnabled()) {
             int max = userSession.getStarted() + realm.getOfflineSessionMaxLifespan();
             return userSession.getLastSessionRefresh() + maxIdle > currentTime && max > currentTime;
         } else {
             return userSession.getLastSessionRefresh() + maxIdle > currentTime;
         }
     }

◆ isSessionValid()

static boolean org.keycloak.services.managers.AuthenticationManager.isSessionValid	(	RealmModel	realm,
		UserSessionModel	userSession
	)

inlinestatic

                                                                                          {
         if (userSession == null) {
             logger.debug("No user session");
             return false;
         }
         int currentTime = Time.currentTime();
         int max = userSession.getStarted() + realm.getSsoSessionMaxLifespan();
 
         // Additional time window is added for the case when session was updated in different DC and the update to current DC was postponed
         int maxIdle = realm.getSsoSessionIdleTimeout() + SessionTimeoutHelper.IDLE_TIMEOUT_WINDOW_SECONDS;
 
         return userSession.getLastSessionRefresh() + maxIdle > currentTime && max > currentTime;
     }

◆ isSSOAuthentication()

static boolean org.keycloak.services.managers.AuthenticationManager.isSSOAuthentication ( AuthenticatedClientSessionModel clientSession )

inlinestatic

                                                                                              {
         String ssoAuth = clientSession.getNote(SSO_AUTH);
         return Boolean.parseBoolean(ssoAuth);
     }

◆ nextActionAfterAuthentication()

static Response org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication	(	KeycloakSession	session,
		AuthenticationSessionModel	authSession,
		ClientConnection	clientConnection,
		HttpRequest	request,
		UriInfo	uriInfo,
		EventBuilder	event
	)

inlinestatic

                                                                                                             {
         Response requiredAction = actionRequired(session, authSession, clientConnection, request, uriInfo, event);
         if (requiredAction != null) return requiredAction;
         return finishedRequiredActions(session, authSession, null, clientConnection, request, uriInfo, event);
 
     }

◆ nextRequiredAction()

static String org.keycloak.services.managers.AuthenticationManager.nextRequiredAction	(	final KeycloakSession	session,
		final AuthenticationSessionModel	authSession,
		final ClientConnection	clientConnection,
		final HttpRequest	request,
		final UriInfo	uriInfo,
		final EventBuilder	event
	)

inlinestatic

                                                                                                                         {
         final RealmModel realm = authSession.getRealm();
         final UserModel user = authSession.getAuthenticatedUser();
         final ClientModel client = authSession.getClient();
 
         evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user);
 
         if (!user.getRequiredActions().isEmpty()) {
             return user.getRequiredActions().iterator().next();
         }
         if (!authSession.getRequiredActions().isEmpty()) {
             return authSession.getRequiredActions().iterator().next();
         }
 
         if (client.isConsentRequired()) {
 
             UserConsentModel grantedConsent = getEffectiveGrantedConsent(session, authSession);
 
             // See if any clientScopes need to be approved on consent screen
             List<ClientScopeModel> clientScopesToApprove = getClientScopesToApproveOnConsentScreen(realm, grantedConsent, authSession);
             if (!clientScopesToApprove.isEmpty()) {
                 return CommonClientSessionModel.Action.OAUTH_GRANT.name();
             }
 
             String consentDetail = (grantedConsent != null) ? Details.CONSENT_VALUE_PERSISTED_CONSENT : Details.CONSENT_VALUE_NO_CONSENT_REQUIRED;
             event.detail(Details.CONSENT, consentDetail);
         } else {
             event.detail(Details.CONSENT, Details.CONSENT_VALUE_NO_CONSENT_REQUIRED);
         }
         return null;
 
     }

◆ redirectAfterSuccessfulFlow() [1/2]

static Response org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow	(	KeycloakSession	session,
		RealmModel	realm,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx,
		HttpRequest	request,
		UriInfo	uriInfo,
		ClientConnection	clientConnection,
		EventBuilder	event,
		String	protocol
	)

inlinestatic

                                                                                      {
         LoginProtocol protocolImpl = session.getProvider(LoginProtocol.class, protocol);
         protocolImpl.setRealm(realm)
                 .setHttpHeaders(request.getHttpHeaders())
                 .setUriInfo(uriInfo)
                 .setEventBuilder(event);
         return redirectAfterSuccessfulFlow(session, realm, userSession, clientSessionCtx, request, uriInfo, clientConnection, event, protocolImpl);
 
     }

◆ redirectAfterSuccessfulFlow() [2/2]

static Response org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow	(	KeycloakSession	session,
		RealmModel	realm,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx,
		HttpRequest	request,
		UriInfo	uriInfo,
		ClientConnection	clientConnection,
		EventBuilder	event,
		LoginProtocol	protocol
	)

inlinestatic

                                                                                                    {
         Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
         if (sessionCookie != null) {
 
             String[] split = sessionCookie.getValue().split("/");
             if (split.length >= 3) {
                 String oldSessionId = split[2];
                 if (!oldSessionId.equals(userSession.getId())) {
                     UserSessionModel oldSession = session.sessions().getUserSession(realm, oldSessionId);
                     if (oldSession != null) {
                         logger.debugv("Removing old user session: session: {0}", oldSessionId);
                         session.sessions().removeUserSession(realm, oldSession);
                     }
                 }
             }
         }
 
         // Updates users locale if required
         session.getContext().resolveLocale(userSession.getUser());
 
         // refresh the cookies!
         createLoginCookie(session, realm, userSession.getUser(), userSession, uriInfo, clientConnection);
         if (userSession.getState() != UserSessionModel.State.LOGGED_IN) userSession.setState(UserSessionModel.State.LOGGED_IN);
         if (userSession.isRememberMe()) {
             createRememberMeCookie(realm, userSession.getLoginUsername(), uriInfo, clientConnection);
         } else {
             expireRememberMeCookie(realm, uriInfo, clientConnection);
         }
 
         AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
 
         // Update userSession note with authTime. But just if flag SSO_AUTH is not set
         boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
         if (isSSOAuthentication) {
             clientSession.setNote(SSO_AUTH, "true");
         } else {
             int authTime = Time.currentTime();
             userSession.setNote(AUTH_TIME, String.valueOf(authTime));
             clientSession.removeNote(SSO_AUTH);
         }
 
         return protocol.authenticated(userSession, clientSessionCtx);
 
     }

◆ redirectToRequiredActions()

static Response org.keycloak.services.managers.AuthenticationManager.redirectToRequiredActions	(	KeycloakSession	session,
		RealmModel	realm,
		AuthenticationSessionModel	authSession,
		UriInfo	uriInfo,
		String	requiredAction
	)

inlinestatic

                                                                                                                                                                                 {
         // redirect to non-action url so browser refresh button works without reposting past data
         ClientSessionCode<AuthenticationSessionModel> accessCode = new ClientSessionCode<>(session, realm, authSession);
         accessCode.setAction(AuthenticationSessionModel.Action.REQUIRED_ACTIONS.name());
         authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, LoginActionsService.REQUIRED_ACTION);
         authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, requiredAction);
 
         UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo)
                 .path(LoginActionsService.REQUIRED_ACTION);
 
         if (requiredAction != null) {
             uriBuilder.queryParam(Constants.EXECUTION, requiredAction);
         }
 
         uriBuilder.queryParam(Constants.CLIENT_ID, authSession.getClient().getClientId());
         uriBuilder.queryParam(Constants.TAB_ID, authSession.getTabId());
 
         if (uriInfo.getQueryParameters().containsKey(LoginActionsService.AUTH_SESSION_ID)) {
             uriBuilder.queryParam(LoginActionsService.AUTH_SESSION_ID, authSession.getParentSession().getId());
 
         }
 
         URI redirect = uriBuilder.build(realm.getName());
         return Response.status(302).location(redirect).build();
 
     }

◆ setClientLogoutAction()

static void org.keycloak.services.managers.AuthenticationManager.setClientLogoutAction	(	AuthenticationSessionModel	logoutAuthSession,
		String	clientUuid,
		AuthenticationSessionModel.Action	action
	)

inlinestatic

Sets logout state of the particular client into the

logoutAuthSession

引数

logoutAuthSession	logoutAuthSession. May be null in which case this is a no-op.
clientUuid	Client. Must not be null
action

                                                                                                                                                         {
         if (logoutAuthSession != null && clientUuid != null) {
             logoutAuthSession.setAuthNote(CLIENT_LOGOUT_STATE + clientUuid, action.name());
         }
     }

◆ setClientScopesInSession()

static void org.keycloak.services.managers.AuthenticationManager.setClientScopesInSession ( AuthenticationSessionModel authSession )

inlinestatic

                                                                                         {
         ClientModel client = authSession.getClient();
         UserModel user = authSession.getAuthenticatedUser();
 
         // todo scope param protocol independent
         String scopeParam = authSession.getClientNote(OAuth2Constants.SCOPE);
 
         Set<String> requestedClientScopes = new HashSet<String>();
         for (ClientScopeModel clientScope : org.keycloak.protocol.oidc.TokenManager.getRequestedClientScopes(scopeParam, client)) {
             requestedClientScopes.add(clientScope.getId());
         }
         authSession.setClientScopes(requestedClientScopes);
     }

◆ sortRequiredActionsByPriority()

static List<RequiredActionProviderModel> org.keycloak.services.managers.AuthenticationManager.sortRequiredActionsByPriority	(	RealmModel	realm,
		Set< String >	requiredActions
	)

inlinestaticprivate

                                                                                                                                   {
         List<RequiredActionProviderModel> actions = new ArrayList<>();
         for (String action : requiredActions) {
             RequiredActionProviderModel model = realm.getRequiredActionProviderByAlias(action);
             if (model == null) {
                 logger.warnv("Could not find configuration for Required Action {0}, did you forget to register it?", action);
                 continue;
             }
             if (!model.isEnabled()) {
                 continue;
             }
             actions.add(model);
         }
         Collections.sort(actions, RequiredActionProviderModel.RequiredActionComparator.SINGLETON);
         return actions;
     }

◆ verifyIdentityToken()

static AuthResult org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken	(	KeycloakSession	session,
		RealmModel	realm,
		UriInfo	uriInfo,
		ClientConnection	connection,
		boolean	checkActive,
		boolean	checkTokenType,
		boolean	isCookie,
		String	tokenString,
		HttpHeaders	headers
	)

inlinestatic

                                                                                                                {
         try {
             TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
               .withDefaultChecks()
               .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
               .checkActive(checkActive)
               .checkTokenType(checkTokenType);
             String kid = verifier.getHeader().getKeyId();
             String algorithm = verifier.getHeader().getAlgorithm().name();
 
             SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
             verifier.verifierContext(signatureVerifier);
 
             AccessToken token = verifier.verify().getToken();
             if (checkActive) {
                 if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
                     logger.debug("Identity cookie expired");
                     return null;
                 }
             }
 
             UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
             UserModel user = null;
             if (userSession != null) {
                 user = userSession.getUser();
                 if (user == null || !user.isEnabled()) {
                     logger.debug("Unknown user in identity token");
                     return null;
                 }
 
                 int userNotBefore = session.users().getNotBeforeOfUser(realm, user);
                 if (token.getIssuedAt() < userNotBefore) {
                     logger.debug("User notBefore newer than token");
                     return null;
                 }
             }
 
             if (!isSessionValid(realm, userSession)) {
                 // Check if accessToken was for the offline session.
                 if (!isCookie) {
                     UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
                     if (isOfflineSessionValid(realm, offlineUserSession)) {
                         user = offlineUserSession.getUser();
                         return new AuthResult(user, offlineUserSession, token);
                     }
                 }
 
                 if (userSession != null) backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
                 logger.debug("User session not active");
                 return null;
             }
 
             session.setAttribute("state_checker", token.getOtherClaims().get("state_checker"));
 
             return new AuthResult(user, userSession, token);
         } catch (VerificationException e) {
             logger.debugf("Failed to verify identity token: %s", e.getMessage());
         }
         return null;
     }

メンバ詳解

◆ AUTH_TIME

final String org.keycloak.services.managers.AuthenticationManager.AUTH_TIME = "AUTH_TIME"

static

◆ CLIENT_LOGOUT_STATE

final String org.keycloak.services.managers.AuthenticationManager.CLIENT_LOGOUT_STATE = "logout.state."

static

Auth session note on client logout state (when logging out)

◆ END_AFTER_REQUIRED_ACTIONS

final String org.keycloak.services.managers.AuthenticationManager.END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS"

static

◆ FORM_USERNAME

final String org.keycloak.services.managers.AuthenticationManager.FORM_USERNAME = "username"

static

◆ INVALIDATE_ACTION_TOKEN

final String org.keycloak.services.managers.AuthenticationManager.INVALIDATE_ACTION_TOKEN = "INVALIDATE_ACTION_TOKEN"

static

◆ KEYCLOAK_IDENTITY_COOKIE

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY"

static

◆ KEYCLOAK_LOGOUT_PROTOCOL

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL = "KEYCLOAK_LOGOUT_PROTOCOL"

static

◆ KEYCLOAK_REMEMBER_ME

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME"

static

◆ KEYCLOAK_SESSION_COOKIE

final String org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION"

static

◆ logger

final Logger org.keycloak.services.managers.AuthenticationManager.logger = Logger.getLogger(AuthenticationManager.class)

staticprotected

◆ SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS

final String org.keycloak.services.managers.AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS = "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS"

static

◆ SSO_AUTH

final String org.keycloak.services.managers.AuthenticationManager.SSO_AUTH = "SSO_AUTH"

static

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

クラス

公開メンバ関数

静的公開メンバ関数

静的公開変数類

静的限定公開メンバ関数

静的限定公開変数類

静的非公開メンバ関数

詳解

クラス詳解

◆ org::keycloak::services::managers::AuthenticationManager::AuthenticationStatus

関数詳解

◆ actionRequired()

◆ authenticateIdentityCookie() [1/2]

◆ authenticateIdentityCookie() [2/2]

◆ backchannelLogout() [1/3]

◆ backchannelLogout() [2/3]

◆ backchannelLogout() [3/3]

◆ backchannelLogoutAll()

◆ backchannelLogoutClientSession()

◆ backchannelLogoutUserFromClient()

◆ browserLogout()

◆ browserLogoutAllClients()

◆ checkUserSessionOnlyHasLoggedOutClients()

◆ createIdentityToken()

◆ createLoginCookie()

◆ createOrJoinLogoutSession()

◆ createRememberMeCookie()

◆ createRequiredAction()

◆ evaluateRequiredActionTriggers()

◆ executionActions()

◆ expireCookie()

◆ expireIdentityCookie()

◆ expireOldAuthSessionCookie()

◆ expireOldIdentityCookie()

◆ expireRememberMeCookie()

◆ expireUserSessionCookie()

◆ finishBrowserLogout()

◆ finishedRequiredActions()

◆ frontchannelLogoutClientSession()

◆ getAccountCookiePath()

◆ getClientLogoutAction()

◆ getClientScopesToApproveOnConsentScreen()

◆ getEffectiveGrantedConsent()

◆ getIdentityCookiePath()

◆ getOldCookiePath()

◆ getRealmCookiePath()

◆ getRememberMeUsername()

◆ isOfflineSessionValid()

◆ isSessionValid()

◆ isSSOAuthentication()

◆ nextActionAfterAuthentication()

◆ nextRequiredAction()

◆ redirectAfterSuccessfulFlow() [1/2]

◆ redirectAfterSuccessfulFlow() [2/2]

◆ redirectToRequiredActions()

◆ setClientLogoutAction()

◆ setClientScopesInSession()

◆ sortRequiredActionsByPriority()

◆ verifyIdentityToken()

メンバ詳解

◆ AUTH_TIME

◆ CLIENT_LOGOUT_STATE

◆ END_AFTER_REQUIRED_ACTIONS

◆ FORM_USERNAME

◆ INVALIDATE_ACTION_TOKEN

◆ KEYCLOAK_IDENTITY_COOKIE

◆ KEYCLOAK_LOGOUT_PROTOCOL

◆ KEYCLOAK_REMEMBER_ME

◆ KEYCLOAK_SESSION_COOKIE

◆ logger

◆ SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS

◆ SSO_AUTH