org.keycloak.services.resources.LoginActionsService 連携図

公開メンバ関数
	LoginActionsService (RealmModel realm, EventBuilder event)

Response	restartSession (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	authenticate (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	authenticateForm (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	resetCredentialsPOST (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId, @QueryParam(Constants.KEY) String key)

Response	resetCredentialsGET (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	executeActionToken (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(Constants.KEY) String key, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	registerPage (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	processRegister (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	firstBrokerLoginGet (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	firstBrokerLoginPost (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	postBrokerLoginGet (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	postBrokerLoginPost (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) String code, @QueryParam(Constants.EXECUTION) String execution, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	processConsent (final MultivaluedMap< String, String > formData)

Response	requiredActionPOST (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) final String code, @QueryParam(Constants.EXECUTION) String action, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

Response	requiredActionGET (@QueryParam(AUTH_SESSION_ID) String authSessionId, @QueryParam(SESSION_CODE) final String code, @QueryParam(Constants.EXECUTION) String action, @QueryParam(Constants.CLIENT_ID) String clientId, @QueryParam(Constants.TAB_ID) String tabId)

静的公開メンバ関数
static UriBuilder	loginActionsBaseUrl (UriInfo uriInfo)

static UriBuilder	authenticationFormProcessor (UriInfo uriInfo)

static UriBuilder	requiredActionProcessor (UriInfo uriInfo)

static UriBuilder	actionTokenProcessor (UriInfo uriInfo)

static UriBuilder	registrationFormProcessor (UriInfo uriInfo)

static UriBuilder	firstBrokerLoginProcessor (UriInfo uriInfo)

static UriBuilder	postBrokerLoginProcessor (UriInfo uriInfo)

static UriBuilder	loginActionsBaseUrl (UriBuilder baseUriBuilder)

static Response	redirectToAfterBrokerLoginEndpoint (KeycloakSession session, RealmModel realm, UriInfo uriInfo, AuthenticationSessionModel authSession, boolean firstBrokerLogin)

静的公開変数類
static final String	AUTHENTICATE_PATH = "authenticate"

static final String	REGISTRATION_PATH = "registration"

static final String	RESET_CREDENTIALS_PATH = "reset-credentials"

static final String	REQUIRED_ACTION = "required-action"

static final String	FIRST_BROKER_LOGIN_PATH = "first-broker-login"

static final String	POST_BROKER_LOGIN_PATH = "post-broker-login"

static final String	RESTART_PATH = "restart"

static final String	FORWARDED_ERROR_MESSAGE_NOTE = "forwardedErrorMessage"

static final String	SESSION_CODE = "session_code"

static final String	AUTH_SESSION_ID = "auth_session_id"

限定公開メンバ関数
URI	getLastExecutionUrl (String flowPath, String executionId, String clientId, String tabId)

Response	processAuthentication (boolean action, String execution, AuthenticationSessionModel authSession, String errorMessage)

Response	processFlow (boolean action, String execution, AuthenticationSessionModel authSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor)

Response	resetCredentials (String authSessionId, String code, String execution, String clientId, String tabId)

Response	processResetCredentials (boolean actionRequest, String execution, AuthenticationSessionModel authSession, String errorMessage)

Response	processRegistration (boolean action, String execution, AuthenticationSessionModel authSession, String errorMessage)

Response	brokerLoginFlow (String authSessionId, String code, String execution, String clientId, String tabId, String flowPath)

限定公開変数類
HttpHeaders	headers

Providers	providers

KeycloakSession	session

関数
AuthenticationSessionModel	createAuthenticationSessionForClient () throws UriBuilderException, IllegalArgumentException

protected< T extends JsonWebToken &ActionTokenKeyModel > Response	handleActionToken (String tokenString, String execution, String clientId, String tabId)

private< T extends JsonWebToken > ActionTokenHandler< T >	resolveActionTokenHandler (String actionId) throws VerificationException

非公開メンバ関数
boolean	checkSsl ()

SessionCodeChecks	checksForCode (String authSessionId, String code, String execution, String clientId, String tabId, String flowPath)

Response	processFlowFromPath (String flowPath, AuthenticationSessionModel authSession, String errorMessage)

Response	handleActionTokenVerificationException (ActionTokenContext<?> tokenContext, VerificationException ex, String eventError, String errorMessage)

Response	registerRequest (String authSessionId, String code, String execution, String clientId, String tabId, boolean isPostRequest)

Response	redirectToAfterBrokerLoginEndpoint (AuthenticationSessionModel authSession, boolean firstBrokerLogin)

void	initLoginEvent (AuthenticationSessionModel authSession)

Response	processRequireAction (final String authSessionId, final String code, String action, String clientId, String tabId)

非公開変数類
RealmModel	realm

HttpRequest	request

ClientConnection	clientConnection

EventBuilder	event

静的非公開変数類
static final Logger	logger = Logger.getLogger(LoginActionsService.class)

詳解

著者: Stian Thorgersen

構築子と解体子

◆ LoginActionsService()

org.keycloak.services.resources.LoginActionsService.LoginActionsService	(	RealmModel	realm,
		EventBuilder	event
	)

inline

                                                                      {
         this.realm = realm;
         this.event = event;
         CacheControlUtil.noBackButtonCacheControlHeader();
     }

関数詳解

◆ actionTokenProcessor()

static UriBuilder org.keycloak.services.resources.LoginActionsService.actionTokenProcessor ( UriInfo uriInfo )

inlinestatic

                                                                    {
         return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "executeActionToken");
     }

◆ authenticate()

Response org.keycloak.services.resources.LoginActionsService.authenticate	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

protocol independent login page entry point

引数

code

戻り値

                                                                              {
         event.event(EventType.LOGIN);
 
         SessionCodeChecks checks = checksForCode(authSessionId, code, execution, clientId, tabId, AUTHENTICATE_PATH);
         if (!checks.verifyActiveAndValidAction(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
             return checks.getResponse();
         }
 
         AuthenticationSessionModel authSession = checks.getAuthenticationSession();
         boolean actionRequest = checks.isActionRequest();
 
         return processAuthentication(actionRequest, execution, authSession, null);
     }

◆ authenticateForm()

Response org.keycloak.services.resources.LoginActionsService.authenticateForm	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

URL called after login page. YOU SHOULD NEVER INVOKE THIS DIRECTLY!

引数

code

戻り値

                                                                                  {
         return authenticate(authSessionId, code, execution, clientId, tabId);
     }

◆ authenticationFormProcessor()

static UriBuilder org.keycloak.services.resources.LoginActionsService.authenticationFormProcessor ( UriInfo uriInfo )

inlinestatic

                                                                           {
         return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "authenticateForm");
     }

◆ brokerLoginFlow()

Response org.keycloak.services.resources.LoginActionsService.brokerLoginFlow	(	String	authSessionId,
		String	code,
		String	execution,
		String	clientId,
		String	tabId,
		String	flowPath
	)

inlineprotected

                                                                                                                                             {
         boolean firstBrokerLogin = flowPath.equals(FIRST_BROKER_LOGIN_PATH);
 
         EventType eventType = firstBrokerLogin ? EventType.IDENTITY_PROVIDER_FIRST_LOGIN : EventType.IDENTITY_PROVIDER_POST_LOGIN;
         event.event(eventType);
 
         SessionCodeChecks checks = checksForCode(authSessionId, code, execution, clientId, tabId, flowPath);
         if (!checks.verifyActiveAndValidAction(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
             return checks.getResponse();
         }
         event.detail(Details.CODE_ID, code);
         final AuthenticationSessionModel authSession = checks.getAuthenticationSession();
 
         String noteKey = firstBrokerLogin ? AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE : PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT;
         SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, noteKey);
         if (serializedCtx == null) {
             ServicesLogger.LOGGER.notFoundSerializedCtxInClientSession(noteKey);
             throw new WebApplicationException(ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, "Not found serialized context in authenticationSession."));
         }
         BrokeredIdentityContext brokerContext = serializedCtx.deserialize(session, authSession);
         final String identityProviderAlias = brokerContext.getIdpConfig().getAlias();
 
         String flowId = firstBrokerLogin ? brokerContext.getIdpConfig().getFirstBrokerLoginFlowId() : brokerContext.getIdpConfig().getPostBrokerLoginFlowId();
         if (flowId == null) {
             ServicesLogger.LOGGER.flowNotConfigForIDP(identityProviderAlias);
             throw new WebApplicationException(ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, "Flow not configured for identity provider"));
         }
         AuthenticationFlowModel brokerLoginFlow = realm.getAuthenticationFlowById(flowId);
         if (brokerLoginFlow == null) {
             ServicesLogger.LOGGER.flowNotFoundForIDP(flowId, identityProviderAlias);
             throw new WebApplicationException(ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, "Flow not found for identity provider"));
         }
 
         event.detail(Details.IDENTITY_PROVIDER, identityProviderAlias)
                 .detail(Details.IDENTITY_PROVIDER_USERNAME, brokerContext.getUsername());
 
 
         AuthenticationProcessor processor = new AuthenticationProcessor() {
 
             @Override
             protected Response authenticationComplete() {
                 if (firstBrokerLogin) {
                     authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, identityProviderAlias);
                 } else {
                     String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + identityProviderAlias;
                     authSession.setAuthNote(authStateNoteKey, "true");
                 }
 
                 return redirectToAfterBrokerLoginEndpoint(authSession, firstBrokerLogin);
             }
 
         };
 
         return processFlow(checks.isActionRequest(), execution, authSession, flowPath, brokerLoginFlow, null, processor);
     }

◆ checksForCode()

SessionCodeChecks org.keycloak.services.resources.LoginActionsService.checksForCode	(	String	authSessionId,
		String	code,
		String	execution,
		String	clientId,
		String	tabId,
		String	flowPath
	)

inlineprivate

                                                                                                                                                  {
         SessionCodeChecks res = new SessionCodeChecks(realm, session.getContext().getUri(), request, clientConnection, session, event, authSessionId, code, execution, clientId, tabId, flowPath);
         res.initialVerify();
         return res;
     }

◆ checkSsl()

boolean org.keycloak.services.resources.LoginActionsService.checkSsl ( )

inlineprivate

                                {
         if (session.getContext().getUri().getBaseUri().getScheme().equals("https")) {
             return true;
         } else {
             return !realm.getSslRequired().isRequired(clientConnection);
         }
     }

◆ createAuthenticationSessionForClient()

AuthenticationSessionModel org.keycloak.services.resources.LoginActionsService.createAuthenticationSessionForClient ( ) throws UriBuilderException, IllegalArgumentException

inlinepackage

                                                            {
         AuthenticationSessionModel authSession;
 
         // set up the account service as the endpoint to call.
         ClientModel client = SystemClientUtil.getSystemClient(realm);
 
         RootAuthenticationSessionModel rootAuthSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, true);
         authSession = rootAuthSession.createAuthenticationSession(client);
 
         authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
         //authSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
         authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
         String redirectUri = Urls.accountBase(session.getContext().getUri().getBaseUri()).path("/").build(realm.getName()).toString();
         authSession.setRedirectUri(redirectUri);
         authSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE);
         authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri);
         authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
 
         return authSession;
     }

◆ executeActionToken()

Response org.keycloak.services.resources.LoginActionsService.executeActionToken	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(Constants.KEY) String	key,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

Handles a given token using the given token handler. If there is any VerificationException thrown in the handler, it is handled automatically here to reduce boilerplate code.

引数

key
execution

戻り値

                                                                                    {
         return handleActionToken(key, execution, clientId, tabId);
     }

◆ firstBrokerLoginGet()

Response org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

                                                                                     {
         return brokerLoginFlow(authSessionId, code, execution, clientId, tabId, FIRST_BROKER_LOGIN_PATH);
     }

◆ firstBrokerLoginPost()

Response org.keycloak.services.resources.LoginActionsService.firstBrokerLoginPost	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

                                                                                      {
         return brokerLoginFlow(authSessionId, code, execution, clientId, tabId, FIRST_BROKER_LOGIN_PATH);
     }

◆ firstBrokerLoginProcessor()

static UriBuilder org.keycloak.services.resources.LoginActionsService.firstBrokerLoginProcessor ( UriInfo uriInfo )

inlinestatic

                                                                         {
         return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "firstBrokerLoginGet");
     }

◆ getLastExecutionUrl()

URI org.keycloak.services.resources.LoginActionsService.getLastExecutionUrl	(	String	flowPath,
		String	executionId,
		String	clientId,
		String	tabId
	)

inlineprotected

                                                                                                           {
         return new AuthenticationFlowURLHelper(session, realm, session.getContext().getUri())
                 .getLastExecutionUrl(flowPath, executionId, clientId, tabId);
     }

◆ handleActionToken()

protected<T extends JsonWebToken & ActionTokenKeyModel> Response org.keycloak.services.resources.LoginActionsService.handleActionToken	(	String	tokenString,
		String	execution,
		String	clientId,
		String	tabId
	)

inlinepackage

                                                                                                                                                              {
         T token;
         ActionTokenHandler<T> handler;
         ActionTokenContext<T> tokenContext;
         String eventError = null;
         String defaultErrorMessage = null;
 
         AuthenticationSessionModel authSession = null;
 
         // Setup client, so error page will contain "back to application" link
         ClientModel client = null;
         if (clientId != null) {
             client = realm.getClientByClientId(clientId);
         }
         AuthenticationSessionManager authenticationSessionManager = new AuthenticationSessionManager(session);
         if (client != null) {
             session.getContext().setClient(client);
             authSession = authenticationSessionManager.getCurrentAuthenticationSession(realm, client, tabId);
         }
 
         event.event(EventType.EXECUTE_ACTION_TOKEN);
 
         // First resolve action token handler
         try {
             if (tokenString == null) {
                 throw new ExplainedTokenVerificationException(null, Errors.NOT_ALLOWED, Messages.INVALID_REQUEST);
             }
 
             TokenVerifier<DefaultActionTokenKey> tokenVerifier = TokenVerifier.create(tokenString, DefaultActionTokenKey.class);
             DefaultActionTokenKey aToken = tokenVerifier.getToken();
 
             event
               .detail(Details.TOKEN_ID, aToken.getId())
               .detail(Details.ACTION, aToken.getActionId())
               .user(aToken.getUserId());
 
             handler = resolveActionTokenHandler(aToken.getActionId());
             eventError = handler.getDefaultEventError();
             defaultErrorMessage = handler.getDefaultErrorMessage();
 
             if (! realm.isEnabled()) {
                 throw new ExplainedTokenVerificationException(aToken, Errors.REALM_DISABLED, Messages.REALM_NOT_ENABLED);
             }
             if (! checkSsl()) {
                 throw new ExplainedTokenVerificationException(aToken, Errors.SSL_REQUIRED, Messages.HTTPS_REQUIRED);
             }
 
             TokenVerifier<DefaultActionTokenKey> verifier = tokenVerifier
                     .withChecks(
                             // Token introspection checks
                             TokenVerifier.IS_ACTIVE,
                             new TokenVerifier.RealmUrlCheck(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName())),
                             ACTION_TOKEN_BASIC_CHECKS
                     );
 
             String kid = verifier.getHeader().getKeyId();
             String algorithm = verifier.getHeader().getAlgorithm().name();
 
             SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
             verifier.verifierContext(signatureVerifier);
 
             verifier.verify();
 
             token = TokenVerifier.create(tokenString, handler.getTokenClass()).getToken();
         } catch (TokenNotActiveException ex) {
             if (authSession != null) {
                 event.clone().error(Errors.EXPIRED_CODE);
                 String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
                 if (flowPath == null) {
                     flowPath = AUTHENTICATE_PATH;
                 }
                 AuthenticationProcessor.resetFlow(authSession, flowPath);
 
                 // Process correct flow
                 return processFlowFromPath(flowPath, authSession, Messages.EXPIRED_ACTION_TOKEN_SESSION_EXISTS);
             }
 
             return handleActionTokenVerificationException(null, ex, Errors.EXPIRED_CODE, Messages.EXPIRED_ACTION_TOKEN_NO_SESSION);
         } catch (ExplainedTokenVerificationException ex) {
             return handleActionTokenVerificationException(null, ex, ex.getErrorEvent(), ex.getMessage());
         } catch (ExplainedVerificationException ex) {
             return handleActionTokenVerificationException(null, ex, ex.getErrorEvent(), ex.getMessage());
         } catch (VerificationException ex) {
             return handleActionTokenVerificationException(null, ex, eventError, defaultErrorMessage);
         }
 
         // Now proceed with the verification and handle the token
         tokenContext = new ActionTokenContext(session, realm, session.getContext().getUri(), clientConnection, request, event, handler, execution, this::processFlow, this::brokerLoginFlow);
 
         try {
             String tokenAuthSessionCompoundId = handler.getAuthenticationSessionIdFromToken(token, tokenContext, authSession);
 
             if (tokenAuthSessionCompoundId != null) {
                 // This can happen if the token contains ID but user opens the link in a new browser
                 String sessionId = AuthenticationSessionCompoundId.encoded(tokenAuthSessionCompoundId).getRootSessionId();
                 LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, sessionId);
             }
 
             if (authSession == null) {
                 authSession = handler.startFreshAuthenticationSession(token, tokenContext);
                 tokenContext.setAuthenticationSession(authSession, true);
             } else if (tokenAuthSessionCompoundId == null ||
               ! LoginActionsServiceChecks.doesAuthenticationSessionFromCookieMatchOneFromToken(tokenContext, authSession, tokenAuthSessionCompoundId)) {
                 // There exists an authentication session but no auth session ID was received in the action token
                 logger.debugf("Authentication session in progress but no authentication session ID was found in action token %s, restarting.", token.getId());
                 authenticationSessionManager.removeAuthenticationSession(realm, authSession, false);
 
                 authSession = handler.startFreshAuthenticationSession(token, tokenContext);
                 tokenContext.setAuthenticationSession(authSession, true);
             }
 
             initLoginEvent(authSession);
             event.event(handler.eventType());
 
             LoginActionsServiceChecks.checkIsUserValid(token, tokenContext);
             LoginActionsServiceChecks.checkIsClientValid(token, tokenContext);
             
             session.getContext().setClient(authSession.getClient());
 
             TokenVerifier.createWithoutSignature(token)
               .withChecks(handler.getVerifiers(tokenContext))
               .verify();
 
             authSession = tokenContext.getAuthenticationSession();
             event = tokenContext.getEvent();
             event.event(handler.eventType());
 
             if (! handler.canUseTokenRepeatedly(token, tokenContext)) {
                 LoginActionsServiceChecks.checkTokenWasNotUsedYet(token, tokenContext);
                 authSession.setAuthNote(AuthenticationManager.INVALIDATE_ACTION_TOKEN, token.serializeKey());
             }
 
             authSession.setAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID, token.getUserId());
 
             authSession.setAuthNote(Constants.KEY, tokenString);
 
             return handler.handleToken(token, tokenContext);
         } catch (ExplainedTokenVerificationException ex) {
             return handleActionTokenVerificationException(tokenContext, ex, ex.getErrorEvent(), ex.getMessage());
         } catch (LoginActionsServiceException ex) {
             Response response = ex.getResponse();
             return response == null
               ? handleActionTokenVerificationException(tokenContext, ex, eventError, defaultErrorMessage)
               : response;
         } catch (VerificationException ex) {
             return handleActionTokenVerificationException(tokenContext, ex, eventError, defaultErrorMessage);
         }
     }

◆ handleActionTokenVerificationException()

Response org.keycloak.services.resources.LoginActionsService.handleActionTokenVerificationException	(	ActionTokenContext<?>	tokenContext,
		VerificationException	ex,
		String	eventError,
		String	errorMessage
	)

inlineprivate

                                                                                                                                                                   {
         if (tokenContext != null && tokenContext.getAuthenticationSession() != null) {
             new AuthenticationSessionManager(session).removeAuthenticationSession(realm, tokenContext.getAuthenticationSession(), true);
         }
 
         event
           .detail(Details.REASON, ex == null ? "<unknown>" : ex.getMessage())
           .error(eventError == null ? Errors.INVALID_CODE : eventError);
         return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, errorMessage == null ? Messages.INVALID_CODE : errorMessage);
     }

◆ initLoginEvent()

void org.keycloak.services.resources.LoginActionsService.initLoginEvent ( AuthenticationSessionModel authSession )

inlineprivate

                                                                         {
         String responseType = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
         if (responseType == null) {
             responseType = "code";
         }
         String respMode = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
         OIDCResponseMode responseMode = OIDCResponseMode.parse(respMode, OIDCResponseType.parse(responseType));
 
         event.event(EventType.LOGIN).client(authSession.getClient())
                 .detail(Details.CODE_ID, authSession.getParentSession().getId())
                 .detail(Details.REDIRECT_URI, authSession.getRedirectUri())
                 .detail(Details.AUTH_METHOD, authSession.getProtocol())
                 .detail(Details.RESPONSE_TYPE, responseType)
                 .detail(Details.RESPONSE_MODE, responseMode.toString().toLowerCase());
 
         UserModel authenticatedUser = authSession.getAuthenticatedUser();
         if (authenticatedUser != null) {
             event.user(authenticatedUser)
                     .detail(Details.USERNAME, authenticatedUser.getUsername());
         }
 
         String attemptedUsername = authSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
         if (attemptedUsername != null) {
             event.detail(Details.USERNAME, attemptedUsername);
         }
 
         String rememberMe = authSession.getAuthNote(Details.REMEMBER_ME);
         if (rememberMe==null || !rememberMe.equalsIgnoreCase("true")) {
             rememberMe = "false";
         }
         event.detail(Details.REMEMBER_ME, rememberMe);
 
         Map<String, String> userSessionNotes = authSession.getUserSessionNotes();
         String identityProvider = userSessionNotes.get(Details.IDENTITY_PROVIDER);
         if (identityProvider != null) {
             event.detail(Details.IDENTITY_PROVIDER, identityProvider)
                     .detail(Details.IDENTITY_PROVIDER_USERNAME, userSessionNotes.get(Details.IDENTITY_PROVIDER_USERNAME));
         }
     }

◆ loginActionsBaseUrl() [1/2]

static UriBuilder org.keycloak.services.resources.LoginActionsService.loginActionsBaseUrl ( UriInfo uriInfo )

inlinestatic

                                                                   {
         UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
         return loginActionsBaseUrl(baseUriBuilder);
     }

◆ loginActionsBaseUrl() [2/2]

static UriBuilder org.keycloak.services.resources.LoginActionsService.loginActionsBaseUrl ( UriBuilder baseUriBuilder )

inlinestatic

                                                                             {
         return baseUriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getLoginActionsService");
     }

◆ postBrokerLoginGet()

Response org.keycloak.services.resources.LoginActionsService.postBrokerLoginGet	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

                                                                                    {
         return brokerLoginFlow(authSessionId, code, execution, clientId, tabId, POST_BROKER_LOGIN_PATH);
     }

◆ postBrokerLoginPost()

Response org.keycloak.services.resources.LoginActionsService.postBrokerLoginPost	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

                                                                                     {
         return brokerLoginFlow(authSessionId, code, execution, clientId, tabId, POST_BROKER_LOGIN_PATH);
     }

◆ postBrokerLoginProcessor()

static UriBuilder org.keycloak.services.resources.LoginActionsService.postBrokerLoginProcessor ( UriInfo uriInfo )

inlinestatic

                                                                        {
         return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "postBrokerLoginGet");
     }

◆ processAuthentication()

Response org.keycloak.services.resources.LoginActionsService.processAuthentication	(	boolean	action,
		String	execution,
		AuthenticationSessionModel	authSession,
		String	errorMessage
	)

inlineprotected

                                                                                                                                             {
         return processFlow(action, execution, authSession, AUTHENTICATE_PATH, AuthenticationFlowResolver.resolveBrowserFlow(authSession), errorMessage, new AuthenticationProcessor());
     }

◆ processConsent()

Response org.keycloak.services.resources.LoginActionsService.processConsent ( final MultivaluedMap< String, String > formData )

inline

OAuth grant page. You should not invoked this directly!

引数

formData

戻り値

                                                                                   {
         event.event(EventType.LOGIN);
         String code = formData.getFirst(SESSION_CODE);
         String clientId = session.getContext().getUri().getQueryParameters().getFirst(Constants.CLIENT_ID);
         String tabId = session.getContext().getUri().getQueryParameters().getFirst(Constants.TAB_ID);
         SessionCodeChecks checks = checksForCode(null, code, null, clientId, tabId, REQUIRED_ACTION);
         if (!checks.verifyRequiredAction(AuthenticationSessionModel.Action.OAUTH_GRANT.name())) {
             return checks.getResponse();
         }
 
         AuthenticationSessionModel authSession = checks.getAuthenticationSession();
 
         initLoginEvent(authSession);
 
         UserModel user = authSession.getAuthenticatedUser();
         ClientModel client = authSession.getClient();
 
 
         if (formData.containsKey("cancel")) {
             LoginProtocol protocol = session.getProvider(LoginProtocol.class, authSession.getProtocol());
             protocol.setRealm(realm)
                     .setHttpHeaders(headers)
                     .setUriInfo(session.getContext().getUri())
                     .setEventBuilder(event);
             Response response = protocol.sendError(authSession, Error.CONSENT_DENIED);
             event.error(Errors.REJECTED_BY_USER);
             return response;
         }
 
         UserConsentModel grantedConsent = session.users().getConsentByClient(realm, user.getId(), client.getId());
         if (grantedConsent == null) {
             grantedConsent = new UserConsentModel(client);
             session.users().addConsent(realm, user.getId(), grantedConsent);
         }
 
         // Update may not be required if all clientScopes were already granted (May happen for example with prompt=consent)
         boolean updateConsentRequired = false;
 
         for (String clientScopeId : authSession.getClientScopes()) {
             ClientScopeModel clientScope = KeycloakModelUtils.findClientScopeById(realm, clientScopeId);
             if (clientScope != null) {
                 if (!grantedConsent.isClientScopeGranted(clientScope)) {
                     grantedConsent.addGrantedClientScope(clientScope);
                     updateConsentRequired = true;
                 }
             } else {
                 logger.warnf("Client scope with ID '%s' not found", clientScopeId);
             }
         }
 
         if (updateConsentRequired) {
             session.users().updateConsent(realm, user.getId(), grantedConsent);
         }
 
         event.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED);
         event.success();
 
         ClientSessionContext clientSessionCtx = AuthenticationProcessor.attachSession(authSession, null, session, realm, clientConnection, event);
         return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSessionCtx.getClientSession().getUserSession(), clientSessionCtx, request, session.getContext().getUri(), clientConnection, event, authSession.getProtocol());
     }

◆ processFlow()

Response org.keycloak.services.resources.LoginActionsService.processFlow	(	boolean	action,
		String	execution,
		AuthenticationSessionModel	authSession,
		String	flowPath,
		AuthenticationFlowModel	flow,
		String	errorMessage,
		AuthenticationProcessor	processor
	)

inlineprotected

                                                                                                                                                                                                                     {
         processor.setAuthenticationSession(authSession)
                 .setFlowPath(flowPath)
                 .setBrowserFlow(true)
                 .setFlowId(flow.getId())
                 .setConnection(clientConnection)
                 .setEventBuilder(event)
                 .setRealm(realm)
                 .setSession(session)
                 .setUriInfo(session.getContext().getUri())
                 .setRequest(request);
         if (errorMessage != null) {
             processor.setForwardedErrorMessage(new FormMessage(null, errorMessage));
         }
 
         // Check the forwarded error message, which was set by previous HTTP request
         String forwardedErrorMessage = authSession.getAuthNote(FORWARDED_ERROR_MESSAGE_NOTE);
         if (forwardedErrorMessage != null) {
             authSession.removeAuthNote(FORWARDED_ERROR_MESSAGE_NOTE);
             processor.setForwardedErrorMessage(new FormMessage(null, forwardedErrorMessage));
         }
 
 
         Response response;
         try {
             if (action) {
                 response = processor.authenticationAction(execution);
             } else {
                 response = processor.authenticate();
             }
         } catch (WebApplicationException e) {
             response = e.getResponse();
             authSession = processor.getAuthenticationSession();
         } catch (Exception e) {
             response = processor.handleBrowserException(e);
             authSession = processor.getAuthenticationSession(); // Could be changed (eg. Forked flow)
         }
 
         return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, response, action, request);
     }

◆ processFlowFromPath()

Response org.keycloak.services.resources.LoginActionsService.processFlowFromPath	(	String	flowPath,
		AuthenticationSessionModel	authSession,
		String	errorMessage
	)

inlineprivate

                                                                                                                        {
         if (AUTHENTICATE_PATH.equals(flowPath)) {
             return processAuthentication(false, null, authSession, errorMessage);
         } else if (REGISTRATION_PATH.equals(flowPath)) {
             return processRegistration(false, null, authSession, errorMessage);
         } else if (RESET_CREDENTIALS_PATH.equals(flowPath)) {
             return processResetCredentials(false, null, authSession, errorMessage);
         } else {
             return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, errorMessage == null ? Messages.INVALID_REQUEST : errorMessage);
         }
     }

◆ processRegister()

Response org.keycloak.services.resources.LoginActionsService.processRegister	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

Registration

引数

code

戻り値

                                                                                 {
         return registerRequest(authSessionId, code, execution, clientId,  tabId,true);
     }

◆ processRegistration()

Response org.keycloak.services.resources.LoginActionsService.processRegistration	(	boolean	action,
		String	execution,
		AuthenticationSessionModel	authSession,
		String	errorMessage
	)

inlineprotected

                                                                                                                                           {
         return processFlow(action, execution, authSession, REGISTRATION_PATH, realm.getRegistrationFlow(), errorMessage, new AuthenticationProcessor());
     }

◆ processRequireAction()

Response org.keycloak.services.resources.LoginActionsService.processRequireAction	(	final String	authSessionId,
		final String	code,
		String	action,
		String	clientId,
		String	tabId
	)

inlineprivate

                                                                                                                                        {
         event.event(EventType.CUSTOM_REQUIRED_ACTION);
 
         SessionCodeChecks checks = checksForCode(authSessionId, code, action, clientId, tabId, REQUIRED_ACTION);
         if (!checks.verifyRequiredAction(action)) {
             return checks.getResponse();
         }
 
         AuthenticationSessionModel authSession = checks.getAuthenticationSession();
         if (!checks.isActionRequest()) {
             initLoginEvent(authSession);
             event.event(EventType.CUSTOM_REQUIRED_ACTION);
             return AuthenticationManager.nextActionAfterAuthentication(session, authSession, clientConnection, request, session.getContext().getUri(), event);
         }
 
         initLoginEvent(authSession);
         event.event(EventType.CUSTOM_REQUIRED_ACTION);
         event.detail(Details.CUSTOM_REQUIRED_ACTION, action);
 
         RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, action);
         if (factory == null) {
             ServicesLogger.LOGGER.actionProviderNull();
             event.error(Errors.INVALID_CODE);
             throw new WebApplicationException(ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.INVALID_CODE));
         }
         RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, authSession.getAuthenticatedUser(), factory) {
             @Override
             public void ignore() {
                 throw new RuntimeException("Cannot call ignore within processAction()");
             }
         };
         RequiredActionProvider provider = null;
         try {
             provider = AuthenticationManager.createRequiredAction(context);
         }  catch (AuthenticationFlowException e) {
             if (e.getResponse() != null) {
                 return e.getResponse();
             }
             throw new WebApplicationException(ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.DISPLAY_UNSUPPORTED));
         }
 
 
         Response response;
         provider.processAction(context);
 
         if (action != null) {
             authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, action);
         }
 
         if (context.getStatus() == RequiredActionContext.Status.SUCCESS) {
             event.clone().success();
             initLoginEvent(authSession);
             event.event(EventType.LOGIN);
             authSession.removeRequiredAction(factory.getId());
             authSession.getAuthenticatedUser().removeRequiredAction(factory.getId());
             authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
 
             response = AuthenticationManager.nextActionAfterAuthentication(session, authSession, clientConnection, request, session.getContext().getUri(), event);
         } else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) {
             response = context.getChallenge();
         } else if (context.getStatus() == RequiredActionContext.Status.FAILURE) {
             LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, authSession.getProtocol());
             protocol.setRealm(context.getRealm())
                     .setHttpHeaders(context.getHttpRequest().getHttpHeaders())
                     .setUriInfo(context.getUriInfo())
                     .setEventBuilder(event);
 
             event.detail(Details.CUSTOM_REQUIRED_ACTION, action);
             response = protocol.sendError(authSession, Error.CONSENT_DENIED);
             event.error(Errors.REJECTED_BY_USER);
         } else {
             throw new RuntimeException("Unreachable");
         }
 
         return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, response, true, request);
     }

◆ processResetCredentials()

Response org.keycloak.services.resources.LoginActionsService.processResetCredentials	(	boolean	actionRequest,
		String	execution,
		AuthenticationSessionModel	authSession,
		String	errorMessage
	)

inlineprotected

                                                                                                                                                      {
         AuthenticationProcessor authProcessor = new ResetCredentialsActionTokenHandler.ResetCredsAuthenticationProcessor();
 
         return processFlow(actionRequest, execution, authSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), errorMessage, authProcessor);
     }

◆ redirectToAfterBrokerLoginEndpoint() [1/2]

Response org.keycloak.services.resources.LoginActionsService.redirectToAfterBrokerLoginEndpoint	(	AuthenticationSessionModel	authSession,
		boolean	firstBrokerLogin
	)

inlineprivate

                                                                                                                           {
         return redirectToAfterBrokerLoginEndpoint(session, realm, session.getContext().getUri(), authSession, firstBrokerLogin);
     }

◆ redirectToAfterBrokerLoginEndpoint() [2/2]

static Response org.keycloak.services.resources.LoginActionsService.redirectToAfterBrokerLoginEndpoint	(	KeycloakSession	session,
		RealmModel	realm,
		UriInfo	uriInfo,
		AuthenticationSessionModel	authSession,
		boolean	firstBrokerLogin
	)

inlinestatic

                                                                                                                                                                                             {
         ClientSessionCode<AuthenticationSessionModel> accessCode = new ClientSessionCode<>(session, realm, authSession);
         authSession.getParentSession().setTimestamp(Time.currentTime());
 
         String clientId = authSession.getClient().getClientId();
         String tabId = authSession.getTabId();
         URI redirect = firstBrokerLogin ? Urls.identityProviderAfterFirstBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getOrGenerateCode(), clientId, tabId) :
                 Urls.identityProviderAfterPostBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getOrGenerateCode(), clientId, tabId) ;
         logger.debugf("Redirecting to '%s' ", redirect);
 
         return Response.status(302).location(redirect).build();
     }

◆ registerPage()

Response org.keycloak.services.resources.LoginActionsService.registerPage	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

protocol independent registration page entry point

引数

code

戻り値

                                                                              {
         return registerRequest(authSessionId, code, execution, clientId,  tabId,false);
     }

◆ registerRequest()

Response org.keycloak.services.resources.LoginActionsService.registerRequest	(	String	authSessionId,
		String	code,
		String	execution,
		String	clientId,
		String	tabId,
		boolean	isPostRequest
	)

inlineprivate

                                                                                                                                                 {
         event.event(EventType.REGISTER);
         if (!realm.isRegistrationAllowed()) {
             event.error(Errors.REGISTRATION_DISABLED);
             return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.REGISTRATION_NOT_ALLOWED);
         }
 
         SessionCodeChecks checks = checksForCode(authSessionId, code, execution, clientId, tabId, REGISTRATION_PATH);
         if (!checks.verifyActiveAndValidAction(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
             return checks.getResponse();
         }
 
         AuthenticationSessionModel authSession = checks.getAuthenticationSession();
 
         AuthenticationManager.expireIdentityCookie(realm, session.getContext().getUri(), clientConnection);
 
         return processRegistration(checks.isActionRequest(), execution, authSession, null);
     }

◆ registrationFormProcessor()

static UriBuilder org.keycloak.services.resources.LoginActionsService.registrationFormProcessor ( UriInfo uriInfo )

inlinestatic

                                                                         {
         return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "processRegister");
     }

◆ requiredActionGET()

Response org.keycloak.services.resources.LoginActionsService.requiredActionGET	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) final String	code,
		@QueryParam(Constants.EXECUTION) String	action,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

                                                                                   {
         return processRequireAction(authSessionId, code, action, clientId, tabId);
     }

◆ requiredActionPOST()

Response org.keycloak.services.resources.LoginActionsService.requiredActionPOST	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) final String	code,
		@QueryParam(Constants.EXECUTION) String	action,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

                                                                                    {
         return processRequireAction(authSessionId, code, action, clientId, tabId);
     }

◆ requiredActionProcessor()

static UriBuilder org.keycloak.services.resources.LoginActionsService.requiredActionProcessor ( UriInfo uriInfo )

inlinestatic

                                                                       {
         return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "requiredActionPOST");
     }

◆ resetCredentials()

Response org.keycloak.services.resources.LoginActionsService.resetCredentials	(	String	authSessionId,
		String	code,
		String	execution,
		String	clientId,
		String	tabId
	)

inlineprotected

引数

code
execution

戻り値

                                                                                                                             {
         SessionCodeChecks checks = checksForCode(authSessionId, code, execution, clientId, tabId, RESET_CREDENTIALS_PATH);
         if (!checks.verifyActiveAndValidAction(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) {
             return checks.getResponse();
         }
         final AuthenticationSessionModel authSession = checks.getAuthenticationSession();
 
         if (!realm.isResetPasswordAllowed()) {
             event.error(Errors.NOT_ALLOWED);
             return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
 
         }
 
         return processResetCredentials(checks.isActionRequest(), execution, authSession, null);
     }

◆ resetCredentialsGET()

Response org.keycloak.services.resources.LoginActionsService.resetCredentialsGET	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

Endpoint for executing reset credentials flow. If token is null, a authentication session is created with the account service as the client. Successful reset sends you to the account page. Note, account service must be enabled.

引数

code
execution

戻り値

                                                                                     {
         ClientModel client = realm.getClientByClientId(clientId);
         AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm, client, tabId);
 
         // we allow applications to link to reset credentials without going through OAuth or SAML handshakes
         if (authSession == null && code == null) {
             if (!realm.isResetPasswordAllowed()) {
                 event.event(EventType.RESET_PASSWORD);
                 event.error(Errors.NOT_ALLOWED);
                 return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
 
             }
             authSession = createAuthenticationSessionForClient();
             return processResetCredentials(false, null, authSession, null);
         }
 
         event.event(EventType.RESET_PASSWORD);
         return resetCredentials(authSessionId, code, execution, clientId, tabId);
     }

◆ resetCredentialsPOST()

Response org.keycloak.services.resources.LoginActionsService.resetCredentialsPOST	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(SESSION_CODE) String	code,
		@QueryParam(Constants.EXECUTION) String	execution,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId,
		@QueryParam(Constants.KEY) String	key
	)

inline

                                                                                 {
         if (key != null) {
             return handleActionToken(key, execution, clientId, tabId);
         }
 
         event.event(EventType.RESET_PASSWORD);
 
         return resetCredentials(authSessionId, code, execution, clientId, tabId);
     }

◆ resolveActionTokenHandler()

private<T extends JsonWebToken> ActionTokenHandler<T> org.keycloak.services.resources.LoginActionsService.resolveActionTokenHandler ( String actionId ) throws VerificationException

inlinepackage

                                                                                                                                    {
         if (actionId == null) {
             throw new VerificationException("Action token operation not set");
         }
         ActionTokenHandler<T> handler = session.getProvider(ActionTokenHandler.class, actionId);
 
         if (handler == null) {
             throw new VerificationException("Invalid action token operation");
         }
         return handler;
     }

◆ restartSession()

Response org.keycloak.services.resources.LoginActionsService.restartSession	(	@QueryParam(AUTH_SESSION_ID) String	authSessionId,
		@QueryParam(Constants.CLIENT_ID) String	clientId,
		@QueryParam(Constants.TAB_ID) String	tabId
	)

inline

protocol independent page for restart of the flow

戻り値

                                                                                {
         event.event(EventType.RESTART_AUTHENTICATION);
         SessionCodeChecks checks = new SessionCodeChecks(realm, session.getContext().getUri(), request, clientConnection, session, event, authSessionId, null, null, clientId,  tabId, null);
 
         AuthenticationSessionModel authSession = checks.initialVerifyAuthSession();
         if (authSession == null) {
             return checks.getResponse();
         }
 
         String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
         if (flowPath == null) {
             flowPath = AUTHENTICATE_PATH;
         }
 
         AuthenticationProcessor.resetFlow(authSession, flowPath);
 
         URI redirectUri = getLastExecutionUrl(flowPath, null, authSession.getClient().getClientId(), tabId);
         logger.debugf("Flow restart requested. Redirecting to %s", redirectUri);
         return Response.status(Response.Status.FOUND).location(redirectUri).build();
     }

メンバ詳解

◆ AUTH_SESSION_ID

final String org.keycloak.services.resources.LoginActionsService.AUTH_SESSION_ID = "auth_session_id"

static

◆ AUTHENTICATE_PATH

final String org.keycloak.services.resources.LoginActionsService.AUTHENTICATE_PATH = "authenticate"

static

◆ clientConnection

ClientConnection org.keycloak.services.resources.LoginActionsService.clientConnection

private

◆ event

EventBuilder org.keycloak.services.resources.LoginActionsService.event

private

◆ FIRST_BROKER_LOGIN_PATH

final String org.keycloak.services.resources.LoginActionsService.FIRST_BROKER_LOGIN_PATH = "first-broker-login"

static

◆ FORWARDED_ERROR_MESSAGE_NOTE

final String org.keycloak.services.resources.LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE = "forwardedErrorMessage"

static

◆ headers

HttpHeaders org.keycloak.services.resources.LoginActionsService.headers

protected

◆ logger

final Logger org.keycloak.services.resources.LoginActionsService.logger = Logger.getLogger(LoginActionsService.class)

staticprivate

◆ POST_BROKER_LOGIN_PATH

final String org.keycloak.services.resources.LoginActionsService.POST_BROKER_LOGIN_PATH = "post-broker-login"

static

◆ providers

Providers org.keycloak.services.resources.LoginActionsService.providers

protected

◆ realm

RealmModel org.keycloak.services.resources.LoginActionsService.realm

private

◆ REGISTRATION_PATH

final String org.keycloak.services.resources.LoginActionsService.REGISTRATION_PATH = "registration"

static

◆ request

HttpRequest org.keycloak.services.resources.LoginActionsService.request

private

◆ REQUIRED_ACTION

final String org.keycloak.services.resources.LoginActionsService.REQUIRED_ACTION = "required-action"

static

◆ RESET_CREDENTIALS_PATH

final String org.keycloak.services.resources.LoginActionsService.RESET_CREDENTIALS_PATH = "reset-credentials"

static

◆ RESTART_PATH

final String org.keycloak.services.resources.LoginActionsService.RESTART_PATH = "restart"

static

◆ session

KeycloakSession org.keycloak.services.resources.LoginActionsService.session

protected

◆ SESSION_CODE

final String org.keycloak.services.resources.LoginActionsService.SESSION_CODE = "session_code"

static

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java

公開メンバ関数

静的公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ LoginActionsService()

関数詳解

◆ actionTokenProcessor()

◆ authenticate()

◆ authenticateForm()

◆ authenticationFormProcessor()

◆ brokerLoginFlow()

◆ checksForCode()

◆ checkSsl()

◆ createAuthenticationSessionForClient()

◆ executeActionToken()

◆ firstBrokerLoginGet()

◆ firstBrokerLoginPost()

◆ firstBrokerLoginProcessor()

◆ getLastExecutionUrl()

◆ handleActionToken()

◆ handleActionTokenVerificationException()

◆ initLoginEvent()

◆ loginActionsBaseUrl() [1/2]

◆ loginActionsBaseUrl() [2/2]

◆ postBrokerLoginGet()

◆ postBrokerLoginPost()

◆ postBrokerLoginProcessor()

◆ processAuthentication()

◆ processConsent()

◆ processFlow()

◆ processFlowFromPath()

◆ processRegister()

◆ processRegistration()

◆ processRequireAction()

◆ processResetCredentials()

◆ redirectToAfterBrokerLoginEndpoint() [1/2]

◆ redirectToAfterBrokerLoginEndpoint() [2/2]

◆ registerPage()

◆ registerRequest()

◆ registrationFormProcessor()

◆ requiredActionGET()

◆ requiredActionPOST()

◆ requiredActionProcessor()

◆ resetCredentials()

◆ resetCredentialsGET()

◆ resetCredentialsPOST()

◆ resolveActionTokenHandler()

◆ restartSession()

メンバ詳解

◆ AUTH_SESSION_ID

◆ AUTHENTICATE_PATH

◆ clientConnection

◆ event

◆ FIRST_BROKER_LOGIN_PATH

◆ FORWARDED_ERROR_MESSAGE_NOTE

◆ headers

◆ logger

◆ POST_BROKER_LOGIN_PATH

◆ providers

◆ realm

◆ REGISTRATION_PATH

◆ request

◆ REQUIRED_ACTION

◆ RESET_CREDENTIALS_PATH

◆ RESTART_PATH

◆ session

◆ SESSION_CODE