437 ActionTokenHandler<T> handler;
438 ActionTokenContext<T> tokenContext;
439 String eventError = null;
440 String defaultErrorMessage = null;
442 AuthenticationSessionModel authSession = null;
445 ClientModel client = null;
446 if (clientId != null) {
447 client =
realm.getClientByClientId(clientId);
449 AuthenticationSessionManager authenticationSessionManager =
new AuthenticationSessionManager(
session);
450 if (client != null) {
451 session.getContext().setClient(client);
452 authSession = authenticationSessionManager.getCurrentAuthenticationSession(
realm, client, tabId);
455 event.event(EventType.EXECUTE_ACTION_TOKEN);
459 if (tokenString == null) {
460 throw new ExplainedTokenVerificationException(null, Errors.NOT_ALLOWED, Messages.INVALID_REQUEST);
463 TokenVerifier<DefaultActionTokenKey> tokenVerifier = TokenVerifier.create(tokenString, DefaultActionTokenKey.class);
464 DefaultActionTokenKey aToken = tokenVerifier.getToken();
467 .detail(Details.TOKEN_ID, aToken.getId())
468 .detail(Details.ACTION, aToken.getActionId())
469 .user(aToken.getUserId());
473 defaultErrorMessage = handler.getDefaultErrorMessage();
475 if (!
realm.isEnabled()) {
476 throw new ExplainedTokenVerificationException(aToken, Errors.REALM_DISABLED, Messages.REALM_NOT_ENABLED);
479 throw new ExplainedTokenVerificationException(aToken, Errors.SSL_REQUIRED, Messages.HTTPS_REQUIRED);
482 TokenVerifier<DefaultActionTokenKey> verifier = tokenVerifier
485 TokenVerifier.IS_ACTIVE,
486 new TokenVerifier.RealmUrlCheck(Urls.realmIssuer(
session.getContext().getUri().getBaseUri(),
realm.getName())),
487 ACTION_TOKEN_BASIC_CHECKS
490 String kid = verifier.getHeader().getKeyId();
491 String algorithm = verifier.getHeader().getAlgorithm().name();
493 SignatureVerifierContext signatureVerifier =
session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
494 verifier.verifierContext(signatureVerifier);
498 token = TokenVerifier.create(tokenString, handler.getTokenClass()).getToken();
499 }
catch (TokenNotActiveException ex) {
500 if (authSession != null) {
501 event.clone().error(Errors.EXPIRED_CODE);
502 String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
503 if (flowPath == null) {
506 AuthenticationProcessor.resetFlow(authSession, flowPath);
509 return processFlowFromPath(flowPath, authSession, Messages.EXPIRED_ACTION_TOKEN_SESSION_EXISTS);
513 }
catch (ExplainedTokenVerificationException ex) {
515 }
catch (ExplainedVerificationException ex) {
517 }
catch (VerificationException ex) {
525 String tokenAuthSessionCompoundId = handler.getAuthenticationSessionIdFromToken(token, tokenContext, authSession);
527 if (tokenAuthSessionCompoundId != null) {
529 String sessionId = AuthenticationSessionCompoundId.encoded(tokenAuthSessionCompoundId).getRootSessionId();
530 LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, sessionId);
533 if (authSession == null) {
534 authSession = handler.startFreshAuthenticationSession(token, tokenContext);
535 tokenContext.setAuthenticationSession(authSession,
true);
536 }
else if (tokenAuthSessionCompoundId == null ||
537 ! LoginActionsServiceChecks.doesAuthenticationSessionFromCookieMatchOneFromToken(tokenContext, authSession, tokenAuthSessionCompoundId)) {
539 logger.debugf(
"Authentication session in progress but no authentication session ID was found in action token %s, restarting.", token.getId());
540 authenticationSessionManager.removeAuthenticationSession(
realm, authSession,
false);
542 authSession = handler.startFreshAuthenticationSession(token, tokenContext);
543 tokenContext.setAuthenticationSession(authSession,
true);
547 event.event(handler.eventType());
549 LoginActionsServiceChecks.checkIsUserValid(token, tokenContext);
550 LoginActionsServiceChecks.checkIsClientValid(token, tokenContext);
552 session.getContext().setClient(authSession.getClient());
554 TokenVerifier.createWithoutSignature(token)
555 .withChecks(handler.getVerifiers(tokenContext))
558 authSession = tokenContext.getAuthenticationSession();
559 event = tokenContext.getEvent();
560 event.event(handler.eventType());
562 if (! handler.canUseTokenRepeatedly(token, tokenContext)) {
563 LoginActionsServiceChecks.checkTokenWasNotUsedYet(token, tokenContext);
564 authSession.setAuthNote(AuthenticationManager.INVALIDATE_ACTION_TOKEN, token.serializeKey());
567 authSession.setAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID, token.getUserId());
569 authSession.setAuthNote(Constants.KEY, tokenString);
571 return handler.handleToken(token, tokenContext);
572 }
catch (ExplainedTokenVerificationException ex) {
574 }
catch (LoginActionsServiceException ex) {
575 Response response = ex.getResponse();
576 return response == null
579 }
catch (VerificationException ex) {