org.keycloak.services.resources.IdentityBrokerService クラス

org.keycloak.services.resources.IdentityBrokerService の継承関係図

org.keycloak.services.resources.IdentityBrokerService 連携図

クラス
class	ParsedCodeContext

公開メンバ関数
	IdentityBrokerService (RealmModel realmModel)
void	init ()
Response	clientIntiatedAccountLinkingPreflight (@PathParam("provider_id") String providerId)
Response	clientInitiatedAccountLinking (@PathParam("provider_id") String providerId, @QueryParam("redirect_uri") String redirectUri, @QueryParam("client_id") String clientId, @QueryParam("nonce") String nonce, @QueryParam("hash") String hash)
Response	performPostLogin (@PathParam("provider_id") String providerId, @QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId)
Response	performLogin (@PathParam("provider_id") String providerId, @QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId)
Object	getEndpoint (@PathParam("provider_id") String providerId)
Response	retrieveTokenPreflight ()
Response	retrieveToken (@PathParam("provider_id") String providerId)
Response	authenticated (BrokeredIdentityContext context)
Response	validateUser (AuthenticationSessionModel authSession, UserModel user, RealmModel realm)
Response	afterFirstBrokerLogin (@QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId)
Response	afterPostBrokerLoginFlow (@QueryParam(LoginActionsService.SESSION_CODE) String code, @QueryParam("client_id") String clientId, @QueryParam(Constants.TAB_ID) String tabId)
Response	cancelled (String code)
Response	error (String code, String message)

静的公開メンバ関数
static IdentityProvider	getIdentityProvider (KeycloakSession session, RealmModel realm, String alias)
static IdentityProviderFactory	getIdentityProviderFactory (KeycloakSession session, IdentityProviderModel model)

限定公開メンバ関数
Response	browserAuthentication (AuthenticationSessionModel authSession, String errorMessage)

非公開メンバ関数
void	checkRealm ()
ClientModel	checkClient (String clientId)
boolean	canReadBrokerToken (AccessToken token)
Response	getToken (String providerId, boolean forceRetrieval)
Response	afterFirstBrokerLogin (ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Response	finishOrRedirectToPostBrokerLogin (AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Response	afterPostBrokerLoginFlowSuccess (AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
Response	finishBrokerAuthentication (BrokeredIdentityContext context, UserModel federatedUser, AuthenticationSessionModel authSession, String providerId)
boolean	shouldPerformAccountLinking (AuthenticationSessionModel authSession, UserSessionModel userSession, String providerId)
Response	performAccountLinking (AuthenticationSessionModel authSession, UserSessionModel userSession, BrokeredIdentityContext context, FederatedIdentityModel newModel, UserModel federatedUser)
Response	redirectToErrorWhenLinkingFailed (AuthenticationSessionModel authSession, String message, Object... parameters)
void	updateFederatedIdentity (BrokeredIdentityContext context, UserModel federatedUser)
void	updateToken (BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel)
ParsedCodeContext	parseEncodedSessionCode (String encodedCode)
ParsedCodeContext	parseSessionCode (String code, String clientId, String tabId)
ParsedCodeContext	samlIdpInitiatedSSO (final String clientUrlName)
Response	checkAccountManagementFailedLinking (AuthenticationSessionModel authSession, String error, Object... parameters)
AuthenticationRequest	createAuthenticationRequest (String providerId, ClientSessionCode< AuthenticationSessionModel > clientSessionCode)
String	getRedirectUri (String providerId)
Response	redirectToErrorPage (AuthenticationSessionModel authSession, Response.Status status, String message, Object ... parameters)
Response	redirectToErrorPage (Response.Status status, String message, Object ... parameters)
Response	redirectToErrorPage (AuthenticationSessionModel authSession, Response.Status status, String message, Throwable throwable, Object ... parameters)
Response	redirectToAccountErrorPage (AuthenticationSessionModel authSession, String message, Object ... parameters)
Response	badRequest (String message)
Response	forbidden (String message)
IdentityProviderModel	getIdentityProviderConfig (String providerId)
Response	corsResponse (Response response, ClientModel clientModel)
void	fireErrorEvent (String message, Throwable throwable)
void	fireErrorEvent (String message)
boolean	isDebugEnabled ()
void	rollback ()

非公開変数類
final RealmModel	realmModel
KeycloakSession	session
ClientConnection	clientConnection
HttpRequest	request
HttpHeaders	headers
EventBuilder	event

静的非公開変数類
static final String	LINKING_IDENTITY_PROVIDER = "LINKING_IDENTITY_PROVIDER"
static final Logger	logger = Logger.getLogger(IdentityBrokerService.class)

詳解

著者

Pedro Igor

構築子と解体子

IdentityBrokerService()

org.keycloak.services.resources.IdentityBrokerService.IdentityBrokerService ( RealmModel  realmModel )

inline

                                                        {
        if (realmModel == null) {
            throw new IllegalArgumentException("Realm can not be null.");
        }
        this.realmModel = realmModel;
    }

関数詳解

afterFirstBrokerLogin() [1/2]

Response org.keycloak.services.resources.IdentityBrokerService.afterFirstBrokerLogin ( @QueryParam(LoginActionsService.SESSION_CODE) String  code, @QueryParam("client_id") String  clientId, @QueryParam(Constants.TAB_ID) String  tabId  )

inline

                                                                                      {
        ParsedCodeContext parsedCode = parseSessionCode(code, clientId, tabId);
        if (parsedCode.response != null) {
            return parsedCode.response;
        }
        return afterFirstBrokerLogin(parsedCode.clientSessionCode);
    }

afterFirstBrokerLogin() [2/2]

Response org.keycloak.services.resources.IdentityBrokerService.afterFirstBrokerLogin ( ClientSessionCode< AuthenticationSessionModel >  clientSessionCode )

inlineprivate

                                                                                                            {
        AuthenticationSessionModel authSession = clientSessionCode.getClientSession();

        try {
            this.event.detail(Details.CODE_ID, authSession.getParentSession().getId())
                    .removeDetail("auth_method");

            SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
            if (serializedCtx == null) {
                throw new IdentityBrokerException("Not found serialized context in clientSession");
            }
            BrokeredIdentityContext context = serializedCtx.deserialize(session, authSession);
            String providerId = context.getIdpConfig().getAlias();

            event.detail(Details.IDENTITY_PROVIDER, providerId);
            event.detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername());

            // Ensure the first-broker-login flow was successfully finished
            String authProvider = authSession.getAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS);
            if (authProvider == null || !authProvider.equals(providerId)) {
                throw new IdentityBrokerException("Invalid request. Not found the flag that first-broker-login flow was finished");
            }

            // firstBrokerLogin workflow finished. Removing note now
            authSession.removeAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);

            UserModel federatedUser = authSession.getAuthenticatedUser();
            if (federatedUser == null) {
                throw new IdentityBrokerException("Couldn't found authenticated federatedUser in authentication session");
            }

            event.user(federatedUser);
            event.detail(Details.USERNAME, federatedUser.getUsername());

            if (context.getIdpConfig().isAddReadTokenRoleOnCreate()) {
                ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID);
                if (brokerClient == null) {
                    throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service");
                }
                RoleModel readTokenRole = brokerClient.getRole(Constants.READ_TOKEN_ROLE);
                federatedUser.grantRole(readTokenRole);
            }

            // Add federated identity link here
            FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(),
                    context.getUsername(), context.getToken());
            session.users().addFederatedIdentity(realmModel, federatedUser, federatedIdentityModel);


            String isRegisteredNewUser = authSession.getAuthNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER);
            if (Boolean.parseBoolean(isRegisteredNewUser)) {

                logger.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", federatedUser.getUsername(), providerId, context.getUsername());

                context.getIdp().importNewUser(session, realmModel, federatedUser, context);
                Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(providerId);
                if (mappers != null) {
                    KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
                    for (IdentityProviderMapperModel mapper : mappers) {
                        IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
                        target.importNewUser(session, realmModel, federatedUser, mapper, context);
                    }
                }

                if (context.getIdpConfig().isTrustEmail() && !Validation.isBlank(federatedUser.getEmail()) && !Boolean.parseBoolean(authSession.getAuthNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) {
                    logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", federatedUser.getUsername(), context.getIdpConfig().getAlias());
                    federatedUser.setEmailVerified(true);
                }

                event.event(EventType.REGISTER)
                        .detail(Details.REGISTER_METHOD, "broker")
                        .detail(Details.EMAIL, federatedUser.getEmail())
                        .success();

            } else {
                logger.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", federatedUser.getUsername(), providerId, context.getUsername());

                event.event(EventType.FEDERATED_IDENTITY_LINK)
                        .success();

                updateFederatedIdentity(context, federatedUser);
            }

            return finishOrRedirectToPostBrokerLogin(authSession, context, true, clientSessionCode);

        }  catch (Exception e) {
            return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
        }
    }

afterPostBrokerLoginFlow()

Response org.keycloak.services.resources.IdentityBrokerService.afterPostBrokerLoginFlow ( @QueryParam(LoginActionsService.SESSION_CODE) String  code, @QueryParam("client_id") String  clientId, @QueryParam(Constants.TAB_ID) String  tabId  )

inline

                                                                                         {
        ParsedCodeContext parsedCode = parseSessionCode(code, clientId, tabId);
        if (parsedCode.response != null) {
            return parsedCode.response;
        }
        AuthenticationSessionModel authenticationSession = parsedCode.clientSessionCode.getClientSession();

        try {
            SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
            if (serializedCtx == null) {
                throw new IdentityBrokerException("Not found serialized context in clientSession. Note " + PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT + " was null");
            }
            BrokeredIdentityContext context = serializedCtx.deserialize(session, authenticationSession);

            String wasFirstBrokerLoginNote = authenticationSession.getAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN);
            boolean wasFirstBrokerLogin = Boolean.parseBoolean(wasFirstBrokerLoginNote);

            // Ensure the post-broker-login flow was successfully finished
            String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + context.getIdpConfig().getAlias();
            String authState = authenticationSession.getAuthNote(authStateNoteKey);
            if (!Boolean.parseBoolean(authState)) {
                throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished");
            }

            // remove notes
            authenticationSession.removeAuthNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
            authenticationSession.removeAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN);

            return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode);
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(authenticationSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
        }
    }

afterPostBrokerLoginFlowSuccess()

Response org.keycloak.services.resources.IdentityBrokerService.afterPostBrokerLoginFlowSuccess ( AuthenticationSessionModel  authSession, BrokeredIdentityContext  context, boolean  wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel >  clientSessionCode  )

inlineprivate

                                                                                                                                                                                                                            {
        String providerId = context.getIdpConfig().getAlias();
        UserModel federatedUser = authSession.getAuthenticatedUser();

        if (wasFirstBrokerLogin) {
            return finishBrokerAuthentication(context, federatedUser, authSession, providerId);
        } else {

            boolean firstBrokerLoginInProgress = (authSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null);
            if (firstBrokerLoginInProgress) {
                logger.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", context.getIdpConfig().getAlias(), federatedUser.getUsername());

                UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, authSession);
                if (!linkingUser.getId().equals(federatedUser.getId())) {
                    return redirectToErrorPage(authSession, Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername());
                }

                SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
                authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, serializedCtx.getIdentityProviderId());

                return afterFirstBrokerLogin(clientSessionCode);
            } else {
                return finishBrokerAuthentication(context, federatedUser, authSession, providerId);
            }
        }
    }

authenticated()

Response org.keycloak.services.resources.IdentityBrokerService.authenticated ( BrokeredIdentityContext  context )

inline

                                                                   {
        IdentityProviderModel identityProviderConfig = context.getIdpConfig();

        final ParsedCodeContext parsedCode;
        if (context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID) != null) {
            parsedCode = samlIdpInitiatedSSO((String) context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID));
        } else {
            parsedCode = parseEncodedSessionCode(context.getCode());
        }
        if (parsedCode.response != null) {
            return parsedCode.response;
        }
        ClientSessionCode<AuthenticationSessionModel> clientCode = parsedCode.clientSessionCode;

        String providerId = identityProviderConfig.getAlias();
        if (!identityProviderConfig.isStoreToken()) {
            if (isDebugEnabled()) {
                logger.debugf("Token will not be stored for identity provider [%s].", providerId);
            }
            context.setToken(null);
        }

        AuthenticationSessionModel authenticationSession = clientCode.getClientSession();
        context.setAuthenticationSession(authenticationSession);

        session.getContext().setClient(authenticationSession.getClient());

        context.getIdp().preprocessFederatedIdentity(session, realmModel, context);
        Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
        if (mappers != null) {
            KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
            for (IdentityProviderMapperModel mapper : mappers) {
                IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
                target.preprocessFederatedIdentity(session, realmModel, mapper, context);
            }
        }

        FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(providerId, context.getId(),
                context.getUsername(), context.getToken());

        this.event.event(EventType.IDENTITY_PROVIDER_LOGIN)
                .detail(Details.REDIRECT_URI, authenticationSession.getRedirectUri())
                .detail(Details.IDENTITY_PROVIDER, providerId)
                .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername());

        UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel);

        // Check if federatedUser is already authenticated (this means linking social into existing federatedUser account)
        UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authenticationSession);
        if (shouldPerformAccountLinking(authenticationSession, userSession, providerId)) {
            return performAccountLinking(authenticationSession, userSession, context, federatedIdentityModel, federatedUser);
        }

        if (federatedUser == null) {

            logger.debugf("Federated user not found for provider '%s' and broker username '%s' . Redirecting to flow for firstBrokerLogin", providerId, context.getUsername());

            String username = context.getModelUsername();
            if (username == null) {
                if (this.realmModel.isRegistrationEmailAsUsername() && !Validation.isBlank(context.getEmail())) {
                    username = context.getEmail();
                } else if (context.getUsername() == null) {
                    username = context.getIdpConfig().getAlias() + "." + context.getId();
                } else {
                    username = context.getUsername();
                }
            }
            username = username.trim();
            context.setModelUsername(username);

            // Redirect to firstBrokerLogin after successful login and ensure that previous authentication state removed
            AuthenticationProcessor.resetFlow(authenticationSession, LoginActionsService.FIRST_BROKER_LOGIN_PATH);

            SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context);
            ctx.saveToAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);

            URI redirect = LoginActionsService.firstBrokerLoginProcessor(session.getContext().getUri())
                    .queryParam(Constants.CLIENT_ID, authenticationSession.getClient().getClientId())
                    .queryParam(Constants.TAB_ID, authenticationSession.getTabId())
                    .build(realmModel.getName());
            return Response.status(302).location(redirect).build();

        } else {
            Response response = validateUser(authenticationSession, federatedUser, realmModel);
            if (response != null) {
                return response;
            }

            updateFederatedIdentity(context, federatedUser);
            authenticationSession.setAuthenticatedUser(federatedUser);

            return finishOrRedirectToPostBrokerLogin(authenticationSession, context, false, parsedCode.clientSessionCode);
        }
    }

badRequest()

Response org.keycloak.services.resources.IdentityBrokerService.badRequest ( String  message )

inlineprivate

                                                {
        fireErrorEvent(message);
        return ErrorResponse.error(message, Response.Status.BAD_REQUEST);
    }

browserAuthentication()

Response org.keycloak.services.resources.IdentityBrokerService.browserAuthentication ( AuthenticationSessionModel  authSession, String  errorMessage  )

inlineprotected

                                                                                                          {
        this.event.event(EventType.LOGIN);
        AuthenticationFlowModel flow = AuthenticationFlowResolver.resolveBrowserFlow(authSession);
        String flowId = flow.getId();
        AuthenticationProcessor processor = new AuthenticationProcessor();
        processor.setAuthenticationSession(authSession)
                .setFlowPath(LoginActionsService.AUTHENTICATE_PATH)
                .setFlowId(flowId)
                .setBrowserFlow(true)
                .setConnection(clientConnection)
                .setEventBuilder(event)
                .setRealm(realmModel)
                .setSession(session)
                .setUriInfo(session.getContext().getUri())
                .setRequest(request);
        if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage));

        try {
            CacheControlUtil.noBackButtonCacheControlHeader();
            return processor.authenticate();
        } catch (Exception e) {
            return processor.handleBrowserException(e);
        }
    }

cancelled()

Response org.keycloak.services.resources.IdentityBrokerService.cancelled ( String  code )

inline

                                           {
        ParsedCodeContext parsedCode = parseEncodedSessionCode(code);
        if (parsedCode.response != null) {
            return parsedCode.response;
        }
        ClientSessionCode<AuthenticationSessionModel> clientCode = parsedCode.clientSessionCode;

        Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.CONSENT_DENIED);
        if (accountManagementFailedLinking != null) {
            return accountManagementFailedLinking;
        }

        return browserAuthentication(clientCode.getClientSession(), null);
    }

canReadBrokerToken()

boolean org.keycloak.services.resources.IdentityBrokerService.canReadBrokerToken ( AccessToken  token )

inlineprivate

                                                          {
        Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess();
        AccessToken.Access brokerRoles = resourceAccess == null ? null : resourceAccess.get(Constants.BROKER_SERVICE_CLIENT_ID);
        return brokerRoles != null && brokerRoles.isUserInRole(Constants.READ_TOKEN_ROLE);
    }

checkAccountManagementFailedLinking()

Response org.keycloak.services.resources.IdentityBrokerService.checkAccountManagementFailedLinking ( AuthenticationSessionModel  authSession, String  error, Object...  parameters  )

inlineprivate

                                                                                                                                     {
        UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authSession);
        if (userSession != null && authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) {

            this.event.event(EventType.FEDERATED_IDENTITY_LINK);
            UserModel user = userSession.getUser();
            this.event.user(user);
            this.event.detail(Details.USERNAME, user.getUsername());

            return redirectToAccountErrorPage(authSession, error, parameters);
        } else {
            return null;
        }
    }

checkClient()

ClientModel org.keycloak.services.resources.IdentityBrokerService.checkClient ( String  clientId )

inlineprivate

                                                     {
        if (clientId == null) {
            event.error(Errors.INVALID_REQUEST);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
        }

        event.client(clientId);

        ClientModel client = realmModel.getClientByClientId(clientId);
        if (client == null) {
            event.error(Errors.CLIENT_NOT_FOUND);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
        }

        if (!client.isEnabled()) {
            event.error(Errors.CLIENT_DISABLED);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
        }
        return client;

    }

checkRealm()

void org.keycloak.services.resources.IdentityBrokerService.checkRealm ( )

inlineprivate

                              {
        if (!realmModel.isEnabled()) {
            event.error(Errors.REALM_DISABLED);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED);
        }
    }

clientInitiatedAccountLinking()

Response org.keycloak.services.resources.IdentityBrokerService.clientInitiatedAccountLinking ( @PathParam("provider_id") String  providerId, @QueryParam("redirect_uri") String  redirectUri, @QueryParam("client_id") String  clientId, @QueryParam("nonce") String  nonce, @QueryParam("hash") String  hash  )

inline

      {
        this.event.event(EventType.CLIENT_INITIATED_ACCOUNT_LINKING);
        checkRealm();
        ClientModel client = checkClient(clientId);
        redirectUri = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), redirectUri, realmModel, client);
        if (redirectUri == null) {
            event.error(Errors.INVALID_REDIRECT_URI);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
        }

        event.detail(Details.REDIRECT_URI, redirectUri);

        if (nonce == null || hash == null) {
            event.error(Errors.INVALID_REDIRECT_URI);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);

        }

        AuthenticationManager.AuthResult cookieResult = AuthenticationManager.authenticateIdentityCookie(session, realmModel, true);
        String errorParam = "link_error";
        if (cookieResult == null) {
            event.error(Errors.NOT_LOGGED_IN);
            UriBuilder builder = UriBuilder.fromUri(redirectUri)
                    .queryParam(errorParam, Errors.NOT_LOGGED_IN)
                    .queryParam("nonce", nonce);

            return Response.status(302).location(builder.build()).build();
        }

        cookieResult.getSession();
        event.session(cookieResult.getSession());
        event.user(cookieResult.getUser());
        event.detail(Details.USERNAME, cookieResult.getUser().getUsername());

        AuthenticatedClientSessionModel clientSession = null;
        for (AuthenticatedClientSessionModel cs : cookieResult.getSession().getAuthenticatedClientSessions().values()) {
            if (cs.getClient().getClientId().equals(clientId)) {
                byte[] decoded = Base64Url.decode(hash);
                MessageDigest md = null;
                try {
                    md = MessageDigest.getInstance("SHA-256");
                } catch (NoSuchAlgorithmException e) {
                    throw new ErrorPageException(session, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST);
                }
                String input = nonce + cookieResult.getSession().getId() + clientId + providerId;
                byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
                if (MessageDigest.isEqual(decoded, check)) {
                    clientSession = cs;
                    break;
                }
            }
        }
        if (clientSession == null) {
            event.error(Errors.INVALID_TOKEN);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
        }

        event.detail(Details.IDENTITY_PROVIDER, providerId);

        ClientModel accountService = this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        if (!accountService.getId().equals(client.getId())) {
            RoleModel manageAccountRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT);

            // Ensure user has role and client has "role scope" for this role
            ClientSessionContext ctx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);
            Set<RoleModel> userAccountRoles = ctx.getRoles();

            if (!userAccountRoles.contains(manageAccountRole)) {
                RoleModel linkRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT_LINKS);
                if (!userAccountRoles.contains(linkRole)) {
                    event.error(Errors.NOT_ALLOWED);
                    UriBuilder builder = UriBuilder.fromUri(redirectUri)
                            .queryParam(errorParam, Errors.NOT_ALLOWED)
                            .queryParam("nonce", nonce);
                    return Response.status(302).location(builder.build()).build();
                }
            }
        }


        IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId);
        if (identityProviderModel == null) {
            event.error(Errors.UNKNOWN_IDENTITY_PROVIDER);
            UriBuilder builder = UriBuilder.fromUri(redirectUri)
                    .queryParam(errorParam, Errors.UNKNOWN_IDENTITY_PROVIDER)
                    .queryParam("nonce", nonce);
            return Response.status(302).location(builder.build()).build();

        }


        // Create AuthenticationSessionModel with same ID like userSession and refresh cookie
        UserSessionModel userSession = cookieResult.getSession();

        // Auth session with ID corresponding to our userSession may already exists in some rare cases (EG. if some client tried to login in another browser tab with "prompt=login")
        RootAuthenticationSessionModel rootAuthSession = session.authenticationSessions().getRootAuthenticationSession(realmModel, userSession.getId());
        if (rootAuthSession == null) {
            rootAuthSession = session.authenticationSessions().createRootAuthenticationSession(userSession.getId(), realmModel);
        }

        AuthenticationSessionModel authSession = rootAuthSession.createAuthenticationSession(client);

        // Refresh the cookie
        new AuthenticationSessionManager(session).setAuthSessionCookie(userSession.getId(), realmModel);

        ClientSessionCode<AuthenticationSessionModel> clientSessionCode = new ClientSessionCode<>(session, realmModel, authSession);
        clientSessionCode.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
        clientSessionCode.getOrGenerateCode();
        authSession.setProtocol(client.getProtocol());
        authSession.setRedirectUri(redirectUri);
        authSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString());
        authSession.setAuthNote(LINKING_IDENTITY_PROVIDER, cookieResult.getSession().getId() + clientId + providerId);

        event.detail(Details.CODE_ID, userSession.getId());
        event.success();

        try {
            IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId);
            Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode));

            if (response != null) {
                if (isDebugEnabled()) {
                    logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response);
                }
                return response;
            }
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
        } catch (Exception e) {
            return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
        }

        return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);

    }

clientIntiatedAccountLinkingPreflight()

Response org.keycloak.services.resources.IdentityBrokerService.clientIntiatedAccountLinkingPreflight ( @PathParam("provider_id") String  providerId )

inline

Closes off CORS preflight requests for account linking

引数

providerId

戻り値

                                                                                                       {
        return Response.status(403).build(); // don't allow preflight
    }

corsResponse()

Response org.keycloak.services.resources.IdentityBrokerService.corsResponse ( Response  response, ClientModel  clientModel  )

inlineprivate

                                                                              {
        return Cors.add(this.request, Response.fromResponse(response)).auth().allowedOrigins(session.getContext().getUri(), clientModel).build();
    }

createAuthenticationRequest()

AuthenticationRequest org.keycloak.services.resources.IdentityBrokerService.createAuthenticationRequest ( String  providerId, ClientSessionCode< AuthenticationSessionModel >  clientSessionCode  )

inlineprivate

                                                                                                                                                  {
        AuthenticationSessionModel authSession = null;
        IdentityBrokerState encodedState = null;

        if (clientSessionCode != null) {
            authSession = clientSessionCode.getClientSession();
            String relayState = clientSessionCode.getOrGenerateCode();
            encodedState = IdentityBrokerState.decoded(relayState, authSession.getClient().getClientId(), authSession.getTabId());
        }

        return new AuthenticationRequest(this.session, this.realmModel, authSession, this.request, this.session.getContext().getUri(), encodedState, getRedirectUri(providerId));
    }

error()

Response org.keycloak.services.resources.IdentityBrokerService.error ( String  code, String  message  )

inline

                                                       {
        ParsedCodeContext parsedCode = parseEncodedSessionCode(code);
        if (parsedCode.response != null) {
            return parsedCode.response;
        }
        ClientSessionCode<AuthenticationSessionModel> clientCode = parsedCode.clientSessionCode;

        Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), message);
        if (accountManagementFailedLinking != null) {
            return accountManagementFailedLinking;
        }

        return browserAuthentication(clientCode.getClientSession(), message);
    }

finishBrokerAuthentication()

Response org.keycloak.services.resources.IdentityBrokerService.finishBrokerAuthentication ( BrokeredIdentityContext  context, UserModel  federatedUser, AuthenticationSessionModel  authSession, String  providerId  )

inlineprivate

                                                                                                                                                                     {
        authSession.setAuthNote(AuthenticationProcessor.BROKER_SESSION_ID, context.getBrokerSessionId());
        authSession.setAuthNote(AuthenticationProcessor.BROKER_USER_ID, context.getBrokerUserId());

        this.event.user(federatedUser);

        context.getIdp().authenticationFinished(authSession, context);
        authSession.setUserSessionNote(Details.IDENTITY_PROVIDER, providerId);
        authSession.setUserSessionNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername());

        event.detail(Details.IDENTITY_PROVIDER, providerId)
                .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername());

        if (isDebugEnabled()) {
            logger.debugf("Performing local authentication for user [%s].", federatedUser);
        }

        AuthenticationManager.setClientScopesInSession(authSession);

        String nextRequiredAction = AuthenticationManager.nextRequiredAction(session, authSession, clientConnection, request, session.getContext().getUri(), event);
        if (nextRequiredAction != null) {
            return AuthenticationManager.redirectToRequiredActions(session, realmModel, authSession, session.getContext().getUri(), nextRequiredAction);
        } else {
            event.detail(Details.CODE_ID, authSession.getParentSession().getId());  // todo This should be set elsewhere.  find out why tests fail.  Don't know where this is supposed to be set
            return AuthenticationManager.finishedRequiredActions(session, authSession, null, clientConnection, request, session.getContext().getUri(), event);
        }
    }

finishOrRedirectToPostBrokerLogin()

Response org.keycloak.services.resources.IdentityBrokerService.finishOrRedirectToPostBrokerLogin ( AuthenticationSessionModel  authSession, BrokeredIdentityContext  context, boolean  wasFirstBrokerLogin, ClientSessionCode< AuthenticationSessionModel >  clientSessionCode  )

inlineprivate

                                                                                                                                                                                                                              {
        String postBrokerLoginFlowId = context.getIdpConfig().getPostBrokerLoginFlowId();
        if (postBrokerLoginFlowId == null) {

            logger.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", context.getIdpConfig().getAlias());
            return afterPostBrokerLoginFlowSuccess(authSession, context, wasFirstBrokerLogin, clientSessionCode);
        } else {

            logger.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", context.getIdpConfig().getAlias());

            authSession.getParentSession().setTimestamp(Time.currentTime());

            SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context);
            ctx.saveToAuthenticationSession(authSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);

            authSession.setAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(wasFirstBrokerLogin));

            URI redirect = LoginActionsService.postBrokerLoginProcessor(session.getContext().getUri())
                    .queryParam(Constants.CLIENT_ID, authSession.getClient().getClientId())
                    .queryParam(Constants.TAB_ID, authSession.getTabId())
                    .build(realmModel.getName());
            return Response.status(302).location(redirect).build();
        }
    }

fireErrorEvent() [1/2]

void org.keycloak.services.resources.IdentityBrokerService.fireErrorEvent ( String  message, Throwable  throwable  )

inlineprivate

                                                                     {
        if (!this.event.getEvent().getType().toString().endsWith("_ERROR")) {
            boolean newTransaction = !this.session.getTransactionManager().isActive();

            try {
                if (newTransaction) {
                    this.session.getTransactionManager().begin();
                }

                this.event.error(message);

                if (newTransaction) {
                    this.session.getTransactionManager().commit();
                }
            } catch (Exception e) {
                ServicesLogger.LOGGER.couldNotFireEvent(e);
                rollback();
            }
        }

        if (throwable != null) {
            logger.error(message, throwable);
        } else {
            logger.error(message);
        }
    }

fireErrorEvent() [2/2]

void org.keycloak.services.resources.IdentityBrokerService.fireErrorEvent ( String  message )

inlineprivate

                                                {
        fireErrorEvent(message, null);
    }

forbidden()

Response org.keycloak.services.resources.IdentityBrokerService.forbidden ( String  message )

inlineprivate

                                               {
        fireErrorEvent(message);
        return ErrorResponse.error(message, Response.Status.FORBIDDEN);
    }

getEndpoint()

Object org.keycloak.services.resources.IdentityBrokerService.getEndpoint ( @PathParam("provider_id") String  providerId )

inline

                                                                           {
        IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId);
        Object callback = identityProvider.callback(realmModel, this, event);
        ResteasyProviderFactory.getInstance().injectProperties(callback);
        //resourceContext.initResource(brokerService);
        return callback;


    }

getIdentityProvider()

static IdentityProvider org.keycloak.services.resources.IdentityBrokerService.getIdentityProvider ( KeycloakSession  session, RealmModel  realm, String  alias  )

inlinestatic

                                                                                                                {
        IdentityProviderModel identityProviderModel = realm.getIdentityProviderByAlias(alias);

        if (identityProviderModel != null) {
            IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel);

            if (providerFactory == null) {
                throw new IdentityBrokerException("Could not find factory for identity provider [" + alias + "].");
            }

            return providerFactory.create(session, identityProviderModel);
        }

        throw new IdentityBrokerException("Identity Provider [" + alias + "] not found.");
    }

getIdentityProviderConfig()

IdentityProviderModel org.keycloak.services.resources.IdentityBrokerService.getIdentityProviderConfig ( String  providerId )

inlineprivate

                                                                               {
        IdentityProviderModel model = this.realmModel.getIdentityProviderByAlias(providerId);
        if (model == null) {
            throw new IdentityBrokerException("Configuration for identity provider [" + providerId + "] not found.");
        }
        return model;
    }

getIdentityProviderFactory()

static IdentityProviderFactory org.keycloak.services.resources.IdentityBrokerService.getIdentityProviderFactory ( KeycloakSession  session, IdentityProviderModel  model  )

inlinestatic

                                                                                                                           {
        Map<String, IdentityProviderFactory> availableProviders = new HashMap<String, IdentityProviderFactory>();
        List<ProviderFactory> allProviders = new ArrayList<ProviderFactory>();

        allProviders.addAll(session.getKeycloakSessionFactory().getProviderFactories(IdentityProvider.class));
        allProviders.addAll(session.getKeycloakSessionFactory().getProviderFactories(SocialIdentityProvider.class));

        for (ProviderFactory providerFactory : allProviders) {
            availableProviders.put(providerFactory.getId(), (IdentityProviderFactory) providerFactory);
        }

        return availableProviders.get(model.getProviderId());
    }

getRedirectUri()

String org.keycloak.services.resources.IdentityBrokerService.getRedirectUri ( String  providerId )

inlineprivate

                                                     {
        return Urls.identityProviderAuthnResponse(this.session.getContext().getUri().getBaseUri(), providerId, this.realmModel.getName()).toString();
    }

getToken()

Response org.keycloak.services.resources.IdentityBrokerService.getToken ( String  providerId, boolean  forceRetrieval  )

inlineprivate

                                                                         {
        this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN);

        try {
            AppAuthManager authManager = new AppAuthManager();
            AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(this.session, this.realmModel, this.session.getContext().getUri(), this.clientConnection, this.request.getHttpHeaders());

            if (authResult != null) {
                AccessToken token = authResult.getToken();
                String[] audience = token.getAudience();
                ClientModel clientModel = this.realmModel.getClientByClientId(audience[0]);

                if (clientModel == null) {
                    return badRequest("Invalid client.");
                }

                session.getContext().setClient(clientModel);

                ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID);
                if (brokerClient == null) {
                    return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientModel);

                }
                if (!canReadBrokerToken(token)) {
                    return corsResponse(forbidden("Client [" + clientModel.getClientId() + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel);

                }

                IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId);
                IdentityProviderModel identityProviderConfig = getIdentityProviderConfig(providerId);

                if (identityProviderConfig.isStoreToken()) {
                    FederatedIdentityModel identity = this.session.users().getFederatedIdentity(authResult.getUser(), providerId, this.realmModel);

                    if (identity == null) {
                        return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel);
                    }

                    this.event.success();

                    return corsResponse(identityProvider.retrieveToken(session, identity), clientModel);
                }

                return corsResponse(badRequest("Identity Provider [" + providerId + "] does not support this operation."), clientModel);
            }

            return badRequest("Invalid token.");
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.COULD_NOT_OBTAIN_TOKEN, e, providerId);
        }  catch (Exception e) {
            return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, providerId);
        }
    }

init()

void org.keycloak.services.resources.IdentityBrokerService.init ( )

inline

                       {
        this.event = new EventBuilder(realmModel, session, clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN);
    }

isDebugEnabled()

boolean org.keycloak.services.resources.IdentityBrokerService.isDebugEnabled ( )

inlineprivate

                                     {
        return logger.isDebugEnabled();
    }

parseEncodedSessionCode()

ParsedCodeContext org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode ( String  encodedCode )

inlineprivate

                                                                          {
        IdentityBrokerState state = IdentityBrokerState.encoded(encodedCode);
        String code = state.getDecodedState();
        String clientId = state.getClientId();
        String tabId = state.getTabId();
        return parseSessionCode(code, clientId, tabId);
    }

parseSessionCode()

ParsedCodeContext org.keycloak.services.resources.IdentityBrokerService.parseSessionCode ( String  code, String  clientId, String  tabId  )

inlineprivate

                                                                                           {
        if (code == null || clientId == null || tabId == null) {
            logger.debugf("Invalid request. Authorization code, clientId or tabId was null. Code=%s, clientId=%s, tabID=%s", code, clientId, tabId);
            Response staleCodeError = redirectToErrorPage(Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
            return ParsedCodeContext.response(staleCodeError);
        }

        SessionCodeChecks checks = new SessionCodeChecks(realmModel, session.getContext().getUri(), request, clientConnection, session, event, null, code, null, clientId, tabId, LoginActionsService.AUTHENTICATE_PATH);
        checks.initialVerify();
        if (!checks.verifyActiveAndValidAction(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {

            AuthenticationSessionModel authSession = checks.getAuthenticationSession();
            if (authSession != null) {
                // Check if error happened during login or during linking from account management
                Response accountManagementFailedLinking = checkAccountManagementFailedLinking(authSession, Messages.STALE_CODE_ACCOUNT);
                if (accountManagementFailedLinking != null) {
                    return ParsedCodeContext.response(accountManagementFailedLinking);
                } else {
                    Response errorResponse = checks.getResponse();

                    // Remove "code" from browser history
                    errorResponse = BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, errorResponse, true, request);
                    return ParsedCodeContext.response(errorResponse);
                }
            } else {
                return ParsedCodeContext.response(checks.getResponse());
            }
        } else {
            if (isDebugEnabled()) {
                logger.debugf("Authorization code is valid.");
            }

            return ParsedCodeContext.clientSessionCode(checks.getClientCode());
        }
    }

performAccountLinking()

Response org.keycloak.services.resources.IdentityBrokerService.performAccountLinking ( AuthenticationSessionModel  authSession, UserSessionModel  userSession, BrokeredIdentityContext  context, FederatedIdentityModel  newModel, UserModel  federatedUser  )

inlineprivate

                                                                                                                                                                                                            {
        logger.debugf("Will try to link identity provider [%s] to user [%s]", context.getIdpConfig().getAlias(), userSession.getUser().getUsername());

        this.event.event(EventType.FEDERATED_IDENTITY_LINK);



        UserModel authenticatedUser = userSession.getUser();
        authSession.setAuthenticatedUser(authenticatedUser);

        if (federatedUser != null && !authenticatedUser.getId().equals(federatedUser.getId())) {
            return redirectToErrorWhenLinkingFailed(authSession, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, context.getIdpConfig().getAlias());
        }

        if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(AccountRoles.MANAGE_ACCOUNT))) {
            return redirectToErrorPage(authSession, Response.Status.FORBIDDEN, Messages.INSUFFICIENT_PERMISSION);
        }

        if (!authenticatedUser.isEnabled()) {
            return redirectToErrorWhenLinkingFailed(authSession, Messages.ACCOUNT_DISABLED);
        }



        if (federatedUser != null) {
            if (context.getIdpConfig().isStoreToken()) {
                FederatedIdentityModel oldModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel);
                if (!ObjectUtil.isEqualOrBothNull(context.getToken(), oldModel.getToken())) {
                    this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, newModel);
                    if (isDebugEnabled()) {
                        logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias());
                    }
                }
            }
        } else {
            this.session.users().addFederatedIdentity(this.realmModel, authenticatedUser, newModel);
        }
        context.getIdp().authenticationFinished(authSession, context);

        AuthenticationManager.setClientScopesInSession(authSession);
        TokenManager.attachAuthenticationSession(session, userSession, authSession);

        if (isDebugEnabled()) {
            logger.debugf("Linking account [%s] from identity provider [%s] to user [%s].", newModel, context.getIdpConfig().getAlias(), authenticatedUser);
        }

        this.event.user(authenticatedUser)
                .detail(Details.USERNAME, authenticatedUser.getUsername())
                .detail(Details.IDENTITY_PROVIDER, newModel.getIdentityProvider())
                .detail(Details.IDENTITY_PROVIDER_USERNAME, newModel.getUserName())
                .success();

        // we do this to make sure that the parent IDP is logged out when this user session is complete.
        // But for the case when userSession was previously authenticated with broker1 and now is linked to another broker2, we shouldn't override broker1 notes with the broker2 for sure.
        // Maybe broker logout should be rather always skiped in case of broker-linking
        if (userSession.getNote(Details.IDENTITY_PROVIDER) == null) {
            userSession.setNote(Details.IDENTITY_PROVIDER, context.getIdpConfig().getAlias());
            userSession.setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername());
        }

        return Response.status(302).location(UriBuilder.fromUri(authSession.getRedirectUri()).build()).build();
    }

performLogin()

Response org.keycloak.services.resources.IdentityBrokerService.performLogin ( @PathParam("provider_id") String  providerId, @QueryParam(LoginActionsService.SESSION_CODE) String  code, @QueryParam("client_id") String  clientId, @QueryParam(Constants.TAB_ID) String  tabId  )

inline

                                                                             {
        this.event.detail(Details.IDENTITY_PROVIDER, providerId);

        if (isDebugEnabled()) {
            logger.debugf("Sending authentication request to identity provider [%s].", providerId);
        }

        try {
            ParsedCodeContext parsedCode = parseSessionCode(code, clientId, tabId);
            if (parsedCode.response != null) {
                return parsedCode.response;
            }

            ClientSessionCode clientSessionCode = parsedCode.clientSessionCode;
            IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId);
            if (identityProviderModel == null) {
                throw new IdentityBrokerException("Identity Provider [" + providerId + "] not found.");
            }
            if (identityProviderModel.isLinkOnly()) {
                throw new IdentityBrokerException("Identity Provider [" + providerId + "] is not allowed to perform a login.");

            }
            IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel);

            IdentityProvider identityProvider = providerFactory.create(session, identityProviderModel);

            Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode));

            if (response != null) {
                if (isDebugEnabled()) {
                    logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response);
                }
                return response;
            }
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
        } catch (Exception e) {
            return redirectToErrorPage(Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
        }

        return redirectToErrorPage(Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);
    }

performPostLogin()

Response org.keycloak.services.resources.IdentityBrokerService.performPostLogin ( @PathParam("provider_id") String  providerId, @QueryParam(LoginActionsService.SESSION_CODE) String  code, @QueryParam("client_id") String  clientId, @QueryParam(Constants.TAB_ID) String  tabId  )

inline

                                                                                 {
        return performLogin(providerId, code, clientId, tabId);
    }

redirectToAccountErrorPage()

Response org.keycloak.services.resources.IdentityBrokerService.redirectToAccountErrorPage ( AuthenticationSessionModel  authSession, String  message, Object ...  parameters  )

inlineprivate

                                                                                                                               {
        fireErrorEvent(message);

        FormMessage errorMessage = new FormMessage(message, parameters);
        try {
            String serializedError = JsonSerialization.writeValueAsString(errorMessage);
            authSession.setAuthNote(AccountFormService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError);
        } catch (IOException ioe) {
            throw new RuntimeException(ioe);
        }

        URI accountServiceUri = UriBuilder.fromUri(authSession.getRedirectUri()).queryParam(Constants.TAB_ID, authSession.getTabId()).build();
        return Response.status(302).location(accountServiceUri).build();
    }

redirectToErrorPage() [1/3]

Response org.keycloak.services.resources.IdentityBrokerService.redirectToErrorPage ( AuthenticationSessionModel  authSession, Response.Status  status, String  message, Object ...  parameters  )

inlineprivate

                                                                                                                                                {
        return redirectToErrorPage(authSession, status, message, null, parameters);
    }

redirectToErrorPage() [2/3]

Response org.keycloak.services.resources.IdentityBrokerService.redirectToErrorPage ( Response.Status  status, String  message, Object ...  parameters  )

inlineprivate

                                                                                                        {
        return redirectToErrorPage(null, status, message, null, parameters);
    }

redirectToErrorPage() [3/3]

Response org.keycloak.services.resources.IdentityBrokerService.redirectToErrorPage ( AuthenticationSessionModel  authSession, Response.Status  status, String  message, Throwable  throwable, Object ...  parameters  )

inlineprivate

                                                                                                                                                                     {
        if (message == null) {
            message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR;
        }

        fireErrorEvent(message, throwable);

        if (throwable != null && throwable instanceof WebApplicationException) {
            WebApplicationException webEx = (WebApplicationException) throwable;
            return webEx.getResponse();
        }

        return ErrorPage.error(this.session, authSession, status, message, parameters);
    }

redirectToErrorWhenLinkingFailed()

Response org.keycloak.services.resources.IdentityBrokerService.redirectToErrorWhenLinkingFailed ( AuthenticationSessionModel  authSession, String  message, Object...  parameters  )

inlineprivate

                                                                                                                                    {
        if (authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) {
            return redirectToAccountErrorPage(authSession, message, parameters);
        } else {
            return redirectToErrorPage(authSession, Response.Status.BAD_REQUEST, message, parameters); // Should rather redirect to app instead and display error here?
        }
    }

retrieveToken()

Response org.keycloak.services.resources.IdentityBrokerService.retrieveToken ( @PathParam("provider_id") String  providerId )

inline

                                                                               {
        return getToken(providerId, false);
    }

retrieveTokenPreflight()

Response org.keycloak.services.resources.IdentityBrokerService.retrieveTokenPreflight ( )

inline

                                             {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

rollback()

void org.keycloak.services.resources.IdentityBrokerService.rollback ( )

inlineprivate

                            {
        if (this.session.getTransactionManager().isActive()) {
            this.session.getTransactionManager().rollback();
        }
    }

samlIdpInitiatedSSO()

ParsedCodeContext org.keycloak.services.resources.IdentityBrokerService.samlIdpInitiatedSSO ( final String  clientUrlName )

inlineprivate

If there is a client whose SAML IDP-initiated SSO URL name is set to the given

clientUrlName 

, creates a fresh client session for that client and returns a ParsedCodeContext object with that session. Otherwise returns "client not found" response.

引数

clientUrlName

戻り値

see description

                                                                              {
        event.event(EventType.LOGIN);
        CacheControlUtil.noBackButtonCacheControlHeader();
        Optional<ClientModel> oClient = this.realmModel.getClients().stream()
          .filter(c -> Objects.equals(c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME), clientUrlName))
          .findFirst();

        if (! oClient.isPresent()) {
            event.error(Errors.CLIENT_NOT_FOUND);
            return ParsedCodeContext.response(redirectToErrorPage(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND));
        }

        LoginProtocolFactory factory = (LoginProtocolFactory) session.getKeycloakSessionFactory().getProviderFactory(LoginProtocol.class, SamlProtocol.LOGIN_PROTOCOL);
        SamlService samlService = (SamlService) factory.createProtocolEndpoint(realmModel, event);
        ResteasyProviderFactory.getInstance().injectProperties(samlService);
        AuthenticationSessionModel authSession = samlService.getOrCreateLoginSessionForIdpInitiatedSso(session, realmModel, oClient.get(), null);

        return ParsedCodeContext.clientSessionCode(new ClientSessionCode<>(session, this.realmModel, authSession));
    }

shouldPerformAccountLinking()

boolean org.keycloak.services.resources.IdentityBrokerService.shouldPerformAccountLinking ( AuthenticationSessionModel  authSession, UserSessionModel  userSession, String  providerId  )

inlineprivate

                                                                                                                                         {
        String noteFromSession = authSession.getAuthNote(LINKING_IDENTITY_PROVIDER);
        if (noteFromSession == null) {
            return false;
        }

        boolean linkingValid;
        if (userSession == null) {
            linkingValid = false;
        } else {
            String expectedNote = userSession.getId() + authSession.getClient().getClientId() + providerId;
            linkingValid = expectedNote.equals(noteFromSession);
        }

        if (linkingValid) {
            authSession.removeAuthNote(LINKING_IDENTITY_PROVIDER);
            return true;
        } else {
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.BROKER_LINKING_SESSION_EXPIRED);
        }
    }

updateFederatedIdentity()

void org.keycloak.services.resources.IdentityBrokerService.updateFederatedIdentity ( BrokeredIdentityContext  context, UserModel  federatedUser  )

inlineprivate

                                                                                                   {
        FederatedIdentityModel federatedIdentityModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel);

        // Skip DB write if tokens are null or equal
        updateToken(context, federatedUser, federatedIdentityModel);
        context.getIdp().updateBrokeredUser(session, realmModel, federatedUser, context);
        Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
        if (mappers != null) {
            KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
            for (IdentityProviderMapperModel mapper : mappers) {
                IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
                target.updateBrokeredUser(session, realmModel, federatedUser, mapper, context);
            }
        }

    }

updateToken()

void org.keycloak.services.resources.IdentityBrokerService.updateToken ( BrokeredIdentityContext  context, UserModel  federatedUser, FederatedIdentityModel  federatedIdentityModel  )

inlineprivate

                                                                                                                                      {
        if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) {
            federatedIdentityModel.setToken(context.getToken());

            this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel);

            if (isDebugEnabled()) {
                logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias());
            }
        }
    }

validateUser()

Response org.keycloak.services.resources.IdentityBrokerService.validateUser ( AuthenticationSessionModel  authSession, UserModel  user, RealmModel  realm  )

inline

                                                                                                           {
        if (!user.isEnabled()) {
            event.error(Errors.USER_DISABLED);
            return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.ACCOUNT_DISABLED);
        }
        if (realm.isBruteForceProtected()) {
            if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) {
                event.error(Errors.USER_TEMPORARILY_DISABLED);
                return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.ACCOUNT_DISABLED);
            }
        }
        return null;
    }

メンバ詳解

clientConnection

ClientConnection org.keycloak.services.resources.IdentityBrokerService.clientConnection

private

event

EventBuilder org.keycloak.services.resources.IdentityBrokerService.event

private

headers

HttpHeaders org.keycloak.services.resources.IdentityBrokerService.headers

private

LINKING_IDENTITY_PROVIDER

final String org.keycloak.services.resources.IdentityBrokerService.LINKING_IDENTITY_PROVIDER = "LINKING_IDENTITY_PROVIDER"

staticprivate

logger

final Logger org.keycloak.services.resources.IdentityBrokerService.logger = Logger.getLogger(IdentityBrokerService.class)

staticprivate

realmModel

final RealmModel org.keycloak.services.resources.IdentityBrokerService.realmModel

private

request

HttpRequest org.keycloak.services.resources.IdentityBrokerService.request

private

session

KeycloakSession org.keycloak.services.resources.IdentityBrokerService.session

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java