keycloak-service

Class org.keycloak.services.resources.LoginActionsServiceChecks

Classes

class AuthenticationSessionUserIdMatchesOneFromToken
class IsActionRequired
class IsRedirectValid

Static Public Member Functions

static <T extends JsonWebToken> void checkNotLoggedInYet(ActionTokenContext<T> context, String authSessionId) throws VerificationException
static void checkIsUserValid(KeycloakSession session, RealmModel realm, String userId, Consumer<UserModel> userSetter) throws VerificationException
static <T extends JsonWebToken & ActionTokenKeyModel> void checkIsUserValid(T token, ActionTokenContext<T> context) throws VerificationException
static void checkIsClientValid(KeycloakSession session, ClientModel client) throws VerificationException
static <T extends JsonWebToken> void checkIsClientValid(T token, ActionTokenContext<T> context) throws VerificationException
static <T extends JsonWebToken> boolean doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken) throws VerificationException
static <T extends JsonWebToken & ActionTokenKeyModel> void checkTokenWasNotUsedYet(T token, ActionTokenContext<T> context) throws VerificationException

Static Private Attributes

static final Logger LOG = Logger.getLogger(LoginActionsServiceChecks.class.getName())
 

Detailed Description

Author
hmlnarik

Member Function Documentation

◆ checkIsClientValid() [1/2]

static void org.keycloak.services.resources.LoginActionsServiceChecks.checkIsClientValid(KeycloakSession session, ClientModel client) throws VerificationException
[inline, static]

Verifies whether the client denoted by the client ID in the token's iss (issuedFor) field both exists and is enabled.

    {
        // Reject tokens whose client cannot be resolved ...
        if (client == null) {
            throw new ExplainedVerificationException(Errors.CLIENT_NOT_FOUND, Messages.UNKNOWN_LOGIN_REQUESTER);
        }

        // ... and clients that exist but have been disabled
        if (! client.isEnabled()) {
            throw new ExplainedVerificationException(Errors.CLIENT_NOT_FOUND, Messages.LOGIN_REQUESTER_NOT_ENABLED);
        }
    }

◆ checkIsClientValid() [2/2]

static <T extends JsonWebToken> void org.keycloak.services.resources.LoginActionsServiceChecks.checkIsClientValid(T token, ActionTokenContext<T> context) throws VerificationException
[inline, static]

Verifies whether the client denoted by the client ID in the token's iss (issuedFor) field both exists and is enabled.

    {
        String clientId = token.getIssuedFor();
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        ClientModel client = authSession == null ? null : authSession.getClient();

        try {
            // Existence and enabled checks; throws when client is null, so the
            // dereference below is safe
            checkIsClientValid(context.getSession(), client);

            // The client bound to the authentication session must be the one the token was issued for
            if (clientId != null && ! Objects.equals(client.getClientId(), clientId)) {
                throw new ExplainedTokenVerificationException(token, Errors.CLIENT_NOT_FOUND, Messages.UNKNOWN_LOGIN_REQUESTER);
            }
        } catch (ExplainedVerificationException ex) {
            // Re-wrap so the failure is reported against the token
            throw new ExplainedTokenVerificationException(token, ex);
        }
    }

◆ checkIsUserValid() [1/2]

static void org.keycloak.services.resources.LoginActionsServiceChecks.checkIsUserValid(KeycloakSession session, RealmModel realm, String userId, Consumer<UserModel> userSetter) throws VerificationException
[inline, static]

Verifies whether the user given by ID both exists in the current realm and is enabled. If so, it optionally also injects the user via the given function (e.g. into the session context).

    {
        UserModel user = userId == null ? null : session.users().getUserById(userId, realm);

        // Unknown user (or no user ID in the token)
        if (user == null) {
            throw new ExplainedVerificationException(Errors.USER_NOT_FOUND, Messages.INVALID_USER);
        }

        // Disabled users are reported with the same user-facing message as unknown ones
        if (! user.isEnabled()) {
            throw new ExplainedVerificationException(Errors.USER_DISABLED, Messages.INVALID_USER);
        }

        if (userSetter != null) {
            userSetter.accept(user);
        }
    }

◆ checkIsUserValid() [2/2]

static <T extends JsonWebToken & ActionTokenKeyModel> void org.keycloak.services.resources.LoginActionsServiceChecks.checkIsUserValid(T token, ActionTokenContext<T> context) throws VerificationException
[inline, static]

Verifies whether the user given by ID both exists in the current realm and is enabled. If so, it optionally also injects the user via the given function (e.g. into the session context).

    {
        try {
            // The validated user becomes the authenticated user of the current authentication session
            checkIsUserValid(context.getSession(), context.getRealm(), token.getUserId(), context.getAuthenticationSession()::setAuthenticatedUser);
        } catch (ExplainedVerificationException ex) {
            throw new ExplainedTokenVerificationException(token, ex);
        }
    }

◆ checkNotLoggedInYet()

static <T extends JsonWebToken> void org.keycloak.services.resources.LoginActionsServiceChecks.checkNotLoggedInYet(ActionTokenContext<T> context, String authSessionId) throws VerificationException
[inline, static]

Verifies that the authentication session has not yet been converted to a user session, in other words that the user has not yet completed authentication and logged in.

    {
        if (authSessionId == null) {
            return;
        }

        // A user session with this ID and no pending required actions means login already completed
        UserSessionModel userSession = context.getSession().sessions().getUserSession(context.getRealm(), authSessionId);
        if (userSession != null && userSession.getUser().getRequiredActions().isEmpty()) {
            LoginFormsProvider loginForm = context.getSession().getProvider(LoginFormsProvider.class).setAuthenticationSession(context.getAuthenticationSession())
                    .setSuccess(Messages.ALREADY_LOGGED_IN);

            if (context.getSession().getContext().getClient() == null) {
                loginForm.setAttribute(Constants.SKIP_LINK, true);
            }

            throw new LoginActionsServiceException(loginForm.createInfoPage());
        }
    }

◆ checkTokenWasNotUsedYet()

static <T extends JsonWebToken & ActionTokenKeyModel> void org.keycloak.services.resources.LoginActionsServiceChecks.checkTokenWasNotUsedYet(T token, ActionTokenContext<T> context) throws VerificationException
[inline, static]

    {
        ActionTokenStoreProvider actionTokenStore = context.getSession().getProvider(ActionTokenStoreProvider.class);

        // A token already recorded in the store has been consumed; reject it as expired
        if (actionTokenStore.get(token) != null) {
            throw new ExplainedTokenVerificationException(token, Errors.EXPIRED_CODE, Messages.EXPIRED_ACTION);
        }
    }

◆ doesAuthenticationSessionFromCookieMatchOneFromToken()

static <T extends JsonWebToken> boolean org.keycloak.services.resources.LoginActionsServiceChecks.doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken) throws VerificationException
[inline, static]

This check verifies that the current authentication session is consistent with the one specified in the token. Examples:

  1. E-mail sent by an administrator (reset e-mail): the token does not contain an auth session ID.
  2. E-mail sent from the "verify e-mail" step within a flow: the token contains an auth session ID.
  3. The user clicked the link in an e-mail and lands in a new browser: the authentication session cookie is not set.
  4. The user clicked the link in an e-mail while an authentication is running: the authentication session cookie is already set in the browser.

  • For combinations 1 and 3, 1 and 4, and 2 and 3: requests the next step.
  • For combination 2 and 4:
    • If the auth session IDs from the token and the cookie match, passes.
    • Else, if the auth session from the cookie was forked and its parent auth session ID matches that of the token, replaces the current auth session with that of the parent and passes.
    • Else requests a restart by throwing a RestartFlow exception.

When the check passes, it also sets the authentication session in the token context accordingly.

    {
        if (authSessionCompoundIdFromToken == null) {
            return false;
        }

        // Same tab as the one the token was issued from: pass
        if (Objects.equals(AuthenticationSessionCompoundId.fromAuthSession(authSessionFromCookie).getEncodedId(), authSessionCompoundIdFromToken)) {
            context.setAuthenticationSession(authSessionFromCookie, false);
            return true;
        }

        // Check if it's forked session. It would have same parent (rootSession) as our browser authenticationSession
        String parentTabId = authSessionFromCookie.getAuthNote(AuthenticationProcessor.FORKED_FROM);
        if (parentTabId == null) {
            return false;
        }

        AuthenticationSessionModel authSessionFromParent = authSessionFromCookie.getParentSession().getAuthenticationSession(authSessionFromCookie.getClient(), parentTabId);
        if (authSessionFromParent == null) {
            return false;
        }

        // It's the correct browser. We won't continue login
        // from the login form (browser flow) but from the token's flow
        // Don't expire KC_RESTART cookie at this point
        LOG.debugf("Switched to forked tab: %s from: %s . Root session: %s", authSessionFromParent.getTabId(), authSessionFromCookie.getTabId(), authSessionFromCookie.getParentSession().getId());

        context.setAuthenticationSession(authSessionFromParent, false);
        context.setExecutionId(authSessionFromParent.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION));

        return true;
    }
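The decision rules listed above for combination 2 and 4, including the forked-tab case, as an added Python model (not Keycloak's code). The session classes, the compound-ID encoding and the auth-note keys are simplified stand-ins; the model follows the description and also compares the parent tab's compound ID with the token's before switching, whereas the body listed above switches whenever a forked parent exists.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
FORKED_FROM = "FORKED_FROM"                            # auth-note keys; stand-ins named
LAST_PROCESSED_EXECUTION = "LAST_PROCESSED_EXECUTION"  # after the constants on this page

@dataclass
class RootSession:                                     # browser-wide root (parent) session
    id: str
    tabs: Dict[Tuple[str, str], "AuthSession"] = field(default_factory=dict)

    def get_auth_session(self, client_id: str, tab_id: str) -> Optional["AuthSession"]:
        return self.tabs.get((client_id, tab_id))

@dataclass
class AuthSession:                                     # one per (client, browser tab)
    root: RootSession
    tab_id: str
    client_id: str
    auth_notes: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        self.root.tabs[(self.client_id, self.tab_id)] = self

    def compound_id(self) -> str:
        # Constructed encoding of (root id, tab id, client id); not Keycloak's real format.
        return f"{self.root.id}.{self.tab_id}.{self.client_id}"

@dataclass
class TokenContext:                                    # stand-in for ActionTokenContext
    auth_session: Optional[AuthSession] = None
    execution_id: Optional[str] = None

def cookie_session_matches_token(ctx: TokenContext, from_cookie: Optional[AuthSession],
                                 compound_id_from_token: Optional[str]) -> bool:
    """True: cookie and token agree and ctx points at the session to continue in. False:
    token has no session id (cases 1+3, 1+4) or cookie is unrelated; caller decides next."""
    if compound_id_from_token is None or from_cookie is None:
        return False
    if from_cookie.compound_id() == compound_id_from_token:    # case 2+4, same tab: pass
        ctx.auth_session = from_cookie
        return True
    parent_tab_id = from_cookie.auth_notes.get(FORKED_FROM)    # forked tab?
    if parent_tab_id is None:
        return False
    parent = from_cookie.root.get_auth_session(from_cookie.client_id, parent_tab_id)
    if parent is None or parent.compound_id() != compound_id_from_token:
        return False
    ctx.auth_session = parent                                  # continue in the token's flow
    ctx.execution_id = parent.auth_notes.get(LAST_PROCESSED_EXECUTION)
    return True
```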

Member Data Documentation

◆ LOG

final Logger org.keycloak.services.resources.LoginActionsServiceChecks.LOG = Logger.getLogger(LoginActionsServiceChecks.class.getName())
[static, private]

The documentation for this class was generated from the following file: