Example 96 with UserSessionModel
use of org.keycloak.models.UserSessionModel in project keycloak by keycloak.
the class IdentityBrokerService method checkAccountManagementFailedLinking.
private Response checkAccountManagementFailedLinking(AuthenticationSessionModel authSession, String error, Object... parameters) {
UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authSession);
if (userSession != null && authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) {
this.event.event(EventType.FEDERATED_IDENTITY_LINK);
UserModel user = userSession.getUser();
this.event.user(user);
this.event.detail(Details.USERNAME, user.getUsername());
return redirectToAccountErrorPage(authSession, error, parameters);
} else {
return null;
}
}
Also used :
AuthenticationSessionManager(org.keycloak.services.managers.AuthenticationSessionManager)
UserModel(org.keycloak.models.UserModel)
UserSessionModel(org.keycloak.models.UserSessionModel)
Example 97 with UserSessionModel
use of org.keycloak.models.UserSessionModel in project keycloak by keycloak.
the class IdentityBrokerService method clientInitiatedAccountLinking.
@GET
@NoCache
@Path("/{provider_id}/link")
public Response clientInitiatedAccountLinking(@PathParam("provider_id") String providerId, @QueryParam("redirect_uri") String redirectUri, @QueryParam("client_id") String clientId, @QueryParam("nonce") String nonce, @QueryParam("hash") String hash) {
this.event.event(EventType.CLIENT_INITIATED_ACCOUNT_LINKING);
checkRealm();
ClientModel client = checkClient(clientId);
redirectUri = RedirectUtils.verifyRedirectUri(session, redirectUri, client);
if (redirectUri == null) {
event.error(Errors.INVALID_REDIRECT_URI);
throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
}
event.detail(Details.REDIRECT_URI, redirectUri);
if (nonce == null || hash == null) {
event.error(Errors.INVALID_REDIRECT_URI);
throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
}
AuthenticationManager.AuthResult cookieResult = AuthenticationManager.authenticateIdentityCookie(session, realmModel, true);
String errorParam = "link_error";
if (cookieResult == null) {
event.error(Errors.NOT_LOGGED_IN);
UriBuilder builder = UriBuilder.fromUri(redirectUri).queryParam(errorParam, Errors.NOT_LOGGED_IN).queryParam("nonce", nonce);
return Response.status(302).location(builder.build()).build();
}
cookieResult.getSession();
event.session(cookieResult.getSession());
event.user(cookieResult.getUser());
event.detail(Details.USERNAME, cookieResult.getUser().getUsername());
AuthenticatedClientSessionModel clientSession = null;
for (AuthenticatedClientSessionModel cs : cookieResult.getSession().getAuthenticatedClientSessions().values()) {
if (cs.getClient().getClientId().equals(clientId)) {
byte[] decoded = Base64Url.decode(hash);
MessageDigest md = null;
try {
md = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e) {
throw new ErrorPageException(session, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST);
}
String input = nonce + cookieResult.getSession().getId() + clientId + providerId;
byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
if (MessageDigest.isEqual(decoded, check)) {
clientSession = cs;
break;
}
}
}
if (clientSession == null) {
event.error(Errors.INVALID_TOKEN);
throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
}
event.detail(Details.IDENTITY_PROVIDER, providerId);
ClientModel accountService = this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
if (!accountService.getId().equals(client.getId())) {
RoleModel manageAccountRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT);
// Ensure user has role and client has "role scope" for this role
ClientSessionContext ctx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession, session);
Set<RoleModel> userAccountRoles = ctx.getRolesStream().collect(Collectors.toSet());
if (!userAccountRoles.contains(manageAccountRole)) {
RoleModel linkRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT_LINKS);
if (!userAccountRoles.contains(linkRole)) {
event.error(Errors.NOT_ALLOWED);
UriBuilder builder = UriBuilder.fromUri(redirectUri).queryParam(errorParam, Errors.NOT_ALLOWED).queryParam("nonce", nonce);
return Response.status(302).location(builder.build()).build();
}
}
}
IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId);
if (identityProviderModel == null) {
event.error(Errors.UNKNOWN_IDENTITY_PROVIDER);
UriBuilder builder = UriBuilder.fromUri(redirectUri).queryParam(errorParam, Errors.UNKNOWN_IDENTITY_PROVIDER).queryParam("nonce", nonce);
return Response.status(302).location(builder.build()).build();
}
// Create AuthenticationSessionModel with same ID like userSession and refresh cookie
UserSessionModel userSession = cookieResult.getSession();
// Auth session with ID corresponding to our userSession may already exists in some rare cases (EG. if some client tried to login in another browser tab with "prompt=login")
RootAuthenticationSessionModel rootAuthSession = session.authenticationSessions().getRootAuthenticationSession(realmModel, userSession.getId());
if (rootAuthSession == null) {
rootAuthSession = session.authenticationSessions().createRootAuthenticationSession(realmModel, userSession.getId());
}
AuthenticationSessionModel authSession = rootAuthSession.createAuthenticationSession(client);
// Refresh the cookie
new AuthenticationSessionManager(session).setAuthSessionCookie(userSession.getId(), realmModel);
ClientSessionCode<AuthenticationSessionModel> clientSessionCode = new ClientSessionCode<>(session, realmModel, authSession);
clientSessionCode.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
clientSessionCode.getOrGenerateCode();
authSession.setProtocol(client.getProtocol());
authSession.setRedirectUri(redirectUri);
authSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString());
authSession.setAuthNote(LINKING_IDENTITY_PROVIDER, cookieResult.getSession().getId() + clientId + providerId);
event.detail(Details.CODE_ID, userSession.getId());
event.success();
try {
IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId);
Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode));
if (response != null) {
if (isDebugEnabled()) {
logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response);
}
return response;
}
} catch (IdentityBrokerException e) {
return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
} catch (Exception e) {
return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
}
return redirectToErrorPage(authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);
}
Also used :
UserSessionModel(org.keycloak.models.UserSessionModel)
AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel)
RootAuthenticationSessionModel(org.keycloak.sessions.RootAuthenticationSessionModel)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
RoleModel(org.keycloak.models.RoleModel)
SocialIdentityProvider(org.keycloak.broker.social.SocialIdentityProvider)
IdentityProvider(org.keycloak.broker.provider.IdentityProvider)
ErrorPageException(org.keycloak.services.ErrorPageException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IdentityProviderModel(org.keycloak.models.IdentityProviderModel)
ClientSessionCode(org.keycloak.services.managers.ClientSessionCode)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
WebApplicationException(javax.ws.rs.WebApplicationException)
IOException(java.io.IOException)
IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException)
OAuthErrorException(org.keycloak.OAuthErrorException)
NotFoundException(javax.ws.rs.NotFoundException)
ErrorPageException(org.keycloak.services.ErrorPageException)
AuthenticationManager(org.keycloak.services.managers.AuthenticationManager)
AuthenticationSessionManager(org.keycloak.services.managers.AuthenticationSessionManager)
Response(javax.ws.rs.core.Response)
ErrorResponse(org.keycloak.services.ErrorResponse)
ClientModel(org.keycloak.models.ClientModel)
DefaultClientSessionContext(org.keycloak.services.util.DefaultClientSessionContext)
ClientSessionContext(org.keycloak.models.ClientSessionContext)
RootAuthenticationSessionModel(org.keycloak.sessions.RootAuthenticationSessionModel)
IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException)
UriBuilder(javax.ws.rs.core.UriBuilder)
MessageDigest(java.security.MessageDigest)
Path(javax.ws.rs.Path)
GET(javax.ws.rs.GET)
NoCache(org.jboss.resteasy.annotations.cache.NoCache)
Example 98 with UserSessionModel
use of org.keycloak.models.UserSessionModel in project keycloak by keycloak.
the class AuthenticationManager method finishBrowserLogout.
public static Response finishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers) {
final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);
checkUserSessionOnlyHasLoggedOutClients(realm, userSession, logoutAuthSession);
// For resolving artifact we don't need any cookie, all details are stored in session storage so we can remove
expireIdentityCookie(realm, uriInfo, connection);
expireRememberMeCookie(realm, uriInfo, connection);
String method = userSession.getNote(KEYCLOAK_LOGOUT_PROTOCOL);
EventBuilder event = new EventBuilder(realm, session, connection);
LoginProtocol protocol = session.getProvider(LoginProtocol.class, method);
protocol.setRealm(realm).setHttpHeaders(headers).setUriInfo(uriInfo).setEventBuilder(event);
Response response = protocol.finishLogout(userSession);
// It may be possible that there are some client sessions that are still in LOGGING_OUT state
long numberOfUnconfirmedSessions = userSession.getAuthenticatedClientSessions().values().stream().filter(clientSessionModel -> CommonClientSessionModel.Action.LOGGING_OUT.name().equals(clientSessionModel.getAction())).count();
// If logout flow end up correctly there should be at maximum 1 client session in LOGGING_OUT action, if there are more, something went wrong
if (numberOfUnconfirmedSessions > 1) {
logger.warnf("There are more than one clientSession in logging_out state. Perhaps some client did not finish logout flow correctly.");
}
// LOGGED_OUT action can remove UserSession
if (numberOfUnconfirmedSessions >= 1) {
userSession.setState(UserSessionModel.State.LOGGED_OUT_UNCONFIRMED);
} else {
userSession.setState(UserSessionModel.State.LOGGED_OUT);
}
// Do not remove user session, it will be removed when last clientSession will be logged out
if (numberOfUnconfirmedSessions < 1) {
session.sessions().removeUserSession(realm, userSession);
}
session.authenticationSessions().removeRootAuthenticationSession(realm, logoutAuthSession.getParentSession());
return response;
}
Also used :
BackchannelLogoutResponse(org.keycloak.protocol.oidc.BackchannelLogoutResponse)
Response(javax.ws.rs.core.Response)
DefaultClientSessionContext(org.keycloak.services.util.DefaultClientSessionContext)
ActionTokenStoreProvider(org.keycloak.models.ActionTokenStoreProvider)
Error(org.keycloak.protocol.LoginProtocol.Error)
ErrorResponseException(org.keycloak.services.ErrorResponseException)
Map(java.util.Map)
ClientConnection(org.keycloak.common.ClientConnection)
UriBuilder(javax.ws.rs.core.UriBuilder)
Time(org.keycloak.common.util.Time)
AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel)
AuthenticationProcessor(org.keycloak.authentication.AuthenticationProcessor)
Set(java.util.Set)
AbstractUsernameFormAuthenticator(org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator)
SecretGenerator(org.keycloak.common.util.SecretGenerator)
Stream(java.util.stream.Stream)
AuthenticationFlowException(org.keycloak.authentication.AuthenticationFlowException)
SessionTimeoutHelper(org.keycloak.models.utils.SessionTimeoutHelper)
LoginActionsService(org.keycloak.services.resources.LoginActionsService)
UriInfo(javax.ws.rs.core.UriInfo)
OAuth2Constants(org.keycloak.OAuth2Constants)
LoginProtocol(org.keycloak.protocol.LoginProtocol)
Constants(org.keycloak.models.Constants)
TokenManager(org.keycloak.protocol.oidc.TokenManager)
TokenUtil(org.keycloak.util.TokenUtil)
UserModel(org.keycloak.models.UserModel)
ClientSessionContext(org.keycloak.models.ClientSessionContext)
Predicate(org.keycloak.TokenVerifier.Predicate)
TokenVerifier(org.keycloak.TokenVerifier)
CommonClientSessionModel(org.keycloak.sessions.CommonClientSessionModel)
Base64Url(org.keycloak.common.util.Base64Url)
BackchannelLogoutResponse(org.keycloak.protocol.oidc.BackchannelLogoutResponse)
AuthenticationFlowError(org.keycloak.authentication.AuthenticationFlowError)
ConsoleDisplayMode(org.keycloak.authentication.ConsoleDisplayMode)
IdentityBrokerService(org.keycloak.services.resources.IdentityBrokerService)
KeycloakSession(org.keycloak.models.KeycloakSession)
AuthorizationDetails(org.keycloak.rar.AuthorizationDetails)
HttpRequest(org.jboss.resteasy.spi.HttpRequest)
EventType(org.keycloak.events.EventType)
P3PHelper(org.keycloak.services.util.P3PHelper)
RequiredActionProvider(org.keycloak.authentication.RequiredActionProvider)
ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)
LoginFormsProvider(org.keycloak.forms.login.LoginFormsProvider)
URLDecoder(java.net.URLDecoder)
ActionTokenKeyModel(org.keycloak.models.ActionTokenKeyModel)
RequiredActionContextResult(org.keycloak.authentication.RequiredActionContextResult)
RequiredActionFactory(org.keycloak.authentication.RequiredActionFactory)
NewCookie(javax.ws.rs.core.NewCookie)
Messages(org.keycloak.services.messages.Messages)
DefaultActionTokenKey(org.keycloak.authentication.actiontoken.DefaultActionTokenKey)
SignatureVerifierContext(org.keycloak.crypto.SignatureVerifierContext)
AccessToken(org.keycloak.representations.AccessToken)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
URI(java.net.URI)
SystemClientUtil(org.keycloak.models.utils.SystemClientUtil)
VerificationException(org.keycloak.common.VerificationException)
DeviceGrantType.isOAuth2DeviceVerificationFlow(org.keycloak.protocol.oidc.grants.device.DeviceGrantType.isOAuth2DeviceVerificationFlow)
ClientScopeModel(org.keycloak.models.ClientScopeModel)
RealmModel(org.keycloak.models.RealmModel)
InitiatedActionSupport(org.keycloak.authentication.InitiatedActionSupport)
AuthenticatorUtil(org.keycloak.authentication.AuthenticatorUtil)
Collectors(java.util.stream.Collectors)
Cookie(javax.ws.rs.core.Cookie)
Objects(java.util.Objects)
List(java.util.List)
HttpHeaders(javax.ws.rs.core.HttpHeaders)
Response(javax.ws.rs.core.Response)
Details(org.keycloak.events.Details)
RootAuthenticationSessionModel(org.keycloak.sessions.RootAuthenticationSessionModel)
OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol)
Optional(java.util.Optional)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
RequiredActionProviderModel(org.keycloak.models.RequiredActionProviderModel)
ClientModel(org.keycloak.models.ClientModel)
RealmsResource(org.keycloak.services.resources.RealmsResource)
Profile(org.keycloak.common.Profile)
SameSiteAttributeValue(org.keycloak.common.util.ServerCookie.SameSiteAttributeValue)
KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils)
Logger(org.jboss.logging.Logger)
ServicesLogger(org.keycloak.services.ServicesLogger)
TokenTypeCheck(org.keycloak.TokenVerifier.TokenTypeCheck)
RequiredActionContext(org.keycloak.authentication.RequiredActionContext)
SignatureProvider(org.keycloak.crypto.SignatureProvider)
EventBuilder(org.keycloak.events.EventBuilder)
CookieHelper(org.keycloak.services.util.CookieHelper)
UserConsentModel(org.keycloak.models.UserConsentModel)
OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)
LinkedList(java.util.LinkedList)
DisplayTypeRequiredActionFactory(org.keycloak.authentication.DisplayTypeRequiredActionFactory)
IdentityProvider(org.keycloak.broker.provider.IdentityProvider)
Errors(org.keycloak.events.Errors)
CORRESPONDING_SESSION_ID(org.keycloak.models.UserSessionModel.CORRESPONDING_SESSION_ID)
UserSessionModel(org.keycloak.models.UserSessionModel)
AuthorizationContextUtil(org.keycloak.services.util.AuthorizationContextUtil)
URLEncoder(java.net.URLEncoder)
LogoutRequestContext(org.keycloak.services.clientpolicy.context.LogoutRequestContext)
CookieHelper.getCookie(org.keycloak.services.util.CookieHelper.getCookie)
Urls(org.keycloak.services.Urls)
Collections(java.util.Collections)
AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel)
RootAuthenticationSessionModel(org.keycloak.sessions.RootAuthenticationSessionModel)
EventBuilder(org.keycloak.events.EventBuilder)
LoginProtocol(org.keycloak.protocol.LoginProtocol)
OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol)
Example 99 with UserSessionModel
use of org.keycloak.models.UserSessionModel in project keycloak by keycloak.
the class AuthenticationManager method redirectAfterSuccessfulFlow.
public static Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol) {
Cookie sessionCookie = getCookie(request.getHttpHeaders().getCookies(), AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
if (sessionCookie != null) {
String[] split = sessionCookie.getValue().split("/");
if (split.length >= 3) {
String oldSessionId = split[2];
if (!oldSessionId.equals(userSession.getId())) {
UserSessionModel oldSession = session.sessions().getUserSession(realm, oldSessionId);
if (oldSession != null) {
logger.debugv("Removing old user session: session: {0}", oldSessionId);
session.sessions().removeUserSession(realm, oldSession);
}
}
}
}
// Updates users locale if required
session.getContext().resolveLocale(userSession.getUser());
// refresh the cookies!
createLoginCookie(session, realm, userSession.getUser(), userSession, uriInfo, clientConnection);
if (userSession.getState() != UserSessionModel.State.LOGGED_IN)
userSession.setState(UserSessionModel.State.LOGGED_IN);
if (userSession.isRememberMe()) {
createRememberMeCookie(realm, userSession.getLoginUsername(), uriInfo, clientConnection);
} else {
expireRememberMeCookie(realm, uriInfo, clientConnection);
}
AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
// Update userSession note with authTime. But just if flag SSO_AUTH is not set
boolean isSSOAuthentication = AuthenticatorUtil.isSSOAuthentication(authSession);
if (isSSOAuthentication) {
clientSession.setNote(SSO_AUTH, "true");
authSession.removeAuthNote(SSO_AUTH);
} else {
int authTime = Time.currentTime();
userSession.setNote(AUTH_TIME, String.valueOf(authTime));
clientSession.removeNote(SSO_AUTH);
}
// The user has successfully logged in and we can clear his/her previous login failure attempts.
logSuccess(session, authSession);
return protocol.authenticated(authSession, userSession, clientSessionCtx);
}
Also used :
NewCookie(javax.ws.rs.core.NewCookie)
Cookie(javax.ws.rs.core.Cookie)
CookieHelper.getCookie(org.keycloak.services.util.CookieHelper.getCookie)
UserSessionModel(org.keycloak.models.UserSessionModel)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
Example 100 with UserSessionModel
use of org.keycloak.models.UserSessionModel in project keycloak by keycloak.
the class AuthenticationManager method verifyIdentityToken.
public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, HttpHeaders headers, Predicate<? super AccessToken>... additionalChecks) {
try {
TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class).withDefaultChecks().realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())).checkActive(checkActive).checkTokenType(checkTokenType).withChecks(additionalChecks);
if (checkAudience != null) {
verifier.audience(checkAudience);
}
// Check token revocation in case of access token
if (checkTokenType) {
verifier.withChecks(new TokenManager.TokenRevocationCheck(session));
}
String kid = verifier.getHeader().getKeyId();
String algorithm = verifier.getHeader().getAlgorithm().name();
SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
verifier.verifierContext(signatureVerifier);
AccessToken token = verifier.verify().getToken();
if (checkActive) {
if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
logger.debug("Identity cookie expired");
return null;
}
}
UserSessionModel userSession = null;
UserModel user = null;
if (token.getSessionState() == null) {
user = TokenManager.lookupUserFromStatelessToken(session, realm, token);
if (!isUserValid(session, realm, user, token)) {
return null;
}
} else {
userSession = session.sessions().getUserSession(realm, token.getSessionState());
if (userSession != null) {
user = userSession.getUser();
if (!isUserValid(session, realm, user, token)) {
return null;
}
}
}
if (token.getSessionState() != null && !isSessionValid(realm, userSession)) {
// Check if accessToken was for the offline session.
if (!isCookie) {
UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
if (isOfflineSessionValid(realm, offlineUserSession)) {
user = offlineUserSession.getUser();
ClientModel client = realm.getClientByClientId(token.getIssuedFor());
if (!isClientValid(offlineUserSession, client, token)) {
return null;
}
return new AuthResult(user, offlineUserSession, token, client);
}
}
if (userSession != null)
backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true);
logger.debug("User session not active");
return null;
}
session.setAttribute("state_checker", token.getOtherClaims().get("state_checker"));
ClientModel client;
if (isCookie) {
client = null;
} else {
client = realm.getClientByClientId(token.getIssuedFor());
if (!isClientValid(userSession, client, token)) {
return null;
}
}
return new AuthResult(user, userSession, token, client);
} catch (VerificationException e) {
logger.debugf("Failed to verify identity token: %s", e.getMessage());
}
return null;
}
Also used :
UserModel(org.keycloak.models.UserModel)
SignatureProvider(org.keycloak.crypto.SignatureProvider)
ClientModel(org.keycloak.models.ClientModel)
UserSessionModel(org.keycloak.models.UserSessionModel)
SignatureVerifierContext(org.keycloak.crypto.SignatureVerifierContext)
AccessToken(org.keycloak.representations.AccessToken)
VerificationException(org.keycloak.common.VerificationException)
TokenManager(org.keycloak.protocol.oidc.TokenManager)
Aggregations
UserSessionModel (org.keycloak.models.UserSessionModel)133
RealmModel (org.keycloak.models.RealmModel)68
Test (org.junit.Test)53
ClientModel (org.keycloak.models.ClientModel)44
UserModel (org.keycloak.models.UserModel)43
AuthenticatedClientSessionModel (org.keycloak.models.AuthenticatedClientSessionModel)38
AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)29
KeycloakSession (org.keycloak.models.KeycloakSession)26
ModelTest (org.keycloak.testsuite.arquillian.annotation.ModelTest)26
AuthenticationSessionModel (org.keycloak.sessions.AuthenticationSessionModel)21
ClientSessionContext (org.keycloak.models.ClientSessionContext)20
AtomicReference (java.util.concurrent.atomic.AtomicReference)18
RootAuthenticationSessionModel (org.keycloak.sessions.RootAuthenticationSessionModel)17
KeycloakModelTest (org.keycloak.testsuite.model.KeycloakModelTest)17
Response (javax.ws.rs.core.Response)15
ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)14
List (java.util.List)13
CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)13
Map (java.util.Map)12
UserSessionPersisterProvider (org.keycloak.models.session.UserSessionPersisterProvider)12
