
Example 1 with ErrorPageException

Use of org.keycloak.services.ErrorPageException in the keycloak/keycloak project.

From class AuthenticationProcessor, method attachSession.

/**
 * Binds a finished authentication session to a user session and returns the
 * resulting client session context.
 *
 * <p>When no {@code userSession} was attached by an authenticator, one is resolved
 * from the auth session's parent id in this order:
 * <ol>
 *   <li>none stored under that id: a fresh user session is created (persistence state
 *       taken from the {@link AuthenticationManager#USER_SESSION_PERSISTENT_STATE} client note);</li>
 *   <li>stored but user-less or no longer valid: it is restarted in place;</li>
 *   <li>stored and valid: it is reused only if it belongs to the user who just authenticated —
 *       a session owned by a different user is refused with {@code DIFFERENT_USER_AUTHENTICATED}
 *       rather than attached to this login.</li>
 * </ol>
 * A session resolved this way is moved to {@code State.LOGGED_IN}; a caller-supplied
 * session is used as-is.
 *
 * @param authSession the authentication session; its authenticated user must be set
 * @param userSession user session attached by an authenticator, or {@code null}
 * @param session     current Keycloak session
 * @param realm       realm the login belongs to
 * @param connection  client connection; its remote address is recorded on created/restarted sessions
 * @param event       event builder that receives user, username, session and remember-me details
 * @return the client session context produced by {@link TokenManager#attachAuthenticationSession}
 * @throws ErrorPageException {@code 400 Bad Request} when an existing, valid user session
 *         is owned by a different user than the one who just authenticated
 */
public static ClientSessionContext attachSession(AuthenticationSessionModel authSession, UserSessionModel userSession, KeycloakSession session, RealmModel realm, ClientConnection connection, EventBuilder event) {
    // The name the user actually typed (if the form recorded one) wins over the canonical username.
    String loginName = authSession.getAuthenticatedUser().getUsername();
    String typedName = authSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
    if (typedName != null) {
        loginName = typedName;
    }
    // parseBoolean is null-safe and case-insensitive, matching the note's "true" convention.
    boolean rememberMe = Boolean.parseBoolean(authSession.getAuthNote(Details.REMEMBER_ME));
    String brokerSession = authSession.getAuthNote(BROKER_SESSION_ID);
    String brokerUser = authSession.getAuthNote(BROKER_USER_ID);

    if (userSession == null) {
        // No authenticator attached a user session: look one up (or create one) via the parent session id.
        userSession = lookupOrCreateUserSession(authSession, session, realm, connection, event, loginName, rememberMe, brokerSession, brokerUser);
        userSession.setState(UserSessionModel.State.LOGGED_IN);
    }

    if (rememberMe) {
        event.detail(Details.REMEMBER_ME, "true");
    }
    ClientSessionContext clientSessionCtx = TokenManager.attachAuthenticationSession(session, userSession, authSession);
    event.user(userSession.getUser()).detail(Details.USERNAME, loginName).session(userSession);
    return clientSessionCtx;
}

/**
 * Resolves the user session keyed by the auth session's parent id: creates it when absent,
 * restarts it when user-less or invalid, and otherwise reuses it — but only for the same user.
 *
 * @throws ErrorPageException {@code 400 Bad Request} when the existing valid session belongs to another user
 */
private static UserSessionModel lookupOrCreateUserSession(AuthenticationSessionModel authSession, KeycloakSession session, RealmModel realm, ClientConnection connection, EventBuilder event, String loginName, boolean rememberMe, String brokerSession, String brokerUser) {
    String parentId = authSession.getParentSession().getId();
    UserSessionModel found = session.sessions().getUserSession(realm, parentId);
    if (found == null) {
        UserSessionModel.SessionPersistenceState persistence = UserSessionModel.SessionPersistenceState.fromString(authSession.getClientNote(AuthenticationManager.USER_SESSION_PERSISTENT_STATE));
        return session.sessions().createUserSession(parentId, realm, authSession.getAuthenticatedUser(), loginName, connection.getRemoteAddr(), authSession.getProtocol(), rememberMe, brokerSession, brokerUser, persistence);
    }
    if (found.getUser() == null || !AuthenticationManager.isSessionValid(realm, found)) {
        // Orphaned or expired session under this id: keep the id, reset the contents for this login.
        found.restartSession(realm, authSession.getAuthenticatedUser(), loginName, connection.getRemoteAddr(), authSession.getProtocol(), rememberMe, brokerSession, brokerUser);
        return found;
    }
    // A valid session exists that SSO did not pick up (e.g. prompt=login). It may be reused
    // by the same user only; handing another user's session to this login is refused.
    logger.debugf("No SSO login, but found existing userSession with ID '%s' after finished authentication.", found.getId());
    if (!authSession.getAuthenticatedUser().equals(found.getUser())) {
        event.detail(Details.EXISTING_USER, found.getUser().getId());
        event.error(Errors.DIFFERENT_USER_AUTHENTICATED);
        throw new ErrorPageException(session, authSession, Response.Status.BAD_REQUEST, Messages.DIFFERENT_USER_AUTHENTICATED, found.getUser().getUsername());
    }
    return found;
}

Example 2 with ErrorPageException

Use of org.keycloak.services.ErrorPageException in the keycloak/keycloak project.

From class DeviceEndpoint, method checkClient.

/**
 * Validates the {@code client_id} presented to the device authorization endpoint and
 * installs the matching client on the session context.
 *
 * <p>Checks run in this order and the first failure wins: parameter present, client exists
 * in the realm, client enabled, OAuth 2.0 Device Authorization Grant enabled for the client,
 * client not bearer-only, client protocol is OpenID Connect (a client with no protocol set is
 * treated as OIDC, with a warning). Each failure is recorded on the event and surfaced as an
 * error page. Unlike {@code IdentityBrokerService#checkClient}, the page shown here does
 * distinguish an unknown client from a disabled one.
 *
 * @param clientId the {@code client_id} request parameter, possibly {@code null}
 * @return the resolved, enabled, device-grant-capable OIDC client
 * @throws ErrorPageException {@code 400} for a missing, unknown or disabled client, a client
 *         without the device grant, or a non-OIDC protocol; {@code 403} for a bearer-only client
 */
private ClientModel checkClient(String clientId) {
    if (clientId == null) {
        event.error(Errors.INVALID_REQUEST);
        throw new ErrorPageException(session, null, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
    }
    event.client(clientId);

    ClientModel client = realm.getClientByClientId(clientId);
    if (client == null) {
        event.error(Errors.CLIENT_NOT_FOUND);
        throw new ErrorPageException(session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
    }
    if (!client.isEnabled()) {
        event.error(Errors.CLIENT_DISABLED);
        throw new ErrorPageException(session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED);
    }
    boolean deviceGrantAllowed = realm.getOAuth2DeviceConfig().isOAuth2DeviceAuthorizationGrantEnabled(client);
    if (!deviceGrantAllowed) {
        event.error(Errors.NOT_ALLOWED);
        throw new ErrorPageException(session, null, Response.Status.BAD_REQUEST, Messages.OAUTH2_DEVICE_AUTHORIZATION_GRANT_DISABLED);
    }
    if (client.isBearerOnly()) {
        // Bearer-only clients are refused with 403 rather than the 400 used for the other failures.
        event.error(Errors.NOT_ALLOWED);
        throw new ErrorPageException(session, null, Response.Status.FORBIDDEN, Messages.BEARER_ONLY);
    }
    if (!OIDCLoginProtocol.LOGIN_PROTOCOL.equals(effectiveProtocol(client, clientId))) {
        event.error(Errors.INVALID_CLIENT);
        throw new ErrorPageException(session, null, Response.Status.BAD_REQUEST, "Wrong client protocol.");
    }
    session.getContext().setClient(client);
    return client;
}

/** The client's configured protocol, falling back (with a warning) to OpenID Connect when unset. */
private String effectiveProtocol(ClientModel client, String clientId) {
    String protocol = client.getProtocol();
    if (protocol != null) {
        return protocol;
    }
    logger.warnf("Client '%s' doesn't have protocol set. Fallback to openid-connect. Please fix client configuration", clientId);
    return OIDCLoginProtocol.LOGIN_PROTOCOL;
}

Example 3 with ErrorPageException

Use of org.keycloak.services.ErrorPageException in the keycloak/keycloak project.

From class DeviceEndpoint, method authenticateClient.

/**
 * Authenticates the client calling the device authorization endpoint, then applies the
 * same eligibility checks as {@link #checkClient(String)}.
 *
 * <p>Client authentication itself is delegated to {@link AuthorizeClientUtil#authorizeClient};
 * the device-flow specification (draft-ietf-oauth-device-flow-15 §3.1, since published as
 * RFC 8628) requires the client authentication rules of RFC 6749 §3.2.1 on this endpoint.
 *
 * @return the authenticated and validated client
 * @throws ErrorPageException {@code 400 Bad Request} with a missing-{@code client_id} message
 *         when client authentication yields no client, or whatever {@link #checkClient(String)} raises
 */
private ClientModel authenticateClient() {
    // https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15#section-3.1
    AuthorizeClientUtil.ClientAuthResult authResult = AuthorizeClientUtil.authorizeClient(session, event, cors);
    ClientModel authenticated = authResult.getClient();
    if (authenticated != null) {
        checkClient(authenticated.getClientId());
        return authenticated;
    }
    event.error(Errors.INVALID_REQUEST);
    throw new ErrorPageException(session, null, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
}

Example 4 with ErrorPageException

Use of org.keycloak.services.ErrorPageException in the keycloak/keycloak project.

From class AuthorizationEndpoint, method updateAuthenticationSession.

/**
 * Copies the parsed authorization request onto the authentication session so that later
 * steps of the login can read it back.
 *
 * <p>Protocol, redirect URI, action, {@code response_type}, {@code redirect_uri} and the
 * issuer are always recorded; every other parameter is stored only when the request carried
 * it. Most values become client notes; {@code display} and {@code ui_locales} become auth
 * notes. The PKCE {@code code_challenge} / {@code code_challenge_method} values
 * (RFC 7636 §4) are stored as client notes — presumably for verification when the code is
 * exchanged; that check is not visible here.
 *
 * <p>ACR handling: essential ACR values from the {@code claims} parameter take precedence and
 * set {@code FORCE_LEVEL_OF_AUTHENTICATION}; otherwise the ACR values come from
 * {@code claims} / {@code acr_values} / the client. Each value is mapped to a LoA via the
 * ACR-to-LoA map (or parsed as a number) and the minimum is recorded as
 * {@code REQUESTED_LEVEL_OF_AUTHENTICATION}.
 *
 * <p>Additional request parameters are stored verbatim under
 * {@code LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX}; no size or count bound is applied
 * here. NOTE(review): assumed to be bounded by the request parser upstream — confirm.
 *
 * @throws ErrorPageException {@code 400 Bad Request} (invalid {@code claims}) when an
 *         essential ACR value is neither numeric nor mapped to a LoA
 */
private void updateAuthenticationSession() {
    authenticationSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    authenticationSession.setRedirectUri(redirectUri);
    authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    authenticationSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType());
    authenticationSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam());
    authenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));

    // Optional parameters: recorded only when present on the request.
    clientNoteIfPresent(OIDCLoginProtocol.STATE_PARAM, request.getState());
    clientNoteIfPresent(OIDCLoginProtocol.NONCE_PARAM, request.getNonce());
    if (request.getMaxAge() != null) {
        authenticationSession.setClientNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge()));
    }
    clientNoteIfPresent(OIDCLoginProtocol.SCOPE_PARAM, request.getScope());
    clientNoteIfPresent(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint());
    clientNoteIfPresent(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt());
    clientNoteIfPresent(AdapterConstants.KC_IDP_HINT, request.getIdpHint());
    clientNoteIfPresent(Constants.KC_ACTION, request.getAction());
    clientNoteIfPresent(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode());
    clientNoteIfPresent(OIDCLoginProtocol.CLAIMS_PARAM, request.getClaims());
    clientNoteIfPresent(OIDCLoginProtocol.ACR_PARAM, request.getAcr());
    // display and ui_locales are auth notes, not client notes.
    if (request.getDisplay() != null) {
        authenticationSession.setAuthNote(OAuth2Constants.DISPLAY, request.getDisplay());
    }
    if (request.getUiLocales() != null) {
        authenticationSession.setAuthNote(LocaleSelectorProvider.CLIENT_REQUEST_LOCALE, request.getUiLocales());
    }
    // PKCE, https://tools.ietf.org/html/rfc7636#section-4
    clientNoteIfPresent(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, request.getCodeChallenge());
    clientNoteIfPresent(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, request.getCodeChallengeMethod());

    recordRequestedLoa();

    if (request.getAdditionalReqParams() != null) {
        request.getAdditionalReqParams().forEach((name, value) ->
                authenticationSession.setClientNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + name, value));
    }
}

/** Stores {@code value} as a client note under {@code key}; a {@code null} value is skipped. */
private void clientNoteIfPresent(String key, String value) {
    if (value != null) {
        authenticationSession.setClientNote(key, value);
    }
}

/**
 * Derives the requested Level of Authentication from the ACR values and records the minimum
 * as {@code REQUESTED_LEVEL_OF_AUTHENTICATION}. Essential ACR values from the {@code claims}
 * parameter take precedence and additionally set {@code FORCE_LEVEL_OF_AUTHENTICATION}.
 */
private void recordRequestedLoa() {
    Map<String, Integer> acrToLoa = AcrUtils.getAcrLoaMap(authenticationSession.getClient());
    List<String> acrValues = AcrUtils.getRequiredAcrValues(request.getClaims());
    if (acrValues.isEmpty()) {
        acrValues = AcrUtils.getAcrValues(request.getClaims(), request.getAcr(), authenticationSession.getClient());
    } else {
        authenticationSession.setClientNote(Constants.FORCE_LEVEL_OF_AUTHENTICATION, "true");
    }
    acrValues.stream()
            .mapToInt(acr -> toLoa(acr, acrToLoa))
            .min()
            .ifPresent(loa -> authenticationSession.setClientNote(Constants.REQUESTED_LEVEL_OF_AUTHENTICATION, String.valueOf(loa)));
}

/**
 * Maps one ACR value to a LoA: the realm/client mapping wins, a bare number is used as-is, and
 * anything else is an unknown ACR — rejected outright when the ACR was requested as an
 * essential claim (the spec requirement cannot be met), otherwise treated as the minimum LoA.
 *
 * @throws ErrorPageException {@code 400 Bad Request} for an unknown essential ACR value
 */
private int toLoa(String acr, Map<String, Integer> acrToLoa) {
    Integer mapped = acrToLoa.get(acr);
    if (mapped != null) {
        return mapped;
    }
    try {
        return Integer.parseInt(acr);
    } catch (NumberFormatException e) {
        boolean essential = Boolean.parseBoolean(authenticationSession.getClientNote(Constants.FORCE_LEVEL_OF_AUTHENTICATION));
        if (!essential) {
            logger.warnf("Requested acr value '%s' is not a number and it is not mapped in the ACR-To-Loa mappings of realm or client. Please doublecheck ACR-to-LOA mapping or correct used ACR.", acr);
            return Constants.MINIMUM_LOA;
        }
        logger.errorf("Requested essential acr value '%s' is not a number and it is not mapped in the ACR-To-Loa mappings of realm or client. Please doublecheck ACR-to-LOA mapping or correct ACR passed in the 'claims' parameter.", acr);
        event.error(Errors.INVALID_REQUEST);
        throw new ErrorPageException(session, authenticationSession, Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, OIDCLoginProtocol.CLAIMS_PARAM);
    }
}

Example 5 with ErrorPageException

Use of org.keycloak.services.ErrorPageException in the keycloak/keycloak project.

From class IdentityBrokerService, method checkClient.

/**
 * Resolves the client that initiated the identity-broker flow.
 *
 * <p>A missing {@code client_id} is reported as such. An unknown or disabled client is recorded
 * precisely on the event ({@code CLIENT_NOT_FOUND} / {@code CLIENT_DISABLED}) but shown to the
 * browser only as a generic {@code INVALID_REQUEST} page, so the page itself does not
 * distinguish an unknown client from a disabled one — contrast with
 * {@code DeviceEndpoint#checkClient}, which surfaces the specific reason.
 *
 * @param clientId the {@code client_id} value, possibly {@code null}
 * @return the enabled client registered under {@code clientId}
 * @throws ErrorPageException {@code 400 Bad Request} in every failure case
 */
private ClientModel checkClient(String clientId) {
    if (clientId == null) {
        event.error(Errors.INVALID_REQUEST);
        throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
    }
    event.client(clientId);
    ClientModel resolved = realmModel.getClientByClientId(clientId);
    if (resolved != null && resolved.isEnabled()) {
        return resolved;
    }
    // Audit the precise reason; the page shown to the user stays generic in both cases.
    event.error(resolved == null ? Errors.CLIENT_NOT_FOUND : Errors.CLIENT_DISABLED);
    throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
}
