
Example 1 with ResourceOwnerPasswordCredentialsContext

Use of org.keycloak.services.clientpolicy.context.ResourceOwnerPasswordCredentialsContext in the keycloak/keycloak project.

Defined in class RejectResourceOwnerPasswordCredentialsGrantExecutor, method executeOnEvent (a client-policy executor that consumes the ROPC request event).

/**
 * Dispatches a client-policy event to the handler this executor cares about.
 *
 * <p>REGISTER/UPDATE carry a {@code ClientCRUDContext}: the proposed client representation is
 * first auto-configured and then validated. RESOURCE_OWNER_PASSWORD_CREDENTIALS_REQUEST carries a
 * {@code ResourceOwnerPasswordCredentialsContext}: its raw request parameters are handed to
 * {@code executeOnAuthorizationRequest}, which is presumably where this executor rejects the
 * password grant by throwing. Every other event is ignored.
 *
 * <p>The casts below rely on the event type fixing the concrete context subtype; a mismatched
 * context would surface as a ClassCastException rather than a policy error.
 *
 * @param context the event context supplied by the client-policy framework
 * @throws ClientPolicyException when the handler for the event rejects it
 */
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch (context.getEvent()) {
        case REGISTER:
        case UPDATE:
            onClientCreateOrUpdate((ClientCRUDContext) context);
            break;
        case RESOURCE_OWNER_PASSWORD_CREDENTIALS_REQUEST:
            onPasswordGrantRequest((ResourceOwnerPasswordCredentialsContext) context);
            break;
        default:
            // Remaining client-policy events are not relevant to this executor.
            break;
    }
}

// Auto-configures, then validates, the client representation proposed on registration or update.
private void onClientCreateOrUpdate(ClientCRUDContext crudContext) throws ClientPolicyException {
    autoConfigure(crudContext.getProposedClientRepresentation());
    validate(crudContext.getProposedClientRepresentation());
}

// Forwards the raw ROPC request parameters to the grant-request check.
private void onPasswordGrantRequest(ResourceOwnerPasswordCredentialsContext ropcContext) throws ClientPolicyException {
    executeOnAuthorizationRequest(ropcContext.getParams());
}

Example 2 with ResourceOwnerPasswordCredentialsContext

Use of org.keycloak.services.clientpolicy.context.ResourceOwnerPasswordCredentialsContext in the keycloak/keycloak project.

Defined in class TokenEndpoint, method resourceOwnerPasswordCredentialsGrant (the token-endpoint handler for the OAuth 2.0 password grant, which fires the client-policy event before authenticating).

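/**
 * Handles the OAuth 2.0 Resource Owner Password Credentials ("direct access") grant.
 *
 * <p>Order of checks matters: the client must have direct access grants enabled and must not
 * require consent (there is no consent screen in this grant), then client policies are given a
 * veto over the raw form parameters, and only then is the direct-grant authentication flow run.
 * Note that ROPC is discouraged by the OAuth 2.0 Security BCP; the first check is what keeps it
 * opt-in per client.
 *
 * <p>The authentication session created here is single-request scoped and is removed again on
 * any failure path. A refresh token is issued only if the client's advanced config enables it,
 * and an ID token (with at_hash) only when the requested scope is an OIDC request.
 *
 * @return 200 with the token response on success; on the challenge path, the challenge response
 *     produced by the authentication processor
 * @throws CorsErrorResponseException for a client not allowed to use the grant, a client that
 *     requires consent, a client-policy rejection, or an account with outstanding required actions
 */
public Response resourceOwnerPasswordCredentialsGrant() {
    event.detail(Details.AUTH_METHOD, "oauth_credentials");
    // ROPC is opt-in per client: reject unless the client explicitly enables direct access grants.
    if (!client.isDirectAccessGrantsEnabled()) {
        event.error(Errors.NOT_ALLOWED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Client not allowed for direct access grants", Response.Status.BAD_REQUEST);
    }
    // A direct grant has no consent screen, so consent-requiring clients cannot use it.
    if (client.isConsentRequired()) {
        event.error(Errors.CONSENT_DENIED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_CLIENT, "Client requires user consent", Response.Status.BAD_REQUEST);
    }
    // Client policies see the raw form parameters (presumably including the submitted
    // credentials — executors must not log them) and may reject the request before any
    // authentication work is done.
    try {
        session.clientPolicy().triggerOnEvent(new ResourceOwnerPasswordCredentialsContext(formParams));
    } catch (ClientPolicyException cpe) {
        event.error(cpe.getError());
        throw new CorsErrorResponseException(cors, cpe.getError(), cpe.getErrorDetail(), cpe.getErrorStatus());
    }
    String scope = getRequestedScopes();
    RootAuthenticationSessionModel rootAuthSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, false);
    AuthenticationSessionModel authSession = rootAuthSession.createAuthenticationSession(client);
    authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    authSession.setAction(AuthenticatedClientSessionModel.Action.AUTHENTICATE.name());
    authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
    authSession.setClientNote(OIDCLoginProtocol.SCOPE_PARAM, scope);
    AuthenticationFlowModel flow = AuthenticationFlowResolver.resolveDirectGrantFlow(authSession);
    String flowId = flow.getId();
    AuthenticationProcessor processor = new AuthenticationProcessor();
    processor.setAuthenticationSession(authSession).setFlowId(flowId).setConnection(clientConnection).setEventBuilder(event).setRealm(realm).setSession(session).setUriInfo(session.getContext().getUri()).setRequest(request);
    // A non-null challenge means the flow did not complete (e.g. failed credentials); it is
    // returned to the caller as-is.
    Response challenge = processor.authenticateOnly();
    if (challenge != null) {
        discardDirectGrantAuthSession(authSession);
        cors.build(httpResponse);
        return challenge;
    }
    processor.evaluateRequiredActionTriggers();
    UserModel user = authSession.getAuthenticatedUser();
    // Required actions need an interactive flow, which a direct grant cannot provide.
    if (user.getRequiredActionsStream().findAny().isPresent() || !authSession.getRequiredActions().isEmpty()) {
        discardDirectGrantAuthSession(authSession);
        event.error(Errors.RESOLVE_REQUIRED_ACTIONS);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Account is not fully set up", Response.Status.BAD_REQUEST);
    }
    AuthenticationManager.setClientScopesInSession(authSession);
    ClientSessionContext clientSessionCtx = processor.attachSession();
    UserSessionModel userSession = processor.getUserSession();
    updateUserSessionFromClientAuth(userSession);
    TokenManager.AccessTokenResponseBuilder responseBuilder = tokenManager.responseBuilder(realm, client, event, session, userSession, clientSessionCtx).generateAccessToken();
    // Refresh tokens are a per-client choice; do not issue one unless configured.
    if (OIDCAdvancedConfigWrapper.fromClientModel(client).isUseRefreshToken()) {
        responseBuilder.generateRefreshToken();
    }
    String scopeParam = clientSessionCtx.getClientSession().getNote(OAuth2Constants.SCOPE);
    // Only an OIDC request (scope contains "openid") gets an ID token and its at_hash.
    if (TokenUtil.isOIDCRequest(scopeParam)) {
        responseBuilder.generateIDToken().generateAccessTokenHash();
    }
    // TODO : do the same as codeToToken()
    AccessTokenResponse res = responseBuilder.build();
    event.success();
    AuthenticationManager.logSuccess(session, authSession);
    return cors.builder(Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).build();
}

/**
 * Removes a direct-grant authentication session. The ROPC grant is single-request scoped, so
 * the session must not outlive the request on any failure path.
 *
 * @param authSession the session created for this grant request
 */
private void discardDirectGrantAuthSession(AuthenticationSessionModel authSession) {
    new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, false);
}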
