
Example 11 with AuthenticationSessionManager

use of org.keycloak.services.managers.AuthenticationSessionManager in project keycloak by keycloak.

Class RestartLoginCookie, method restartSession.

/**
 * Rebuilds an authentication session from the KC_RESTART cookie.
 *
 * <p>The cookie value is decoded and verified through {@code session.tokens()}; a cookie
 * that cannot be verified yields {@code null}. The flow is only restored when the client
 * recorded in the cookie exists in the realm and its client id equals
 * {@code expectedClientId}, so a cookie issued for one client cannot restart a flow for a
 * different client named in the URL. When {@code rootSession} is {@code null} a new root
 * session is created through {@link AuthenticationSessionManager}.
 *
 * @param session          current Keycloak session
 * @param realm            realm the login belongs to
 * @param rootSession      existing root authentication session, or {@code null} to create one
 * @param expectedClientId client id taken from the request URL
 * @param cook             the KC_RESTART cookie
 * @return the restored authentication session, or {@code null} when the cookie is unusable
 * @throws Exception propagated from cookie decoding
 */
public static AuthenticationSessionModel restartSession(KeycloakSession session, RealmModel realm, RootAuthenticationSessionModel rootSession, String expectedClientId, Cookie cook) throws Exception {
    RestartLoginCookie restartCookie = session.tokens().decode(cook.getValue(), RestartLoginCookie.class);
    if (restartCookie == null) {
        logger.debug("Failed to verify encoded RestartLoginCookie");
        return null;
    }

    ClientModel cookieClient = realm.getClientByClientId(restartCookie.getClientId());
    if (cookieClient == null) {
        return null;
    }

    // The cookie is bound to one client; refuse to restart under a different one.
    String cookieClientId = cookieClient.getClientId();
    if (!cookieClientId.equals(expectedClientId)) {
        logger.debugf("Skip restarting from the KC_RESTART. Clients doesn't match: Cookie client: %s, Requested client: %s", cookieClientId, expectedClientId);
        return null;
    }

    RootAuthenticationSessionModel root = rootSession != null
            ? rootSession
            : new AuthenticationSessionManager(session).createAuthenticationSession(realm, true);

    AuthenticationSessionModel restored = root.createAuthenticationSession(cookieClient);
    restored.setProtocol(restartCookie.getAuthMethod());
    restored.setRedirectUri(restartCookie.getRedirectUri());
    restored.setAction(restartCookie.getAction());
    // Client notes carried in the cookie are copied verbatim onto the new session.
    restartCookie.getNotes().forEach(restored::setClientNote);
    return restored;
}

Example 12 with AuthenticationSessionManager

use of org.keycloak.services.managers.AuthenticationSessionManager in project keycloak by keycloak.

Class SessionCodeChecks, method initialVerifyAuthSession.

/**
 * Resolves the authentication session for the incoming request after the realm-level
 * checks that every login-action request must pass.
 *
 * <p>Order of checks: SSL requirement, realm enabled, then the session lookup. The session
 * may come from the {@code auth_session_id} query parameter, from the browser cookie, or
 * from neither. When the parameter and the cookie both resolve but belong to different root
 * sessions the request is rejected with {@code INVALID_CODE}, so a session id supplied in
 * the URL cannot be processed under another browser's cookie state. If an authenticated user
 * session already exists an "already logged in" info page is produced; otherwise a restart
 * from the cookie is attempted.
 *
 * <p>Side effects: on every {@code null} return {@code response} holds the page the caller
 * should send and {@code event} has recorded the error. On success the session is also
 * attached to the {@link LoginFormsProvider}.
 *
 * @return the resolved authentication session, or {@code null} when {@code response} has
 *         been populated instead
 */
public AuthenticationSessionModel initialVerifyAuthSession() {
    if (!checkSsl()) {
        event.error(Errors.SSL_REQUIRED);
        response = ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED);
        return null;
    }
    if (!realm.isEnabled()) {
        event.error(Errors.REALM_DISABLED);
        response = ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED);
        return null;
    }

    // The client named by "client_id" drives the back-to-application link on error/info
    // pages and is put on the context; it is not an authorization decision by itself.
    logger.debugf("Will use client '%s' in back-to-application link", clientId);
    ClientModel requestedClient = clientId == null ? null : realm.getClientByClientId(clientId);
    if (requestedClient != null) {
        session.getContext().setClient(requestedClient);
    }

    AuthenticationSessionManager manager = new AuthenticationSessionManager(session);
    AuthenticationSessionModel fromParam = authSessionId == null
            ? null
            : manager.getAuthenticationSessionByIdAndClient(realm, authSessionId, requestedClient, tabId);
    AuthenticationSessionModel fromCookie = manager.getCurrentAuthenticationSession(realm, requestedClient, tabId);

    boolean bothResolved = fromParam != null && fromCookie != null;
    if (bothResolved && !fromParam.getParentSession().getId().equals(fromCookie.getParentSession().getId())) {
        event.detail(Details.REASON, "cookie does not match auth_session query parameter");
        event.error(Errors.INVALID_CODE);
        response = ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_CODE);
        return null;
    }

    // The query parameter wins over the cookie when both are present and consistent.
    AuthenticationSessionModel resolved = fromParam != null ? fromParam : fromCookie;
    if (resolved != null) {
        session.getProvider(LoginFormsProvider.class).setAuthenticationSession(resolved);
        return resolved;
    }

    UserSessionModel existingUserSession = manager.getUserSessionFromAuthCookie(realm);
    if (existingUserSession != null) {
        // fromParam is necessarily null on this path: the provider gets no authentication session.
        LoginFormsProvider infoForm = session.getProvider(LoginFormsProvider.class)
                .setAuthenticationSession(fromParam)
                .setSuccess(Messages.ALREADY_LOGGED_IN);
        if (requestedClient == null) {
            infoForm.setAttribute(Constants.SKIP_LINK, true);
        }
        response = infoForm.createInfoPage();
        return null;
    }

    RootAuthenticationSessionModel existingRoot = manager.getCurrentRootAuthenticationSession(realm);
    response = restartAuthenticationSessionFromCookie(existingRoot);
    return null;
}

Example 13 with AuthenticationSessionManager

use of org.keycloak.services.managers.AuthenticationSessionManager in project keycloak by keycloak.

Class LoginActionsService, method resetCredentialsGET.

/**
 * Entry point of the reset-credentials flow.
 *
 * <p>The authentication session is looked up from the browser cookie for the client named by
 * {@code client_id}. When neither a session nor a {@code session_code} is present the endpoint
 * was reached by a direct link (no OAuth or SAML handshake): a fresh authentication session is
 * then created for that client — or for the account service when the client is unknown —
 * provided the realm allows password reset. Every other request is handled as a regular step
 * of the flow. A successful reset sends the user to the account page, so the account service
 * must be enabled.
 *
 * @param authSessionId optional authentication session id; the cookie is used when absent
 * @param code          session code, {@code null} when the page was reached by a direct link
 * @param execution     id of the execution to continue, if any
 * @param clientId      client id used for the session lookup and for a newly created session
 * @param tabId         browser tab id used for the session lookup
 * @return the next page of the flow, or an error page when password reset is disabled
 */
@Path(RESET_CREDENTIALS_PATH)
@GET
public Response resetCredentialsGET(@QueryParam(AUTH_SESSION_ID) String authSessionId,
                                    @QueryParam(SESSION_CODE) String code,
                                    @QueryParam(Constants.EXECUTION) String execution,
                                    @QueryParam(Constants.CLIENT_ID) String clientId,
                                    @QueryParam(Constants.TAB_ID) String tabId) {
    ClientModel requestedClient = realm.getClientByClientId(clientId);
    AuthenticationSessionModel current = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm, requestedClient, tabId);
    processLocaleParam(current);

    // Applications may link straight to reset credentials without an OAuth/SAML handshake.
    boolean directLink = current == null && code == null;
    if (!directLink) {
        event.event(EventType.RESET_PASSWORD);
        return resetCredentials(authSessionId, code, execution, clientId, tabId);
    }

    if (!realm.isResetPasswordAllowed()) {
        event.event(EventType.RESET_PASSWORD);
        event.error(Errors.NOT_ALLOWED);
        return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
    }
    AuthenticationSessionModel fresh = createAuthenticationSessionForClient(clientId);
    return processResetCredentials(false, null, fresh, null);
}

Example 14 with AuthenticationSessionManager

use of org.keycloak.services.managers.AuthenticationSessionManager in project keycloak by keycloak.

Class LoginActionsService, method createAuthenticationSessionForClient.

/**
 * Creates a new root and authentication session for a direct (non-OAuth) entry into a flow.
 *
 * <p>When {@code clientID} does not name a client of the realm, the realm's system client is
 * used and the redirect target is the account console base URL; otherwise the redirect is the
 * client's first valid registered redirect URI (possibly {@code null} if the client has none —
 * TODO confirm the {@code RedirectUtils.getFirstValidRedirectUri} contract). The session is
 * prepared as an OIDC authorization-code login, with the redirect URI and realm issuer also
 * recorded as client notes.
 *
 * @param clientID client id from the request; may be unknown to the realm
 * @return the new authentication session, in the {@code AUTHENTICATE} action
 * @throws UriBuilderException      if the account or issuer URL cannot be built
 * @throws IllegalArgumentException if the URI template cannot be expanded
 */
AuthenticationSessionModel createAuthenticationSessionForClient(String clientID) throws UriBuilderException, IllegalArgumentException {
    ClientModel targetClient = session.clients().getClientByClientId(realm, clientID);
    String redirect;
    if (targetClient != null) {
        redirect = RedirectUtils.getFirstValidRedirectUri(session, targetClient.getRootUrl(), targetClient.getRedirectUris());
    } else {
        // Unknown client: fall back to the system client and send the user to the account console.
        targetClient = SystemClientUtil.getSystemClient(realm);
        redirect = Urls.accountBase(session.getContext().getUri().getBaseUri()).path("/").build(realm.getName()).toString();
    }

    AuthenticationSessionManager manager = new AuthenticationSessionManager(session);
    AuthenticationSessionModel created = manager.createAuthenticationSession(realm, true).createAuthenticationSession(targetClient);
    created.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    created.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    created.setRedirectUri(redirect);
    // Client notes mirror what an OIDC authorization request would have supplied.
    created.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE);
    created.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirect);
    created.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
    return created;
}

Example 15 with AuthenticationSessionManager

use of org.keycloak.services.managers.AuthenticationSessionManager in project keycloak by keycloak.

Class LoginActionsService, method restartSession.

/**
 * Protocol-independent endpoint that restarts the current authentication flow.
 *
 * <p>The authentication session is resolved and validated by {@link SessionCodeChecks}; when
 * that fails the response it prepared is returned unchanged. The flow restarted is the one
 * the application initiated (client note {@code APP_INITIATED_FLOW}) or, absent that, the
 * plain authentication flow. If a user session is already attached to the authentication
 * session — a restart during re-authentication — that user session is logged out through the
 * back-channel before the flow is reset, so the restart does not carry over the previous
 * authenticated state.
 *
 * @param authSessionId optional authentication session id; the cookie is used when absent
 * @param clientId      client id used to resolve the session
 * @param tabId         browser tab id used to resolve the session
 * @return a redirect to the first execution of the restarted flow, or the error page produced
 *         by the checks
 */
@Path(RESTART_PATH)
@GET
public Response restartSession(@QueryParam(AUTH_SESSION_ID) String authSessionId,
                               @QueryParam(Constants.CLIENT_ID) String clientId,
                               @QueryParam(Constants.TAB_ID) String tabId) {
    event.event(EventType.RESTART_AUTHENTICATION);
    SessionCodeChecks checks = new SessionCodeChecks(realm, session.getContext().getUri(), request, clientConnection, session, event, authSessionId, null, null, clientId, tabId, null);
    AuthenticationSessionModel authSession = checks.initialVerifyAuthSession();
    if (authSession == null) {
        return checks.getResponse();
    }

    String appFlow = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
    String flowPath = appFlow != null ? appFlow : AUTHENTICATE_PATH;

    // A user session attached here means we are restarting during re-authentication;
    // it is logged out so the restarted flow starts without the old authenticated state.
    UserSessionModel attachedUserSession = new AuthenticationSessionManager(session).getUserSession(authSession);
    if (attachedUserSession != null) {
        logger.debugf("Logout of user session %s when restarting flow during re-authentication", attachedUserSession.getId());
        AuthenticationManager.backchannelLogout(session, attachedUserSession, false);
    }

    AuthenticationProcessor.resetFlow(authSession, flowPath);
    URI target = getLastExecutionUrl(flowPath, null, authSession.getClient().getClientId(), tabId);
    logger.debugf("Flow restart requested. Redirecting to %s", target);
    return Response.status(Response.Status.FOUND).location(target).build();
}
