
Example 6 with UserSessionCrossDCManager

use of org.keycloak.services.managers.UserSessionCrossDCManager in project keycloak by keycloak.

The class TokenRevocationEndpoint, method checkUser.

/**
 * Resolves the user the token under revocation belongs to, stores it in the {@code user}
 * field and records it on the event.
 *
 * <p>A token carrying a session state is resolved through its user session (online first,
 * then offline); a stateless token is resolved directly from its claims. Either way a
 * missing session or user is reported as an invalid token with HTTP 200, as the revocation
 * endpoint is expected to answer that way.
 *
 * @throws CorsErrorResponseException if no matching user session or no user can be found
 */
private void checkUser() {
    String sessionState = token.getSessionState();
    if (sessionState != null) {
        UserSessionCrossDCManager sessionManager = new UserSessionCrossDCManager(session);
        String clientId = client.getId();
        // Try the online session first and fall back to the offline one.
        UserSessionModel userSession = sessionManager.getUserSessionWithClient(realm, sessionState, false, clientId);
        if (userSession == null) {
            userSession = sessionManager.getUserSessionWithClient(realm, sessionState, true, clientId);
        }
        if (userSession == null) {
            event.error(Errors.USER_SESSION_NOT_FOUND);
            throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.OK);
        }
        user = userSession.getUser();
    } else {
        user = TokenManager.lookupUserFromStatelessToken(session, realm, token);
    }
    if (user == null) {
        event.error(Errors.USER_NOT_FOUND);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.OK);
    }
    event.user(user);
}
Also used : UserSessionModel(org.keycloak.models.UserSessionModel) CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException) UserSessionCrossDCManager(org.keycloak.services.managers.UserSessionCrossDCManager)

Example 7 with UserSessionCrossDCManager

use of org.keycloak.services.managers.UserSessionCrossDCManager in project keycloak by keycloak.

The class UserInfoEndpoint, method findValidSession.

/**
 * Looks up the user session the given access token belongs to and verifies it is still valid.
 *
 * <p>Stateless tokens (no session state) get a transient session for the client. Otherwise the
 * online session is tried first, then the offline session; the first one that is valid is
 * attached to the event and returned.
 *
 * @param token  access token presented to the userinfo endpoint
 * @param event  event the resolved session (or the failure) is recorded on
 * @param client client the token was issued for
 * @return the valid user session for the token
 * @throws RuntimeException an unauthorized error response when no session exists for the token
 *         and client ({@code invalid_request}) or when the session has expired ({@code invalid_token})
 */
private UserSessionModel findValidSession(AccessToken token, EventBuilder event, ClientModel client) {
    String sessionState = token.getSessionState();
    if (sessionState == null) {
        return createTransientSessionForClient(token, client);
    }
    UserSessionCrossDCManager sessionManager = new UserSessionCrossDCManager(session);
    String clientId = client.getId();
    UserSessionModel onlineSession = sessionManager.getUserSessionWithClient(realm, sessionState, false, clientId);
    if (AuthenticationManager.isSessionValid(realm, onlineSession)) {
        checkTokenIssuedAt(token, onlineSession, event, client);
        event.session(onlineSession);
        return onlineSession;
    }
    // Online session missing or expired: the token may still belong to an offline session.
    UserSessionModel offlineSession = sessionManager.getUserSessionWithClient(realm, sessionState, true, clientId);
    if (AuthenticationManager.isOfflineSessionValid(realm, offlineSession)) {
        checkTokenIssuedAt(token, offlineSession, event, client);
        event.session(offlineSession);
        return offlineSession;
    }
    if (onlineSession == null && offlineSession == null) {
        event.error(Errors.USER_SESSION_NOT_FOUND);
        throw newUnauthorizedErrorResponseException(OAuthErrorException.INVALID_REQUEST, "User session not found or doesn't have client attached on it");
    }
    // At least one session was found but neither is valid; record the online one when present.
    event.session(onlineSession != null ? onlineSession : offlineSession);
    event.error(Errors.SESSION_EXPIRED);
    throw newUnauthorizedErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Session expired");
}
Also used : UserSessionModel(org.keycloak.models.UserSessionModel) UserSessionCrossDCManager(org.keycloak.services.managers.UserSessionCrossDCManager)

Example 8 with UserSessionCrossDCManager

use of org.keycloak.services.managers.UserSessionCrossDCManager in project keycloak by keycloak.

The class TokenManager, method checkTokenValidForIntrospection.

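/**
 * Checks whether a token is valid for the purpose of introspection. Optionally the user session
 * last-refresh and the client session timestamp are updated when the token is valid; this is
 * used to keep the session alive when long-lived tokens are used.
 *
 * <p>The verifier is created with {@code createWithoutSignature}, so the signature is not
 * (re)checked here and must have been verified before calling; only the not-before, activity
 * and revocation checks are applied.
 *
 * @param session current Keycloak session
 * @param realm realm the token was issued in
 * @param token already parsed token to check
 * @param updateTimestamps whether to refresh the user session and client session timestamps
 *        when the token turns out to be valid
 * @return {@code true} if the client, the token checks, the user and (for session-bound tokens)
 *         the user session and client session are all valid; {@code false} otherwise
 */
public boolean checkTokenValidForIntrospection(KeycloakSession session, RealmModel realm, AccessToken token, boolean updateTimestamps) {
    ClientModel client = realm.getClientByClientId(token.getIssuedFor());
    if (client == null || !client.isEnabled()) {
        return false;
    }
    try {
        TokenVerifier.createWithoutSignature(token).withChecks(NotBeforeCheck.forModel(client), TokenVerifier.IS_ACTIVE, new TokenRevocationCheck(session)).verify();
    } catch (VerificationException e) {
        logger.debugf("JWT check failed: %s", e.getMessage());
        return false;
    }
    boolean valid = false;
    // Tokens without sessions are considered valid. Signature check and revocation check are sufficient checks for them
    if (token.getSessionState() == null) {
        UserModel user = lookupUserFromStatelessToken(session, realm, token);
        valid = isUserValid(session, realm, token, user);
    } else {
        UserSessionCrossDCManager sessionManager = new UserSessionCrossDCManager(session);
        // Online session first; fall back to the offline session when the online one is missing or expired
        UserSessionModel userSession = sessionManager.getUserSessionWithClient(realm, token.getSessionState(), false, client.getId());
        if (AuthenticationManager.isSessionValid(realm, userSession)) {
            valid = isUserValid(session, realm, token, userSession.getUser());
        } else {
            userSession = sessionManager.getUserSessionWithClient(realm, token.getSessionState(), true, client.getId());
            if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) {
                valid = isUserValid(session, realm, token, userSession.getUser());
            }
        }
        // userSession is non-null whenever valid is true (valid is only set from a session that passed the checks above)
        if (valid && token.isIssuedBeforeSessionStart(userSession.getStarted())) {
            valid = false;
        }
        AuthenticatedClientSessionModel clientSession = userSession == null ? null : userSession.getAuthenticatedClientSessionByClient(client.getId());
        if (clientSession != null && valid && token.isIssuedBeforeSessionStart(clientSession.getStarted())) {
            valid = false;
        }
        // Constant-first equals: token.getType() is a plain getter of the type claim and may be null,
        // which previously raised a NullPointerException instead of treating the token as not refresh/offline
        String tokenType = token.getType();
        boolean refreshOrOffline = TokenUtil.TOKEN_TYPE_REFRESH.equals(tokenType) || TokenUtil.TOKEN_TYPE_OFFLINE.equals(tokenType);
        if (realm.isRevokeRefreshToken() && refreshOrOffline && !validateTokenReuseForIntrospection(session, realm, token)) {
            return false;
        }
        if (updateTimestamps && valid) {
            int currentTime = Time.currentTime();
            userSession.setLastSessionRefresh(currentTime);
            if (clientSession != null) {
                clientSession.setTimestamp(currentTime);
            }
        }
    }
    return valid;
}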
Also used : UserModel(org.keycloak.models.UserModel) ClientModel(org.keycloak.models.ClientModel) UserSessionModel(org.keycloak.models.UserSessionModel) AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel) VerificationException(org.keycloak.common.VerificationException) UserSessionCrossDCManager(org.keycloak.services.managers.UserSessionCrossDCManager)
