
Example 1 with CookieHelper.getCookie

use of org.keycloak.services.util.CookieHelper.getCookie in project keycloak by keycloak.

From class AuthenticationManager, method authenticateIdentityCookie (reads and verifies the identity cookie; a cookie that is present but fails verification is expired on the client).

/**
 * Authenticates the caller from the {@code KEYCLOAK_IDENTITY_COOKIE} carried by the current request.
 *
 * <p>The cookie's mere presence grants nothing: its value is handed as a token string to
 * {@code verifyIdentityToken} together with the {@code VALIDATE_IDENTITY_COOKIE} checks, and only a
 * token that passes verification yields an {@link AuthResult}. A cookie that is present but fails
 * verification is treated as dead and actively expired on the client (both the current and the
 * old-format cookie) so the browser stops re-sending it.
 *
 * @param session     current Keycloak session; supplies the request headers, URI and client connection
 * @param realm       realm the identity cookie is verified against
 * @param checkActive passed through to {@code verifyIdentityToken}; presumably controls whether token
 *                    expiry is enforced
 * @return the verified authentication result, or {@code null} when no usable cookie is present or the
 *         token does not verify
 */
public static AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive) {
    Cookie identityCookie = CookieHelper.getCookie(session.getContext().getRequestHeaders().getCookies(), KEYCLOAK_IDENTITY_COOKIE);
    boolean cookieAbsent = identityCookie == null || "".equals(identityCookie.getValue());
    if (cookieAbsent) {
        logger.debugv("Could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
        return null;
    }

    String encodedToken = identityCookie.getValue();
    // Every trust decision is delegated to verifyIdentityToken and the VALIDATE_IDENTITY_COOKIE checks.
    AuthResult result = verifyIdentityToken(session, realm, session.getContext().getUri(), session.getContext().getConnection(), checkActive, false, null, true, encodedToken, session.getContext().getRequestHeaders(), VALIDATE_IDENTITY_COOKIE);

    if (result != null) {
        // Record this access on the user session (presumably feeds idle-timeout accounting).
        result.getSession().setLastSessionRefresh(Time.currentTime());
        return result;
    }

    // Verification failed: clear the cookie (and the legacy one) instead of leaving a dead token on the client.
    expireIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
    expireOldIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
    return null;
}

Example 2 with CookieHelper.getCookie

use of org.keycloak.services.util.CookieHelper.getCookie in project keycloak by keycloak.

From class AuthenticationManager, method expireUserSessionCookie (verifies the identity cookie's signature before deciding whether it belongs to the session being logged out).

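/**
 * Expires the browser's {@code KEYCLOAK_IDENTITY_COOKIE} if, and only if, it refers to the given user session.
 *
 * <p>The cookie value is untrusted input. It is parsed as an {@link AccessToken} and its signature is verified
 * with the {@link SignatureProvider} registered for the algorithm named in the token header, using the key
 * selected by the header's {@code kid}; an algorithm with no registered provider presumably makes that lookup
 * fail, which lands in the catch below. Expiry ({@code checkActive(false)}) and token type are deliberately not
 * enforced, because an already-expired cookie bound to this session should still be cleared. Only a cookie whose
 * session state matches {@code userSession} is expired; an absent, empty or foreign cookie is left alone and
 * reported as success, mirroring the "no cookie" notion used by {@code authenticateIdentityCookie}.
 *
 * @param session     current Keycloak session, used for provider and session-store lookups
 * @param userSession the user session being logged out
 * @param realm       realm the cookie token must have been issued for
 * @param uriInfo     request URI info, used to build the expected issuer and the expiry cookie
 * @param headers     request headers the cookie is read from
 * @param connection  client connection the expiry cookie is written to
 * @return {@code true} when nothing needed to be done or the cookie was expired; {@code false} when the cookie
 *         could not be parsed or verified (the failure is logged at debug level, without the cookie value)
 */
public static boolean expireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, UriInfo uriInfo, HttpHeaders headers, ClientConnection connection) {
    try {
        // check to see if any identity cookie is set with the same session and expire it if necessary
        Cookie cookie = CookieHelper.getCookie(headers.getCookies(), KEYCLOAK_IDENTITY_COOKIE);
        // Treat an empty value like a missing cookie, as authenticateIdentityCookie does: there is nothing to expire.
        if (cookie == null || "".equals(cookie.getValue())) {
            return true;
        }
        String tokenString = cookie.getValue();
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
                .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
                .checkActive(false)
                .checkTokenType(false)
                .withChecks(VALIDATE_IDENTITY_COOKIE);
        // kid and alg are read from the not-yet-verified header; they only select which registered provider/key
        // does the verification, they are not trusted for anything else.
        String kid = verifier.getHeader().getKeyId();
        String algorithm = verifier.getHeader().getAlgorithm().name();
        SignatureVerifierContext signatureVerifier = session.getProvider(SignatureProvider.class, algorithm).verifier(kid);
        verifier.verifierContext(signatureVerifier);
        AccessToken token = verifier.verify().getToken();
        UserSessionModel cookieSession = session.sessions().getUserSession(realm, token.getSessionState());
        if (cookieSession == null || !cookieSession.getId().equals(userSession.getId())) {
            // The cookie points at a different (or no longer existing) session: not ours to expire.
            return true;
        }
        expireIdentityCookie(realm, uriInfo, connection);
        return true;
    } catch (Exception e) {
        // Best effort: a malformed or unverifiable cookie must not abort the caller's logout, but the cause is
        // worth keeping for diagnostics (a tampered cookie would presumably surface here as a VerificationException).
        // The token string is intentionally not logged.
        logger.debug("Failed to expire identity cookie for user session", e);
        return false;
    }
}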
