
Example 56 with AuthenticationSessionModel

use of org.keycloak.sessions.AuthenticationSessionModel in project keycloak by keycloak.

the class LoginActionsService method resetCredentialsGET.

/**
 * Endpoint for executing the reset-credentials flow.
 * <p>
 * Two entry paths exist. When neither a current authentication session nor a session code is present, the request
 * is treated as a direct application link (no OAuth or SAML handshake): a fresh authentication session is created
 * for {@code clientId} via {@link #createAuthenticationSessionForClient} and the flow starts from the beginning,
 * provided the realm allows password resets. In every other case the request continues an existing flow and is
 * delegated to {@link #resetCredentials}. Successful reset sends you to the account page; the account service must
 * be enabled.
 *
 * @param authSessionId authentication session id; optional, can be obtained from the cookie instead
 * @param code session code of the flow being continued, or {@code null} for a fresh start
 * @param execution execution id, forwarded unchanged to {@link #resetCredentials}
 * @param clientId client id the reset flow is performed for
 * @param tabId browser tab id used to look up the current authentication session
 * @return the next page of the flow, or an error page when the realm has password reset disabled
 */
@Path(RESET_CREDENTIALS_PATH)
@GET
public Response resetCredentialsGET(@QueryParam(AUTH_SESSION_ID) String authSessionId, // optional, can get from cookie instead
                                    @QueryParam(SESSION_CODE) String code,
                                    @QueryParam(Constants.EXECUTION) String execution,
                                    @QueryParam(Constants.CLIENT_ID) String clientId,
                                    @QueryParam(Constants.TAB_ID) String tabId) {
    ClientModel requestedClient = realm.getClientByClientId(clientId);
    AuthenticationSessionModel currentSession =
            new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm, requestedClient, tabId);
    processLocaleParam(currentSession);

    boolean directApplicationLink = currentSession == null && code == null;
    if (!directApplicationLink) {
        event.event(EventType.RESET_PASSWORD);
        return resetCredentials(authSessionId, code, execution, clientId, tabId);
    }

    // Application linked straight to reset credentials; honoured only when the realm permits resets.
    if (!realm.isResetPasswordAllowed()) {
        event.event(EventType.RESET_PASSWORD);
        event.error(Errors.NOT_ALLOWED);
        return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
    }
    AuthenticationSessionModel freshSession = createAuthenticationSessionForClient(clientId);
    return processResetCredentials(false, null, freshSession, null);
}

Example 57 with AuthenticationSessionModel

use of org.keycloak.sessions.AuthenticationSessionModel in project keycloak by keycloak.

the class LoginActionsService method createAuthenticationSessionForClient.

/**
 * Creates a new root authentication session plus a child authentication session bound to the given client, filled
 * in the way an OIDC authorization-code request would fill it (action, protocol, redirect URI and client notes).
 * <p>
 * When {@code clientID} does not resolve to a client of the realm, the realm's system client is used and the
 * redirect URI points at the account console. For a known client the redirect URI is the first valid URI registered
 * on that client ({@link RedirectUtils#getFirstValidRedirectUri}); the target is never taken from the request, so a
 * caller of the direct reset-credentials link cannot choose where the flow ends up.
 * NOTE(review): getFirstValidRedirectUri may yield {@code null} for a client without usable redirect URIs — confirm
 * how the flow handles a {@code null} redirect URI downstream.
 *
 * @param clientID the client's {@code clientId} (not its internal id) to bind the session to
 * @return the freshly created authentication session
 * @throws UriBuilderException if the account or issuer URL cannot be built
 * @throws IllegalArgumentException if the account URI template cannot be expanded with the realm name
 */
AuthenticationSessionModel createAuthenticationSessionForClient(String clientID) throws UriBuilderException, IllegalArgumentException {
    ClientModel targetClient = session.clients().getClientByClientId(realm, clientID);
    String redirectTarget;
    if (targetClient != null) {
        // Known client: the redirect must be one of its registered redirect URIs.
        redirectTarget = RedirectUtils.getFirstValidRedirectUri(session, targetClient.getRootUrl(), targetClient.getRedirectUris());
    } else {
        // Unknown client: fall back to the system client and land on the account console.
        targetClient = SystemClientUtil.getSystemClient(realm);
        redirectTarget = Urls.accountBase(session.getContext().getUri().getBaseUri()).path("/").build(realm.getName()).toString();
    }

    AuthenticationSessionManager manager = new AuthenticationSessionManager(session);
    RootAuthenticationSessionModel rootSession = manager.createAuthenticationSession(realm, true);
    AuthenticationSessionModel newSession = rootSession.createAuthenticationSession(targetClient);

    newSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    newSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    newSession.setRedirectUri(redirectTarget);
    newSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE);
    newSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectTarget);
    newSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
    return newSession;
}

Example 58 with AuthenticationSessionModel

use of org.keycloak.sessions.AuthenticationSessionModel in project keycloak by keycloak.

the class LoginActionsService method processConsent.

/**
 * Handles the submission of the OAuth consent (grant) page. Not meant to be invoked directly; it is the form target
 * rendered by the consent screen.
 * <p>
 * The session code posted with the form is validated first and the authentication session must be waiting for the
 * {@code OAUTH_GRANT} action. A {@code cancel} field rejects the grant through the protocol's error response.
 * Otherwise the client scopes recorded on the authentication session — server-side state, not anything supplied by
 * the browser — are added to the user's stored consent for the client, and the flow completes with the protocol
 * redirect.
 *
 * @return the protocol redirect after a successful grant, the protocol error response on cancel, or the failure
 *         response produced by the session-code checks
 */
@Path("consent")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response processConsent() {
    MultivaluedMap<String, String> form = request.getDecodedFormParameters();
    MultivaluedMap<String, String> query = session.getContext().getUri().getQueryParameters();
    event.event(EventType.LOGIN);

    String sessionCode = form.getFirst(SESSION_CODE);
    String clientId = query.getFirst(Constants.CLIENT_ID);
    String tabId = query.getFirst(Constants.TAB_ID);
    SessionCodeChecks checks = checksForCode(null, sessionCode, null, clientId, tabId, REQUIRED_ACTION);
    if (!checks.verifyRequiredAction(AuthenticationSessionModel.Action.OAUTH_GRANT.name())) {
        return checks.getResponse();
    }

    AuthenticationSessionModel authSession = checks.getAuthenticationSession();
    initLoginEvent(authSession);
    UserModel user = authSession.getAuthenticatedUser();
    ClientModel client = authSession.getClient();

    if (form.containsKey("cancel")) {
        return denyConsent(authSession);
    }

    UserConsentModel consent = session.users().getConsentByClient(realm, user.getId(), client.getId());
    if (consent == null) {
        consent = new UserConsentModel(client);
        session.users().addConsent(realm, user.getId(), consent);
    }
    // Nothing to persist when every requested scope was already granted (e.g. prompt=consent for a returning user)
    if (grantRequestedScopes(authSession, client, consent)) {
        session.users().updateConsent(realm, user.getId(), consent);
    }

    event.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED);
    event.success();
    ClientSessionContext clientSessionCtx = AuthenticationProcessor.attachSession(authSession, null, session, realm, clientConnection, event);
    return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSessionCtx.getClientSession().getUserSession(), clientSessionCtx, request, session.getContext().getUri(), clientConnection, event, authSession);
}

/**
 * Sends the protocol-specific "consent denied" error for the session and records the rejection on the event.
 *
 * @param authSession authentication session whose protocol decides the error response
 * @return the protocol's error response
 */
private Response denyConsent(AuthenticationSessionModel authSession) {
    LoginProtocol protocol = session.getProvider(LoginProtocol.class, authSession.getProtocol());
    protocol.setRealm(realm).setHttpHeaders(headers).setUriInfo(session.getContext().getUri()).setEventBuilder(event);
    Response denied = protocol.sendError(authSession, Error.CONSENT_DENIED);
    event.error(Errors.REJECTED_BY_USER);
    return denied;
}

/**
 * Adds every scope of the authentication session that is shown on the consent screen and not yet granted to
 * {@code consent}. Scope ids that do not resolve for the client are logged and skipped.
 *
 * @return {@code true} if at least one scope was added, i.e. the consent needs to be persisted
 */
private boolean grantRequestedScopes(AuthenticationSessionModel authSession, ClientModel client, UserConsentModel consent) {
    boolean changed = false;
    for (String scopeId : authSession.getClientScopes()) {
        ClientScopeModel scope = KeycloakModelUtils.findClientScopeById(realm, client, scopeId);
        if (scope == null) {
            logger.warnf("Client scope or client with ID '%s' not found", scopeId);
            continue;
        }
        if (!consent.isClientScopeGranted(scope) && scope.isDisplayOnConsentScreen()) {
            consent.addGrantedClientScope(scope);
            changed = true;
        }
    }
    return changed;
}

Example 59 with AuthenticationSessionModel

use of org.keycloak.sessions.AuthenticationSessionModel in project keycloak by keycloak.

the class LoginActionsService method registerRequest.

/**
 * Shared handler for registration requests.
 * <p>
 * Registration is refused with an error page when the realm has it disabled. Otherwise the session code is
 * validated and the authentication session must be active in the {@code AUTHENTICATE} action; the identity cookie
 * is expired before the registration flow is processed.
 *
 * @param authSessionId authentication session id, may be {@code null}
 * @param code session code to validate
 * @param execution execution id passed on to the checks and to {@link #processRegistration}
 * @param clientId client id of the flow
 * @param tabId browser tab id of the flow
 * @param isPostRequest whether the request arrived via POST; not consulted by this method itself
 * @return the registration page, an error page when registration is disabled, or the failure response of the checks
 */
private Response registerRequest(String authSessionId, String code, String execution, String clientId, String tabId, boolean isPostRequest) {
    event.event(EventType.REGISTER);
    if (!realm.isRegistrationAllowed()) {
        event.error(Errors.REGISTRATION_DISABLED);
        return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.REGISTRATION_NOT_ALLOWED);
    }

    SessionCodeChecks codeChecks = checksForCode(authSessionId, code, execution, clientId, tabId, REGISTRATION_PATH);
    boolean flowIsActive = codeChecks.verifyActiveAndValidAction(
            AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN);
    if (!flowIsActive) {
        return codeChecks.getResponse();
    }

    AuthenticationSessionModel registrationSession = codeChecks.getAuthenticationSession();
    processLocaleParam(registrationSession);
    // Drop any existing identity cookie before a new registration proceeds.
    AuthenticationManager.expireIdentityCookie(realm, session.getContext().getUri(), clientConnection);
    return processRegistration(codeChecks.isActionRequest(), execution, registrationSession, null);
}

Example 60 with AuthenticationSessionModel

use of org.keycloak.sessions.AuthenticationSessionModel in project keycloak by keycloak.

the class LoginActionsService method restartSession.

/**
 * Protocol-independent endpoint that restarts the current authentication flow from its first step.
 * <p>
 * The authentication session is resolved through {@link SessionCodeChecks#initialVerifyAuthSession}; on failure
 * the checks' response is returned as-is. The flow to restart is the application-initiated flow noted on the
 * session, falling back to the plain authentication flow. If a user session is already bound to the
 * authentication session (restart during re-authentication) that user session is logged out over the backchannel
 * before the flow is reset.
 *
 * @param authSessionId authentication session id; optional, can be obtained from the cookie instead
 * @param clientId client id of the flow
 * @param tabId browser tab id of the flow
 * @return a {@code 302} redirect to the first execution of the restarted flow, or the checks' failure response
 */
@Path(RESTART_PATH)
@GET
public Response restartSession(@QueryParam(AUTH_SESSION_ID) String authSessionId, // optional, can get from cookie instead
                               @QueryParam(Constants.CLIENT_ID) String clientId,
                               @QueryParam(Constants.TAB_ID) String tabId) {
    event.event(EventType.RESTART_AUTHENTICATION);
    SessionCodeChecks checks = new SessionCodeChecks(realm, session.getContext().getUri(), request, clientConnection, session, event, authSessionId, null, null, clientId, tabId, null);
    AuthenticationSessionModel authSession = checks.initialVerifyAuthSession();
    if (authSession == null) {
        return checks.getResponse();
    }

    String appInitiatedFlow = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
    String flowPath = appInitiatedFlow != null ? appInitiatedFlow : AUTHENTICATE_PATH;

    // A user session already attached to the auth session means a restart during re-authentication; log it out.
    AuthenticationSessionManager manager = new AuthenticationSessionManager(session);
    UserSessionModel attachedUserSession = manager.getUserSession(authSession);
    if (attachedUserSession != null) {
        logger.debugf("Logout of user session %s when restarting flow during re-authentication", attachedUserSession.getId());
        AuthenticationManager.backchannelLogout(session, attachedUserSession, false);
    }

    AuthenticationProcessor.resetFlow(authSession, flowPath);
    URI target = getLastExecutionUrl(flowPath, null, authSession.getClient().getClientId(), tabId);
    logger.debugf("Flow restart requested. Redirecting to %s", target);
    return Response.status(Response.Status.FOUND).location(target).build();
}
