Package org.keycloak.services.managers

Class AuthenticationManager

java.lang.Object

org.keycloak.services.managers.AuthenticationManager

Direct Known Subclasses:

AppAuthManager

public class AuthenticationManager
extends Object

Stateless object that manages authentication

Version:

$Revision: 1 $

Author:

Bill Burke

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	AuthenticationManager.AuthenticationStatus
static class	AuthenticationManager.AuthResult

Field Summary

Fields

Modifier and Type	Field	Description
static String	AUTH_TIME
static String	AUTH_TIME_BROKER
static String	CLIENT_LOGOUT_STATE	Auth session note on client logout state (when logging out)
static String	END_AFTER_REQUIRED_ACTIONS
static String	FORCED_REAUTHENTICATION
static String	FORM_USERNAME
static String	INITIATING_IDP_PARAM
static String	INVALIDATE_ACTION_TOKEN
static String	KEYCLOAK_IDENTITY_COOKIE
static String	KEYCLOAK_LOGOUT_PROTOCOL
static String	KEYCLOAK_REMEMBER_ME
static String	KEYCLOAK_SESSION_COOKIE
protected static org.jboss.logging.Logger	logger
static String	LOGOUT_INITIATING_IDP
static String	LOGOUT_WITH_SYSTEM_CLIENT
static String	SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS
static String	SSO_AUTH
static String	USER_SESSION_PERSISTENT_STATE	Auth session note, which indicates if user session will be persistent (Saved to real persistent store) or transient (transient session will be scoped to single request and hence there is no need to save it in the underlying store)

Constructor Summary

Constructors

Constructor	Description
AuthenticationManager()

Method Summary

Modifier and Type	Method	Description
static javax.ws.rs.core.Response	actionRequired(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event)
AuthenticationManager.AuthResult	authenticateIdentityCookie(KeycloakSession session, RealmModel realm)
static AuthenticationManager.AuthResult	authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive)
static BackchannelLogoutResponse	backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers, boolean logoutBroker)
static BackchannelLogoutResponse	backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession)
static void	backchannelLogout(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker)
static void	backchannelLogoutUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, javax.ws.rs.core.UriInfo uriInfo, javax.ws.rs.core.HttpHeaders headers)	Logout all clientSessions of this user and client
static javax.ws.rs.core.Response	browserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers)
static IdentityCookieToken	createIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer)
static void	createLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection)
static AuthenticationSessionModel	createOrJoinLogoutSession(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie)
static void	createRememberMeCookie(String username, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static RequiredActionProvider	createRequiredAction(RequiredActionContextResult context)
static void	evaluateRequiredActionTriggers(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user)
protected static javax.ws.rs.core.Response	executionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Stream<String> requiredActions)
static void	expireCookie(RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection, ServerCookie.SameSiteAttributeValue sameSite, KeycloakSession session)
static void	expireIdentityCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static void	expireOldAuthSessionCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static void	expireOldIdentityCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static void	expireRememberMeCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static boolean	expireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, javax.ws.rs.core.HttpHeaders headers, ClientConnection connection)
static javax.ws.rs.core.Response	finishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers)
static javax.ws.rs.core.Response	finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, EventBuilder event)
static void	finishUnconfirmedUserSession(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel)
static String	getAccountCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static CommonClientSessionModel.Action	getClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid)	Returns the logout state of the particular client as per the logoutAuthSession
protected static String	getIdentityCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static String	getOldCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static String	getRealmCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static String	getRememberMeUsername(RealmModel realm, javax.ws.rs.core.HttpHeaders headers)
static String	getSessionIdFromSessionCookie(KeycloakSession session)
static boolean	isOfflineSessionValid(RealmModel realm, UserSessionModel userSession)
static boolean	isSessionValid(RealmModel realm, UserSessionModel userSession)
static boolean	isSSOAuthentication(AuthenticatedClientSessionModel clientSession)
static void	logSuccess(KeycloakSession session, AuthenticationSessionModel authSession)
static UserModel	lookupUserForBruteForceLog(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession)
static javax.ws.rs.core.Response	nextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, EventBuilder event)
static String	nextRequiredAction(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event)
static javax.ws.rs.core.Response	redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession)
static javax.ws.rs.core.Response	redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol)
static javax.ws.rs.core.Response	redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, javax.ws.rs.core.UriInfo uriInfo, String requiredAction)
static void	setClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action)	Sets logout state of the particular client into the logoutAuthSession
static void	setClientScopesInSession(AuthenticationSessionModel authSession)
static void	setKcActionStatus(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession)
static AuthenticationManager.AuthResult	verifyIdentityToken(KeycloakSession session, RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, javax.ws.rs.core.HttpHeaders headers, TokenVerifier.Predicate<? super AccessToken>... additionalChecks)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS

public static final String SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS

See Also:

Constant Field Values

END_AFTER_REQUIRED_ACTIONS

public static final String END_AFTER_REQUIRED_ACTIONS

See Also:

Constant Field Values

INVALIDATE_ACTION_TOKEN

public static final String INVALIDATE_ACTION_TOKEN

See Also:

Constant Field Values

USER_SESSION_PERSISTENT_STATE

public static final String USER_SESSION_PERSISTENT_STATE

Auth session note, which indicates if user session will be persistent (Saved to real persistent store) or transient (transient session will be scoped to single request and hence there is no need to save it in the underlying store)

See Also:

Constant Field Values

CLIENT_LOGOUT_STATE

public static final String CLIENT_LOGOUT_STATE

Auth session note on client logout state (when logging out)

See Also:

Constant Field Values

AUTH_TIME

public static final String AUTH_TIME

See Also:

Constant Field Values

AUTH_TIME_BROKER

public static final String AUTH_TIME_BROKER

See Also:

Constant Field Values

SSO_AUTH

public static final String SSO_AUTH

See Also:

Constant Field Values

FORCED_REAUTHENTICATION

public static final String FORCED_REAUTHENTICATION

See Also:

Constant Field Values

logger

protected static final org.jboss.logging.Logger logger

FORM_USERNAME

public static final String FORM_USERNAME

See Also:

Constant Field Values

KEYCLOAK_IDENTITY_COOKIE

public static final String KEYCLOAK_IDENTITY_COOKIE

See Also:

Constant Field Values

KEYCLOAK_SESSION_COOKIE

public static final String KEYCLOAK_SESSION_COOKIE

See Also:

Constant Field Values

KEYCLOAK_REMEMBER_ME

public static final String KEYCLOAK_REMEMBER_ME

See Also:

Constant Field Values

LOGOUT_WITH_SYSTEM_CLIENT

public static final String LOGOUT_WITH_SYSTEM_CLIENT

See Also:

Constant Field Values

KEYCLOAK_LOGOUT_PROTOCOL

public static final String KEYCLOAK_LOGOUT_PROTOCOL

See Also:

Constant Field Values

LOGOUT_INITIATING_IDP

public static final String LOGOUT_INITIATING_IDP

See Also:

Constant Field Values

INITIATING_IDP_PARAM

public static final String INITIATING_IDP_PARAM

See Also:

Constant Field Values

Constructor Detail

AuthenticationManager

public AuthenticationManager()

Method Detail

isSessionValid

public static boolean isSessionValid(RealmModel realm,
                                     UserSessionModel userSession)

isOfflineSessionValid

public static boolean isOfflineSessionValid(RealmModel realm,
                                            UserSessionModel userSession)

expireUserSessionCookie

public static boolean expireUserSessionCookie(KeycloakSession session,
                                              UserSessionModel userSession,
                                              RealmModel realm,
                                              javax.ws.rs.core.UriInfo uriInfo,
                                              javax.ws.rs.core.HttpHeaders headers,
                                              ClientConnection connection)

backchannelLogout

public static void backchannelLogout(KeycloakSession session,
                                     UserSessionModel userSession,
                                     boolean logoutBroker)

backchannelLogout

public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session,
                                                          RealmModel realm,
                                                          UserSessionModel userSession,
                                                          javax.ws.rs.core.UriInfo uriInfo,
                                                          ClientConnection connection,
                                                          javax.ws.rs.core.HttpHeaders headers,
                                                          boolean logoutBroker)

backchannelLogout

public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session,
                                                          RealmModel realm,
                                                          UserSessionModel userSession,
                                                          javax.ws.rs.core.UriInfo uriInfo,
                                                          ClientConnection connection,
                                                          javax.ws.rs.core.HttpHeaders headers,
                                                          boolean logoutBroker,
                                                          boolean offlineSession)

Parameters:

session -

realm -

userSession -

uriInfo -

connection -

headers -

logoutBroker -

offlineSession -

Returns:

BackchannelLogoutResponse with logout information

createOrJoinLogoutSession

public static AuthenticationSessionModel createOrJoinLogoutSession(KeycloakSession session,
                                                                   RealmModel realm,
                                                                   AuthenticationSessionManager asm,
                                                                   UserSessionModel userSession,
                                                                   boolean browserCookie)

setClientLogoutAction

public static void setClientLogoutAction(AuthenticationSessionModel logoutAuthSession,
                                         String clientUuid,
                                         CommonClientSessionModel.Action action)

Sets logout state of the particular client into the logoutAuthSession

Parameters:

logoutAuthSession - logoutAuthSession. May be null in which case this is a no-op.

clientUuid - Client. Must not be null

action -

getClientLogoutAction

public static CommonClientSessionModel.Action getClientLogoutAction(AuthenticationSessionModel logoutAuthSession,
                                                                    String clientUuid)

Returns the logout state of the particular client as per the logoutAuthSession

Parameters:

logoutAuthSession - logoutAuthSession. May be null in which case this is a no-op.

clientUuid - Internal ID of the client. Must not be null

Returns:

State if it can be determined, null otherwise.

backchannelLogoutUserFromClient

public static void backchannelLogoutUserFromClient(KeycloakSession session,
                                                   RealmModel realm,
                                                   UserModel user,
                                                   ClientModel client,
                                                   javax.ws.rs.core.UriInfo uriInfo,
                                                   javax.ws.rs.core.HttpHeaders headers)

Logout all clientSessions of this user and client

Parameters:

session -

realm -

user -

client -

uriInfo -

headers -

browserLogout

public static javax.ws.rs.core.Response browserLogout(KeycloakSession session,
                                                      RealmModel realm,
                                                      UserSessionModel userSession,
                                                      javax.ws.rs.core.UriInfo uriInfo,
                                                      ClientConnection connection,
                                                      javax.ws.rs.core.HttpHeaders headers)

finishBrowserLogout

public static javax.ws.rs.core.Response finishBrowserLogout(KeycloakSession session,
                                                            RealmModel realm,
                                                            UserSessionModel userSession,
                                                            javax.ws.rs.core.UriInfo uriInfo,
                                                            ClientConnection connection,
                                                            javax.ws.rs.core.HttpHeaders headers)

finishUnconfirmedUserSession

public static void finishUnconfirmedUserSession(KeycloakSession session,
                                                RealmModel realm,
                                                UserSessionModel userSessionModel)

createIdentityToken

public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSession,
                                                      RealmModel realm,
                                                      UserModel user,
                                                      UserSessionModel session,
                                                      String issuer)

createLoginCookie

public static void createLoginCookie(KeycloakSession keycloakSession,
                                     RealmModel realm,
                                     UserModel user,
                                     UserSessionModel session,
                                     javax.ws.rs.core.UriInfo uriInfo,
                                     ClientConnection connection)

createRememberMeCookie

public static void createRememberMeCookie(String username,
                                          javax.ws.rs.core.UriInfo uriInfo,
                                          KeycloakSession session)

getRememberMeUsername

public static String getRememberMeUsername(RealmModel realm,
                                           javax.ws.rs.core.HttpHeaders headers)

expireIdentityCookie

public static void expireIdentityCookie(RealmModel realm,
                                        javax.ws.rs.core.UriInfo uriInfo,
                                        KeycloakSession session)

expireOldIdentityCookie

public static void expireOldIdentityCookie(RealmModel realm,
                                           javax.ws.rs.core.UriInfo uriInfo,
                                           KeycloakSession session)

expireRememberMeCookie

public static void expireRememberMeCookie(RealmModel realm,
                                          javax.ws.rs.core.UriInfo uriInfo,
                                          KeycloakSession session)

expireOldAuthSessionCookie

public static void expireOldAuthSessionCookie(RealmModel realm,
                                              javax.ws.rs.core.UriInfo uriInfo,
                                              KeycloakSession session)

getIdentityCookiePath

protected static String getIdentityCookiePath(RealmModel realm,
                                              javax.ws.rs.core.UriInfo uriInfo)

getRealmCookiePath

public static String getRealmCookiePath(RealmModel realm,
                                        javax.ws.rs.core.UriInfo uriInfo)

getOldCookiePath

public static String getOldCookiePath(RealmModel realm,
                                      javax.ws.rs.core.UriInfo uriInfo)

getAccountCookiePath

public static String getAccountCookiePath(RealmModel realm,
                                          javax.ws.rs.core.UriInfo uriInfo)

expireCookie

public static void expireCookie(RealmModel realm,
                                String cookieName,
                                String path,
                                boolean httpOnly,
                                ClientConnection connection,
                                ServerCookie.SameSiteAttributeValue sameSite,
                                KeycloakSession session)

authenticateIdentityCookie

public AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session,
                                                                   RealmModel realm)

authenticateIdentityCookie

public static AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session,
                                                                          RealmModel realm,
                                                                          boolean checkActive)

redirectAfterSuccessfulFlow

public static javax.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session,
                                                                    RealmModel realm,
                                                                    UserSessionModel userSession,
                                                                    ClientSessionContext clientSessionCtx,
                                                                    HttpRequest request,
                                                                    javax.ws.rs.core.UriInfo uriInfo,
                                                                    ClientConnection clientConnection,
                                                                    EventBuilder event,
                                                                    AuthenticationSessionModel authSession)

redirectAfterSuccessfulFlow

public static javax.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session,
                                                                    RealmModel realm,
                                                                    UserSessionModel userSession,
                                                                    ClientSessionContext clientSessionCtx,
                                                                    HttpRequest request,
                                                                    javax.ws.rs.core.UriInfo uriInfo,
                                                                    ClientConnection clientConnection,
                                                                    EventBuilder event,
                                                                    AuthenticationSessionModel authSession,
                                                                    LoginProtocol protocol)

getSessionIdFromSessionCookie

public static String getSessionIdFromSessionCookie(KeycloakSession session)

isSSOAuthentication

public static boolean isSSOAuthentication(AuthenticatedClientSessionModel clientSession)

nextActionAfterAuthentication

public static javax.ws.rs.core.Response nextActionAfterAuthentication(KeycloakSession session,
                                                                      AuthenticationSessionModel authSession,
                                                                      ClientConnection clientConnection,
                                                                      HttpRequest request,
                                                                      javax.ws.rs.core.UriInfo uriInfo,
                                                                      EventBuilder event)

redirectToRequiredActions

public static javax.ws.rs.core.Response redirectToRequiredActions(KeycloakSession session,
                                                                  RealmModel realm,
                                                                  AuthenticationSessionModel authSession,
                                                                  javax.ws.rs.core.UriInfo uriInfo,
                                                                  String requiredAction)

finishedRequiredActions

public static javax.ws.rs.core.Response finishedRequiredActions(KeycloakSession session,
                                                                AuthenticationSessionModel authSession,
                                                                UserSessionModel userSession,
                                                                ClientConnection clientConnection,
                                                                HttpRequest request,
                                                                javax.ws.rs.core.UriInfo uriInfo,
                                                                EventBuilder event)

nextRequiredAction

public static String nextRequiredAction(KeycloakSession session,
                                        AuthenticationSessionModel authSession,
                                        HttpRequest request,
                                        EventBuilder event)

actionRequired

public static javax.ws.rs.core.Response actionRequired(KeycloakSession session,
                                                       AuthenticationSessionModel authSession,
                                                       HttpRequest request,
                                                       EventBuilder event)

setClientScopesInSession

public static void setClientScopesInSession(AuthenticationSessionModel authSession)

createRequiredAction

public static RequiredActionProvider createRequiredAction(RequiredActionContextResult context)

executionActions

protected static javax.ws.rs.core.Response executionActions(KeycloakSession session,
                                                            AuthenticationSessionModel authSession,
                                                            HttpRequest request,
                                                            EventBuilder event,
                                                            RealmModel realm,
                                                            UserModel user,
                                                            Stream<String> requiredActions)

evaluateRequiredActionTriggers

public static void evaluateRequiredActionTriggers(KeycloakSession session,
                                                  AuthenticationSessionModel authSession,
                                                  HttpRequest request,
                                                  EventBuilder event,
                                                  RealmModel realm,
                                                  UserModel user)

verifyIdentityToken

public static AuthenticationManager.AuthResult verifyIdentityToken(KeycloakSession session,
                                                                   RealmModel realm,
                                                                   javax.ws.rs.core.UriInfo uriInfo,
                                                                   ClientConnection connection,
                                                                   boolean checkActive,
                                                                   boolean checkTokenType,
                                                                   String checkAudience,
                                                                   boolean isCookie,
                                                                   String tokenString,
                                                                   javax.ws.rs.core.HttpHeaders headers,
                                                                   TokenVerifier.Predicate<? super AccessToken>... additionalChecks)

setKcActionStatus

public static void setKcActionStatus(String executedProviderId,
                                     RequiredActionContext.KcActionStatus status,
                                     AuthenticationSessionModel authSession)

logSuccess

public static void logSuccess(KeycloakSession session,
                              AuthenticationSessionModel authSession)

lookupUserForBruteForceLog

public static UserModel lookupUserForBruteForceLog(KeycloakSession session,
                                                   RealmModel realm,
                                                   AuthenticationSessionModel authenticationSession)