Package org.keycloak.services.managers
Class AuthenticationManager
- java.lang.Object
-
- org.keycloak.services.managers.AuthenticationManager
-
- Direct Known Subclasses:
AppAuthManager
public class AuthenticationManager extends Object
Stateless object that manages authentication.
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
AuthenticationManager.AuthenticationStatus
static class
AuthenticationManager.AuthResult
-
Field Summary
Fields Modifier and Type Field Description static String
AUTH_TIME
static String
AUTH_TIME_BROKER
static String
CLIENT_LOGOUT_STATE
Auth session note on client logout state (when logging out).
static String
END_AFTER_REQUIRED_ACTIONS
static String
FORCED_REAUTHENTICATION
static String
FORM_USERNAME
static String
INITIATING_IDP_PARAM
static String
INVALIDATE_ACTION_TOKEN
static String
KEYCLOAK_IDENTITY_COOKIE
static String
KEYCLOAK_LOGOUT_PROTOCOL
static String
KEYCLOAK_REMEMBER_ME
static String
KEYCLOAK_SESSION_COOKIE
protected static org.jboss.logging.Logger
logger
static String
LOGOUT_INITIATING_IDP
static String
LOGOUT_WITH_SYSTEM_CLIENT
static String
SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS
static String
SSO_AUTH
static String
USER_SESSION_PERSISTENT_STATE
Auth session note that indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store).
-
Constructor Summary
Constructors Constructor Description AuthenticationManager()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static javax.ws.rs.core.Response
actionRequired(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event)
AuthenticationManager.AuthResult
authenticateIdentityCookie(KeycloakSession session, RealmModel realm)
static AuthenticationManager.AuthResult
authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive)
static BackchannelLogoutResponse
backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers, boolean logoutBroker)
static BackchannelLogoutResponse
backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession)
static void
backchannelLogout(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker)
static void
backchannelLogoutUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, javax.ws.rs.core.UriInfo uriInfo, javax.ws.rs.core.HttpHeaders headers)
Logout all clientSessions of this user and client.
static javax.ws.rs.core.Response
browserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers)
static IdentityCookieToken
createIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer)
static void
createLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection)
static AuthenticationSessionModel
createOrJoinLogoutSession(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie)
static void
createRememberMeCookie(String username, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static RequiredActionProvider
createRequiredAction(RequiredActionContextResult context)
static void
evaluateRequiredActionTriggers(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user)
protected static javax.ws.rs.core.Response
executionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Stream<String> requiredActions)
static void
expireCookie(RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection, ServerCookie.SameSiteAttributeValue sameSite, KeycloakSession session)
static void
expireIdentityCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static void
expireOldAuthSessionCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static void
expireOldIdentityCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static void
expireRememberMeCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
static boolean
expireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, javax.ws.rs.core.HttpHeaders headers, ClientConnection connection)
static javax.ws.rs.core.Response
finishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers)
static javax.ws.rs.core.Response
finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, EventBuilder event)
static void
finishUnconfirmedUserSession(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel)
static String
getAccountCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static CommonClientSessionModel.Action
getClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid)
Returns the logout state of the particular client as per the logoutAuthSession.
protected static String
getIdentityCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static String
getOldCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static String
getRealmCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
static String
getRememberMeUsername(RealmModel realm, javax.ws.rs.core.HttpHeaders headers)
static String
getSessionIdFromSessionCookie(KeycloakSession session)
static boolean
isOfflineSessionValid(RealmModel realm, UserSessionModel userSession)
static boolean
isSessionValid(RealmModel realm, UserSessionModel userSession)
static boolean
isSSOAuthentication(AuthenticatedClientSessionModel clientSession)
static void
logSuccess(KeycloakSession session, AuthenticationSessionModel authSession)
static UserModel
lookupUserForBruteForceLog(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession)
static javax.ws.rs.core.Response
nextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, EventBuilder event)
static String
nextRequiredAction(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event)
static javax.ws.rs.core.Response
redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession)
static javax.ws.rs.core.Response
redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol)
static javax.ws.rs.core.Response
redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, javax.ws.rs.core.UriInfo uriInfo, String requiredAction)
static void
setClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action)
Sets the logout state of the particular client into the logoutAuthSession.
static void
setClientScopesInSession(AuthenticationSessionModel authSession)
static void
setKcActionStatus(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession)
static AuthenticationManager.AuthResult
verifyIdentityToken(KeycloakSession session, RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, javax.ws.rs.core.HttpHeaders headers, TokenVerifier.Predicate<? super AccessToken>... additionalChecks)
-
-
-
Field Detail
-
SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS
public static final String SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS
- See Also:
- Constant Field Values
-
END_AFTER_REQUIRED_ACTIONS
public static final String END_AFTER_REQUIRED_ACTIONS
- See Also:
- Constant Field Values
-
INVALIDATE_ACTION_TOKEN
public static final String INVALIDATE_ACTION_TOKEN
- See Also:
- Constant Field Values
-
USER_SESSION_PERSISTENT_STATE
public static final String USER_SESSION_PERSISTENT_STATE
Auth session note that indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store).
- See Also:
- Constant Field Values
-
CLIENT_LOGOUT_STATE
public static final String CLIENT_LOGOUT_STATE
Auth session note on client logout state (when logging out).
- See Also:
- Constant Field Values
-
AUTH_TIME
public static final String AUTH_TIME
- See Also:
- Constant Field Values
-
AUTH_TIME_BROKER
public static final String AUTH_TIME_BROKER
- See Also:
- Constant Field Values
-
SSO_AUTH
public static final String SSO_AUTH
- See Also:
- Constant Field Values
-
FORCED_REAUTHENTICATION
public static final String FORCED_REAUTHENTICATION
- See Also:
- Constant Field Values
-
logger
protected static final org.jboss.logging.Logger logger
-
FORM_USERNAME
public static final String FORM_USERNAME
- See Also:
- Constant Field Values
-
KEYCLOAK_IDENTITY_COOKIE
public static final String KEYCLOAK_IDENTITY_COOKIE
- See Also:
- Constant Field Values
-
KEYCLOAK_SESSION_COOKIE
public static final String KEYCLOAK_SESSION_COOKIE
- See Also:
- Constant Field Values
-
KEYCLOAK_REMEMBER_ME
public static final String KEYCLOAK_REMEMBER_ME
- See Also:
- Constant Field Values
-
LOGOUT_WITH_SYSTEM_CLIENT
public static final String LOGOUT_WITH_SYSTEM_CLIENT
- See Also:
- Constant Field Values
-
KEYCLOAK_LOGOUT_PROTOCOL
public static final String KEYCLOAK_LOGOUT_PROTOCOL
- See Also:
- Constant Field Values
-
LOGOUT_INITIATING_IDP
public static final String LOGOUT_INITIATING_IDP
- See Also:
- Constant Field Values
-
INITIATING_IDP_PARAM
public static final String INITIATING_IDP_PARAM
- See Also:
- Constant Field Values
-
-
Method Detail
-
isSessionValid
public static boolean isSessionValid(RealmModel realm, UserSessionModel userSession)
-
isOfflineSessionValid
public static boolean isOfflineSessionValid(RealmModel realm, UserSessionModel userSession)
-
expireUserSessionCookie
public static boolean expireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, javax.ws.rs.core.HttpHeaders headers, ClientConnection connection)
-
backchannelLogout
public static void backchannelLogout(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker)
-
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers, boolean logoutBroker)
-
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession)
- Parameters:
session -
realm -
userSession -
uriInfo -
connection -
headers -
logoutBroker -
offlineSession -
- Returns:
- BackchannelLogoutResponse with logout information
-
createOrJoinLogoutSession
public static AuthenticationSessionModel createOrJoinLogoutSession(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie)
-
setClientLogoutAction
public static void setClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action)
Sets the logout state of the particular client into the logoutAuthSession.
- Parameters:
logoutAuthSession - logoutAuthSession. May be null, in which case this is a no-op.
clientUuid - Client. Must not be null.
action -
-
getClientLogoutAction
public static CommonClientSessionModel.Action getClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid)
Returns the logout state of the particular client as per the logoutAuthSession.
- Parameters:
logoutAuthSession - logoutAuthSession. May be null, in which case this is a no-op.
clientUuid - Internal ID of the client. Must not be null.
- Returns:
- State if it can be determined, null otherwise.
-
backchannelLogoutUserFromClient
public static void backchannelLogoutUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, javax.ws.rs.core.UriInfo uriInfo, javax.ws.rs.core.HttpHeaders headers)
Logout all clientSessions of this user and client.
- Parameters:
session -
realm -
user -
client -
uriInfo -
headers -
-
browserLogout
public static javax.ws.rs.core.Response browserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers)
-
finishBrowserLogout
public static javax.ws.rs.core.Response finishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, javax.ws.rs.core.HttpHeaders headers)
-
finishUnconfirmedUserSession
public static void finishUnconfirmedUserSession(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel)
-
createIdentityToken
public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer)
-
createLoginCookie
public static void createLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection)
-
createRememberMeCookie
public static void createRememberMeCookie(String username, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
-
getRememberMeUsername
public static String getRememberMeUsername(RealmModel realm, javax.ws.rs.core.HttpHeaders headers)
-
expireIdentityCookie
public static void expireIdentityCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
-
expireOldIdentityCookie
public static void expireOldIdentityCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
-
expireRememberMeCookie
public static void expireRememberMeCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
-
expireOldAuthSessionCookie
public static void expireOldAuthSessionCookie(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, KeycloakSession session)
-
getIdentityCookiePath
protected static String getIdentityCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
-
getRealmCookiePath
public static String getRealmCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
-
getOldCookiePath
public static String getOldCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
-
getAccountCookiePath
public static String getAccountCookiePath(RealmModel realm, javax.ws.rs.core.UriInfo uriInfo)
-
expireCookie
public static void expireCookie(RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection, ServerCookie.SameSiteAttributeValue sameSite, KeycloakSession session)
-
authenticateIdentityCookie
public AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm)
-
authenticateIdentityCookie
public static AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive)
-
redirectAfterSuccessfulFlow
public static javax.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession)
-
redirectAfterSuccessfulFlow
public static javax.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol)
-
getSessionIdFromSessionCookie
public static String getSessionIdFromSessionCookie(KeycloakSession session)
-
isSSOAuthentication
public static boolean isSSOAuthentication(AuthenticatedClientSessionModel clientSession)
-
nextActionAfterAuthentication
public static javax.ws.rs.core.Response nextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, EventBuilder event)
-
redirectToRequiredActions
public static javax.ws.rs.core.Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, javax.ws.rs.core.UriInfo uriInfo, String requiredAction)
-
finishedRequiredActions
public static javax.ws.rs.core.Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, javax.ws.rs.core.UriInfo uriInfo, EventBuilder event)
-
nextRequiredAction
public static String nextRequiredAction(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event)
-
actionRequired
public static javax.ws.rs.core.Response actionRequired(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event)
-
setClientScopesInSession
public static void setClientScopesInSession(AuthenticationSessionModel authSession)
-
createRequiredAction
public static RequiredActionProvider createRequiredAction(RequiredActionContextResult context)
-
executionActions
protected static javax.ws.rs.core.Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Stream<String> requiredActions)
-
evaluateRequiredActionTriggers
public static void evaluateRequiredActionTriggers(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user)
-
verifyIdentityToken
public static AuthenticationManager.AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, javax.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, javax.ws.rs.core.HttpHeaders headers, TokenVerifier.Predicate<? super AccessToken>... additionalChecks)
-
setKcActionStatus
public static void setKcActionStatus(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession)
-
logSuccess
public static void logSuccess(KeycloakSession session, AuthenticationSessionModel authSession)
-
lookupUserForBruteForceLog
public static UserModel lookupUserForBruteForceLog(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession)
-
-