Package org.keycloak.services.managers
Class AuthenticationManager
java.lang.Object
org.keycloak.services.managers.AuthenticationManager
- Direct Known Subclasses:
AppAuthManager
Stateless object that manages authentication
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
Nested Class Summary
Modifier and Type | Class | Description
static enum
static class
-
Field Summary
Modifier and Type | Field | Description
static final String
static final String
static final String
Auth session note on client logout state (when logging out)
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
protected static final org.jboss.logging.Logger
static final String
static final String
static final String
static final String
static final String
Auth session note that indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store)
-
Constructor Summary
-
Method Summary
Modifier and Type | Method | Description
static jakarta.ws.rs.core.Response
actionRequired
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) authenticateIdentityCookie
(KeycloakSession session, RealmModel realm) authenticateIdentityCookie
(KeycloakSession session, RealmModel realm, boolean checkActive) static BackchannelLogoutResponse
backchannelLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker) static BackchannelLogoutResponse
backchannelLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession) static void
backchannelLogout
(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker) static void
backchannelLogoutUserFromClient
(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers) Logs out all client sessions of this user and client.
static jakarta.ws.rs.core.Response
browserLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) static IdentityCookieToken
createIdentityToken
(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer) static void
createLoginCookie
(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection) static AuthenticationSessionModel
createOrJoinLogoutSession
(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie) static void
createRememberMeCookie
(String username, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static RequiredActionProvider
static void
evaluateRequiredActionTriggers
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user) protected static jakarta.ws.rs.core.Response
executionActions
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Stream<String> requiredActions) static void
expireAuthSessionCookie
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static void
expireCookie
(RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection, ServerCookie.SameSiteAttributeValue sameSite, KeycloakSession session) static void
expireIdentityCookie
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static void
expireOldAuthSessionCookie
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static void
expireOldIdentityCookie
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static void
expireRememberMeCookie
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static boolean
expireUserSessionCookie
(KeycloakSession session, UserSessionModel userSession, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, ClientConnection connection) static jakarta.ws.rs.core.Response
finishBrowserLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) static jakarta.ws.rs.core.Response
finishedRequiredActions
(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) static void
finishUnconfirmedUserSession
(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel) static String
getAccountCookiePath
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo) getClientLogoutAction
(AuthenticationSessionModel logoutAuthSession, String clientUuid) Returns the logout state of the particular client as per the logoutAuthSession
protected static String
getIdentityCookiePath
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo) static String
getOldCookiePath
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo) static String
getRealmCookiePath
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo) static String
getRememberMeUsername
(RealmModel realm, jakarta.ws.rs.core.HttpHeaders headers) static String
static boolean
isOfflineSessionValid
(RealmModel realm, UserSessionModel userSession) static boolean
isSessionValid
(RealmModel realm, UserSessionModel userSession) static boolean
isSSOAuthentication
(AuthenticatedClientSessionModel clientSession) static void
logSuccess
(KeycloakSession session, AuthenticationSessionModel authSession) static UserModel
lookupUserForBruteForceLog
(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession) static jakarta.ws.rs.core.Response
nextActionAfterAuthentication
(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) static String
nextRequiredAction
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) static jakarta.ws.rs.core.Response
redirectAfterSuccessfulFlow
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession) static jakarta.ws.rs.core.Response
redirectAfterSuccessfulFlow
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol) static jakarta.ws.rs.core.Response
redirectToRequiredActions
(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, jakarta.ws.rs.core.UriInfo uriInfo, String requiredAction) static void
setClientLogoutAction
(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action) Sets logout state of the particular client into the logoutAuthSession
static void
setClientScopesInSession
(AuthenticationSessionModel authSession) static void
setKcActionStatus
(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession) verifyIdentityToken
(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, jakarta.ws.rs.core.HttpHeaders headers, TokenVerifier.Predicate<? super AccessToken>... additionalChecks)
-
Field Details
-
SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS
- See Also:
-
END_AFTER_REQUIRED_ACTIONS
- See Also:
-
INVALIDATE_ACTION_TOKEN
- See Also:
-
USER_SESSION_PERSISTENT_STATE
Auth session note that indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store)
- See Also:
-
CLIENT_LOGOUT_STATE
Auth session note on client logout state (when logging out)
- See Also:
-
AUTH_TIME
- See Also:
-
AUTH_TIME_BROKER
- See Also:
-
SSO_AUTH
- See Also:
-
FORCED_REAUTHENTICATION
- See Also:
-
logger
protected static final org.jboss.logging.Logger logger -
FORM_USERNAME
- See Also:
-
KEYCLOAK_IDENTITY_COOKIE
- See Also:
-
KEYCLOAK_SESSION_COOKIE
- See Also:
-
KEYCLOAK_REMEMBER_ME
- See Also:
-
LOGOUT_WITH_SYSTEM_CLIENT
- See Also:
-
KEYCLOAK_LOGOUT_PROTOCOL
- See Also:
-
LOGOUT_INITIATING_IDP
- See Also:
-
INITIATING_IDP_PARAM
- See Also:
-
-
Constructor Details
-
AuthenticationManager
public AuthenticationManager()
-
-
Method Details
-
isSessionValid
-
isOfflineSessionValid
-
expireUserSessionCookie
public static boolean expireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, ClientConnection connection) -
backchannelLogout
public static void backchannelLogout(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker) -
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker) -
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession)
- Parameters:
session -
realm -
userSession -
uriInfo -
connection -
headers -
logoutBroker -
offlineSession -
- Returns:
- BackchannelLogoutResponse with logout information
-
createOrJoinLogoutSession
public static AuthenticationSessionModel createOrJoinLogoutSession(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie) -
setClientLogoutAction
public static void setClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action)
Sets logout state of the particular client into the logoutAuthSession
- Parameters:
logoutAuthSession - logoutAuthSession. May be null, in which case this is a no-op.
clientUuid - Client. Must not be null.
action -
-
getClientLogoutAction
public static CommonClientSessionModel.Action getClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid)
Returns the logout state of the particular client as per the logoutAuthSession
- Parameters:
logoutAuthSession - logoutAuthSession. May be null, in which case this is a no-op.
clientUuid - Internal ID of the client. Must not be null.
- Returns:
- State if it can be determined, null otherwise.
-
backchannelLogoutUserFromClient
public static void backchannelLogoutUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers)
Logs out all client sessions of this user and client.
- Parameters:
session -
realm -
user -
client -
uriInfo -
headers -
-
browserLogout
public static jakarta.ws.rs.core.Response browserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) -
finishBrowserLogout
public static jakarta.ws.rs.core.Response finishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) -
finishUnconfirmedUserSession
public static void finishUnconfirmedUserSession(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel) -
createIdentityToken
public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer) -
createLoginCookie
public static void createLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection) -
createRememberMeCookie
public static void createRememberMeCookie(String username, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
getRememberMeUsername
public static String getRememberMeUsername(RealmModel realm, jakarta.ws.rs.core.HttpHeaders headers) -
expireIdentityCookie
public static void expireIdentityCookie(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
expireOldIdentityCookie
public static void expireOldIdentityCookie(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
expireRememberMeCookie
public static void expireRememberMeCookie(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
expireOldAuthSessionCookie
public static void expireOldAuthSessionCookie(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
expireAuthSessionCookie
public static void expireAuthSessionCookie(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
getIdentityCookiePath
-
getRealmCookiePath
-
getOldCookiePath
-
getAccountCookiePath
-
expireCookie
public static void expireCookie(RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection, ServerCookie.SameSiteAttributeValue sameSite, KeycloakSession session) -
authenticateIdentityCookie
public AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm) -
authenticateIdentityCookie
public static AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive) -
redirectAfterSuccessfulFlow
public static jakarta.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession) -
redirectAfterSuccessfulFlow
public static jakarta.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol) -
getSessionIdFromSessionCookie
-
isSSOAuthentication
-
nextActionAfterAuthentication
public static jakarta.ws.rs.core.Response nextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) -
redirectToRequiredActions
public static jakarta.ws.rs.core.Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, jakarta.ws.rs.core.UriInfo uriInfo, String requiredAction) -
finishedRequiredActions
public static jakarta.ws.rs.core.Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) -
nextRequiredAction
public static String nextRequiredAction(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) -
actionRequired
public static jakarta.ws.rs.core.Response actionRequired(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) -
setClientScopesInSession
-
createRequiredAction
-
executionActions
protected static jakarta.ws.rs.core.Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Stream<String> requiredActions) -
evaluateRequiredActionTriggers
public static void evaluateRequiredActionTriggers(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user) -
verifyIdentityToken
public static AuthenticationManager.AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, jakarta.ws.rs.core.HttpHeaders headers, TokenVerifier.Predicate<? super AccessToken>... additionalChecks) -
setKcActionStatus
public static void setKcActionStatus(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession) -
logSuccess
-
lookupUserForBruteForceLog
public static UserModel lookupUserForBruteForceLog(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession)
-