Class LoginActionsServiceChecks

java.lang.Object
org.keycloak.services.resources.LoginActionsServiceChecks

public class LoginActionsServiceChecks extends Object
Author:
hmlnarik
  • Constructor Details

    • LoginActionsServiceChecks

      public LoginActionsServiceChecks()
  • Method Details

    • checkNotLoggedInYet

      public static <T extends JsonWebToken> void checkNotLoggedInYet(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionId) throws VerificationException
      Verifies that the authentication session has not yet been converted to user session, in other words that the user has not yet completed authentication and logged in.
      Throws:
      VerificationException
    • checkIsUserValid

      public static void checkIsUserValid(KeycloakSession session, RealmModel realm, String userId, Consumer<UserModel> userSetter) throws VerificationException
      Verifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).
      Throws:
      VerificationException
    • checkIsUserValid

      public static <T extends JsonWebToken & SingleUseObjectKeyModel> void checkIsUserValid(T token, ActionTokenContext<T> context) throws VerificationException
      Verifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).
      Throws:
      VerificationException
    • checkIsClientValid

      public static void checkIsClientValid(KeycloakSession session, ClientModel client) throws VerificationException
      Verifies whether the client denoted by client ID in token's iss (issuedFor) field both exists and is enabled.
      Throws:
      VerificationException
    • checkIsClientValid

      public static <T extends JsonWebToken> void checkIsClientValid(T token, ActionTokenContext<T> context) throws VerificationException
      Verifies whether the client denoted by client ID in token's iss (issuedFor) field both exists and is enabled.
      Throws:
      VerificationException
    • doesAuthenticationSessionFromCookieMatchOneFromToken

      public static <T extends JsonWebToken> boolean doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken) throws VerificationException
      This check verifies that current authentication session is consistent with the one specified in token. Examples:
      • 1. Email from administrator with reset e-mail - token does not contain auth session ID
      • 2. Email from "verify e-mail" step within flow - token contains auth session ID.
      • 3. User clicked the link in an e-mail and gets to a new browser - authentication session cookie is not set
      • 4. User clicked the link in an e-mail while having authentication running - authentication session cookie is already set in the browser
      • For combinations 1 and 3, 1 and 4, and 2 and 3: Requests next step
      • For combination 2 and 4:
        • If the auth session IDs from token and cookie match, pass
        • Else if the auth session from cookie was forked and its parent auth session ID matches that of token, replaces current auth session with that of parent and passes
        • Else requests restart by throwing RestartFlow exception
      When the check passes, it also sets the authentication session in token context accordingly.
      Type Parameters:
      T -
      Throws:
      VerificationException
    • checkTokenWasNotUsedYet

      public static <T extends JsonWebToken & SingleUseObjectKeyModel> void checkTokenWasNotUsedYet(T token, ActionTokenContext<T> context) throws VerificationException
      Throws:
      VerificationException