Package org.keycloak.services.resources
Class LoginActionsServiceChecks
java.lang.Object
org.keycloak.services.resources.LoginActionsServiceChecks
- Author:
- hmlnarik
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic class
This check verifies that user ID (subject) from the token matches the one from the authentication session.static class
Verifies that if authentication session exists and any action is required according to it, then it is the expected one.static class
Verifies whether the given redirect URL, when set, is valid for the given client. -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionstatic void
checkIsClientValid
(KeycloakSession session, ClientModel client) Verifies whether the client denoted by client ID in token'siss
(issuedFor
) field both exists and is enabled.static <T extends JsonWebToken>
voidcheckIsClientValid
(T token, ActionTokenContext<T> context) Verifies whether the client denoted by client ID in token'siss
(issuedFor
) field both exists and is enabled.static void
checkIsUserValid
(KeycloakSession session, RealmModel realm, String userId, Consumer<UserModel> userSetter) Verifies whether the user given by ID both exists in the current realm.static <T extends JsonWebToken & SingleUseObjectKeyModel>
voidcheckIsUserValid
(T token, ActionTokenContext<T> context) Verifies whether the user given by ID both exists in the current realm.static <T extends JsonWebToken>
voidcheckNotLoggedInYet
(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionId) Verifies that the authentication session has not yet been converted to user session, in other words that the user has not yet completed authentication and logged in.static <T extends JsonWebToken & SingleUseObjectKeyModel>
voidcheckTokenWasNotUsedYet
(T token, ActionTokenContext<T> context) static <T extends JsonWebToken>
booleandoesAuthenticationSessionFromCookieMatchOneFromToken
(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken) This check verifies that current authentication session is consistent with the one specified in token.
-
Constructor Details
-
LoginActionsServiceChecks
public LoginActionsServiceChecks()
-
-
Method Details
-
checkNotLoggedInYet
public static <T extends JsonWebToken> void checkNotLoggedInYet(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionId) throws VerificationException Verifies that the authentication session has not yet been converted to user session, in other words that the user has not yet completed authentication and logged in.- Throws:
VerificationException
-
checkIsUserValid
public static void checkIsUserValid(KeycloakSession session, RealmModel realm, String userId, Consumer<UserModel> userSetter) throws VerificationException Verifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).- Throws:
VerificationException
-
checkIsUserValid
public static <T extends JsonWebToken & SingleUseObjectKeyModel> void checkIsUserValid(T token, ActionTokenContext<T> context) throws VerificationException Verifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).- Throws:
VerificationException
-
checkIsClientValid
public static void checkIsClientValid(KeycloakSession session, ClientModel client) throws VerificationException Verifies whether the client denoted by client ID in token'siss
(issuedFor
) field both exists and is enabled.- Throws:
VerificationException
-
checkIsClientValid
public static <T extends JsonWebToken> void checkIsClientValid(T token, ActionTokenContext<T> context) throws VerificationException Verifies whether the client denoted by client ID in token'siss
(issuedFor
) field both exists and is enabled.- Throws:
VerificationException
-
doesAuthenticationSessionFromCookieMatchOneFromToken
public static <T extends JsonWebToken> boolean doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken) throws VerificationException This check verifies that current authentication session is consistent with the one specified in token. Examples:- 1. Email from administrator with reset e-mail - token does not contain auth session ID
- 2. Email from "verify e-mail" step within flow - token contains auth session ID.
- 3. User clicked the link in an e-mail and gets to a new browser - authentication session cookie is not set
- 4. User clicked the link in an e-mail while having authentication running - authentication session cookie is already set in the browser
- For combinations 1 and 3, 1 and 4, and 2 and 3: Requests next step
- For combination 2 and 4:
- If the auth session IDs from token and cookie match, pass
- Else if the auth session from cookie was forked and its parent auth session ID matches that of token, replaces current auth session with that of parent and passes
- Else requests restart by throwing RestartFlow exception
- Type Parameters:
T
-- Throws:
VerificationException
-
checkTokenWasNotUsedYet
public static <T extends JsonWebToken & SingleUseObjectKeyModel> void checkTokenWasNotUsedYet(T token, ActionTokenContext<T> context) throws VerificationException - Throws:
VerificationException
-