Package org.keycloak.services.managers
Class AuthenticationManager
java.lang.Object
org.keycloak.services.managers.AuthenticationManager
- Direct Known Subclasses:
AppAuthManager
Stateless object that manages authentication
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic enum
static class
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
static final String
static final String
Auth session note on client logout state (when logging out)static final String
static final String
static final String
static final String
static final String
static final String
static final String
protected static final org.jboss.logging.Logger
static final String
static final String
static final String
static final String
static final String
static final String
Auth session note which indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store).
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionstatic jakarta.ws.rs.core.Response
actionRequired
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) authenticateIdentityCookie
(KeycloakSession session, RealmModel realm) authenticateIdentityCookie
(KeycloakSession session, RealmModel realm, boolean checkActive) static BackchannelLogoutResponse
backchannelLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker) static BackchannelLogoutResponse
backchannelLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession) static void
backchannelLogout
(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker) static void
backchannelLogoutUserFromClient
(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers) Logout all clientSessions of this user and clientstatic jakarta.ws.rs.core.Response
browserLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) static boolean
compareSessionIdWithSessionCookie
(KeycloakSession session, String sessionId) static IdentityCookieToken
createIdentityToken
(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer) static void
createLoginCookie
(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection) static AuthenticationSessionModel
createOrJoinLogoutSession
(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie, boolean initiateLogout) static void
createRememberMeCookie
(String username, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static RequiredActionProvider
static void
evaluateRequiredActionTriggers
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user) protected static jakarta.ws.rs.core.Response
executionActions
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set<String> ignoredActions) static void
expireAuthSessionCookie
(KeycloakSession session) static void
expireIdentityCookie
(KeycloakSession session) static void
expireRememberMeCookie
(KeycloakSession session) static boolean
expireUserSessionCookie
(KeycloakSession session, UserSessionModel userSession, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, ClientConnection connection) static jakarta.ws.rs.core.Response
finishBrowserLogout
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) static jakarta.ws.rs.core.Response
finishedRequiredActions
(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) static void
finishUnconfirmedUserSession
(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel) getClientLogoutAction
(AuthenticationSessionModel logoutAuthSession, String clientUuid) Returns the logout state of the particular client as per the logoutAuthSession.
static String
getRealmCookiePath
(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo) static String
getRememberMeUsername
(KeycloakSession session) static String
getRequestedScopes
(KeycloakSession session) static String
getRequestedScopes
(KeycloakSession session, ClientModel client) static boolean
isClientSessionValid
(RealmModel realm, ClientModel client, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) static boolean
isSessionValid
(RealmModel realm, UserSessionModel userSession) static boolean
isSSOAuthentication
(AuthenticatedClientSessionModel clientSession) static void
logSuccess
(KeycloakSession session, AuthenticationSessionModel authSession) static UserModel
lookupUserForBruteForceLog
(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession) static jakarta.ws.rs.core.Response
nextActionAfterAuthentication
(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) static String
nextRequiredAction
(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) static jakarta.ws.rs.core.Response
redirectAfterSuccessfulFlow
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession) static jakarta.ws.rs.core.Response
redirectAfterSuccessfulFlow
(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol) static jakarta.ws.rs.core.Response
redirectToRequiredActions
(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, jakarta.ws.rs.core.UriInfo uriInfo, String requiredAction) static void
setClientLogoutAction
(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action) Sets the logout state of the particular client into the logoutAuthSession.
static void
setClientScopesInSession
(KeycloakSession session, AuthenticationSessionModel authSession) static void
setKcActionStatus
(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession) static void
setKcActionToEnforced
(String executedProviderId, AuthenticationSessionModel authSession) static String
sha256UrlEncodedHash
(String input) verifyIdentityToken
(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, jakarta.ws.rs.core.HttpHeaders headers, TokenVerifier.Predicate<? super AccessToken>... additionalChecks)
-
Field Details
-
SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS
- See Also:
-
END_AFTER_REQUIRED_ACTIONS
- See Also:
-
INVALIDATE_ACTION_TOKEN
- See Also:
-
USER_SESSION_PERSISTENT_STATE
Auth session note which indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store).
- See Also:
-
CLIENT_LOGOUT_STATE
Auth session note on client logout state (when logging out).
- See Also:
-
AUTH_TIME
- See Also:
-
AUTH_TIME_BROKER
- See Also:
-
SSO_AUTH
- See Also:
-
FORCED_REAUTHENTICATION
- See Also:
-
PASSWORD_VALIDATED
- See Also:
-
logger
protected static final org.jboss.logging.Logger logger -
FORM_USERNAME
- See Also:
-
KEYCLOAK_SESSION_COOKIE
- See Also:
-
LOGOUT_WITH_SYSTEM_CLIENT
- See Also:
-
KEYCLOAK_LOGOUT_PROTOCOL
- See Also:
-
LOGOUT_INITIATING_IDP
- See Also:
-
INITIATING_IDP_PARAM
- See Also:
-
-
Constructor Details
-
AuthenticationManager
public AuthenticationManager()
-
-
Method Details
-
isSessionValid
-
isClientSessionValid
public static boolean isClientSessionValid(RealmModel realm, ClientModel client, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
expireUserSessionCookie
public static boolean expireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, ClientConnection connection) -
backchannelLogout
public static void backchannelLogout(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker) -
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker) -
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession) - Parameters:
session
-realm
-userSession
-uriInfo
-connection
-headers
-logoutBroker
-offlineSession
-- Returns:
- BackchannelLogoutResponse with logout information
-
createOrJoinLogoutSession
public static AuthenticationSessionModel createOrJoinLogoutSession(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie, boolean initiateLogout) -
setClientLogoutAction
public static void setClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action)
Sets the logout state of the particular client into the logoutAuthSession.
- Parameters:
logoutAuthSession
- logoutAuthSession. May be null, in which case this is a no-op.
clientUuid
- Client. Must not be null.
action
-
-
getClientLogoutAction
public static CommonClientSessionModel.Action getClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid)
Returns the logout state of the particular client as per the logoutAuthSession.
- Parameters:
logoutAuthSession
- logoutAuthSession. May be null, in which case this is a no-op.
clientUuid
- Internal ID of the client. Must not be null.
- Returns:
- State if it can be determined, null otherwise.
-
backchannelLogoutUserFromClient
public static void backchannelLogoutUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers)
Logs out all client sessions of this user and client.
- Parameters:
session
-realm
-user
-client
-uriInfo
-headers
-
-
browserLogout
public static jakarta.ws.rs.core.Response browserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) -
finishBrowserLogout
public static jakarta.ws.rs.core.Response finishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) -
finishUnconfirmedUserSession
public static void finishUnconfirmedUserSession(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel) -
createIdentityToken
public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer) -
createLoginCookie
public static void createLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection) -
createRememberMeCookie
public static void createRememberMeCookie(String username, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
getRememberMeUsername
-
expireIdentityCookie
-
expireRememberMeCookie
-
expireAuthSessionCookie
-
getRealmCookiePath
-
authenticateIdentityCookie
public AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm) -
authenticateIdentityCookie
public static AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive) -
redirectAfterSuccessfulFlow
public static jakarta.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession) -
redirectAfterSuccessfulFlow
public static jakarta.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol) -
compareSessionIdWithSessionCookie
- Parameters:
session
- keycloak session
sessionId
- in plain-text
- Returns:
- true if sessionId matches with the session from KEYCLOAK_SESSION_COOKIE
-
isSSOAuthentication
-
nextActionAfterAuthentication
public static jakarta.ws.rs.core.Response nextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) -
redirectToRequiredActions
public static jakarta.ws.rs.core.Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, jakarta.ws.rs.core.UriInfo uriInfo, String requiredAction) -
finishedRequiredActions
public static jakarta.ws.rs.core.Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) -
nextRequiredAction
public static String nextRequiredAction(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) -
actionRequired
public static jakarta.ws.rs.core.Response actionRequired(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) -
setClientScopesInSession
public static void setClientScopesInSession(KeycloakSession session, AuthenticationSessionModel authSession) -
createRequiredAction
-
executionActions
protected static jakarta.ws.rs.core.Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set<String> ignoredActions) -
evaluateRequiredActionTriggers
public static void evaluateRequiredActionTriggers(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user) -
verifyIdentityToken
public static AuthenticationManager.AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, jakarta.ws.rs.core.HttpHeaders headers, TokenVerifier.Predicate<? super AccessToken>... additionalChecks) -
setKcActionStatus
public static void setKcActionStatus(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession) -
setKcActionToEnforced
public static void setKcActionToEnforced(String executedProviderId, AuthenticationSessionModel authSession) -
logSuccess
-
lookupUserForBruteForceLog
public static UserModel lookupUserForBruteForceLog(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession) -
sha256UrlEncodedHash
-
getRequestedScopes
-
getRequestedScopes
-