Package org.keycloak.services.resources
Class LoginActionsServiceChecks
- java.lang.Object
-
- org.keycloak.services.resources.LoginActionsServiceChecks
-
public class LoginActionsServiceChecks extends Object
- Author:
- hmlnarik
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classLoginActionsServiceChecks.AuthenticationSessionUserIdMatchesOneFromTokenThis check verifies that user ID (subject) from the token matches the one from the authentication session.static classLoginActionsServiceChecks.IsActionRequiredVerifies that if authentication session exists and any action is required according to it, then it is the expected one.static classLoginActionsServiceChecks.IsRedirectValidVerifies whether the given redirect URL, when set, is valid for the given client.
-
Constructor Summary
Constructors Constructor Description LoginActionsServiceChecks()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static voidcheckIsClientValid(org.keycloak.models.KeycloakSession session, org.keycloak.models.ClientModel client)Verifies whether the client denoted by client ID in token'siss(issuedFor) field both exists and is enabled.static <T extends org.keycloak.representations.JsonWebToken>
voidcheckIsClientValid(T token, ActionTokenContext<T> context)Verifies whether the client denoted by client ID in token'siss(issuedFor) field both exists and is enabled.static voidcheckIsUserValid(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String userId, Consumer<org.keycloak.models.UserModel> userSetter)Verifies whether the user given by ID both exists in the current realm.static <T extends org.keycloak.representations.JsonWebToken & org.keycloak.models.SingleUseObjectKeyModel>
voidcheckIsUserValid(T token, ActionTokenContext<T> context)Verifies whether the user given by ID both exists in the current realm.static <T extends org.keycloak.representations.JsonWebToken>
voidcheckNotLoggedInYet(ActionTokenContext<T> context, org.keycloak.sessions.AuthenticationSessionModel authSessionFromCookie, String authSessionId)Verifies that the authentication session has not yet been converted to user session, in other words that the user has not yet completed authentication and logged in.static <T extends org.keycloak.representations.JsonWebToken & org.keycloak.models.SingleUseObjectKeyModel>
voidcheckTokenWasNotUsedYet(T token, ActionTokenContext<T> context)static <T extends org.keycloak.representations.JsonWebToken>
booleandoesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context, org.keycloak.sessions.AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken)This check verifies that current authentication session is consistent with the one specified in token.
-
-
-
Method Detail
-
checkNotLoggedInYet
public static <T extends org.keycloak.representations.JsonWebToken> void checkNotLoggedInYet(ActionTokenContext<T> context, org.keycloak.sessions.AuthenticationSessionModel authSessionFromCookie, String authSessionId) throws org.keycloak.common.VerificationException
Verifies that the authentication session has not yet been converted to user session, in other words that the user has not yet completed authentication and logged in.- Throws:
org.keycloak.common.VerificationException
-
checkIsUserValid
public static void checkIsUserValid(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, String userId, Consumer<org.keycloak.models.UserModel> userSetter) throws org.keycloak.common.VerificationExceptionVerifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).- Throws:
org.keycloak.common.VerificationException
-
checkIsUserValid
public static <T extends org.keycloak.representations.JsonWebToken & org.keycloak.models.SingleUseObjectKeyModel> void checkIsUserValid(T token, ActionTokenContext<T> context) throws org.keycloak.common.VerificationExceptionVerifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).- Throws:
org.keycloak.common.VerificationException
-
checkIsClientValid
public static void checkIsClientValid(org.keycloak.models.KeycloakSession session, org.keycloak.models.ClientModel client) throws org.keycloak.common.VerificationExceptionVerifies whether the client denoted by client ID in token'siss(issuedFor) field both exists and is enabled.- Throws:
org.keycloak.common.VerificationException
-
checkIsClientValid
public static <T extends org.keycloak.representations.JsonWebToken> void checkIsClientValid(T token, ActionTokenContext<T> context) throws org.keycloak.common.VerificationExceptionVerifies whether the client denoted by client ID in token'siss(issuedFor) field both exists and is enabled.- Throws:
org.keycloak.common.VerificationException
-
doesAuthenticationSessionFromCookieMatchOneFromToken
public static <T extends org.keycloak.representations.JsonWebToken> boolean doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context, org.keycloak.sessions.AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken) throws org.keycloak.common.VerificationException
This check verifies that current authentication session is consistent with the one specified in token. Examples:- 1. Email from administrator with reset e-mail - token does not contain auth session ID
- 2. Email from "verify e-mail" step within flow - token contains auth session ID.
- 3. User clicked the link in an e-mail and gets to a new browser - authentication session cookie is not set
- 4. User clicked the link in an e-mail while having authentication running - authentication session cookie is already set in the browser
- For combinations 1 and 3, 1 and 4, and 2 and 3: Requests next step
- For combination 2 and 4:
- If the auth session IDs from token and cookie match, pass
- Else if the auth session from cookie was forked and its parent auth session ID matches that of token, replaces current auth session with that of parent and passes
- Else requests restart by throwing RestartFlow exception
- Type Parameters:
T-- Throws:
org.keycloak.common.VerificationException
-
checkTokenWasNotUsedYet
public static <T extends org.keycloak.representations.JsonWebToken & org.keycloak.models.SingleUseObjectKeyModel> void checkTokenWasNotUsedYet(T token, ActionTokenContext<T> context) throws org.keycloak.common.VerificationException- Throws:
org.keycloak.common.VerificationException
-
-