LoginActionsServiceChecks (Keycloak Docs Distribution 14.0.0 API)

java.lang.Object
- org.keycloak.services.resources.LoginActionsServiceChecks

public class LoginActionsServiceChecks
extends Object

Author:: hmlnarik

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`static class`	`LoginActionsServiceChecks.AuthenticationSessionUserIdMatchesOneFromToken` This check verifies that user ID (subject) from the token matches the one from the authentication session.
`static class`	`LoginActionsServiceChecks.IsActionRequired` Verifies that if authentication session exists and any action is required according to it, then it is the expected one.
`static class`	`LoginActionsServiceChecks.IsRedirectValid` Verifies whether the given redirect URL, when set, is valid for the given client.

Constructor Summary

Constructors
Constructor and Description

LoginActionsServiceChecks()

Constructors
Constructor and Description
`LoginActionsServiceChecks()`

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static void`	`checkIsClientValid(KeycloakSession session, ClientModel client)` Verifies whether the client denoted by client ID in token's `iss` (`issuedFor`) field both exists and is enabled.
`static <T extends JsonWebToken> void`	`checkIsClientValid(T token, ActionTokenContext<T> context)` Verifies whether the client denoted by client ID in token's `iss` (`issuedFor`) field both exists and is enabled.
`static void`	`checkIsUserValid(KeycloakSession session, RealmModel realm, String userId, Consumer<UserModel> userSetter)` Verifies whether the user given by ID both exists in the current realm.
`static <T extends JsonWebToken & ActionTokenKeyModel> void`	`checkIsUserValid(T token, ActionTokenContext<T> context)` Verifies whether the user given by ID both exists in the current realm.
`static <T extends JsonWebToken> void`	`checkNotLoggedInYet(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionId)` Verifies that the authentication session has not yet been converted to user session, in other words that the user has not yet completed authentication and logged in.
`static <T extends JsonWebToken & ActionTokenKeyModel> void`	`checkTokenWasNotUsedYet(T token, ActionTokenContext<T> context)`
`static <T extends JsonWebToken> boolean`	`doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context, AuthenticationSessionModel authSessionFromCookie, String authSessionCompoundIdFromToken)` This check verifies that current authentication session is consistent with the one specified in token.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- LoginActionsServiceChecks
```
public LoginActionsServiceChecks()
```

Method Detail

checkNotLoggedInYet

public static <T extends JsonWebToken> void checkNotLoggedInYet(ActionTokenContext<T> context,
                                                                AuthenticationSessionModel authSessionFromCookie,
                                                                String authSessionId)
                                                         throws VerificationException

Verifies that the authentication session has not yet been converted to user session, in other words that the user has not yet completed authentication and logged in.

Throws:: VerificationException

checkIsUserValid

public static void checkIsUserValid(KeycloakSession session,
                                    RealmModel realm,
                                    String userId,
                                    Consumer<UserModel> userSetter)
                             throws VerificationException

Verifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).

Throws:: VerificationException

checkIsUserValid

public static <T extends JsonWebToken & ActionTokenKeyModel> void checkIsUserValid(T token,
                                                                                   ActionTokenContext<T> context)
                                                                            throws VerificationException

Verifies whether the user given by ID both exists in the current realm. If yes, it optionally also injects the user using the given function (e.g. into session context).

Throws:: VerificationException

checkIsClientValid

public static void checkIsClientValid(KeycloakSession session,
                                      ClientModel client)
                               throws VerificationException

Verifies whether the client denoted by client ID in token's iss (issuedFor) field both exists and is enabled.

Throws:: VerificationException

checkIsClientValid

public static <T extends JsonWebToken> void checkIsClientValid(T token,
                                                               ActionTokenContext<T> context)
                                                        throws VerificationException

Verifies whether the client denoted by client ID in token's iss (issuedFor) field both exists and is enabled.

Throws:: VerificationException

doesAuthenticationSessionFromCookieMatchOneFromToken
```
public static <T extends JsonWebToken> boolean doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> context,
                                                                                                    AuthenticationSessionModel authSessionFromCookie,
                                                                                                    String authSessionCompoundIdFromToken)
                                                                                             throws VerificationException
```
This check verifies that current authentication session is consistent with the one specified in token. Examples:
- 1. Email from administrator with reset e-mail - token does not contain auth session ID
- 2. Email from "verify e-mail" step within flow - token contains auth session ID.
- 3. User clicked the link in an e-mail and gets to a new browser - authentication session cookie is not set
- 4. User clicked the link in an e-mail while having authentication running - authentication session cookie is already set in the browser
- For combinations 1 and 3, 1 and 4, and 2 and 3: Requests next step
- For combination 2 and 4:
  - If the auth session IDs from token and cookie match, pass
  - Else if the auth session from cookie was forked and its parent auth session ID matches that of token, replaces current auth session with that of parent and passes
  - Else requests restart by throwing RestartFlow exception
When the check passes, it also sets the authentication session in token context accordingly.
Type Parameters:

T -

Throws:

VerificationException

checkTokenWasNotUsedYet

public static <T extends JsonWebToken & ActionTokenKeyModel> void checkTokenWasNotUsedYet(T token,
                                                                                          ActionTokenContext<T> context)
                                                                                   throws VerificationException

Throws:: VerificationException

Class LoginActionsServiceChecks

Nested Class Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

LoginActionsServiceChecks

Method Detail

checkNotLoggedInYet

checkIsUserValid

checkIsUserValid

checkIsClientValid

checkIsClientValid

doesAuthenticationSessionFromCookieMatchOneFromToken

checkTokenWasNotUsedYet