Package org.keycloak.services.managers
Class AuthenticationManager
java.lang.Object
org.keycloak.services.managers.AuthenticationManager
- Direct Known Subclasses:
AppAuthManager
Stateless object that manages authentication
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic enumstatic class -
Field Summary
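Fields
Modifier and Type | Field | Description
static final String | AUTH_TIME |
static final String | AUTH_TIME_BROKER |
static final String | CLIENT_LOGOUT_STATE | Auth session note on client logout state (when logging out)
static final String | END_AFTER_REQUIRED_ACTIONS |
static final String | FORCED_REAUTHENTICATION |
static final String | FORM_USERNAME |
static final String | INITIATING_IDP_PARAM |
static final String | INVALIDATE_ACTION_TOKEN |
static final String | KEYCLOAK_LOGOUT_PROTOCOL |
static final String | KEYCLOAK_SESSION_COOKIE |
protected static final org.jboss.logging.Logger | logger |
static final String | LOGOUT_INITIATING_IDP |
static final String | LOGOUT_WITH_SYSTEM_CLIENT |
static final String | PASSWORD_VALIDATED |
static final String | SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS |
static final String | SSO_AUTH |
static final String | USER_SESSION_PERSISTENT_STATE | Auth session note that indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store)
-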
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionauthenticateIdentityCookie(KeycloakSession session, RealmModel realm) authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive) static BackchannelLogoutResponsebackchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker) static BackchannelLogoutResponsebackchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession) static voidbackchannelLogout(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker) static voidbackchannelLogoutUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers) Logout all clientSessions of this user and clientstatic jakarta.ws.rs.core.ResponsebrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) static booleancompareSessionIdWithSessionCookie(KeycloakSession session, String sessionId) static IdentityCookieTokencreateIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer) static voidcreateLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection) static AuthenticationSessionModelcreateOrJoinLogoutSession(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie, boolean initiateLogout) static voidcreateRememberMeCookie(String username, 
jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) static RequiredActionProviderstatic voidevaluateRequiredActionTriggers(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user) protected static jakarta.ws.rs.core.ResponseexecutionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set<String> ignoredActions) static voidexpireAuthSessionCookie(KeycloakSession session) static voidexpireIdentityCookie(KeycloakSession session) static voidexpireRememberMeCookie(KeycloakSession session) static booleanexpireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, ClientConnection connection) static jakarta.ws.rs.core.ResponsefinishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) static jakarta.ws.rs.core.ResponsefinishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) static voidfinishUnconfirmedUserSession(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel) getClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid) Returns the logout state of the particular client as per thelogoutAuthSessionstatic StringgetRealmCookiePath(RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo) static StringgetRememberMeUsername(KeycloakSession session) static StringgetRequestedScopes(KeycloakSession session) static StringgetRequestedScopes(KeycloakSession session, ClientModel client) static booleanisClientSessionValid(RealmModel 
realm, ClientModel client, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) static booleanisSessionValid(RealmModel realm, UserSessionModel userSession) static booleanisSSOAuthentication(AuthenticatedClientSessionModel clientSession) static voidlogSuccess(KeycloakSession session, AuthenticationSessionModel authSession) static UserModellookupUserForBruteForceLog(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession) static jakarta.ws.rs.core.ResponsenextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) static StringnextRequiredAction(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) static jakarta.ws.rs.core.ResponseredirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession) static jakarta.ws.rs.core.ResponseredirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol) static jakarta.ws.rs.core.ResponseredirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, jakarta.ws.rs.core.UriInfo uriInfo, String requiredAction) static voidresolveLightweightAccessTokenRoles(KeycloakSession session, AccessToken accessToken, RealmModel realm) static voidsetClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action) Sets 
logout state of the particular client into thelogoutAuthSessionstatic voidsetClientScopesInSession(KeycloakSession session, AuthenticationSessionModel authSession) static voidsetKcActionStatus(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession) static voidsetKcActionToEnforced(String executedProviderId, AuthenticationSessionModel authSession) static Stringsha256UrlEncodedHash(String input) verifyIdentityToken(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, jakarta.ws.rs.core.HttpHeaders headers, Consumer<TokenVerifier<AccessToken>> verifierConsumer)
-
Field Details
-
SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS
- See Also:
-
END_AFTER_REQUIRED_ACTIONS
- See Also:
-
INVALIDATE_ACTION_TOKEN
- See Also:
-
USER_SESSION_PERSISTENT_STATE
Auth session note that indicates whether the user session will be persistent (saved to the real persistent store) or transient (a transient session is scoped to a single request, so there is no need to save it in the underlying store).
- See Also:
-
CLIENT_LOGOUT_STATE
Auth session note on client logout state (when logging out).
- See Also:
-
AUTH_TIME
- See Also:
-
AUTH_TIME_BROKER
- See Also:
-
SSO_AUTH
- See Also:
-
FORCED_REAUTHENTICATION
- See Also:
-
PASSWORD_VALIDATED
- See Also:
-
logger
protected static final org.jboss.logging.Logger logger -
FORM_USERNAME
- See Also:
-
KEYCLOAK_SESSION_COOKIE
- See Also:
-
LOGOUT_WITH_SYSTEM_CLIENT
- See Also:
-
KEYCLOAK_LOGOUT_PROTOCOL
- See Also:
-
LOGOUT_INITIATING_IDP
- See Also:
-
INITIATING_IDP_PARAM
- See Also:
-
-
Constructor Details
-
AuthenticationManager
public AuthenticationManager()
-
-
Method Details
-
isSessionValid
-
isClientSessionValid
public static boolean isClientSessionValid(RealmModel realm, ClientModel client, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
expireUserSessionCookie
public static boolean expireUserSessionCookie(KeycloakSession session, UserSessionModel userSession, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, ClientConnection connection) -
backchannelLogout
public static void backchannelLogout(KeycloakSession session, UserSessionModel userSession, boolean logoutBroker) -
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker) -
backchannelLogout
public static BackchannelLogoutResponse backchannelLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers, boolean logoutBroker, boolean offlineSession) - Parameters:
session -
realm -
userSession -
uriInfo -
connection -
headers -
logoutBroker -
offlineSession -
- Returns:
- BackchannelLogoutResponse with logout information
-
createOrJoinLogoutSession
public static AuthenticationSessionModel createOrJoinLogoutSession(KeycloakSession session, RealmModel realm, AuthenticationSessionManager asm, UserSessionModel userSession, boolean browserCookie, boolean initiateLogout) -
setClientLogoutAction
public static void setClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid, CommonClientSessionModel.Action action)
Sets the logout state of the particular client into the logoutAuthSession.
- Parameters:
logoutAuthSession - logoutAuthSession. May be null, in which case this is a no-op.
clientUuid - Client. Must not be null.
action -
-
getClientLogoutAction
public static CommonClientSessionModel.Action getClientLogoutAction(AuthenticationSessionModel logoutAuthSession, String clientUuid)
Returns the logout state of the particular client as per the logoutAuthSession.
- Parameters:
logoutAuthSession - logoutAuthSession. May be null, in which case this is a no-op.
clientUuid - Internal ID of the client. Must not be null.
- Returns:
- State if it can be determined, null otherwise.
-
backchannelLogoutUserFromClient
public static void backchannelLogoutUserFromClient(KeycloakSession session, RealmModel realm, UserModel user, ClientModel client, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers)
Logs out all clientSessions of this user and client.
- Parameters:
session -
realm -
user -
client -
uriInfo -
headers -
-
browserLogout
public static jakarta.ws.rs.core.Response browserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) -
finishBrowserLogout
public static jakarta.ws.rs.core.Response finishBrowserLogout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, jakarta.ws.rs.core.HttpHeaders headers) -
finishUnconfirmedUserSession
public static void finishUnconfirmedUserSession(KeycloakSession session, RealmModel realm, UserSessionModel userSessionModel) -
createIdentityToken
public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer) -
createLoginCookie
public static void createLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection) -
createRememberMeCookie
public static void createRememberMeCookie(String username, jakarta.ws.rs.core.UriInfo uriInfo, KeycloakSession session) -
getRememberMeUsername
-
expireIdentityCookie
-
expireRememberMeCookie
-
expireAuthSessionCookie
-
getRealmCookiePath
-
authenticateIdentityCookie
public AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm) -
authenticateIdentityCookie
public static AuthenticationManager.AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, boolean checkActive) -
redirectAfterSuccessfulFlow
public static jakarta.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession) -
redirectAfterSuccessfulFlow
public static jakarta.ws.rs.core.Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, ClientSessionContext clientSessionCtx, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, AuthenticationSessionModel authSession, LoginProtocol protocol) -
compareSessionIdWithSessionCookie
- Parameters:
session - keycloak session
sessionId - the session ID in plain text
- Returns:
- true if sessionId matches the session from KEYCLOAK_SESSION_COOKIE
-
isSSOAuthentication
-
nextActionAfterAuthentication
public static jakarta.ws.rs.core.Response nextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) -
redirectToRequiredActions
public static jakarta.ws.rs.core.Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, jakarta.ws.rs.core.UriInfo uriInfo, String requiredAction) -
finishedRequiredActions
public static jakarta.ws.rs.core.Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event) -
nextRequiredAction
public static String nextRequiredAction(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event) -
setClientScopesInSession
public static void setClientScopesInSession(KeycloakSession session, AuthenticationSessionModel authSession) -
createRequiredAction
-
executionActions
protected static jakarta.ws.rs.core.Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set<String> ignoredActions) -
evaluateRequiredActionTriggers
public static void evaluateRequiredActionTriggers(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user) -
verifyIdentityToken
public static AuthenticationManager.AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, String checkAudience, boolean isCookie, String tokenString, jakarta.ws.rs.core.HttpHeaders headers, Consumer<TokenVerifier<AccessToken>> verifierConsumer) -
resolveLightweightAccessTokenRoles
public static void resolveLightweightAccessTokenRoles(KeycloakSession session, AccessToken accessToken, RealmModel realm) -
setKcActionStatus
public static void setKcActionStatus(String executedProviderId, RequiredActionContext.KcActionStatus status, AuthenticationSessionModel authSession) -
setKcActionToEnforced
public static void setKcActionToEnforced(String executedProviderId, AuthenticationSessionModel authSession) -
logSuccess
-
lookupUserForBruteForceLog
public static UserModel lookupUserForBruteForceLog(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authenticationSession) -
sha256UrlEncodedHash
-
getRequestedScopes
-
getRequestedScopes
-