@GET @Path("logout_response") public Response logoutResponse(@Context UriInfo uriInfo, @QueryParam("state") String state) { UserSessionModel userSession = session.sessions().getUserSession(realm, state); if (userSession == null) { logger.error("no valid user session"); EventBuilder event = new EventBuilder(realm, session, clientConnection); event.event(EventType.LOGOUT); event.error(Errors.USER_SESSION_NOT_FOUND); return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR); } if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) { logger.error("usersession in different state"); EventBuilder event = new EventBuilder(realm, session, clientConnection); event.event(EventType.LOGOUT); event.error(Errors.USER_SESSION_NOT_FOUND); return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE); } return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers); }
@Override public Response finishLogout(UserSessionModel userSession) { String redirectUri = userSession.getNote(CASLoginProtocol.LOGOUT_REDIRECT_URI); event.event(EventType.LOGOUT); event.user(userSession.getUser()).session(userSession).success(); if (redirectUri != null) { return Response.status(302).location(URI.create(redirectUri)).build(); } else { LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class).setSuccess("Logout successful"); infoPage.setAttribute("skipLink", true); return infoPage.createInfoPage(); } }
@Override public void authenticate(AuthenticationFlowContext context) { context.getEvent().detail(Details.USERNAME, username) .detail(Details.REGISTER_METHOD, "form") .detail(Details.EMAIL, email) ; UserModel user = context.getSession().users().addUser(context.getRealm(), username); user.setEnabled(true); user.setEmail(email); context.getClientSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); context.setUser(user); context.getEvent().user(user); context.getEvent().success(); context.newEvent().event(EventType.LOGIN); context.getEvent().client(context.getClientSession().getClient().getClientId()) .detail(Details.REDIRECT_URI, context.getClientSession().getRedirectUri()) .detail(Details.AUTH_METHOD, context.getClientSession().getAuthMethod()); String authType = context.getClientSession().getNote(Details.AUTH_TYPE); if (authType != null) { context.getEvent().detail(Details.AUTH_TYPE, authType); } context.success(); }
/** * Override the validate password so we transfer password validation result into the authentication flow context. * <p> * TODO: Discuss issue with keycloak development team and send a patch. */ @Override public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) { List<CredentialInput> credentials = new LinkedList<>(); String password = inputData.getFirst(CredentialRepresentation.PASSWORD); // Patched PasswordUserCredentialModel credentialModel = UserCredentialModel.password(password); AuthenticatorUtil.readScope(context) .ifPresent(s -> credentialModel.setNote(Constants.CUSTOM_SCOPE_NOTE_KEY, s)); credentials.add(credentialModel); if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) { AuthenticatorUtil.addMainSecretToUserSession(userSecretAdapter, context, user, credentialModel); return true; } else { context.getEvent().user(user); context.getEvent().error(Errors.INVALID_USER_CREDENTIALS); Response challengeResponse = invalidCredentials(context); context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse); context.clearUser(); return false; } } }
private void checkClient(String service) { if (service == null) { event.error(Errors.INVALID_REQUEST); throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, CASLoginProtocol.SERVICE_PARAM); } client = realm.getClients().stream() .filter(c -> CASLoginProtocol.LOGIN_PROTOCOL.equals(c.getProtocol())) .filter(c -> RedirectUtils.verifyRedirectUri(session.getContext().getUri(), service, realm, c) != null) .findFirst().orElse(null); if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND); } if (!client.isEnabled()) { event.error(Errors.CLIENT_DISABLED); throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED); } redirectUri = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), service, realm, client); event.client(client.getClientId()); event.detail(Details.REDIRECT_URI, redirectUri); session.getContext().setClient(client); }
protected void checkTicket(String ticket, boolean requireReauth) { if (ticket == null) { event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.TICKET_PARAM, Response.Status.BAD_REQUEST); event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST); event.error(Errors.INVALID_CODE); event.error(Errors.EXPIRED_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST); event.error(Errors.SESSION_EXPIRED); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Interactive authentication was requested but not performed", Response.Status.BAD_REQUEST); event.error(Errors.USER_SESSION_NOT_FOUND); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST); event.error(Errors.USER_NOT_FOUND); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User not found", Response.Status.BAD_REQUEST); event.error(Errors.USER_DISABLED); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User disabled", Response.Status.BAD_REQUEST); event.user(userSession.getUser()); event.session(userSession.getId()); event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST);
protected void checkClient(String service) { if (service == null) { event.error(Errors.INVALID_REQUEST); throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.SERVICE_PARAM, Response.Status.BAD_REQUEST); } client = realm.getClients().stream() .filter(c -> CASLoginProtocol.LOGIN_PROTOCOL.equals(c.getProtocol())) .filter(c -> RedirectUtils.verifyRedirectUri(session.getContext().getUri(), service, realm, c) != null) .findFirst().orElse(null); if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client not found", Response.Status.BAD_REQUEST); } if (!client.isEnabled()) { event.error(Errors.CLIENT_DISABLED); throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client disabled", Response.Status.BAD_REQUEST); } event.client(client.getClientId()); session.getContext().setClient(client); }
@GET @NoCache public Response build() { MultivaluedMap<String, String> params = session.getContext().getUri().getQueryParameters(); String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM); String ticket = params.getFirst(CASLoginProtocol.TICKET_PARAM); boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM); event.event(EventType.CODE_TO_TOKEN); try { checkSsl(); checkRealm(); checkClient(service); checkTicket(ticket, renew); event.success(); return successResponse(); } catch (CASValidationException e) { return errorResponse(e); } }
public AuthorizationEndpoint(RealmModel realm, EventBuilder event) { super(realm, event); event.event(EventType.LOGIN); }
public EventBuilder clone() { return new EventBuilder(store, listeners, realm, event.clone()); }
public EventBuilder(RealmModel realm, KeycloakSession session, ClientConnection clientConnection) { this.realm = realm; event = new Event(); if (realm.isEventsEnabled()) { EventStoreProvider store = session.getProvider(EventStoreProvider.class); if (store != null) { this.store = store; } else { log.error("Events enabled, but no event store provider configured"); } } if (realm.getEventsListeners() != null && !realm.getEventsListeners().isEmpty()) { this.listeners = new LinkedList<>(); for (String id : realm.getEventsListeners()) { EventListenerProvider listener = session.getProvider(EventListenerProvider.class, id); if (listener != null) { listeners.add(listener); } else { log.error("Event listener '" + id + "' registered, but provider not found"); } } } realm(realm); ipAddress(clientConnection.getRemoteAddr()); }
@Override public void authenticateClient(ClientAuthenticationFlowContext context) { ClientModel client = context.getRealm().getClientByClientId(clientId); if (client == null) { context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null); return; } context.getEvent().client(client); context.setClient(client); context.success(); }
@Override public void authenticate(AuthenticationFlowContext context) { UserCredentialModel credentialModel = passwordAndScope(context); boolean valid = context.getSession().userCredentialManager().isValid(context.getRealm(), context.getUser(), new CredentialInput[] { credentialModel }); if (!valid) { context.getEvent().user(context.getUser()); context.getEvent().error("invalid_user_credentials"); Response challengeResponse = this.errorResponse(Status.UNAUTHORIZED.getStatusCode(), "invalid_grant", "Invalid user credentials"); context.failure(AuthenticationFlowError.INVALID_USER, challengeResponse); } else { AuthenticatorUtil.addMainSecretToUserSession(userSecretAdapter, context, context.getUser(), credentialModel); context.success(); } }
public SamlValidateEndpoint(RealmModel realm, EventBuilder event) { super(realm, event.event(EventType.CODE_TO_TOKEN)); }
@GET public Response build() { MultivaluedMap<String, String> params = session.getContext().getUri().getQueryParameters(); String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM); boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM); boolean gateway = params.containsKey(CASLoginProtocol.GATEWAY_PARAM); checkSsl(); checkRealm(); checkClient(service); authenticationSession = createAuthenticationSession(client, null); updateAuthenticationSession(); // So back button doesn't work CacheControlUtil.noBackButtonCacheControlHeader(); if (renew) { authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true"); } this.event.event(EventType.LOGIN); return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, session.getContext().getUri(), headers, event), gateway, false); }