libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Merge pull request #552 from stianst/access-code

Browse source 
Updates to AccessCode
This commit is contained in:
Stian Thorgersen 2014-07-23 16:01:38 +01:00
commit 4b05feb6d6
26 changed files with 348 additions and 197 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
core/src/main/java/org/keycloak/representations/AccessCode.java
View file

@ -11,15 +11,11 @@ public class AccessCode {
protected String id; protected String id;
protected String clientId; protected String clientId;
protected String userId; protected String userId;
protected String usernameUsed;
protected String state; protected String state;
protected String sessionState; protected String sessionState;
protected String redirectUri; protected String redirectUri;
protected boolean rememberMe;
protected String authMethod;
protected int timestamp; protected int timestamp;
protected int expiration; protected Action action;
protected Set<String> requiredActions;
protected Set<String> requestedRoles; protected Set<String> requestedRoles;
public String getId() { public String getId() {
@ -70,30 +66,6 @@ public class AccessCode {
this.redirectUri = redirectUri; this.redirectUri = redirectUri;
} }
public boolean isRememberMe() {
return rememberMe;
}
public void setRememberMe(boolean rememberMe) {
this.rememberMe = rememberMe;
}
public String getAuthMethod() {
return authMethod;
}
public void setAuthMethod(String authMethod) {
this.authMethod = authMethod;
}
public int getExpiration() {
return expiration;
}
public void setExpiration(int expiration) {
this.expiration = expiration;
}
public int getTimestamp() { public int getTimestamp() {
return timestamp; return timestamp;
} }
@ -102,20 +74,12 @@ public class AccessCode {
this.timestamp = timestamp; this.timestamp = timestamp;
} }
public Set<String> getRequiredActions() { public Action getAction() {
return requiredActions; return action;
} }
public void setRequiredActions(Set<String> requiredActions) { public void setAction(Action action) {
this.requiredActions = requiredActions; this.action = action;
}
public String getUsernameUsed() {
return usernameUsed;
}
public void setUsernameUsed(String usernameUsed) {
this.usernameUsed = usernameUsed;
} }
public Set<String> getRequestedRoles() { public Set<String> getRequestedRoles() {
@ -125,4 +89,13 @@ public class AccessCode {
public void setRequestedRoles(Set<String> requestedRoles) { public void setRequestedRoles(Set<String> requestedRoles) {
this.requestedRoles = requestedRoles; this.requestedRoles = requestedRoles;
} }
public static enum Action {
OAUTH_GRANT,
VERIFY_EMAIL,
UPDATE_PROFILE,
CONFIGURE_TOTP,
UPDATE_PASSWORD
}
} }

13
model/api/src/main/java/org/keycloak/models/UserSessionModel.java
View file

@ -15,10 +15,22 @@ public interface UserSessionModel {
void setUser(UserModel user); void setUser(UserModel user);
String getLoginUsername();
void setLoginUsername(String loginUsername);
String getIpAddress(); String getIpAddress();
void setIpAddress(String ipAddress); void setIpAddress(String ipAddress);
String getAuthMethod();
void setAuthMethod(String authMethod);
boolean isRememberMe();
void setRememberMe(boolean rememberMe);
int getStarted(); int getStarted();
void setStarted(int started); void setStarted(int started);
@ -32,4 +44,5 @@ public interface UserSessionModel {
List<ClientModel> getClientAssociations(); List<ClientModel> getClientAssociations();
void removeAssociatedClient(ClientModel client); void removeAssociatedClient(ClientModel client);
} }

2
model/api/src/main/java/org/keycloak/models/UserSessionProvider.java
View file

@ -10,7 +10,7 @@ import java.util.List;
*/ */
public interface UserSessionProvider extends Provider { public interface UserSessionProvider extends Provider {
UserSessionModel createUserSession(RealmModel realm, UserModel user, String ipAddress); UserSessionModel createUserSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe);
UserSessionModel getUserSession(RealmModel realm, String id); UserSessionModel getUserSession(RealmModel realm, String id);
List<UserSessionModel> getUserSessions(RealmModel realm, UserModel user); List<UserSessionModel> getUserSessions(RealmModel realm, UserModel user);
List<UserSessionModel> getUserSessions(RealmModel realm, ClientModel client); List<UserSessionModel> getUserSessions(RealmModel realm, ClientModel client);

5
model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/JpaUserSessionProvider.java
View file

@ -63,12 +63,15 @@ public class JpaUserSessionProvider implements UserSessionProvider {
} }
@Override @Override
public UserSessionModel createUserSession(RealmModel realm, UserModel user, String ipAddress) { public UserSessionModel createUserSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe) {
UserSessionEntity entity = new UserSessionEntity(); UserSessionEntity entity = new UserSessionEntity();
entity.setId(KeycloakModelUtils.generateId()); entity.setId(KeycloakModelUtils.generateId());
entity.setRealmId(realm.getId()); entity.setRealmId(realm.getId());
entity.setUserId(user.getId()); entity.setUserId(user.getId());
entity.setLoginUsername(loginUsername);
entity.setIpAddress(ipAddress); entity.setIpAddress(ipAddress);
entity.setAuthMethod(authMethod);
entity.setRememberMe(rememberMe);
int currentTime = Time.currentTime(); int currentTime = Time.currentTime();

30
model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/UserSessionAdapter.java
View file

@ -53,6 +53,16 @@ public class UserSessionAdapter implements UserSessionModel {
entity.setUserId(user.getId()); entity.setUserId(user.getId());
} }
@Override
public String getLoginUsername() {
return entity.getLoginUsername();
}
@Override
public void setLoginUsername(String loginUsername) {
entity.setLoginUsername(loginUsername);
}
@Override @Override
public String getIpAddress() { public String getIpAddress() {
return entity.getIpAddress(); return entity.getIpAddress();
@ -63,6 +73,26 @@ public class UserSessionAdapter implements UserSessionModel {
entity.setIpAddress(ipAddress); entity.setIpAddress(ipAddress);
} }
@Override
public String getAuthMethod() {
return entity.getAuthMethod();
}
@Override
public void setAuthMethod(String authMethod) {
entity.setAuthMethod(authMethod);
}
@Override
public boolean isRememberMe() {
return entity.isRememberMe();
}
@Override
public void setRememberMe(boolean rememberMe) {
entity.setRememberMe(rememberMe);
}
@Override @Override
public int getStarted() { public int getStarted() {
return entity.getStarted(); return entity.getStarted();

33
model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/entities/UserSessionEntity.java
View file

@ -35,12 +35,21 @@ public class UserSessionEntity {
@Column(name="USER_ID") @Column(name="USER_ID")
protected String userId; protected String userId;
@Column(name="LOGIN_USERNAME")
protected String loginUsername;
@Column(name="REALM_ID") @Column(name="REALM_ID")
protected String realmId; protected String realmId;
@Column(name="IP_ADDRESS") @Column(name="IP_ADDRESS")
protected String ipAddress; protected String ipAddress;
@Column(name="AUTH_METHOD")
protected String authMethod;
@Column(name="REMEMBER_ME")
protected boolean rememberMe;
@Column(name="STARTED") @Column(name="STARTED")
protected int started; protected int started;
@ -66,6 +75,14 @@ public class UserSessionEntity {
this.userId = userId; this.userId = userId;
} }
public String getLoginUsername() {
return loginUsername;
}
public void setLoginUsername(String loginUsername) {
this.loginUsername = loginUsername;
}
public String getRealmId() { public String getRealmId() {
return realmId; return realmId;
} }
@ -82,6 +99,22 @@ public class UserSessionEntity {
this.ipAddress = ipAddress; this.ipAddress = ipAddress;
} }
public String getAuthMethod() {
return authMethod;
}
public void setAuthMethod(String authMethod) {
this.authMethod = authMethod;
}
public boolean isRememberMe() {
return rememberMe;
}
public void setRememberMe(boolean rememberMe) {
this.rememberMe = rememberMe;
}
public int getStarted() { public int getStarted() {
return started; return started;
} }

5
model/sessions-mem/src/main/java/org/keycloak/models/sessions/mem/MemUserSessionProvider.java
View file

@ -37,14 +37,17 @@ public class MemUserSessionProvider implements UserSessionProvider {
} }
@Override @Override
public UserSessionModel createUserSession(RealmModel realm, UserModel user, String ipAddress) { public UserSessionModel createUserSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe) {
String id = KeycloakModelUtils.generateId(); String id = KeycloakModelUtils.generateId();
UserSessionEntity entity = new UserSessionEntity(); UserSessionEntity entity = new UserSessionEntity();
entity.setId(id); entity.setId(id);
entity.setRealm(realm.getId()); entity.setRealm(realm.getId());
entity.setUser(user.getId()); entity.setUser(user.getId());
entity.setLoginUsername(loginUsername);
entity.setIpAddress(ipAddress); entity.setIpAddress(ipAddress);
entity.setAuthMethod(authMethod);
entity.setRememberMe(rememberMe);
int currentTime = Time.currentTime(); int currentTime = Time.currentTime();

30
model/sessions-mem/src/main/java/org/keycloak/models/sessions/mem/UserSessionAdapter.java
View file

@ -43,6 +43,16 @@ public class UserSessionAdapter implements UserSessionModel {
entity.setUser(user.getId()); entity.setUser(user.getId());
} }
@Override
public String getLoginUsername() {
return entity.getLoginUsername();
}
@Override
public void setLoginUsername(String loginUsername) {
entity.setLoginUsername(loginUsername);
}
public String getIpAddress() { public String getIpAddress() {
return entity.getIpAddress(); return entity.getIpAddress();
} }
@ -51,6 +61,26 @@ public class UserSessionAdapter implements UserSessionModel {
entity.setIpAddress(ipAddress); entity.setIpAddress(ipAddress);
} }
@Override
public String getAuthMethod() {
return entity.getAuthMethod();
}
@Override
public void setAuthMethod(String authMethod) {
entity.setAuthMethod(authMethod);
}
@Override
public boolean isRememberMe() {
return entity.isRememberMe();
}
@Override
public void setRememberMe(boolean rememberMe) {
entity.setRememberMe(rememberMe);
}
public int getStarted() { public int getStarted() {
return entity.getStarted(); return entity.getStarted();
} }

27
model/sessions-mem/src/main/java/org/keycloak/models/sessions/mem/entities/UserSessionEntity.java
View file

@ -11,7 +11,10 @@ public class UserSessionEntity {
private String id; private String id;
private String realm; private String realm;
private String user; private String user;
private String loginUsername;
private String ipAddress; private String ipAddress;
private String authMethod;
private boolean rememberMe;
private int started; private int started;
private int lastSessionRefresh; private int lastSessionRefresh;
private List<String> clients = new LinkedList<String>(); private List<String> clients = new LinkedList<String>();
@ -40,6 +43,14 @@ public class UserSessionEntity {
this.user = user; this.user = user;
} }
public String getLoginUsername() {
return loginUsername;
}
public void setLoginUsername(String loginUsername) {
this.loginUsername = loginUsername;
}
public String getIpAddress() { public String getIpAddress() {
return ipAddress; return ipAddress;
} }
@ -48,6 +59,22 @@ public class UserSessionEntity {
this.ipAddress = ipAddress; this.ipAddress = ipAddress;
} }
public String getAuthMethod() {
return authMethod;
}
public void setAuthMethod(String authMethod) {
this.authMethod = authMethod;
}
public boolean isRememberMe() {
return rememberMe;
}
public void setRememberMe(boolean rememberMe) {
this.rememberMe = rememberMe;
}
public int getStarted() { public int getStarted() {
return started; return started;
} }

5
model/sessions-mongo/src/main/java/org/keycloak/models/sessions/mongo/MongoUserSessionProvider.java
View file

@ -35,11 +35,14 @@ public class MongoUserSessionProvider implements UserSessionProvider {
} }
@Override @Override
public UserSessionModel createUserSession(RealmModel realm, UserModel user, String ipAddress) { public UserSessionModel createUserSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe) {
MongoUserSessionEntity entity = new MongoUserSessionEntity(); MongoUserSessionEntity entity = new MongoUserSessionEntity();
entity.setRealmId(realm.getId()); entity.setRealmId(realm.getId());
entity.setUser(user.getId()); entity.setUser(user.getId());
entity.setLoginUsername(loginUsername);
entity.setIpAddress(ipAddress); entity.setIpAddress(ipAddress);
entity.setAuthMethod(authMethod);
entity.setRememberMe(rememberMe);
int currentTime = Time.currentTime(); int currentTime = Time.currentTime();

33
model/sessions-mongo/src/main/java/org/keycloak/models/sessions/mongo/UserSessionAdapter.java
View file

@ -58,6 +58,17 @@ public class UserSessionAdapter extends AbstractMongoAdapter<MongoUserSessionEnt
updateMongoEntity(); updateMongoEntity();
} }
@Override
public String getLoginUsername() {
return entity.getLoginUsername();
}
@Override
public void setLoginUsername(String loginUsername) {
entity.setLoginUsername(loginUsername);
updateMongoEntity();
}
@Override @Override
public String getIpAddress() { public String getIpAddress() {
return entity.getIpAddress(); return entity.getIpAddress();
@ -69,6 +80,28 @@ public class UserSessionAdapter extends AbstractMongoAdapter<MongoUserSessionEnt
updateMongoEntity(); updateMongoEntity();
} }
@Override
public String getAuthMethod() {
return entity.getAuthMethod();
}
@Override
public void setAuthMethod(String authMethod) {
entity.setAuthMethod(authMethod);
updateMongoEntity();
}
@Override
public boolean isRememberMe() {
return entity.isRememberMe();
}
@Override
public void setRememberMe(boolean rememberMe) {
entity.setRememberMe(rememberMe);
updateMongoEntity();
}
@Override @Override
public int getStarted() { public int getStarted() {
return entity.getStarted(); return entity.getStarted();

30
model/sessions-mongo/src/main/java/org/keycloak/models/sessions/mongo/entities/MongoUserSessionEntity.java
View file

@ -18,8 +18,14 @@ public class MongoUserSessionEntity extends AbstractIdentifiableEntity implement
private String user; private String user;
private String loginUsername;
private String ipAddress; private String ipAddress;
private String authMethod;
private boolean rememberMe;
private int started; private int started;
private int lastSessionRefresh; private int lastSessionRefresh;
@ -42,6 +48,14 @@ public class MongoUserSessionEntity extends AbstractIdentifiableEntity implement
this.user = user; this.user = user;
} }
public String getLoginUsername() {
return loginUsername;
}
public void setLoginUsername(String loginUsername) {
this.loginUsername = loginUsername;
}
public String getIpAddress() { public String getIpAddress() {
return ipAddress; return ipAddress;
} }
@ -50,6 +64,22 @@ public class MongoUserSessionEntity extends AbstractIdentifiableEntity implement
this.ipAddress = ipAddress; this.ipAddress = ipAddress;
} }
public String getAuthMethod() {
return authMethod;
}
public void setAuthMethod(String authMethod) {
this.authMethod = authMethod;
}
public boolean isRememberMe() {
return rememberMe;
}
public void setRememberMe(boolean rememberMe) {
this.rememberMe = rememberMe;
}
public int getStarted() { public int getStarted() {
return started; return started;
} }

89
services/src/main/java/org/keycloak/services/managers/AccessCodeEntry.java
View file

@ -9,7 +9,6 @@ import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.RequiredAction; import org.keycloak.models.UserModel.RequiredAction;
import org.keycloak.representations.AccessCode; import org.keycloak.representations.AccessCode;
import org.keycloak.representations.AccessToken;
import org.keycloak.util.Time; import org.keycloak.util.Time;
import java.util.HashSet; import java.util.HashSet;
@ -42,12 +41,9 @@ public class AccessCodeEntry {
return accessCode.getSessionState(); return accessCode.getSessionState();
} }
public void setSessionState(String state) {
accessCode.setSessionState(state);
}
public boolean isExpired() { public boolean isExpired() {
return accessCode.getExpiration() != 0 && Time.currentTime() > accessCode.getExpiration(); int lifespan = accessCode.getAction() == null ? realm.getAccessCodeLifespan() : realm.getAccessCodeLifespanUserAction();
return accessCode.getTimestamp() + lifespan < Time.currentTime();
} }
public Set<RoleModel> getRequestedRoles() { public Set<RoleModel> getRequestedRoles() {
@ -78,61 +74,52 @@ public class AccessCodeEntry {
return accessCode.getRedirectUri(); return accessCode.getRedirectUri();
} }
public boolean isRememberMe() { public AccessCode.Action getAction() {
return accessCode.isRememberMe(); return accessCode.getAction();
} }
public void setRememberMe(boolean remember) { public void setAction(AccessCode.Action action) {
accessCode.setRememberMe(remember); accessCode.setAction(action);
accessCode.setTimestamp(Time.currentTime());
} }
public String getAuthMethod() { public RequiredAction getRequiredAction() {
return accessCode.getAuthMethod(); AccessCode.Action action = accessCode.getAction();
} if (action != null) {
switch (action) {
public String getUsernameUsed() { case CONFIGURE_TOTP:
return accessCode.getUsernameUsed(); return RequiredAction.CONFIGURE_TOTP;
} case UPDATE_PASSWORD:
return RequiredAction.UPDATE_PASSWORD;
public void setUsernameUsed(String username) { case UPDATE_PROFILE:
accessCode.setUsernameUsed(username); return RequiredAction.UPDATE_PROFILE;
} case VERIFY_EMAIL:
return RequiredAction.VERIFY_EMAIL;
public void resetExpiration() { }
accessCode.setExpiration(Time.currentTime() + realm.getAccessCodeLifespan());
}
public void setAuthMethod(String authMethod) {
accessCode.setAuthMethod(authMethod);
}
public Set<RequiredAction> getRequiredActions() {
Set<RequiredAction> set = new HashSet<RequiredAction>();
for (String action : accessCode.getRequiredActions()) {
set.add(RequiredAction.valueOf(action));
} }
return set; return null;
} }
public boolean hasRequiredAction(RequiredAction action) { public void setRequiredAction(RequiredAction requiredAction) {
return accessCode.getRequiredActions().contains(action.toString()); switch (requiredAction) {
} case CONFIGURE_TOTP:
setAction(AccessCode.Action.CONFIGURE_TOTP);
public void removeRequiredAction(RequiredAction action) { break;
accessCode.getRequiredActions().remove(action.toString()); case UPDATE_PASSWORD:
} setAction(AccessCode.Action.UPDATE_PASSWORD);
break;
public void setRequiredActions(Set<RequiredAction> set) { case UPDATE_PROFILE:
Set<String> newSet = new HashSet<String>(); setAction(AccessCode.Action.UPDATE_PROFILE);
for (RequiredAction action : set) { break;
newSet.add(action.toString()); case VERIFY_EMAIL:
setAction(AccessCode.Action.VERIFY_EMAIL);
break;
default:
throw new IllegalArgumentException("Unknown required action " + requiredAction);
} }
accessCode.setRequiredActions(newSet);
} }
public String getCode() { public String getCode() {
return new JWSBuilder().jsonContent(accessCode).rsa256(realm.getPrivateKey()); return new JWSBuilder().jsonContent(accessCode).rsa256(realm.getPrivateKey());
} }
} }

6
services/src/main/java/org/keycloak/services/managers/AppAuthManager.java
View file

@ -21,11 +21,9 @@ public class AppAuthManager extends AuthenticationManager {
public AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, UriInfo uriInfo, HttpHeaders headers) { public AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, UriInfo uriInfo, HttpHeaders headers) {
AuthResult authResult = super.authenticateIdentityCookie(session, realm, uriInfo, headers); AuthResult authResult = super.authenticateIdentityCookie(session, realm, uriInfo, headers);
if (authResult == null) return null; if (authResult == null) return null;
Cookie remember = headers.getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
boolean rememberMe = remember != null;
// refresh the cookies! // refresh the cookies!
createLoginCookie(realm, authResult.getUser(), authResult.getSession(), uriInfo, rememberMe); createLoginCookie(realm, authResult.getUser(), authResult.getSession(), uriInfo);
if (rememberMe) createRememberMeCookie(realm, uriInfo); if (authResult.getSession().isRememberMe()) createRememberMeCookie(realm, uriInfo);
return authResult; return authResult;
} }

4
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
View file

@ -94,7 +94,7 @@ public class AuthenticationManager {
return token; return token;
} }
public void createLoginCookie(RealmModel realm, UserModel user, UserSessionModel session, UriInfo uriInfo, boolean rememberMe) { public void createLoginCookie(RealmModel realm, UserModel user, UserSessionModel session, UriInfo uriInfo) {
logger.info("createLoginCookie"); logger.info("createLoginCookie");
String cookiePath = getIdentityCookiePath(realm, uriInfo); String cookiePath = getIdentityCookiePath(realm, uriInfo);
AccessToken identityToken = createIdentityToken(realm, user, session); AccessToken identityToken = createIdentityToken(realm, user, session);
@ -102,7 +102,7 @@ public class AuthenticationManager {
boolean secureOnly = !realm.isSslNotRequired(); boolean secureOnly = !realm.isSslNotRequired();
logger.debugv("creatingLoginCookie - name: {0} path: {1}", KEYCLOAK_IDENTITY_COOKIE, cookiePath); logger.debugv("creatingLoginCookie - name: {0} path: {1}", KEYCLOAK_IDENTITY_COOKIE, cookiePath);
int maxAge = NewCookie.DEFAULT_MAX_AGE; int maxAge = NewCookie.DEFAULT_MAX_AGE;
if (rememberMe) { if (session.isRememberMe()) {
maxAge = realm.getSsoSessionIdleTimeout(); maxAge = realm.getSsoSessionIdleTimeout();
logger.info("createLoginCookie maxAge: " + maxAge); logger.info("createLoginCookie maxAge: " + maxAge);
} }

1
services/src/main/java/org/keycloak/services/managers/TokenManager.java
View file

@ -81,7 +81,6 @@ public class TokenManager {
code.setClientId(client.getClientId()); code.setClientId(client.getClientId());
code.setUserId(user.getId()); code.setUserId(user.getId());
code.setTimestamp(Time.currentTime()); code.setTimestamp(Time.currentTime());
code.setExpiration(Time.currentTime() + realm.getAccessCodeLifespan());
code.setSessionState(session != null ? session.getId() : null); code.setSessionState(session != null ? session.getId() : null);
code.setRedirectUri(redirect); code.setRedirectUri(redirect);
code.setState(state); code.setState(state);

55
services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
View file

@ -63,7 +63,6 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo; import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers; import javax.ws.rs.ext.Providers;
import java.util.HashSet;
import java.util.Set; import java.util.Set;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@ -131,7 +130,6 @@ public class RequiredActionsService {
user.setEmail(email); user.setEmail(email);
user.removeRequiredAction(RequiredAction.UPDATE_PROFILE); user.removeRequiredAction(RequiredAction.UPDATE_PROFILE);
accessCode.removeRequiredAction(RequiredAction.UPDATE_PROFILE);
audit.clone().event(EventType.UPDATE_PROFILE).success(); audit.clone().event(EventType.UPDATE_PROFILE).success();
if (emailChanged) { if (emailChanged) {
@ -173,7 +171,6 @@ public class RequiredActionsService {
user.setTotp(true); user.setTotp(true);
user.removeRequiredAction(RequiredAction.CONFIGURE_TOTP); user.removeRequiredAction(RequiredAction.CONFIGURE_TOTP);
accessCode.removeRequiredAction(RequiredAction.CONFIGURE_TOTP);
audit.clone().event(EventType.UPDATE_TOTP).success(); audit.clone().event(EventType.UPDATE_TOTP).success();
@ -218,20 +215,15 @@ public class RequiredActionsService {
logger.debug("updatePassword updated credential"); logger.debug("updatePassword updated credential");
user.removeRequiredAction(RequiredAction.UPDATE_PASSWORD); user.removeRequiredAction(RequiredAction.UPDATE_PASSWORD);
if (accessCode != null) {
accessCode.removeRequiredAction(RequiredAction.UPDATE_PASSWORD);
}
audit.clone().event(EventType.UPDATE_PASSWORD).success(); audit.clone().event(EventType.UPDATE_PASSWORD).success();
// Password reset through email won't have an associated session // Redirect to account management to login if password reset was initiated by admin
if (accessCode.getSessionState() == null) { if (accessCode.getSessionState() == null) {
UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserById(accessCode.getUser().getId(), realm), clientConnection.getRemoteAddr()); return Response.seeOther(Urls.accountPage(uriInfo.getBaseUri(), realm.getId())).build();
accessCode.setSessionState(userSession.getId()); } else {
audit.session(userSession); return redirectOauth(user, accessCode);
} }
return redirectOauth(user, accessCode);
} }
@ -240,8 +232,7 @@ public class RequiredActionsService {
public Response emailVerification() { public Response emailVerification() {
if (uriInfo.getQueryParameters().containsKey("key")) { if (uriInfo.getQueryParameters().containsKey("key")) {
AccessCodeEntry accessCode = tokenManager.parseCode(uriInfo.getQueryParameters().getFirst("key"), session, realm); AccessCodeEntry accessCode = tokenManager.parseCode(uriInfo.getQueryParameters().getFirst("key"), session, realm);
if (accessCode == null || accessCode.isExpired() if (accessCode == null || accessCode.isExpired() || !RequiredAction.VERIFY_EMAIL.equals(accessCode.getRequiredAction())) {
|| !accessCode.hasRequiredAction(RequiredAction.VERIFY_EMAIL)) {
return unauthorized(); return unauthorized();
} }
@ -252,7 +243,6 @@ public class RequiredActionsService {
user.setEmailVerified(true); user.setEmailVerified(true);
user.removeRequiredAction(RequiredAction.VERIFY_EMAIL); user.removeRequiredAction(RequiredAction.VERIFY_EMAIL);
accessCode.removeRequiredAction(RequiredAction.VERIFY_EMAIL);
audit.clone().event(EventType.VERIFY_EMAIL).detail(Details.EMAIL, accessCode.getUser().getEmail()).success(); audit.clone().event(EventType.VERIFY_EMAIL).detail(Details.EMAIL, accessCode.getUser().getEmail()).success();
@ -276,9 +266,7 @@ public class RequiredActionsService {
public Response passwordReset() { public Response passwordReset() {
if (uriInfo.getQueryParameters().containsKey("key")) { if (uriInfo.getQueryParameters().containsKey("key")) {
AccessCodeEntry accessCode = tokenManager.parseCode(uriInfo.getQueryParameters().getFirst("key"), session, realm); AccessCodeEntry accessCode = tokenManager.parseCode(uriInfo.getQueryParameters().getFirst("key"), session, realm);
accessCode.setAuthMethod("form"); if (accessCode == null || accessCode.isExpired() || !RequiredAction.UPDATE_PASSWORD.equals(accessCode.getRequiredAction())) {
if (accessCode == null || accessCode.isExpired()
|| !accessCode.hasRequiredAction(RequiredAction.UPDATE_PASSWORD)) {
return unauthorized(); return unauthorized();
} }
@ -326,13 +314,11 @@ public class RequiredActionsService {
logger.warn("Failed to send password reset email: user not found"); logger.warn("Failed to send password reset email: user not found");
audit.error(Errors.USER_NOT_FOUND); audit.error(Errors.USER_NOT_FOUND);
} else { } else {
Set<RequiredAction> requiredActions = new HashSet<RequiredAction>(user.getRequiredActions()); UserSessionModel userSession = session.sessions().createUserSession(realm, user, username, clientConnection.getRemoteAddr(), "form", false);
requiredActions.add(RequiredAction.UPDATE_PASSWORD); audit.session(userSession);
AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, session, realm, client, user, null); AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, session, realm, client, user, userSession);
accessCode.setRequiredActions(requiredActions); accessCode.setRequiredAction(RequiredAction.UPDATE_PASSWORD);
accessCode.setAuthMethod("form");
accessCode.setUsernameUsed(username);
try { try {
UriBuilder builder = Urls.loginPasswordResetBuilder(uriInfo.getBaseUri()); UriBuilder builder = Urls.loginPasswordResetBuilder(uriInfo.getBaseUri());
@ -372,8 +358,8 @@ public class RequiredActionsService {
return null; return null;
} }
if (accessCodeEntry.getRequiredActions() == null || !accessCodeEntry.getRequiredActions().contains(requiredAction)) { if (!requiredAction.equals(accessCodeEntry.getRequiredAction())) {
logger.debugv("getAccessCodeEntry required actions null || entry does not contain required action: {0}|{1}", (accessCodeEntry.getRequiredActions() == null),!accessCodeEntry.getRequiredActions().contains(requiredAction) ); logger.debugv("Invalid access code action: {0}", requiredAction);
return null; return null;
} }
@ -391,11 +377,12 @@ public class RequiredActionsService {
Set<RequiredAction> requiredActions = user.getRequiredActions(); Set<RequiredAction> requiredActions = user.getRequiredActions();
if (!requiredActions.isEmpty()) { if (!requiredActions.isEmpty()) {
accessCode.setRequiredAction(requiredActions.iterator().next());
return Flows.forms(session, realm, uriInfo).setAccessCode(accessCode.getCode()).setUser(user) return Flows.forms(session, realm, uriInfo).setAccessCode(accessCode.getCode()).setUser(user)
.createResponse(requiredActions.iterator().next()); .createResponse(requiredActions.iterator().next());
} else { } else {
logger.debugv("redirectOauth: redirecting to: {0}", accessCode.getRedirectUri()); logger.debugv("redirectOauth: redirecting to: {0}", accessCode.getRedirectUri());
accessCode.resetExpiration(); accessCode.setAction(null);
AuthenticationManager authManager = new AuthenticationManager(); AuthenticationManager authManager = new AuthenticationManager();
@ -419,12 +406,16 @@ public class RequiredActionsService {
.session(accessCode.getSessionState()) .session(accessCode.getSessionState())
.detail(Details.CODE_ID, accessCode.getCodeId()) .detail(Details.CODE_ID, accessCode.getCodeId())
.detail(Details.REDIRECT_URI, accessCode.getRedirectUri()) .detail(Details.REDIRECT_URI, accessCode.getRedirectUri())
.detail(Details.RESPONSE_TYPE, "code") .detail(Details.RESPONSE_TYPE, "code");
.detail(Details.AUTH_METHOD, accessCode.getAuthMethod())
.detail(Details.USERNAME, accessCode.getUsernameUsed());
if (accessCode.isRememberMe()) { UserSessionModel userSession = accessCode.getSessionState() != null ? session.sessions().getUserSession(realm, accessCode.getSessionState()) : null;
audit.detail(Details.REMEMBER_ME, "true");
if (userSession != null) {
audit.detail(Details.AUTH_METHOD, userSession.getAuthMethod());
audit.detail(Details.USERNAME, userSession.getLoginUsername());
if (userSession.isRememberMe()) {
audit.detail(Details.REMEMBER_ME, "true");
}
} }
} }

9
services/src/main/java/org/keycloak/services/resources/SocialResource.java
View file

@ -116,6 +116,7 @@ public class SocialResource {
SocialProvider provider = SocialLoader.load(initialRequest.getProvider()); SocialProvider provider = SocialLoader.load(initialRequest.getProvider());
String realmName = initialRequest.getRealm(); String realmName = initialRequest.getRealm();
String authMethod = "social@" + provider.getId();
RealmManager realmManager = new RealmManager(session); RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.getRealmByName(realmName); RealmModel realm = realmManager.getRealmByName(realmName);
@ -123,7 +124,7 @@ public class SocialResource {
Audit audit = new AuditManager(realm, session, clientConnection).createAudit() Audit audit = new AuditManager(realm, session, clientConnection).createAudit()
.event(EventType.LOGIN) .event(EventType.LOGIN)
.detail(Details.RESPONSE_TYPE, initialRequest.get(OAuth2Constants.RESPONSE_TYPE)) .detail(Details.RESPONSE_TYPE, initialRequest.get(OAuth2Constants.RESPONSE_TYPE))
.detail(Details.AUTH_METHOD, "social@" + provider.getId()); .detail(Details.AUTH_METHOD, authMethod);
AuthenticationManager authManager = new AuthenticationManager(); AuthenticationManager authManager = new AuthenticationManager();
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, authManager, tokenManager); OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, authManager, tokenManager);
@ -251,10 +252,12 @@ public class SocialResource {
return oauth.forwardToSecurityFailure("Your account is not enabled."); return oauth.forwardToSecurityFailure("Your account is not enabled.");
} }
UserSessionModel userSession = session.sessions().createUserSession(realm, user, clientConnection.getRemoteAddr()); String username = socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider();
UserSessionModel userSession = session.sessions().createUserSession(realm, user, username, clientConnection.getRemoteAddr(), authMethod, false);
audit.session(userSession); audit.session(userSession);
return oauth.processAccessCode(scope, state, redirectUri, client, user, userSession, socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider(), false, "social@" + provider.getId(), audit); return oauth.processAccessCode(scope, state, redirectUri, client, user, userSession, audit);
} }
@GET @GET

37
services/src/main/java/org/keycloak/services/resources/TokenService.java
View file

@ -28,6 +28,7 @@ import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessCode;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse; import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.CredentialRepresentation;
@ -279,7 +280,7 @@ public class TokenService {
String scope = form.getFirst(OAuth2Constants.SCOPE); String scope = form.getFirst(OAuth2Constants.SCOPE);
UserSessionModel userSession = session.sessions().createUserSession(realm, user, clientConnection.getRemoteAddr()); UserSessionModel userSession = session.sessions().createUserSession(realm, user, username, clientConnection.getRemoteAddr(), "oauth_credentials", false);
userSession.associateClient(client); userSession.associateClient(client);
audit.session(userSession); audit.session(userSession);
@ -426,10 +427,10 @@ public class TokenService {
switch (status) { switch (status) {
case SUCCESS: case SUCCESS:
case ACTIONS_REQUIRED: case ACTIONS_REQUIRED:
UserSessionModel userSession = session.sessions().createUserSession(realm, user, clientConnection.getRemoteAddr()); UserSessionModel userSession = session.sessions().createUserSession(realm, user, username, clientConnection.getRemoteAddr(), "form", remember);
audit.session(userSession); audit.session(userSession);
return oauth.processAccessCode(scopeParam, state, redirect, client, user, userSession, username, remember, "form", audit); return oauth.processAccessCode(scopeParam, state, redirect, client, user, userSession, audit);
case ACCOUNT_TEMPORARILY_DISABLED: case ACCOUNT_TEMPORARILY_DISABLED:
audit.error(Errors.USER_TEMPORARILY_DISABLED); audit.error(Errors.USER_TEMPORARILY_DISABLED);
return Flows.forms(this.session, realm, uriInfo).setError(Messages.ACCOUNT_TEMPORARILY_DISABLED).setFormData(formData).createLogin(); return Flows.forms(this.session, realm, uriInfo).setError(Messages.ACCOUNT_TEMPORARILY_DISABLED).setFormData(formData).createLogin();
@ -642,6 +643,14 @@ public class TokenService {
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res) return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
.build(); .build();
} }
if (accessCode.getAction() != null) {
Map<String, String> res = new HashMap<String, String>();
res.put(OAuth2Constants.ERROR, "invalid_grant");
res.put(OAuth2Constants.ERROR_DESCRIPTION, "Code is not active");
audit.error(Errors.INVALID_CODE);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
.build();
}
audit.user(accessCode.getUser()); audit.user(accessCode.getUser());
audit.session(accessCode.getSessionState()); audit.session(accessCode.getSessionState());
@ -834,7 +843,7 @@ public class TokenService {
logger.debug(user.getUsername() + " already logged in."); logger.debug(user.getUsername() + " already logged in.");
audit.user(user).session(session).detail(Details.AUTH_METHOD, "sso"); audit.user(user).session(session).detail(Details.AUTH_METHOD, "sso");
return oauth.processAccessCode(scopeParam, state, redirect, client, user, session, null, false, "sso", audit); return oauth.processAccessCode(scopeParam, state, redirect, client, user, session, audit);
} }
if (prompt != null && prompt.equals("none")) { if (prompt != null && prompt.equals("none")) {
@ -974,7 +983,7 @@ public class TokenService {
String code = formData.getFirst(OAuth2Constants.CODE); String code = formData.getFirst(OAuth2Constants.CODE);
AccessCodeEntry accessCodeEntry = tokenManager.parseCode(code, session, realm); AccessCodeEntry accessCodeEntry = tokenManager.parseCode(code, session, realm);
if (accessCodeEntry == null) { if (accessCodeEntry == null || !AccessCode.Action.OAUTH_GRANT.equals(accessCodeEntry.getAction())) {
audit.error(Errors.INVALID_CODE); audit.error(Errors.INVALID_CODE);
return oauth.forwardToSecurityFailure("Unknown access code."); return oauth.forwardToSecurityFailure("Unknown access code.");
} }
@ -986,15 +995,17 @@ public class TokenService {
audit.client(accessCodeEntry.getClient()) audit.client(accessCodeEntry.getClient())
.user(accessCodeEntry.getUser()) .user(accessCodeEntry.getUser())
.detail(Details.RESPONSE_TYPE, "code") .detail(Details.RESPONSE_TYPE, "code")
.detail(Details.AUTH_METHOD, accessCodeEntry.getAuthMethod()) .detail(Details.REDIRECT_URI, redirect);
.detail(Details.REDIRECT_URI, redirect)
.detail(Details.USERNAME, accessCodeEntry.getUsernameUsed());
if (accessCodeEntry.isRememberMe()) {
audit.detail(Details.REMEMBER_ME, "true");
}
UserSessionModel userSession = session.sessions().getUserSession(realm, accessCodeEntry.getSessionState()); UserSessionModel userSession = session.sessions().getUserSession(realm, accessCodeEntry.getSessionState());
if (userSession != null) {
audit.detail(Details.AUTH_METHOD, userSession.getAuthMethod());
audit.detail(Details.USERNAME, userSession.getLoginUsername());
if (userSession.isRememberMe()) {
audit.detail(Details.REMEMBER_ME, "true");
}
}
if (!AuthenticationManager.isSessionValid(realm, userSession)) { if (!AuthenticationManager.isSessionValid(realm, userSession)) {
AuthenticationManager.logout(session, realm, userSession, uriInfo); AuthenticationManager.logout(session, realm, userSession, uriInfo);
audit.error(Errors.INVALID_CODE); audit.error(Errors.INVALID_CODE);
@ -1009,7 +1020,7 @@ public class TokenService {
audit.success(); audit.success();
accessCodeEntry.resetExpiration(); accessCodeEntry.setAction(null);
return oauth.redirectAccessCode(accessCodeEntry, userSession, state, redirect); return oauth.redirectAccessCode(accessCodeEntry, userSession, state, redirect);
} }

7
services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
View file

@ -820,13 +820,8 @@ public class UsersResource {
return Flows.errors().error("AccountProvider management not enabled", Response.Status.INTERNAL_SERVER_ERROR); return Flows.errors().error("AccountProvider management not enabled", Response.Status.INTERNAL_SERVER_ERROR);
} }
Set<UserModel.RequiredAction> requiredActions = new HashSet<UserModel.RequiredAction>(user.getRequiredActions());
requiredActions.add(UserModel.RequiredAction.UPDATE_PASSWORD);
AccessCodeEntry accessCode = tokenManager.createAccessCode(scope, state, redirect, session, realm, client, user, null); AccessCodeEntry accessCode = tokenManager.createAccessCode(scope, state, redirect, session, realm, client, user, null);
accessCode.setRequiredActions(requiredActions); accessCode.setRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
accessCode.setUsernameUsed(username);
accessCode.resetExpiration();
try { try {
UriBuilder builder = Urls.loginPasswordResetBuilder(uriInfo.getBaseUri()); UriBuilder builder = Urls.loginPasswordResetBuilder(uriInfo.getBaseUri());

30
services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
View file

@ -37,7 +37,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.RequiredAction; import org.keycloak.models.UserModel.RequiredAction;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessCode;
import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.managers.AccessCodeEntry; import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.AuthenticationManager;
@ -48,10 +48,8 @@ import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo; import javax.ws.rs.core.UriInfo;
import java.util.HashSet;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map;
import java.util.Set; import java.util.Set;
/** /**
@ -84,12 +82,7 @@ public class OAuthFlows {
this.tokenManager = tokenManager; this.tokenManager = tokenManager;
} }
public Response redirectAccessCode(AccessCodeEntry accessCode, UserSessionModel session, String state, String redirect) { public Response redirectAccessCode(AccessCodeEntry accessCode, UserSessionModel userSession, String state, String redirect) {
return redirectAccessCode(accessCode, session, state, redirect, false);
}
public Response redirectAccessCode(AccessCodeEntry accessCode, UserSessionModel userSession, String state, String redirect, boolean rememberMe) {
String code = accessCode.getCode(); String code = accessCode.getCode();
UriBuilder redirectUri = UriBuilder.fromUri(redirect).queryParam(OAuth2Constants.CODE, code); UriBuilder redirectUri = UriBuilder.fromUri(redirect).queryParam(OAuth2Constants.CODE, code);
log.debugv("redirectAccessCode: state: {0}", state); log.debugv("redirectAccessCode: state: {0}", state);
@ -97,7 +90,6 @@ public class OAuthFlows {
redirectUri.queryParam(OAuth2Constants.STATE, state); redirectUri.queryParam(OAuth2Constants.STATE, state);
Response.ResponseBuilder location = Response.status(302).location(redirectUri.build()); Response.ResponseBuilder location = Response.status(302).location(redirectUri.build());
Cookie remember = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME); Cookie remember = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
rememberMe = rememberMe || remember != null;
Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE); Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
if (sessionCookie != null) { if (sessionCookie != null) {
@ -112,8 +104,8 @@ public class OAuthFlows {
} }
// refresh the cookies! // refresh the cookies!
authManager.createLoginCookie(realm, accessCode.getUser(), userSession, uriInfo, rememberMe); authManager.createLoginCookie(realm, accessCode.getUser(), userSession, uriInfo);
if (rememberMe) authManager.createRememberMeCookie(realm, uriInfo); if (userSession.isRememberMe()) authManager.createRememberMeCookie(realm, uriInfo);
return location.build(); return location.build();
} }
@ -125,15 +117,12 @@ public class OAuthFlows {
return Response.status(302).location(redirectUri.build()).build(); return Response.status(302).location(redirectUri.build()).build();
} }
public Response processAccessCode(String scopeParam, String state, String redirect, ClientModel client, UserModel user, UserSessionModel session, String username, boolean rememberMe, String authMethod, Audit audit) { public Response processAccessCode(String scopeParam, String state, String redirect, ClientModel client, UserModel user, UserSessionModel session, Audit audit) {
isTotpConfigurationRequired(user); isTotpConfigurationRequired(user);
isEmailVerificationRequired(user); isEmailVerificationRequired(user);
boolean isResource = client instanceof ApplicationModel; boolean isResource = client instanceof ApplicationModel;
AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, this.session, realm, client, user, session); AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, this.session, realm, client, user, session);
accessCode.setRememberMe(rememberMe);
accessCode.setAuthMethod(authMethod);
accessCode.setUsernameUsed(username);
log.debugv("processAccessCode: isResource: {0}", isResource); log.debugv("processAccessCode: isResource: {0}", isResource);
log.debugv("processAccessCode: go to oauth page?: {0}", log.debugv("processAccessCode: go to oauth page?: {0}",
@ -143,10 +132,9 @@ public class OAuthFlows {
Set<RequiredAction> requiredActions = user.getRequiredActions(); Set<RequiredAction> requiredActions = user.getRequiredActions();
if (!requiredActions.isEmpty()) { if (!requiredActions.isEmpty()) {
accessCode.setRequiredActions(new HashSet<UserModel.RequiredAction>(requiredActions));
accessCode.resetExpiration();
RequiredAction action = user.getRequiredActions().iterator().next(); RequiredAction action = user.getRequiredActions().iterator().next();
accessCode.setRequiredAction(action);
if (action.equals(RequiredAction.VERIFY_EMAIL)) { if (action.equals(RequiredAction.VERIFY_EMAIL)) {
audit.clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, accessCode.getUser().getEmail()).success(); audit.clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, accessCode.getUser().getEmail()).success();
} }
@ -156,7 +144,7 @@ public class OAuthFlows {
} }
if (!isResource) { if (!isResource) {
accessCode.resetExpiration(); accessCode.setAction(AccessCode.Action.OAUTH_GRANT);
List<RoleModel> realmRoles = new LinkedList<RoleModel>(); List<RoleModel> realmRoles = new LinkedList<RoleModel>();
MultivaluedMap<String, RoleModel> resourceRoles = new MultivaluedMapImpl<String, RoleModel>(); MultivaluedMap<String, RoleModel> resourceRoles = new MultivaluedMapImpl<String, RoleModel>();
@ -177,7 +165,7 @@ public class OAuthFlows {
if (redirect != null) { if (redirect != null) {
audit.success(); audit.success();
return redirectAccessCode(accessCode, session, state, redirect, rememberMe); return redirectAccessCode(accessCode, session, state, redirect);
} else { } else {
return null; return null;
} }

2
testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/AdapterTest.java
View file

@ -100,7 +100,7 @@ public class AdapterTest {
ApplicationModel adminConsole = adminRealm.getApplicationByName(Constants.ADMIN_CONSOLE_APPLICATION); ApplicationModel adminConsole = adminRealm.getApplicationByName(Constants.ADMIN_CONSOLE_APPLICATION);
TokenManager tm = new TokenManager(); TokenManager tm = new TokenManager();
UserModel admin = session.users().getUserByUsername("admin", adminRealm); UserModel admin = session.users().getUserByUsername("admin", adminRealm);
UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, null); UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, "admin", null, "form", false);
AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession); AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession);
return tm.encodeToken(adminRealm, token); return tm.encodeToken(adminRealm, token);
} finally { } finally {

2
testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/RelativeUriAdapterTest.java
View file

@ -87,7 +87,7 @@ public class RelativeUriAdapterTest {
ApplicationModel adminConsole = adminRealm.getApplicationByName(Constants.ADMIN_CONSOLE_APPLICATION); ApplicationModel adminConsole = adminRealm.getApplicationByName(Constants.ADMIN_CONSOLE_APPLICATION);
TokenManager tm = new TokenManager(); TokenManager tm = new TokenManager();
UserModel admin = session.users().getUserByUsername("admin", adminRealm); UserModel admin = session.users().getUserByUsername("admin", adminRealm);
UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, null); UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, "user", null, "form", false);
AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession); AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession);
adminToken = tm.encodeToken(adminRealm, token); adminToken = tm.encodeToken(adminRealm, token);

2
testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java
View file

@ -79,7 +79,7 @@ public class AdminAPITest {
ApplicationModel adminConsole = adminRealm.getApplicationByName(Constants.ADMIN_CONSOLE_APPLICATION); ApplicationModel adminConsole = adminRealm.getApplicationByName(Constants.ADMIN_CONSOLE_APPLICATION);
TokenManager tm = new TokenManager(); TokenManager tm = new TokenManager();
UserModel admin = session.users().getUserByUsername("admin", adminRealm); UserModel admin = session.users().getUserByUsername("admin", adminRealm);
UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, null); UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, "admin", null, "form", false);
AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession); AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession);
return tm.encodeToken(adminRealm, token); return tm.encodeToken(adminRealm, token);
} finally { } finally {

18
testsuite/integration/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java
View file

@ -126,7 +126,7 @@ public class ResetPasswordTest {
resetPasswordPage.assertCurrent(); resetPasswordPage.assertCurrent();
events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).detail(Details.USERNAME, username).session((String) null).detail(Details.EMAIL, "login@test.com").assertEvent().getSessionId(); String sessionId = events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).detail(Details.USERNAME, username).detail(Details.EMAIL, "login@test.com").assertEvent().getSessionId();
Assert.assertEquals("You should receive an email shortly with further instructions.", resetPasswordPage.getSuccessMessage()); Assert.assertEquals("You should receive an email shortly with further instructions.", resetPasswordPage.getSuccessMessage());
@ -143,16 +143,15 @@ public class ResetPasswordTest {
updatePasswordPage.changePassword("resetPassword", "resetPassword"); updatePasswordPage.changePassword("resetPassword", "resetPassword");
events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).session((String) null).detail(Details.USERNAME, username).assertEvent(); events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).session(sessionId).detail(Details.USERNAME, username).assertEvent();
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
Event loginEvent = events.expectLogin().user(userId).detail(Details.USERNAME, username).assertEvent(); events.expectLogin().user(userId).detail(Details.USERNAME, username).session(sessionId).assertEvent();
String sessionId = loginEvent.getSessionId();
oauth.openLogout(); oauth.openLogout();
events.expectLogout(loginEvent.getSessionId()).user(userId).session(sessionId).assertEvent(); events.expectLogout(sessionId).user(userId).session(sessionId).assertEvent();
loginPage.open(); loginPage.open();
@ -210,7 +209,7 @@ public class ResetPasswordTest {
String body = (String) message.getContent(); String body = (String) message.getContent();
String changePasswordUrl = MailUtil.getLink(body); String changePasswordUrl = MailUtil.getLink(body);
events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").session((String) null).assertEvent(); String sessionId = events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent().getSessionId();
driver.navigate().to(changePasswordUrl.trim()); driver.navigate().to(changePasswordUrl.trim());
@ -222,16 +221,15 @@ public class ResetPasswordTest {
updatePasswordPage.changePassword("resetPasswordWithPasswordPolicy", "resetPasswordWithPasswordPolicy"); updatePasswordPage.changePassword("resetPasswordWithPasswordPolicy", "resetPasswordWithPasswordPolicy");
events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).session((String) null).detail(Details.USERNAME, "login-test").assertEvent(); events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).session(sessionId).detail(Details.USERNAME, "login-test").assertEvent();
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
Event loginEvent = events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent(); events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").session(sessionId).assertEvent();
String sessionId = loginEvent.getSessionId();
oauth.openLogout(); oauth.openLogout();
events.expectLogout(loginEvent.getSessionId()).user(userId).session(sessionId).assertEvent(); events.expectLogout(sessionId).user(userId).session(sessionId).assertEvent();
loginPage.open(); loginPage.open();

15
testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java
View file

@ -55,8 +55,8 @@ public class UserSessionProviderTest {
int started = Time.currentTime(); int started = Time.currentTime();
UserSessionModel[] sessions = createSessions(); UserSessionModel[] sessions = createSessions();
assertSession(session.sessions().getUserSession(realm, sessions[0].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); assertSession(session.sessions().getUserSession(realm, sessions[0].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party");
assertSession(session.sessions().getUserSession(realm, sessions[1].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); assertSession(session.sessions().getUserSession(realm, sessions[1].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app");
assertSession(session.sessions().getUserSession(realm, sessions[2].getId()), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started); assertSession(session.sessions().getUserSession(realm, sessions[2].getId()), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started);
} }
@ -116,7 +116,7 @@ public class UserSessionProviderTest {
@Test @Test
public void testGetByClientPaginated() { public void testGetByClientPaginated() {
for (int i = 0; i < 25; i++) { for (int i = 0; i < 25; i++) {
UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "127.0.0." + i); UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false);
userSession.setStarted(Time.currentTime() + i); userSession.setStarted(Time.currentTime() + i);
userSession.associateClient(realm.findClient("test-app")); userSession.associateClient(realm.findClient("test-app"));
} }
@ -157,14 +157,14 @@ public class UserSessionProviderTest {
private UserSessionModel[] createSessions() { private UserSessionModel[] createSessions() {
UserSessionModel[] sessions = new UserSessionModel[4]; UserSessionModel[] sessions = new UserSessionModel[4];
sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "127.0.0.1"); sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true);
sessions[0].associateClient(realm.findClient("test-app")); sessions[0].associateClient(realm.findClient("test-app"));
sessions[0].associateClient(realm.findClient("third-party")); sessions[0].associateClient(realm.findClient("third-party"));
sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "127.0.0.2"); sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true);
sessions[1].associateClient(realm.findClient("test-app")); sessions[1].associateClient(realm.findClient("test-app"));
sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "127.0.0.3"); sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true);
resetSession(); resetSession();
@ -197,6 +197,9 @@ public class UserSessionProviderTest {
public void assertSession(UserSessionModel session, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { public void assertSession(UserSessionModel session, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) {
assertEquals(user.getId(), session.getUser().getId()); assertEquals(user.getId(), session.getUser().getId());
assertEquals(ipAddress, session.getIpAddress()); assertEquals(ipAddress, session.getIpAddress());
assertEquals(user.getUsername(), session.getLoginUsername());
assertEquals("form", session.getAuthMethod());
assertEquals(true, session.isRememberMe());
assertTrue(session.getStarted() >= started - 1 && session.getStarted() <= started + 1); assertTrue(session.getStarted() >= started - 1 && session.getStarted() <= started + 1);
assertTrue(session.getLastSessionRefresh() >= lastRefresh - 1 && session.getLastSessionRefresh() <= lastRefresh + 1); assertTrue(session.getLastSessionRefresh() >= lastRefresh - 1 && session.getLastSessionRefresh() <= lastRefresh + 1);