diff --git a/server-spi-private/src/main/java/org/keycloak/models/light/LightweightUserAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/light/LightweightUserAdapter.java index fb233b2926..4e209d7ec8 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/light/LightweightUserAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/light/LightweightUserAdapter.java @@ -18,11 +18,10 @@ package org.keycloak.models.light; import org.keycloak.common.Profile; import org.keycloak.common.Profile.Feature; -import org.keycloak.common.util.Base64; import org.keycloak.models.ClientScopeModel; +import org.keycloak.common.util.SecretGenerator; import org.keycloak.models.GroupModel; import org.keycloak.models.KeycloakSession; -import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.SubjectCredentialManager; @@ -35,11 +34,11 @@ import com.fasterxml.jackson.annotation.JsonAutoDetect; import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility; import com.fasterxml.jackson.annotation.JsonIncludeProperties; import java.io.IOException; -import java.nio.charset.StandardCharsets; import java.util.HashSet; import java.util.List; import java.util.Objects; import java.util.Set; +import java.util.UUID; import java.util.function.Consumer; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -80,17 +79,18 @@ public class LightweightUserAdapter extends AbstractInMemoryUserAdapter { } public static String getLightweightUserId(String id) { - try { - return id == null || id.length() < ID_PREFIX.length() - ? null - : new String(Base64.decode(id.substring(ID_PREFIX.length())), StandardCharsets.UTF_8); - } catch (IOException ex) { - return null; - } + return id == null || id.length() < ID_PREFIX.length() + ? null + : id.substring(ID_PREFIX.length()); } public LightweightUserAdapter(KeycloakSession session, String id) { - super(session, null, ID_PREFIX + Base64.encodeBytes(id.getBytes(StandardCharsets.UTF_8))); + super(session, null, ID_PREFIX + (id == null ? SecretGenerator.getInstance().randomString(16) : id)); + } + + public void setOwningUserSessionId(String id) { + this.id = ID_PREFIX + (id == null ? UUID.randomUUID().toString() : id); + update(); } protected LightweightUserAdapter() { diff --git a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java index b206a4a1a7..2ca6d9f629 100755 --- a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java +++ b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java @@ -37,6 +37,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; +import org.keycloak.models.light.LightweightUserAdapter; import org.keycloak.models.utils.AuthenticationFlowResolver; import org.keycloak.models.utils.FormMessage; import org.keycloak.protocol.LoginProtocol; @@ -1069,6 +1070,11 @@ public class AuthenticationProcessor { userSession = new UserSessionManager(session).createUserSession(authSession.getParentSession().getId(), realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol() , remember, brokerSessionId, brokerUserId, persistenceState); + + if (isLightweightUser(userSession.getUser())) { + LightweightUserAdapter lua = (LightweightUserAdapter) userSession.getUser(); + lua.setOwningUserSessionId(userSession.getId()); + } } else if (userSession.getUser() == null || !AuthenticationManager.isSessionValid(realm, userSession)) { userSession.restartSession(realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol() , remember, brokerSessionId, brokerUserId); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java index 9a41641edd..a81beb4f99 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java @@ -75,7 +75,7 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator logger.debugf("Transient brokering requested. Recording user details for account '%s' and from identity provider '%s' .", username, brokerContext.getIdpConfig().getAlias()); - federatedUser = new LightweightUserAdapter(session, brokerContext.getBrokerSessionId()); + federatedUser = new LightweightUserAdapter(session, context.getAuthenticationSession().getParentSession().getId()); federatedUser.setUsername(username); } else if (duplication == null) { logger.debugf("No duplication detected. Creating account for user '%s' and linking with identity provider '%s' .", diff --git a/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java index 54d4459e5b..20001f9d36 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java @@ -576,7 +576,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider { } if (context.getIdpConfig().isTransientUsers()) { - user = new LightweightUserAdapter(session, UUID.randomUUID().toString()); + user = new LightweightUserAdapter(session, context.getAuthenticationSession().getParentSession().getId()); } else { user = session.users().addUser(realm, username); } diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java index f1dbb6acde..f8cbe2a71c 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java @@ -230,8 +230,10 @@ public class UsersResource { public UserResource user(final @PathParam("id") String id) { UserModel user = null; if (LightweightUserAdapter.isLightweightUser(id)) { - UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, LightweightUserAdapter.getLightweightUserId(id)); - user = userSession.getUser(); + UserSessionModel userSession = session.sessions().getUserSession(realm, LightweightUserAdapter.getLightweightUserId(id)); + if (userSession != null) { + user = userSession.getUser(); + } } else { user = session.users().getUserById(realm, id); }