Use session ID rather than broker session ID

Closes: #24455

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
This commit is contained in:
Hynek Mlnarik 2023-11-03 15:12:54 +01:00 committed by Marek Posolda
parent 495669e7a4
commit 70d0f731f5
5 changed files with 23 additions and 15 deletions

View file

@ -18,11 +18,10 @@ package org.keycloak.models.light;
import org.keycloak.common.Profile;
import org.keycloak.common.Profile.Feature;
import org.keycloak.common.util.Base64;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.SubjectCredentialManager;
@ -35,11 +34,11 @@ import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
import com.fasterxml.jackson.annotation.JsonIncludeProperties;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
@ -80,17 +79,18 @@ public class LightweightUserAdapter extends AbstractInMemoryUserAdapter {
}
public static String getLightweightUserId(String id) {
try {
return id == null || id.length() < ID_PREFIX.length()
? null
: new String(Base64.decode(id.substring(ID_PREFIX.length())), StandardCharsets.UTF_8);
} catch (IOException ex) {
return null;
}
: id.substring(ID_PREFIX.length());
}
public LightweightUserAdapter(KeycloakSession session, String id) {
super(session, null, ID_PREFIX + Base64.encodeBytes(id.getBytes(StandardCharsets.UTF_8)));
super(session, null, ID_PREFIX + (id == null ? SecretGenerator.getInstance().randomString(16) : id));
}
public void setOwningUserSessionId(String id) {
this.id = ID_PREFIX + (id == null ? UUID.randomUUID().toString() : id);
update();
}
protected LightweightUserAdapter() {

View file

@ -37,6 +37,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.models.utils.AuthenticationFlowResolver;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.protocol.LoginProtocol;
@ -1069,6 +1070,11 @@ public class AuthenticationProcessor {
userSession = new UserSessionManager(session).createUserSession(authSession.getParentSession().getId(), realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol()
, remember, brokerSessionId, brokerUserId, persistenceState);
if (isLightweightUser(userSession.getUser())) {
LightweightUserAdapter lua = (LightweightUserAdapter) userSession.getUser();
lua.setOwningUserSessionId(userSession.getId());
}
} else if (userSession.getUser() == null || !AuthenticationManager.isSessionValid(realm, userSession)) {
userSession.restartSession(realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol()
, remember, brokerSessionId, brokerUserId);

View file

@ -75,7 +75,7 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator
logger.debugf("Transient brokering requested. Recording user details for account '%s' and from identity provider '%s' .",
username, brokerContext.getIdpConfig().getAlias());
federatedUser = new LightweightUserAdapter(session, brokerContext.getBrokerSessionId());
federatedUser = new LightweightUserAdapter(session, context.getAuthenticationSession().getParentSession().getId());
federatedUser.setUsername(username);
} else if (duplication == null) {
logger.debugf("No duplication detected. Creating account for user '%s' and linking with identity provider '%s' .",

View file

@ -576,7 +576,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
}
if (context.getIdpConfig().isTransientUsers()) {
user = new LightweightUserAdapter(session, UUID.randomUUID().toString());
user = new LightweightUserAdapter(session, context.getAuthenticationSession().getParentSession().getId());
} else {
user = session.users().addUser(realm, username);
}

View file

@ -230,8 +230,10 @@ public class UsersResource {
public UserResource user(final @PathParam("id") String id) {
UserModel user = null;
if (LightweightUserAdapter.isLightweightUser(id)) {
UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, LightweightUserAdapter.getLightweightUserId(id));
UserSessionModel userSession = session.sessions().getUserSession(realm, LightweightUserAdapter.getLightweightUserId(id));
if (userSession != null) {
user = userSession.getUser();
}
} else {
user = session.users().getUserById(realm, id);
}