/** * Get status of a username in brute force detection * * @param username * @return */ @GET @Path("brute-force/usernames/{username}") @NoCache @Produces(MediaType.APPLICATION_JSON) public Map<String, Object> bruteForceUserStatus(@PathParam("username") String username) { auth.requireView(); Map<String, Object> data = new HashMap<>(); data.put("disabled", false); data.put("numFailures", 0); data.put("lastFailure", 0); data.put("lastIPFailure", "n/a"); if (!realm.isBruteForceProtected()) return data; UsernameLoginFailureModel model = session.sessions().getUserLoginFailure(realm, username.toLowerCase()); if (model == null) return data; if (session .getProvider(BruteForceProtector.class) .isTemporarilyDisabled(session, realm, username)) { data.put("disabled", true); } data.put("numFailures", model.getNumFailures()); data.put("lastFailure", model.getLastFailure()); data.put("lastIPFailure", model.getLastIPFailure()); return data; }
/** * Called after successful kerberos authentication * * @param realm realm * @param username username without realm prefix * @return finded or newly created user */ protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, String username) { UserModel user = session.userStorage().getUserByUsername(username, realm); if (user != null) { logger.debugf("Kerberos authenticated user [%s] found in Keycloak storage", username); if (!model.getId().equals(user.getFederationLink())) { logger.warnf( "User with username [%s] already exists, but is not linked to provider [%s]", username, model.getDisplayName()); return null; } else { LDAPObject ldapObject = loadAndValidateUser(realm, user); if (ldapObject != null) { return proxy(realm, user, ldapObject); } else { logger.warnf( "User with username [%s] aready exists and is linked to provider [%s] but is not valid. Stale LDAP_ID on local user is: %s", username, model.getDisplayName(), user.getFirstAttribute(LDAPConstants.LDAP_ID)); logger.warn("Will re-create user"); session.userStorage().removeUser(realm, user); } } } // Creating user to local storage logger.debugf( "Kerberos authenticated user [%s] not in Keycloak storage. Creating him", username); return getUserByUsername(realm, username); }
protected void assertUser( String expectedUsername, String expectedEmail, String expectedFirstname, String expectedLastname, boolean updateProfileActionExpected) { KeycloakRule keycloakRule = getKeycloakRule(); KeycloakSession session = keycloakRule.startSession(); try { RealmManager manager = new RealmManager(session); RealmModel appRealm = manager.getRealm("test"); UserModel user = session.users().getUserByUsername(expectedUsername, appRealm); Assert.assertNotNull(user); Assert.assertEquals(user.getEmail(), expectedEmail); Assert.assertEquals(user.getFirstName(), expectedFirstname); Assert.assertEquals(user.getLastName(), expectedLastname); if (updateProfileActionExpected) { Assert.assertEquals( UserModel.RequiredAction.UPDATE_PROFILE.toString(), user.getRequiredActions().iterator().next()); } else { Assert.assertTrue(user.getRequiredActions().isEmpty()); } } finally { keycloakRule.stopSession(session, true); } }
/** * Set up a temporary password for the user * * <p>User will have to reset the temporary password next time they log in. * * @param id User id * @param pass A Temporary password */ @Path("{id}/reset-password") @PUT @Consumes(MediaType.APPLICATION_JSON) public void resetPassword(@PathParam("id") String id, CredentialRepresentation pass) { auth.requireManage(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } if (pass == null || pass.getValue() == null || !CredentialRepresentation.PASSWORD.equals(pass.getType())) { throw new BadRequestException("No password provided"); } UserCredentialModel cred = RepresentationToModel.convertCredential(pass); try { session.users().updateCredential(realm, user, cred); } catch (IllegalStateException ise) { throw new BadRequestException("Resetting to N old passwords is not allowed."); } catch (ModelReadOnlyException mre) { throw new BadRequestException("Can't reset password as account is read only"); } if (pass.isTemporary() != null && pass.isTemporary()) user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD); adminEvent.operation(OperationType.ACTION).resourcePath(uriInfo).success(); }
private static String createAdminToken(String username, String realm) { KeycloakSession session = keycloakRule.startSession(); try { RealmManager manager = new RealmManager(session); RealmModel adminRealm = manager.getRealm(realm); ClientModel adminConsole = adminRealm.getClientByClientId(Constants.ADMIN_CLI_CLIENT_ID); TokenManager tm = new TokenManager(); UserModel admin = session.users().getUserByUsername(username, adminRealm); ClientSessionModel clientSession = session.sessions().createClientSession(adminRealm, adminConsole); clientSession.setNote(OIDCLoginProtocol.ISSUER, "http://localhost:8081/auth/realms/" + realm); UserSessionModel userSession = session .sessions() .createUserSession(adminRealm, admin, "admin", null, "form", false, null, null); AccessToken token = tm.createClientAccessToken( session, tm.getAccess(null, true, adminConsole, admin), adminRealm, adminConsole, admin, userSession, clientSession); return tm.encodeToken(adminRealm, token); } finally { keycloakRule.stopSession(session, true); } }
public DemoApplication(@Context ServletContext servletContext) { super(servletContext); KeycloakSession session = factory.createSession(); session.getTransaction().begin(); install(new RealmManager(session)); session.getTransaction().commit(); }
/** * Get represenation of the user * * @param id User id * @return */ @Path("{id}") @GET @NoCache @Produces(MediaType.APPLICATION_JSON) public UserRepresentation getUser(final @PathParam("id") String id) { auth.requireView(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } UserRepresentation rep = ModelToRepresentation.toRepresentation(user); if (realm.isIdentityFederationEnabled()) { List<FederatedIdentityRepresentation> reps = getFederatedIdentities(user); rep.setFederatedIdentities(reps); } if (session .getProvider(BruteForceProtector.class) .isTemporarilyDisabled(session, realm, rep.getUsername())) { rep.setEnabled(false); } return rep; }
protected UserCredentialStore getStoreForUser(UserModel user) { if (StorageId.isLocalStorage(user)) { return (UserCredentialStore) session.userLocalStorage(); } else { return (UserCredentialStore) session.userFederatedStorage(); } }
@Test public void testMigrationModel() { KeycloakSession keycloakSession = keycloakRule.startSession(); Assert.assertEquals( keycloakSession.realms().getMigrationModel().getStoredVersion(), MigrationModel.LATEST_VERSION); keycloakSession.close(); }
public UserRepresentation getUserById(String realm, String id) { KeycloakSession session = server.getKeycloakSessionFactory().createSession(); try { return ModelToRepresentation.toRepresentation(session.getRealmByName(realm).getUserById(id)); } finally { session.close(); } }
protected UserModel getUser(String userId) { KeycloakSession samlServerSession = keycloakRule.startSession(); try { RealmModel brokerRealm = samlServerSession.realms().getRealm("test"); return samlServerSession.users().getUserById(userId, brokerRealm); } finally { keycloakRule.stopSession(samlServerSession, false); } }
protected <T> List<T> getCredentialProviders(RealmModel realm, Class<T> type) { List<T> list = new LinkedList<T>(); for (ProviderFactory f : session.getKeycloakSessionFactory().getProviderFactories(CredentialProvider.class)) { if (!Types.supports(CredentialInputUpdater.class, f, CredentialProviderFactory.class)) continue; list.add((T) session.getProvider(CredentialProvider.class, f.getId())); } return list; }
/** * Impersonate the user * * @param id User id * @return */ @Path("{id}/impersonation") @POST @NoCache @Produces(MediaType.APPLICATION_JSON) public Map<String, Object> impersonate(final @PathParam("id") String id) { auth.init(RealmAuth.Resource.IMPERSONATION); auth.requireManage(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } RealmModel authenticatedRealm = auth.getAuth().getRealm(); // if same realm logout before impersonation boolean sameRealm = false; if (authenticatedRealm.getId().equals(realm.getId())) { sameRealm = true; UserSessionModel userSession = session .sessions() .getUserSession(authenticatedRealm, auth.getAuth().getToken().getSessionState()); AuthenticationManager.expireIdentityCookie(realm, uriInfo, clientConnection); AuthenticationManager.expireRememberMeCookie(realm, uriInfo, clientConnection); AuthenticationManager.backchannelLogout( session, authenticatedRealm, userSession, uriInfo, clientConnection, headers, true); } EventBuilder event = new EventBuilder(realm, session, clientConnection); UserSessionModel userSession = session .sessions() .createUserSession( realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "impersonate", false, null, null); AuthenticationManager.createLoginCookie( realm, userSession.getUser(), userSession, uriInfo, clientConnection); URI redirect = AccountService.accountServiceApplicationPage(uriInfo).build(realm.getName()); Map<String, Object> result = new HashMap<>(); result.put("sameRealm", sameRealm); result.put("redirect", redirect.toString()); event .event(EventType.IMPERSONATE) .session(userSession) .user(user) .detail(Details.IMPERSONATOR_REALM, authenticatedRealm.getName()) .detail(Details.IMPERSONATOR, auth.getAuth().getUser().getUsername()) .success(); return result; }
private ClientSessionModel createClientSession( UserModel user, String redirectUri, String clientId) { if (!user.isEnabled()) { throw new WebApplicationException( ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST)); } if (redirectUri != null && clientId == null) { throw new WebApplicationException( ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST)); } if (clientId == null) { clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; } ClientModel client = realm.getClientByClientId(clientId); if (client == null || !client.isEnabled()) { throw new WebApplicationException( ErrorResponse.error(clientId + " not enabled", Response.Status.BAD_REQUEST)); } String redirect; if (redirectUri != null) { redirect = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realm, client); if (redirect == null) { throw new WebApplicationException( ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST)); } } else { redirect = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); } UserSessionModel userSession = session .sessions() .createUserSession( realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "form", false, null, null); // audit.session(userSession); ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); clientSession.setRedirectUri(redirect); clientSession.setUserSession(userSession); return clientSession; }
/** * Clear any user login failures for the user * * <p>This can release temporary disabled user * * @param username */ @Path("brute-force/usernames/{username}") @DELETE public void clearBruteForceForUser(@PathParam("username") String username) { auth.requireManage(); UsernameLoginFailureModel model = session.sessions().getUserLoginFailure(realm, username.toLowerCase()); if (model != null) { session.sessions().removeUserLoginFailure(realm, username); adminEvent.operation(OperationType.DELETE).resourcePath(uriInfo).success(); } }
@Path("email-verification") @GET public Response emailVerification( @QueryParam("code") String code, @QueryParam("key") String key) { event.event(EventType.VERIFY_EMAIL); if (key != null) { Checks checks = new Checks(); if (!checks.verifyCode(key, ClientSessionModel.Action.VERIFY_EMAIL.name())) { return checks.response; } ClientSessionCode accessCode = checks.clientCode; ClientSessionModel clientSession = accessCode.getClientSession(); UserSessionModel userSession = clientSession.getUserSession(); UserModel user = userSession.getUser(); initEvent(clientSession); user.setEmailVerified(true); user.removeRequiredAction(RequiredAction.VERIFY_EMAIL); event.event(EventType.VERIFY_EMAIL).detail(Details.EMAIL, user.getEmail()).success(); String actionCookieValue = getActionCookie(); if (actionCookieValue == null || !actionCookieValue.equals(userSession.getId())) { session.sessions().removeClientSession(realm, clientSession); return session .getProvider(LoginFormsProvider.class) .setSuccess(Messages.EMAIL_VERIFIED) .createInfoPage(); } event = event.clone().removeDetail(Details.EMAIL).event(EventType.LOGIN); return AuthenticationManager.nextActionAfterAuthentication( session, userSession, clientSession, clientConnection, request, uriInfo, event); } else { Checks checks = new Checks(); if (!checks.verifyCode(code, ClientSessionModel.Action.VERIFY_EMAIL.name())) { return checks.response; } ClientSessionCode accessCode = checks.clientCode; ClientSessionModel clientSession = accessCode.getClientSession(); UserSessionModel userSession = clientSession.getUserSession(); initEvent(clientSession); createActionCookie(realm, uriInfo, clientConnection, userSession.getId()); return session .getProvider(LoginFormsProvider.class) .setClientSessionCode(accessCode.getCode()) .setUser(userSession.getUser()) .createResponse(RequiredAction.VERIFY_EMAIL); } }
public void run() { final ArrayList<LoginEvent> events = new ArrayList<LoginEvent>(TRANSACTION_SIZE + 1); while (run) { try { LoginEvent take = queue.poll(2, TimeUnit.SECONDS); if (take == null) { continue; } try { events.add(take); queue.drainTo(events, TRANSACTION_SIZE); for (LoginEvent event : events) { if (event instanceof FailedLogin) { logFailure(event); } else { logSuccess(event); } } Collections.sort( events); // we sort to avoid deadlock due to ordered updates. Maybe I'm overthinking // this. KeycloakSession session = factory.createSession(); try { for (LoginEvent event : events) { if (event instanceof FailedLogin) { failure(session, event); } } session.getTransaction().commit(); } catch (Exception e) { session.getTransaction().rollback(); throw e; } finally { for (LoginEvent event : events) { if (event instanceof FailedLogin) { ((FailedLogin) event).latch.countDown(); } } events.clear(); session.close(); } } catch (Exception e) { logger.error("Failed processing event", e); } } catch (InterruptedException e) { break; } finally { shutdownLatch.countDown(); } } }
protected void updateProviderEditMode(UserFederationProvider.EditMode editMode) { KeycloakRule keycloakRule = getKeycloakRule(); KeycloakSession session = keycloakRule.startSession(); try { RealmModel realm = session.realms().getRealm("test"); UserFederationProviderModel kerberosProviderModel = realm.getUserFederationProviders().get(0); kerberosProviderModel.getConfig().put(LDAPConstants.EDIT_MODE, editMode.toString()); realm.updateUserFederationProvider(kerberosProviderModel); } finally { keycloakRule.stopSession(session, true); } }
public static UserModel addLocalUser( KeycloakSession session, RealmModel realm, String username, String email, String password) { UserModel user = session.userStorage().addUser(realm, username); user.setEmail(email); user.setEnabled(true); UserCredentialModel creds = new UserCredentialModel(); creds.setType(CredentialRepresentation.PASSWORD); creds.setValue(password); session.userCredentialManager().updateCredential(realm, user, creds); return user; }
@Override public Response sendError(ClientSessionModel clientSession, Error error) { setupResponseTypeAndMode(clientSession); String redirect = clientSession.getRedirectUri(); String state = clientSession.getNote(OIDCLoginProtocol.STATE_PARAM); OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode) .addParam(OAuth2Constants.ERROR, translateError(error)); if (state != null) redirectUri.addParam(OAuth2Constants.STATE, state); session.sessions().removeClientSession(realm, clientSession); RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); return redirectUri.build(); }
/** * Remove a social login provider from user * * @param id User id * @param provider Social login provider id */ @Path("{id}/federated-identity/{provider}") @DELETE @NoCache public void removeFederatedIdentity( final @PathParam("id") String id, final @PathParam("provider") String provider) { auth.requireManage(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } if (!session.users().removeFederatedIdentity(realm, user, provider)) { throw new NotFoundException("Link not found"); } adminEvent.operation(OperationType.DELETE).resourcePath(uriInfo).success(); }
@Override public void postInit(KeycloakSessionFactory factory) { factory.register( event -> { if (event instanceof ClientRemovedEvent) { KeycloakSession keycloakSession = ((ClientRemovedEvent) event).getKeycloakSession(); AuthorizationProvider provider = keycloakSession.getProvider(AuthorizationProvider.class); PolicyStore policyStore = provider.getStoreFactory().getPolicyStore(); ClientModel removedClient = ((ClientRemovedEvent) event).getClient(); policyStore .findByType(getId()) .forEach( policy -> { List<String> clients = new ArrayList<>(); for (String clientId : getClients(policy)) { if (!clientId.equals(removedClient.getId())) { clients.add(clientId); } } try { if (clients.isEmpty()) { policyStore .findDependentPolicies(policy.getId()) .forEach( dependentPolicy -> { dependentPolicy.removeAssociatedPolicy(policy); }); policyStore.delete(policy.getId()); } else { policy .getConfig() .put("clients", JsonSerialization.writeValueAsString(clients)); } } catch (IOException e) { throw new RuntimeException( "Error while synchronizing clients with policy [" + policy.getName() + "].", e); } }); } }); }
@Override public CredentialValidationOutput authenticate( KeycloakSession session, RealmModel realm, CredentialInput input) { List<UserFederationProviderModel> fedProviderModels = realm.getUserFederationProviders(); List<UserFederationProvider> fedProviders = new ArrayList<UserFederationProvider>(); for (UserFederationProviderModel fedProviderModel : fedProviderModels) { UserFederationProvider provider = session.users().getFederationProvider(fedProviderModel); if (input instanceof UserCredentialModel && provider != null && provider.supportsCredentialType(input.getType())) { CredentialValidationOutput output = provider.validCredentials(realm, (UserCredentialModel) input); if (output != null) return output; } } List<CredentialAuthentication> list = UserStorageManager.getStorageProviders(session, realm, CredentialAuthentication.class); for (CredentialAuthentication auth : list) { if (auth.supportsCredentialAuthenticationFor(input.getType())) { CredentialValidationOutput output = auth.authenticate(realm, input); if (output != null) return output; } } list = getCredentialProviders(realm, CredentialAuthentication.class); for (CredentialAuthentication auth : list) { if (auth.supportsCredentialAuthenticationFor(input.getType())) { CredentialValidationOutput output = auth.authenticate(realm, input); if (output != null) return output; } } return null; }
@Override public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) { if (!StorageId.isLocalStorage(user)) { String providerId = StorageId.resolveProviderId(user); UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, providerId); if (provider instanceof CredentialInputValidator) { CredentialInputValidator validator = (CredentialInputValidator) provider; if (validator.supportsCredentialType(type) && validator.isConfiguredFor(realm, user, type)) { return true; } } } else { // <deprecate> UserFederationProvider link = session.users().getFederationLink(realm, user); if (link != null) { if (link.isConfiguredFor(realm, user, type)) return true; } // </deprecate> else if (user.getFederationLink() != null) { UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, user.getFederationLink()); if (provider != null && provider instanceof CredentialInputValidator) { if (((CredentialInputValidator) provider).isConfiguredFor(realm, user, type)) return true; } } } return isConfiguredLocally(realm, user, type); }
@Override public void disableCredential(RealmModel realm, UserModel user, String credentialType) { if (!StorageId.isLocalStorage(user)) { String providerId = StorageId.resolveProviderId(user); UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, providerId); if (provider instanceof CredentialInputUpdater) { CredentialInputUpdater updater = (CredentialInputUpdater) provider; if (updater.supportsCredentialType(credentialType)) { updater.disableCredentialType(realm, user, credentialType); } } } else { UserFederationProvider link = session.users().getFederationLink(realm, user); if (link != null && link.getSupportedCredentialTypes().contains(credentialType)) { link.disableCredentialType(realm, user, credentialType); } else if (user.getFederationLink() != null) { UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, user.getFederationLink()); if (provider != null && provider instanceof CredentialInputUpdater) { ((CredentialInputUpdater) provider).disableCredentialType(realm, user, credentialType); } } } List<CredentialInputUpdater> credentialProviders = getCredentialProviders(realm, CredentialInputUpdater.class); for (CredentialInputUpdater updater : credentialProviders) { if (!updater.supportsCredentialType(credentialType)) continue; updater.disableCredentialType(realm, user, credentialType); } }
@Override public void updateCredential(RealmModel realm, UserModel user, CredentialInput input) { if (!StorageId.isLocalStorage(user)) { String providerId = StorageId.resolveProviderId(user); UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, providerId); if (provider instanceof CredentialInputUpdater) { CredentialInputUpdater updater = (CredentialInputUpdater) provider; if (updater.supportsCredentialType(input.getType())) { if (updater.updateCredential(realm, user, input)) return; } } } else { // <deprecated> UserFederationProvider link = session.users().getFederationLink(realm, user); if (link != null) { if (link.updateCredential(realm, user, input)) return; } // </deprecated> else if (user.getFederationLink() != null) { UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, user.getFederationLink()); if (provider != null && provider instanceof CredentialInputUpdater) { if (((CredentialInputUpdater) provider).updateCredential(realm, user, input)) return; } } } List<CredentialInputUpdater> credentialProviders = getCredentialProviders(realm, CredentialInputUpdater.class); for (CredentialInputUpdater updater : credentialProviders) { if (!updater.supportsCredentialType(input.getType())) continue; if (updater.updateCredential(realm, user, input)) return; } }
/** * Base path for the admin REST API for one particular realm. * * @param headers * @param name realm name (not id!) * @return */ @Path("{realm}") public RealmAdminResource getRealmAdmin( @Context final HttpHeaders headers, @PathParam("realm") final String name) { RealmManager realmManager = new RealmManager(session); RealmModel realm = realmManager.getRealmByName(name); if (realm == null) throw new NotFoundException("Realm not found."); if (!auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm()) && !auth.getRealm().equals(realm)) { throw new ForbiddenException(); } RealmAuth realmAuth; if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) { realmAuth = new RealmAuth(auth, realm.getMasterAdminClient()); } else { realmAuth = new RealmAuth( auth, realm.getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()))); } AdminEventBuilder adminEvent = new AdminEventBuilder(realm, auth, session, clientConnection); session.getContext().setRealm(realm); RealmAdminResource adminResource = new RealmAdminResource(realmAuth, realm, tokenManager, adminEvent); ResteasyProviderFactory.getInstance().injectProperties(adminResource); // resourceContext.initResource(adminResource); return adminResource; }
public static String getIDPMetadataDescriptor( UriInfo uriInfo, KeycloakSession session, RealmModel realm) throws IOException { InputStream is = SamlService.class.getResourceAsStream("/idp-metadata-template.xml"); String template = StreamUtil.readString(is); template = template.replace( "${idp.entityID}", RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString()); template = template.replace( "${idp.sso.HTTP-POST}", RealmsResource.protocolUrl(uriInfo) .build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL) .toString()); template = template.replace( "${idp.sso.HTTP-Redirect}", RealmsResource.protocolUrl(uriInfo) .build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL) .toString()); template = template.replace( "${idp.sls.HTTP-POST}", RealmsResource.protocolUrl(uriInfo) .build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL) .toString()); template = template.replace( "${idp.signing.certificate}", PemUtils.encodeCertificate(session.keys().getActiveKey(realm).getCertificate())); return template; }
@DELETE @Path("{id}/groups/{groupId}") @NoCache public void removeMembership(@PathParam("id") String id, @PathParam("groupId") String groupId) { auth.requireManage(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } GroupModel group = session.realms().getGroupById(groupId, realm); if (group == null) { throw new NotFoundException("Group not found"); } if (user.isMemberOf(group)) user.leaveGroup(group); }
/** * Remove all user sessions associated with the user * * <p>Also send notification to all clients that have an admin URL to invalidate the sessions for * the particular user. * * @param id User id */ @Path("{id}/logout") @POST public void logout(final @PathParam("id") String id) { auth.requireManage(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } List<UserSessionModel> userSessions = session.sessions().getUserSessions(realm, user); for (UserSessionModel userSession : userSessions) { AuthenticationManager.backchannelLogout( session, realm, userSession, uriInfo, clientConnection, headers, true); } adminEvent.operation(OperationType.ACTION).resourcePath(uriInfo).success(); }