예제 #1
0
  public ApplicationsBean(KeycloakSession session, RealmModel realm, UserModel user) {

    Set<ClientModel> offlineClients =
        new UserSessionManager(session).findClientsWithOfflineToken(realm, user);

    List<ClientModel> realmClients = realm.getClients();
    for (ClientModel client : realmClients) {
      // Don't show bearerOnly clients
      if (client.isBearerOnly()) {
        continue;
      }

      Set<RoleModel> availableRoles = TokenManager.getAccess(null, false, client, user);
      // Don't show applications, which user doesn't have access into (any available roles)
      if (availableRoles.isEmpty()) {
        continue;
      }
      List<RoleModel> realmRolesAvailable = new LinkedList<RoleModel>();
      MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable =
          new MultivaluedHashMap<String, ClientRoleEntry>();
      processRoles(availableRoles, realmRolesAvailable, resourceRolesAvailable);

      List<RoleModel> realmRolesGranted = new LinkedList<RoleModel>();
      MultivaluedHashMap<String, ClientRoleEntry> resourceRolesGranted =
          new MultivaluedHashMap<String, ClientRoleEntry>();
      List<String> claimsGranted = new LinkedList<String>();
      if (client.isConsentRequired()) {
        UserConsentModel consent = user.getConsentByClient(client.getId());

        if (consent != null) {
          processRoles(consent.getGrantedRoles(), realmRolesGranted, resourceRolesGranted);

          for (ProtocolMapperModel protocolMapper : consent.getGrantedProtocolMappers()) {
            claimsGranted.add(protocolMapper.getConsentText());
          }
        }
      }

      List<String> additionalGrants = new ArrayList<>();
      if (offlineClients.contains(client)) {
        additionalGrants.add("${offlineToken}");
      }

      ApplicationEntry appEntry =
          new ApplicationEntry(
              realmRolesAvailable,
              resourceRolesAvailable,
              realmRolesGranted,
              resourceRolesGranted,
              client,
              claimsGranted,
              additionalGrants);
      applications.add(appEntry);
    }
  }
예제 #2
0
  /**
   * OAuth grant page. You should not invoked this directly!
   *
   * @param formData
   * @return
   */
  @Path("consent")
  @POST
  @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
  public Response processConsent(final MultivaluedMap<String, String> formData) {
    event.event(EventType.LOGIN).detail(Details.RESPONSE_TYPE, "code");

    if (!checkSsl()) {
      return ErrorPage.error(session, Messages.HTTPS_REQUIRED);
    }

    String code = formData.getFirst("code");

    ClientSessionCode accessCode = ClientSessionCode.parse(code, session, realm);
    if (accessCode == null || !accessCode.isValid(ClientSessionModel.Action.OAUTH_GRANT.name())) {
      event.error(Errors.INVALID_CODE);
      return ErrorPage.error(session, Messages.INVALID_ACCESS_CODE);
    }
    ClientSessionModel clientSession = accessCode.getClientSession();
    event.detail(Details.CODE_ID, clientSession.getId());

    String redirect = clientSession.getRedirectUri();
    UserSessionModel userSession = clientSession.getUserSession();
    UserModel user = userSession.getUser();
    ClientModel client = clientSession.getClient();

    event
        .client(client)
        .user(user)
        .detail(Details.RESPONSE_TYPE, "code")
        .detail(Details.REDIRECT_URI, redirect);

    event.detail(Details.AUTH_METHOD, userSession.getAuthMethod());
    event.detail(Details.USERNAME, userSession.getLoginUsername());
    if (userSession.isRememberMe()) {
      event.detail(Details.REMEMBER_ME, "true");
    }

    if (!AuthenticationManager.isSessionValid(realm, userSession)) {
      AuthenticationManager.backchannelLogout(
          session, realm, userSession, uriInfo, clientConnection, headers, true);
      event.error(Errors.INVALID_CODE);
      return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE);
    }
    event.session(userSession);

    if (formData.containsKey("cancel")) {
      LoginProtocol protocol =
          session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
      protocol.setRealm(realm).setHttpHeaders(headers).setUriInfo(uriInfo);
      event.error(Errors.REJECTED_BY_USER);
      return protocol.consentDenied(clientSession);
    }

    UserConsentModel grantedConsent = user.getConsentByClient(client.getId());
    if (grantedConsent == null) {
      grantedConsent = new UserConsentModel(client);
      user.addConsent(grantedConsent);
    }
    for (RoleModel role : accessCode.getRequestedRoles()) {
      grantedConsent.addGrantedRole(role);
    }
    for (ProtocolMapperModel protocolMapper : accessCode.getRequestedProtocolMappers()) {
      if (protocolMapper.isConsentRequired() && protocolMapper.getConsentText() != null) {
        grantedConsent.addGrantedProtocolMapper(protocolMapper);
      }
    }
    user.updateConsent(grantedConsent);

    event.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED);
    event.success();

    return authManager.redirectAfterSuccessfulFlow(
        session, realm, userSession, clientSession, request, uriInfo, clientConnection);
  }