@Path("federated-identity-update")
@GET
public Response processFederatedIdentityUpdate(
@QueryParam("action") String action,
@QueryParam("provider_id") String providerId,
@QueryParam("stateChecker") String stateChecker) {
if (auth == null) {
return login("identity");
}
require(AccountRoles.MANAGE_ACCOUNT);
csrfCheck(stateChecker);
UserModel user = auth.getUser();
if (Validation.isEmpty(providerId)) {
setReferrerOnPage();
return account
.setError(Messages.MISSING_IDENTITY_PROVIDER)
.createResponse(AccountPages.FEDERATED_IDENTITY);
}
AccountSocialAction accountSocialAction = AccountSocialAction.getAction(action);
if (accountSocialAction == null) {
setReferrerOnPage();
return account
.setError(Messages.INVALID_FEDERATED_IDENTITY_ACTION)
.createResponse(AccountPages.FEDERATED_IDENTITY);
}
boolean hasProvider = false;
for (IdentityProviderModel model : realm.getIdentityProviders()) {
if (model.getAlias().equals(providerId)) {
hasProvider = true;
}
}
if (!hasProvider) {
setReferrerOnPage();
return account
.setError(Messages.IDENTITY_PROVIDER_NOT_FOUND)
.createResponse(AccountPages.FEDERATED_IDENTITY);
}
if (!user.isEnabled()) {
setReferrerOnPage();
return account
.setError(Messages.ACCOUNT_DISABLED)
.createResponse(AccountPages.FEDERATED_IDENTITY);
}
switch (accountSocialAction) {
case ADD:
String redirectUri =
UriBuilder.fromUri(
Urls.accountFederatedIdentityPage(uriInfo.getBaseUri(), realm.getName()))
.build()
.toString();
try {
ClientSessionModel clientSession = auth.getClientSession();
ClientSessionCode clientSessionCode = new ClientSessionCode(realm, clientSession);
clientSessionCode.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
clientSession.setRedirectUri(redirectUri);
clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString());
return Response.temporaryRedirect(
Urls.identityProviderAuthnRequest(
this.uriInfo.getBaseUri(),
providerId,
realm.getName(),
clientSessionCode.getCode()))
.build();
} catch (Exception spe) {
setReferrerOnPage();
return account
.setError(Messages.IDENTITY_PROVIDER_REDIRECT_ERROR)
.createResponse(AccountPages.FEDERATED_IDENTITY);
}
case REMOVE:
FederatedIdentityModel link = session.users().getFederatedIdentity(user, providerId, realm);
if (link != null) {
// Removing last social provider is not possible if you don't have other possibility to
// authenticate
if (session.users().getFederatedIdentities(user, realm).size() > 1
|| user.getFederationLink() != null
|| isPasswordSet(user)) {
session.users().removeFederatedIdentity(realm, user, providerId);
logger.debugv(
"Social provider {0} removed successfully from user {1}",
providerId, user.getUsername());
event
.event(EventType.REMOVE_FEDERATED_IDENTITY)
.client(auth.getClient())
.user(auth.getUser())
.detail(Details.USERNAME, link.getUserId() + "@" + link.getIdentityProvider())
.success();
setReferrerOnPage();
return account
.setSuccess(Messages.IDENTITY_PROVIDER_REMOVED)
.createResponse(AccountPages.FEDERATED_IDENTITY);
} else {
setReferrerOnPage();
return account
.setError(Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER)
.createResponse(AccountPages.FEDERATED_IDENTITY);
}
} else {
setReferrerOnPage();
return account
.setError(Messages.FEDERATED_IDENTITY_NOT_ACTIVE)
.createResponse(AccountPages.FEDERATED_IDENTITY);
}
default:
throw new IllegalArgumentException();
}
}
/**
* Update account password
*
* <p>Form params:
*
* <p>password - old password password-new pasword-confirm
*
* @param formData
* @return
*/
@Path("password")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response processPasswordUpdate(final MultivaluedMap<String, String> formData) {
if (auth == null) {
return login("password");
}
require(AccountRoles.MANAGE_ACCOUNT);
String action = formData.getFirst("submitAction");
if (action != null && action.equals("Cancel")) {
setReferrerOnPage();
return account.createResponse(AccountPages.PASSWORD);
}
csrfCheck(formData);
UserModel user = auth.getUser();
boolean requireCurrent = isPasswordSet(user);
account.setPasswordSet(requireCurrent);
String password = formData.getFirst("password");
String passwordNew = formData.getFirst("password-new");
String passwordConfirm = formData.getFirst("password-confirm");
if (requireCurrent) {
if (Validation.isBlank(password)) {
setReferrerOnPage();
return account.setError(Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
}
UserCredentialModel cred = UserCredentialModel.password(password);
if (!session.users().validCredentials(realm, user, cred)) {
setReferrerOnPage();
return account
.setError(Messages.INVALID_PASSWORD_EXISTING)
.createResponse(AccountPages.PASSWORD);
}
}
if (Validation.isEmpty(passwordNew)) {
setReferrerOnPage();
return account.setError(Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
}
if (!passwordNew.equals(passwordConfirm)) {
setReferrerOnPage();
return account
.setError(Messages.INVALID_PASSWORD_CONFIRM)
.createResponse(AccountPages.PASSWORD);
}
try {
session.users().updateCredential(realm, user, UserCredentialModel.password(passwordNew));
} catch (ModelReadOnlyException mre) {
setReferrerOnPage();
return account.setError(Messages.READ_ONLY_PASSWORD).createResponse(AccountPages.PASSWORD);
} catch (ModelException me) {
logger.error("Failed to update password", me);
setReferrerOnPage();
return account
.setError(me.getMessage(), me.getParameters())
.createResponse(AccountPages.PASSWORD);
} catch (Exception ape) {
logger.error("Failed to update password", ape);
setReferrerOnPage();
return account.setError(ape.getMessage()).createResponse(AccountPages.PASSWORD);
}
List<UserSessionModel> sessions = session.sessions().getUserSessions(realm, user);
for (UserSessionModel s : sessions) {
if (!s.getId().equals(auth.getSession().getId())) {
AuthenticationManager.backchannelLogout(
session, realm, s, uriInfo, clientConnection, headers, true);
}
}
event.event(EventType.UPDATE_PASSWORD).client(auth.getClient()).user(auth.getUser()).success();
setReferrerOnPage();
return account
.setPasswordSet(true)
.setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED)
.createResponse(AccountPages.PASSWORD);
}