Java Code Examples for org.keycloak.models.RealmModel#getSsoSessionMaxLifespan()
The following examples show how to use
org.keycloak.models.RealmModel#getSsoSessionMaxLifespan() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: SessionTimeoutValidationTest.java From keycloak with Apache License 2.0 | 6 votes |
|
@Test
@ModelTest
public void testIsSessionValid(KeycloakSession session) {
// KEYCLOAK-9833 Large SSO Session Idle/SSO Session Max causes login failure
RealmModel realm = session.realms().getRealmByName("test");
int ssoSessionIdleTimeoutOrig = realm.getSsoSessionIdleTimeout();
int ssoSessionMaxLifespanOrig = realm.getSsoSessionMaxLifespan();
UserSessionModel userSessionModel =
session.sessions().createUserSession(
realm,
session.users().getUserByUsername("user1", realm),
"user1", "127.0.0.1", "form", true, null, null
);
realm.setSsoSessionIdleTimeout(Integer.MAX_VALUE);
Assert.assertTrue("Session validataion with large SsoSessionIdleTimeout failed",
AuthenticationManager.isSessionValid(realm, userSessionModel));
realm.setSsoSessionMaxLifespan(Integer.MAX_VALUE);
Assert.assertTrue("Session validataion with large SsoSessionMaxLifespan failed",
AuthenticationManager.isSessionValid(realm, userSessionModel));
realm.setSsoSessionIdleTimeout(ssoSessionIdleTimeoutOrig);
realm.setSsoSessionMaxLifespan(ssoSessionMaxLifespanOrig);
}
Example 2
| Source File: AuthenticationManager.java From keycloak with Apache License 2.0 | 6 votes |
|
public static boolean isSessionValid(RealmModel realm, UserSessionModel userSession) {
if (userSession == null) {
logger.debug("No user session");
return false;
}
int currentTime = Time.currentTime();
// Additional time window is added for the case when session was updated in different DC and the update to current DC was postponed
int maxIdle = userSession.isRememberMe() && realm.getSsoSessionIdleTimeoutRememberMe() > 0 ?
realm.getSsoSessionIdleTimeoutRememberMe() : realm.getSsoSessionIdleTimeout();
int maxLifespan = userSession.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0 ?
realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan();
boolean sessionIdleOk = maxIdle > currentTime - userSession.getLastSessionRefresh() - SessionTimeoutHelper.IDLE_TIMEOUT_WINDOW_SECONDS;
boolean sessionMaxOk = maxLifespan > currentTime - userSession.getStarted();
return sessionIdleOk && sessionMaxOk;
}
Example 3
| Source File: AuthenticationManager.java From keycloak with Apache License 2.0 | 6 votes |
|
public static void createLoginCookie(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, UriInfo uriInfo, ClientConnection connection) {
String cookiePath = getIdentityCookiePath(realm, uriInfo);
String issuer = Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName());
IdentityCookieToken identityCookieToken = createIdentityToken(keycloakSession, realm, user, session, issuer);
String encoded = keycloakSession.tokens().encode(identityCookieToken);
boolean secureOnly = realm.getSslRequired().isRequired(connection);
int maxAge = NewCookie.DEFAULT_MAX_AGE;
if (session != null && session.isRememberMe()) {
maxAge = realm.getSsoSessionMaxLifespanRememberMe() > 0 ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan();
}
logger.debugv("Create login cookie - name: {0}, path: {1}, max-age: {2}", KEYCLOAK_IDENTITY_COOKIE, cookiePath, maxAge);
CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encoded, cookiePath, null, null, maxAge, secureOnly, true, SameSiteAttributeValue.NONE);
//builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
String sessionCookieValue = realm.getName() + "/" + user.getId();
if (session != null) {
sessionCookieValue += "/" + session.getId();
}
// THIS SHOULD NOT BE A HTTPONLY COOKIE! It is used for OpenID Connect Iframe Session support!
// Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
int sessionCookieMaxAge = session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0 ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan();
CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, sessionCookieMaxAge, secureOnly, false, SameSiteAttributeValue.NONE);
P3PHelper.addP3PHeader();
}
Example 4
| Source File: AuthenticationManager.java From keycloak with Apache License 2.0 | 5 votes |
|
public static IdentityCookieToken createIdentityToken(KeycloakSession keycloakSession, RealmModel realm, UserModel user, UserSessionModel session, String issuer) {
IdentityCookieToken token = new IdentityCookieToken();
token.id(KeycloakModelUtils.generateId());
token.issuedNow();
token.subject(user.getId());
token.issuer(issuer);
token.type(TokenUtil.TOKEN_TYPE_KEYCLOAK_ID);
if (session != null) {
token.setSessionState(session.getId());
}
if (session != null && session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0) {
token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespanRememberMe());
} else if (realm.getSsoSessionMaxLifespan() > 0) {
token.expiration(Time.currentTime() + realm.getSsoSessionMaxLifespan());
}
String stateChecker = (String) keycloakSession.getAttribute("state_checker");
if (stateChecker == null) {
stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
keycloakSession.setAttribute("state_checker", stateChecker);
}
token.getOtherClaims().put("state_checker", stateChecker);
return token;
}
