members:
- login: tiangolo
  avatar_url: https://avatars.githubusercontent.com/u/1326112
  url: https://github.com/tiangolo
- login: Kludex
  avatar_url: https://avatars.githubusercontent.com/u/7353520
  url: https://github.com/Kludex
- login: alejsdev
  avatar_url: https://avatars.githubusercontent.com/u/90076947
  url: https://github.com/alejsdev
- login: svlandeg
  avatar_url: https://avatars.githubusercontent.com/u/8796347

import org.lastaflute.web.UrlChain;
import org.lastaflute.web.login.credential.LoginCredential;
import org.lastaflute.web.login.exception.LoginFailureException;
import org.lastaflute.web.response.ActionResponse;
import org.lastaflute.web.response.HtmlResponse;

/**
 * SSO (Single Sign-On) action controller.
 *
 * This action handles SSO authentication flows including login, logout, and metadata

     * When enabled, similar search results are grouped together.
     */
    @Size(max = 10)
    public String resultCollapsed;

    /**
     * Enable or disable display of login link in the search interface.
     * When enabled, a login link is shown to unauthenticated users.
     */
    @Size(max = 10)
    public String loginLink;

    /**
     * Enable or disable thumbnail generation for documents.

 * OAuth, SPNEGO, or other authentication mechanisms. Each authenticator is responsible
 * for obtaining login credentials, resolving user information, and managing SSO
 * lifecycle operations like logout and metadata exchange.
 */
public interface SsoAuthenticator {

    /**
     * Gets the login credential for SSO authentication.
     * @return The login credential.
     */
    LoginCredential getLoginCredential();

    /**

### Redirection from OpenID Provider

        activityHelper.useEcsFormat = false;
        activityHelper.login(OptionalThing.empty());
        assertEquals("action:LOGIN\tuser:-\tpermissions:-", localLogMsg.get());

        activityHelper.login(createUser("testuser", new String[0]));
        assertEquals("action:LOGIN\tuser:testuser\tpermissions:-", localLogMsg.get());

        activityHelper.login(createUser("testuser", new String[] { "111", "222" }));

    /**
     * Creates KerberosCredentials using the specified JAAS login context.
     *
     * @param loginContextName the name of the JAAS login context
     * @throws LoginException if authentication fails
     */
    public KerberosCredentials(String loginContextName) throws LoginException {
        LoginContext lc = new LoginContext(loginContextName);
        lc.login();
        this.subject = lc.getSubject();
    }

    /**

    for query in \
      "IF DB_ID('gorm') IS NULL CREATE DATABASE gorm" \
      "IF SUSER_ID (N'gorm') IS NULL CREATE LOGIN gorm WITH PASSWORD = 'LoremIpsum86';" \
      "IF USER_ID (N'gorm') IS NULL CREATE USER gorm FROM LOGIN gorm; ALTER SERVER ROLE sysadmin ADD MEMBER [gorm];"
    do
      SQLCMDPASSWORD=LoremIpsum86 sqlcmd -U sa -S localhost:9930 -Q "$query" > /dev/null || true
    done
  else

Ela é apenas uma extensão do OAuth2 especificando algumas coisas que são relativamente ambíguas no OAuth2, para tentar torná-lo mais interoperável.

Por exemplo, o login do Google usa OpenID Connect (que por baixo dos panos usa OAuth2).

Mas o login do Facebook não tem suporte para OpenID Connect. Ele tem a própria implementação do OAuth2.

### OpenID (não "OpenID Connect")

     */
    public SsoLoginException(final String message) {
        super(message);
    }

    /**
     * Constructs a new SsoLoginException with the specified detail message and cause.
     *
     * @param message The detail message explaining the SSO login failure
     * @param e The underlying exception that caused this SSO login failure
     */