Search in sources :

Example 1 with RequestAuthenticator

use of org.keycloak.adapters.RequestAuthenticator in project keycloak by keycloak.

the class UndertowAuthenticationMechanism method authenticate.

@Override
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
    UndertowHttpFacade facade = createFacade(exchange);
    KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (!deployment.isConfigured()) {
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    nodesRegistrationManagement.tryRegister(deployment);
    AdapterTokenStore tokenStore = getTokenStore(exchange, facade, deployment, securityContext);
    RequestAuthenticator authenticator = new UndertowRequestAuthenticator(facade, deployment, confidentialPort, securityContext, exchange, tokenStore);
    return keycloakAuthenticate(exchange, securityContext, authenticator);
}
Also used : RequestAuthenticator(org.keycloak.adapters.RequestAuthenticator) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) AdapterTokenStore(org.keycloak.adapters.AdapterTokenStore)

Example 2 with RequestAuthenticator

use of org.keycloak.adapters.RequestAuthenticator in project keycloak by keycloak.

the class KeycloakAuthenticationProcessingFilter method attemptAuthentication.

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
    log.debug("Attempting Keycloak authentication");
    HttpFacade facade = new SimpleHttpFacade(request, response);
    KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade);
    // using Spring authenticationFailureHandler
    deployment.setDelegateBearerErrorResponseSending(true);
    AdapterTokenStore tokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, request, response);
    RequestAuthenticator authenticator = requestAuthenticatorFactory.createRequestAuthenticator(facade, request, deployment, tokenStore, -1);
    AuthOutcome result = authenticator.authenticate();
    log.debug("Auth outcome: {}", result);
    if (AuthOutcome.FAILED.equals(result)) {
        AuthChallenge challenge = authenticator.getChallenge();
        if (challenge != null) {
            challenge.challenge(facade);
        }
        throw new KeycloakAuthenticationException("Invalid authorization header, see WWW-Authenticate header for details");
    }
    if (AuthOutcome.NOT_ATTEMPTED.equals(result)) {
        AuthChallenge challenge = authenticator.getChallenge();
        if (challenge != null) {
            challenge.challenge(facade);
        }
        if (deployment.isBearerOnly()) {
            // no redirection in this mode, throwing exception for the spring handler
            throw new KeycloakAuthenticationException("Authorization header not found,  see WWW-Authenticate header");
        } else {
            // let continue if challenged, it may redirect
            return null;
        }
    } else if (AuthOutcome.AUTHENTICATED.equals(result)) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Assert.notNull(authentication, "Authentication SecurityContextHolder was null");
        return authenticationManager.authenticate(authentication);
    } else {
        AuthChallenge challenge = authenticator.getChallenge();
        if (challenge != null) {
            challenge.challenge(facade);
        }
        return null;
    }
}
Also used : AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) RequestAuthenticator(org.keycloak.adapters.RequestAuthenticator) SimpleHttpFacade(org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade) HttpFacade(org.keycloak.adapters.spi.HttpFacade) Authentication(org.springframework.security.core.Authentication) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) SimpleHttpFacade(org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) KeycloakAuthenticationException(org.keycloak.adapters.springsecurity.KeycloakAuthenticationException) AdapterTokenStore(org.keycloak.adapters.AdapterTokenStore)

Example 3 with RequestAuthenticator

use of org.keycloak.adapters.RequestAuthenticator in project keycloak by keycloak.

the class UndertowKeycloakConsumer method handleRequest.

@Override
public void handleRequest(HttpServerExchange httpExchange) throws Exception {
    if (shouldSkip(httpExchange.getRequestPath())) {
        super.handleRequest(httpExchange);
        return;
    }
    // perform only non-blocking operation on exchange
    if (httpExchange.isInIoThread()) {
        httpExchange.dispatch(this);
        return;
    }
    OIDCUndertowHttpFacade facade = new OIDCUndertowHttpFacade(httpExchange);
    KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
        LOG.fine("deployment not configured");
        return;
    }
    LOG.fine("executing PreAuthActionsHandler");
    SessionManagementBridge bridge = new SessionManagementBridge(userSessionManagement, sessionManager);
    PreAuthActionsHandler preAuth = new PreAuthActionsHandler(bridge, deploymentContext, facade);
    if (preAuth.handleRequest())
        return;
    SecurityContext securityContext = httpExchange.getSecurityContext();
    if (securityContext == null) {
        securityContext = new SecurityContextImpl(httpExchange, IDENTITY_MANAGER);
    }
    AdapterTokenStore tokenStore = getTokenStore(httpExchange, facade, deployment, securityContext);
    tokenStore.checkCurrentToken();
    LOG.fine("executing AuthenticatedActionsHandler");
    RequestAuthenticator authenticator = new UndertowRequestAuthenticator(facade, deployment, confidentialPort, securityContext, httpExchange, tokenStore);
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        LOG.fine("AUTHENTICATED");
        if (httpExchange.isResponseComplete()) {
            return;
        }
        AuthenticatedActionsHandler actions = new AuthenticatedActionsHandler(deployment, facade);
        if (actions.handledRequest()) {
            return;
        } else {
            final Account authenticatedAccount = securityContext.getAuthenticatedAccount();
            if (authenticatedAccount instanceof KeycloakUndertowAccount) {
                final KeycloakUndertowAccount kua = (KeycloakUndertowAccount) authenticatedAccount;
                httpExchange.putAttachment(KEYCLOAK_PRINCIPAL_KEY, (KeycloakPrincipal) kua.getPrincipal());
            }
            Set<String> roles = authenticatedAccount.getRoles();
            if (roles == null) {
                roles = Collections.EMPTY_SET;
            }
            LOG.log(Level.FINE, "Allowed roles: {0}, current roles: {1}", new Object[] { allowedRoles, roles });
            if (isRoleAllowed(roles, httpExchange)) {
                super.handleRequest(httpExchange);
            } else {
                httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
            }
            return;
        }
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        LOG.fine("challenge");
        challenge.challenge(facade);
        return;
    }
    httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
}
Also used : AuthenticatedActionsHandler(org.keycloak.adapters.AuthenticatedActionsHandler) Account(io.undertow.security.idm.Account) KeycloakUndertowAccount(org.keycloak.adapters.undertow.KeycloakUndertowAccount) SecurityContextImpl(io.undertow.security.impl.SecurityContextImpl) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) UndertowRequestAuthenticator(org.keycloak.adapters.undertow.UndertowRequestAuthenticator) RequestAuthenticator(org.keycloak.adapters.RequestAuthenticator) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) PreAuthActionsHandler(org.keycloak.adapters.PreAuthActionsHandler) KeycloakUndertowAccount(org.keycloak.adapters.undertow.KeycloakUndertowAccount) OIDCUndertowHttpFacade(org.keycloak.adapters.undertow.OIDCUndertowHttpFacade) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) SecurityContext(io.undertow.security.api.SecurityContext) SessionManagementBridge(org.keycloak.adapters.undertow.SessionManagementBridge) UndertowRequestAuthenticator(org.keycloak.adapters.undertow.UndertowRequestAuthenticator) AdapterTokenStore(org.keycloak.adapters.AdapterTokenStore)

Example 4 with RequestAuthenticator

use of org.keycloak.adapters.RequestAuthenticator in project keycloak by keycloak.

the class ServletKeycloakAuthMech method authenticate.

@Override
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
    UndertowHttpFacade facade = createFacade(exchange);
    KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (!deployment.isConfigured()) {
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    nodesRegistrationManagement.tryRegister(deployment);
    RequestAuthenticator authenticator = createRequestAuthenticator(deployment, exchange, securityContext, facade);
    return keycloakAuthenticate(exchange, securityContext, authenticator);
}
Also used : RequestAuthenticator(org.keycloak.adapters.RequestAuthenticator) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment)

Example 5 with RequestAuthenticator

use of org.keycloak.adapters.RequestAuthenticator in project keycloak by keycloak.

the class KeycloakHttpServerAuthenticationMechanism method evaluateRequest.

@Override
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
    LOGGER.debugf("Evaluating request for path [%s]", request.getRequestURI());
    AdapterDeploymentContext deploymentContext = getDeploymentContext(request);
    if (deploymentContext == null) {
        LOGGER.debugf("Ignoring request for path [%s] from mechanism [%s]. No deployment context found.", request.getRequestURI(), getMechanismName());
        request.noAuthenticationInProgress();
        return;
    }
    ElytronHttpFacade httpFacade = new ElytronHttpFacade(request, deploymentContext, callbackHandler);
    KeycloakDeployment deployment = httpFacade.getDeployment();
    if (!deployment.isConfigured()) {
        request.noAuthenticationInProgress();
        return;
    }
    RequestAuthenticator authenticator = createRequestAuthenticator(request, httpFacade, deployment);
    httpFacade.getTokenStore().checkCurrentToken();
    if (preActions(httpFacade, deploymentContext)) {
        LOGGER.debugf("Pre-actions has aborted the evaluation of [%s]", request.getRequestURI());
        httpFacade.authenticationInProgress();
        return;
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (AuthOutcome.AUTHENTICATED.equals(outcome)) {
        if (new AuthenticatedActionsHandler(deployment, httpFacade).handledRequest()) {
            httpFacade.authenticationInProgress();
        } else {
            httpFacade.authenticationComplete();
        }
        return;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        httpFacade.noAuthenticationInProgress(challenge);
        return;
    }
    if (AuthOutcome.FAILED.equals(outcome)) {
        httpFacade.getResponse().setStatus(403);
        httpFacade.authenticationFailed();
        return;
    }
    httpFacade.noAuthenticationInProgress();
}
Also used : AuthenticatedActionsHandler(org.keycloak.adapters.AuthenticatedActionsHandler) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) RequestAuthenticator(org.keycloak.adapters.RequestAuthenticator) AdapterDeploymentContext(org.keycloak.adapters.AdapterDeploymentContext) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)

Aggregations

KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment)5 RequestAuthenticator (org.keycloak.adapters.RequestAuthenticator)5 AdapterTokenStore (org.keycloak.adapters.AdapterTokenStore)3 AuthChallenge (org.keycloak.adapters.spi.AuthChallenge)3 AuthOutcome (org.keycloak.adapters.spi.AuthOutcome)3 AuthenticatedActionsHandler (org.keycloak.adapters.AuthenticatedActionsHandler)2 SecurityContext (io.undertow.security.api.SecurityContext)1 Account (io.undertow.security.idm.Account)1 SecurityContextImpl (io.undertow.security.impl.SecurityContextImpl)1 AdapterDeploymentContext (org.keycloak.adapters.AdapterDeploymentContext)1 PreAuthActionsHandler (org.keycloak.adapters.PreAuthActionsHandler)1 HttpFacade (org.keycloak.adapters.spi.HttpFacade)1 KeycloakAuthenticationException (org.keycloak.adapters.springsecurity.KeycloakAuthenticationException)1 SimpleHttpFacade (org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade)1 KeycloakUndertowAccount (org.keycloak.adapters.undertow.KeycloakUndertowAccount)1 OIDCUndertowHttpFacade (org.keycloak.adapters.undertow.OIDCUndertowHttpFacade)1 SessionManagementBridge (org.keycloak.adapters.undertow.SessionManagementBridge)1 UndertowRequestAuthenticator (org.keycloak.adapters.undertow.UndertowRequestAuthenticator)1 Authentication (org.springframework.security.core.Authentication)1