
Example 6 with AuthChallenge

use of org.keycloak.adapters.spi.AuthChallenge in project keycloak by keycloak.

In class JaxrsBearerTokenFilterImpl, method bearerAuthentication.

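/**
 * Authenticates the request with a bearer token, falling back to HTTP Basic when the
 * deployment enables it and no bearer token was attempted at all.
 *
 * <p>When the outcome is {@code FAILED} or {@code NOT_ATTEMPTED} the authenticator's
 * challenge is written to the facade (a plain 401 if no challenge could be sent) and the
 * response is ended. Otherwise the SSL requirement is verified, the security context is
 * propagated and post-authentication actions run.
 *
 * @param facade             adapter view of the current JAX-RS request/response
 * @param request            the JAX-RS request context the security context is attached to
 * @param resolvedDeployment the Keycloak deployment resolved for this request
 */
protected void bearerAuthentication(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment) {
    BearerTokenRequestAuthenticator authenticator = new BearerTokenRequestAuthenticator(resolvedDeployment);
    AuthOutcome outcome = authenticator.authenticate(facade);
    // Basic auth is only tried when no bearer token was presented at all; a presented but
    // rejected bearer token (FAILED) is not retried with another scheme.
    if (outcome == AuthOutcome.NOT_ATTEMPTED && resolvedDeployment.isEnableBasicAuth()) {
        authenticator = new BasicAuthRequestAuthenticator(resolvedDeployment);
        outcome = authenticator.authenticate(facade);
    }
    if (outcome == AuthOutcome.FAILED || outcome == AuthOutcome.NOT_ATTEMPTED) {
        log.fine("Authentication outcome: " + outcome);
        AuthChallenge challenge = authenticator.getChallenge();
        // A null challenge would previously have been dereferenced; treat it like an unsent
        // challenge and answer with a plain 401, in line with the null-guarded handling in
        // the other adapters.
        boolean challengeSent = challenge != null && challenge.challenge(facade);
        if (!challengeSent) {
            // Use some default status code
            facade.getResponse().setStatus(Response.Status.UNAUTHORIZED.getStatusCode());
        }
        // Send response now (if not already sent)
        if (!facade.isResponseFinished()) {
            facade.getResponse().end();
        }
        return;
    }
    if (verifySslFailed(facade, resolvedDeployment)) {
        return;
    }
    propagateSecurityContext(facade, request, resolvedDeployment, authenticator);
    handleAuthActions(facade, resolvedDeployment);
}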
Also used : BearerTokenRequestAuthenticator(org.keycloak.adapters.BearerTokenRequestAuthenticator) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) BasicAuthRequestAuthenticator(org.keycloak.adapters.BasicAuthRequestAuthenticator)

Example 7 with AuthChallenge

use of org.keycloak.adapters.spi.AuthChallenge in project keycloak by keycloak.

In class UndertowKeycloakConsumer, method handleRequest.

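/**
 * Authenticates the exchange against the resolved Keycloak deployment and enforces the
 * configured role check before passing the request down the handler chain.
 *
 * <p>In order of evaluation: skipped paths go straight to {@code super.handleRequest}; an
 * unresolved or unconfigured deployment is answered with 403; the pre-auth actions, the
 * authenticator's challenge and the authenticated-actions handler may each fully handle the
 * request, in which case nothing else runs; an authenticated request continues only when
 * {@code isRoleAllowed} accepts its roles and is otherwise answered with 403.
 *
 * @param httpExchange the current Undertow exchange
 * @throws Exception propagated from the token store or the downstream handler
 */
@Override
public void handleRequest(HttpServerExchange httpExchange) throws Exception {
    if (shouldSkip(httpExchange.getRequestPath())) {
        super.handleRequest(httpExchange);
        return;
    }
    // perform only non-blocking operation on exchange: re-dispatch to a worker thread first
    if (httpExchange.isInIoThread()) {
        httpExchange.dispatch(this);
        return;
    }
    OIDCUndertowHttpFacade facade = new OIDCUndertowHttpFacade(httpExchange);
    KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        // fail closed: nothing can be authenticated without a usable deployment
        httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
        LOG.fine("deployment not configured");
        return;
    }
    LOG.fine("executing PreAuthActionsHandler");
    SessionManagementBridge bridge = new SessionManagementBridge(userSessionManagement, sessionManager);
    PreAuthActionsHandler preAuth = new PreAuthActionsHandler(bridge, deploymentContext, facade);
    if (preAuth.handleRequest()) {
        return;
    }
    SecurityContext securityContext = httpExchange.getSecurityContext();
    if (securityContext == null) {
        securityContext = new SecurityContextImpl(httpExchange, IDENTITY_MANAGER);
    }
    AdapterTokenStore tokenStore = getTokenStore(httpExchange, facade, deployment, securityContext);
    tokenStore.checkCurrentToken();
    LOG.fine("executing AuthenticatedActionsHandler");
    RequestAuthenticator authenticator = new UndertowRequestAuthenticator(facade, deployment, confidentialPort, securityContext, httpExchange, tokenStore);
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome != AuthOutcome.AUTHENTICATED) {
        AuthChallenge challenge = authenticator.getChallenge();
        if (challenge != null) {
            LOG.fine("challenge");
            challenge.challenge(facade);
            return;
        }
        // nothing to challenge with: deny outright
        httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
        return;
    }
    LOG.fine("AUTHENTICATED");
    if (httpExchange.isResponseComplete()) {
        return;
    }
    AuthenticatedActionsHandler actions = new AuthenticatedActionsHandler(deployment, facade);
    if (actions.handledRequest()) {
        return;
    }
    authorizeAndContinue(httpExchange, securityContext);
}

/**
 * Exposes the Keycloak principal on the exchange and lets the request through only when
 * its roles pass {@code isRoleAllowed}; answers 403 otherwise.
 *
 * @param httpExchange    the current Undertow exchange
 * @param securityContext the security context holding the authenticated account
 * @throws Exception propagated from the downstream handler
 */
private void authorizeAndContinue(HttpServerExchange httpExchange, SecurityContext securityContext) throws Exception {
    // NOTE(review): the account is assumed non-null once the outcome is AUTHENTICATED — confirm
    final Account authenticatedAccount = securityContext.getAuthenticatedAccount();
    if (authenticatedAccount instanceof KeycloakUndertowAccount) {
        final KeycloakUndertowAccount kua = (KeycloakUndertowAccount) authenticatedAccount;
        httpExchange.putAttachment(KEYCLOAK_PRINCIPAL_KEY, (KeycloakPrincipal) kua.getPrincipal());
    }
    Set<String> roles = authenticatedAccount.getRoles();
    if (roles == null) {
        // typed empty set rather than the raw Collections.EMPTY_SET
        roles = Collections.emptySet();
    }
    LOG.log(Level.FINE, "Allowed roles: {0}, current roles: {1}", new Object[] { allowedRoles, roles });
    if (isRoleAllowed(roles, httpExchange)) {
        super.handleRequest(httpExchange);
    } else {
        httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
    }
}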
Also used : AuthenticatedActionsHandler(org.keycloak.adapters.AuthenticatedActionsHandler) Account(io.undertow.security.idm.Account) KeycloakUndertowAccount(org.keycloak.adapters.undertow.KeycloakUndertowAccount) SecurityContextImpl(io.undertow.security.impl.SecurityContextImpl) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) UndertowRequestAuthenticator(org.keycloak.adapters.undertow.UndertowRequestAuthenticator) RequestAuthenticator(org.keycloak.adapters.RequestAuthenticator) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) PreAuthActionsHandler(org.keycloak.adapters.PreAuthActionsHandler) KeycloakUndertowAccount(org.keycloak.adapters.undertow.KeycloakUndertowAccount) OIDCUndertowHttpFacade(org.keycloak.adapters.undertow.OIDCUndertowHttpFacade) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) SecurityContext(io.undertow.security.api.SecurityContext) SessionManagementBridge(org.keycloak.adapters.undertow.SessionManagementBridge) UndertowRequestAuthenticator(org.keycloak.adapters.undertow.UndertowRequestAuthenticator) AdapterTokenStore(org.keycloak.adapters.AdapterTokenStore)

Example 8 with AuthChallenge

use of org.keycloak.adapters.spi.AuthChallenge in project keycloak by keycloak.

In class AbstractKeycloakAuthenticatorValve, method authenticateInternal.

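/**
 * Runs the Keycloak request authenticator for a Catalina request.
 *
 * @param request     the Catalina request
 * @param response    the servlet response the facade writes to
 * @param loginConfig container login configuration; not consulted here
 * @return {@code true} only when the outcome is {@code AUTHENTICATED} and the facade has
 *         not already ended the response; {@code false} otherwise (after sending the
 *         authenticator's challenge, if there is one)
 * @throws IOException if writing the error response fails
 */
protected boolean authenticateInternal(Request request, HttpServletResponse response, Object loginConfig) throws IOException {
    CatalinaHttpFacade facade = new OIDCCatalinaHttpFacade(request, response);
    KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        // needed for the EAP6/AS7 adapter relying on the tomcat core adapter
        facade.getResponse().sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
    AdapterTokenStore tokenStore = getTokenStore(request, facade, deployment);
    nodesRegistrationManagement.tryRegister(deployment);
    CatalinaRequestAuthenticator authenticator = createRequestAuthenticator(request, facade, deployment, tokenStore);
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        // an ended facade means the authenticator already committed the response,
        // so the container must not continue with the request
        return !facade.isEnded();
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        challenge.challenge(facade);
    }
    return false;
}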
Also used : AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) AdapterTokenStore(org.keycloak.adapters.AdapterTokenStore)

Example 9 with AuthChallenge

use of org.keycloak.adapters.spi.AuthChallenge in project keycloak by keycloak.

In class KeycloakHttpServerAuthenticationMechanism, method evaluateRequest.

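/**
 * Elytron HTTP mechanism entry point: authenticates the request against the Keycloak
 * deployment bound to it and reports the result back through the facade.
 *
 * <p>Without a deployment context or a configured deployment the mechanism declares no
 * authentication in progress. Pre-actions and the authenticated-actions handler may each
 * fully handle the request. A non-authenticated outcome sends the authenticator's
 * challenge when there is one; {@code FAILED} without a challenge is answered with 403 and
 * reported as a failure.
 *
 * @param request the Elytron request under evaluation
 * @throws HttpAuthenticationException propagated from the facade or the authenticator
 */
@Override
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
    LOGGER.debugf("Evaluating request for path [%s]", request.getRequestURI());
    AdapterDeploymentContext deploymentContext = getDeploymentContext(request);
    if (deploymentContext == null) {
        LOGGER.debugf("Ignoring request for path [%s] from mechanism [%s]. No deployment context found.", request.getRequestURI(), getMechanismName());
        request.noAuthenticationInProgress();
        return;
    }
    ElytronHttpFacade httpFacade = new ElytronHttpFacade(request, deploymentContext, callbackHandler);
    KeycloakDeployment deployment = httpFacade.getDeployment();
    // guard the null case as the other adapters do, rather than relying on
    // getDeployment() never returning null
    if (deployment == null || !deployment.isConfigured()) {
        request.noAuthenticationInProgress();
        return;
    }
    RequestAuthenticator authenticator = createRequestAuthenticator(request, httpFacade, deployment);
    httpFacade.getTokenStore().checkCurrentToken();
    if (preActions(httpFacade, deploymentContext)) {
        LOGGER.debugf("Pre-actions has aborted the evaluation of [%s]", request.getRequestURI());
        httpFacade.authenticationInProgress();
        return;
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (AuthOutcome.AUTHENTICATED.equals(outcome)) {
        if (new AuthenticatedActionsHandler(deployment, httpFacade).handledRequest()) {
            httpFacade.authenticationInProgress();
        } else {
            httpFacade.authenticationComplete();
        }
        return;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        httpFacade.noAuthenticationInProgress(challenge);
        return;
    }
    if (AuthOutcome.FAILED.equals(outcome)) {
        // failed with nothing to challenge with: deny and report the failure
        httpFacade.getResponse().setStatus(403);
        httpFacade.authenticationFailed();
        return;
    }
    httpFacade.noAuthenticationInProgress();
}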
Also used : AuthenticatedActionsHandler(org.keycloak.adapters.AuthenticatedActionsHandler) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) RequestAuthenticator(org.keycloak.adapters.RequestAuthenticator) AdapterDeploymentContext(org.keycloak.adapters.AdapterDeploymentContext) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)

Example 10 with AuthChallenge

use of org.keycloak.adapters.spi.AuthChallenge in project keycloak by keycloak.

In class AbstractSamlAuthenticator, method validateRequest.

/**
 * Jetty authenticator entry point for SAML: resolves the deployment, runs the SAML
 * authenticator and maps its outcome onto a Jetty {@link Authentication}.
 *
 * <p>Requests that are neither mandatory nor addressed to the {@code /saml} endpoint are
 * deferred. For the endpoint the browser handler is a {@code SamlEndpoint}, otherwise a
 * {@code BrowserHandler}; session registration is done here via {@code register} rather
 * than in the authenticator's {@code completeAuthentication}.
 *
 * @param req       the servlet request
 * @param res       the servlet response; must be an {@link HttpServletResponse}
 * @param mandatory whether the container requires authentication for this request
 * @return the resulting Jetty authentication state
 * @throws ServerAuthException propagated from the underlying authentication
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (log.isTraceEnabled()) {
        log.trace("*** authenticate");
    }
    final Request request = resolveRequest(req);
    final HttpServletResponse httpResponse = (HttpServletResponse) res;
    final JettyHttpFacade facade = new JettyHttpFacade(request, httpResponse);
    final SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        log.debug("*** deployment isn't configured return false");
        return Authentication.UNAUTHENTICATED;
    }
    final String pathWithinContext = request.getRequestURI().substring(request.getContextPath().length());
    final boolean isEndpoint = pathWithinContext.endsWith("/saml");
    if (!mandatory && !isEndpoint) {
        return new DeferredAuthentication(this);
    }
    final JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment);
    // One anonymous subclass for both cases; only the browser handler differs.
    final SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {

        @Override
        protected void completeAuthentication(SamlSession account) {
            // intentionally empty: the enclosing method registers the session after authenticate()
        }

        @Override
        protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
            if (isEndpoint) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
            return new BrowserHandler(facade, deployment, sessionStore);
        }
    };
    final AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        // an ended facade means the response was already written by the authenticator
        return facade.isEnded() ? Authentication.SEND_SUCCESS : register(request, tokenStore.getAccount());
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        logoutCurrent(request);
        if (deployment.getLogoutPage() != null) {
            forwardToLogoutPage(request, httpResponse, deployment);
        }
        return Authentication.SEND_CONTINUE;
    }
    final AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        challenge.challenge(facade);
    }
    return Authentication.SEND_CONTINUE;
}
Also used : AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator) HttpFacade(org.keycloak.adapters.spi.HttpFacade) JettyHttpFacade(org.keycloak.adapters.jetty.spi.JettyHttpFacade) SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore) BrowserHandler(org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler) SamlEndpoint(org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint) Request(org.eclipse.jetty.server.Request) ServletRequest(javax.servlet.ServletRequest) JettyHttpFacade(org.keycloak.adapters.jetty.spi.JettyHttpFacade) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) SamlSession(org.keycloak.adapters.saml.SamlSession) SamlAuthenticationHandler(org.keycloak.adapters.saml.profile.SamlAuthenticationHandler) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication)

Aggregations

AuthChallenge (org.keycloak.adapters.spi.AuthChallenge)13 AuthOutcome (org.keycloak.adapters.spi.AuthOutcome)12 KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment)6 AdapterTokenStore (org.keycloak.adapters.AdapterTokenStore)4 AuthenticatedActionsHandler (org.keycloak.adapters.AuthenticatedActionsHandler)4 SamlAuthenticator (org.keycloak.adapters.saml.SamlAuthenticator)4 SamlDeployment (org.keycloak.adapters.saml.SamlDeployment)4 PreAuthActionsHandler (org.keycloak.adapters.PreAuthActionsHandler)3 RequestAuthenticator (org.keycloak.adapters.RequestAuthenticator)3 SamlSessionStore (org.keycloak.adapters.saml.SamlSessionStore)3 HttpFacade (org.keycloak.adapters.spi.HttpFacade)3 ServletRequest (javax.servlet.ServletRequest)2 HttpServletRequest (javax.servlet.http.HttpServletRequest)2 HttpServletRequestWrapper (javax.servlet.http.HttpServletRequestWrapper)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 UserAuthentication (org.eclipse.jetty.security.UserAuthentication)2 DeferredAuthentication (org.eclipse.jetty.security.authentication.DeferredAuthentication)2 Authentication (org.eclipse.jetty.server.Authentication)2 Request (org.eclipse.jetty.server.Request)2 SamlSession (org.keycloak.adapters.saml.SamlSession)2