Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.
The class LoginFormsUtil, method filterIdentityProviders.
/**
 * Narrows the identity providers that the login form may offer for the given flow.
 *
 * Two restrictions are applied, both only when a flow context is present:
 * the broker that already authenticated this login (first-broker-login) is
 * removed so the user cannot re-authenticate with the "linked" broker, and,
 * once a user is established in the authentication session, only providers
 * already linked to that user remain. Without a context the stream is
 * returned unfiltered.
 *
 * @param providers candidate providers; the stream is consumed by this call
 * @param session   current session, used to deserialize the brokered context and look up federated identities
 * @param context   flow context, may be null
 * @return the filtered providers as a list
 */
public static List<IdentityProviderModel> filterIdentityProviders(Stream<IdentityProviderModel> providers, KeycloakSession session, AuthenticationFlowContext context) {
    if (context == null) {
        return providers.collect(Collectors.toList());
    }

    AuthenticationSessionModel authSession = context.getAuthenticationSession();
    SerializedBrokeredIdentityContext brokeredCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);

    // The broker that produced the current login, or null outside a first-broker-login flow.
    final IdentityProviderModel brokerIdp = (brokeredCtx == null) ? null : brokeredCtx.deserialize(session, authSession).getIdpConfig();
    final String brokerAlias = (brokerIdp == null) ? null : brokerIdp.getAlias();

    // Aliases of providers linked to the established user; null means "no user yet, do not restrict".
    final Set<String> linkedAliases;
    if (context.getUser() == null) {
        linkedAliases = null;
    } else {
        linkedAliases = session.users()
                .getFederatedIdentitiesStream(session.getContext().getRealm(), context.getUser())
                .map(fi -> fi.getIdentityProvider())
                .collect(Collectors.toSet());
    }

    return providers
            // Re-authentication with the broker that is currently being linked is not allowed.
            .filter(idp -> brokerIdp == null || !Objects.equals(idp.getAlias(), brokerAlias))
            // With a user in the session, offer only brokers already linked to that user.
            .filter(idp -> linkedAliases == null || linkedAliases.contains(idp.getAlias()))
            .collect(Collectors.toList());
}
Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.
The class UserSessionLimitsAuthenticator, method handleLimitExceeded.
/**
 * Applies the configured reaction once the user's session limit is reached.
 *
 * DENY_NEW_SESSION fails the flow with an error page; TERMINATE_OLDEST_SESSION
 * logs out the oldest of the given sessions and lets the flow succeed.
 *
 * NOTE(review): there is no default branch, so any other {@code behavior}
 * value leaves the context neither failed nor succeeded; confirm that the
 * factory restricts the option to exactly these two values.
 *
 * @param context      current flow context
 * @param userSessions the user's existing sessions, consulted by the terminate path
 * @param eventDetails details attached to the failure event in the deny path
 */
private void handleLimitExceeded(AuthenticationFlowContext context, List<UserSessionModel> userSessions, String eventDetails) {
    switch (behavior) {
        case UserSessionLimitsAuthenticatorFactory.DENY_NEW_SESSION:
            logger.info("Denying new session");
            denyNewSession(context, eventDetails);
            break;
        case UserSessionLimitsAuthenticatorFactory.TERMINATE_OLDEST_SESSION:
            logger.info("Terminating oldest session");
            logoutOldestSession(userSessions);
            context.success();
            break;
    }
}

/**
 * Fails the flow with a FORBIDDEN error page. The message is taken from the
 * authenticator config's ERROR_MESSAGE entry, falling back to SESSION_LIMIT_EXCEEDED.
 */
private void denyNewSession(AuthenticationFlowContext context, String eventDetails) {
    String message = Optional.ofNullable(context.getAuthenticatorConfig())
            .map(AuthenticatorConfigModel::getConfig)
            .map(cfg -> cfg.get(UserSessionLimitsAuthenticatorFactory.ERROR_MESSAGE))
            .orElse(SESSION_LIMIT_EXCEEDED);
    context.getEvent().error(Errors.GENERIC_AUTHENTICATION_ERROR);
    Response errorPage = context.form().setError(message).createErrorPage(Response.Status.FORBIDDEN);
    context.failure(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR, errorPage, eventDetails, message);
}
Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.
The class SetClientNoteAuthenticator, method authenticate.
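/**
 * Copies every form parameter whose name starts with {@code PREFIX} into the
 * authentication session as a client note (the prefix is stripped from the key),
 * then marks the authenticator successful.
 *
 * Form parameters are client-supplied, so the logged key/value are sanitized
 * (CR/LF replaced) to prevent a crafted value from forging additional log
 * lines; the note itself is stored verbatim, as before.
 *
 * NOTE(review): any caller can choose both key and value of the notes set
 * here — confirm this authenticator is only placed in flows where that is intended.
 *
 * @param context current flow context providing the request and the authentication session
 */
@Override
public void authenticate(AuthenticationFlowContext context) {
    MultivaluedMap<String, String> inputData = context.getHttpRequest().getDecodedFormParameters();
    AuthenticationSessionModel authSession = context.getAuthenticationSession();
    for (String paramName : inputData.keySet()) {
        if (!paramName.startsWith(PREFIX)) {
            continue;
        }
        String key = paramName.substring(PREFIX.length());
        String value = inputData.getFirst(paramName);
        // Only the log line is sanitized; the stored note keeps the original value.
        logger.infof("Set authentication session client note %s=%s", sanitizeForLog(key), sanitizeForLog(value));
        authSession.setClientNote(key, value);
    }
    context.success();
}

/** Replaces CR and LF in a client-supplied string with '_' for log output; null passes through unchanged. */
private static String sanitizeForLog(String s) {
    return s == null ? null : s.replace('\r', '_').replace('\n', '_');
}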
Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.
The class DenyAccessAuthenticator, method authenticate.
/**
 * Unconditionally fails the flow with ACCESS_DENIED.
 *
 * The error page message comes from the authenticator config's ERROR_MESSAGE
 * entry when present, otherwise Messages.ACCESS_DENIED; the page is returned
 * with HTTP 401 and an ACCESS_DENIED event error is recorded.
 *
 * @param context current flow context
 */
@Override
public void authenticate(AuthenticationFlowContext context) {
    String configuredMessage = Optional.ofNullable(context.getAuthenticatorConfig())
            .map(AuthenticatorConfigModel::getConfig)
            .map(cfg -> cfg.get(DenyAccessAuthenticatorFactory.ERROR_MESSAGE))
            .orElse(Messages.ACCESS_DENIED);
    context.getEvent().error(Errors.ACCESS_DENIED);
    Response errorPage = context.form()
            .setError(configuredMessage)
            .createErrorPage(Response.Status.UNAUTHORIZED);
    context.failure(AuthenticationFlowError.ACCESS_DENIED, errorPage);
}
Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.
The class IdentityProviderAuthenticator, method redirect.
/**
 * Sends the browser to the broker authentication endpoint for {@code providerId}.
 *
 * The alias is only honoured when it matches an enabled identity provider of
 * the current realm; otherwise a warning is logged and the authenticator is
 * marked attempted. The DISPLAY client note, when set, is appended through
 * UriBuilder.queryParam rather than string concatenation. If the session was
 * started with prompt=none and the provider accepts forwarded prompt=none
 * requests, FORWARDED_PASSIVE_LOGIN is recorded on the authentication session.
 *
 * @param context    current flow context
 * @param providerId alias of the identity provider to redirect to
 */
private void redirect(AuthenticationFlowContext context, String providerId) {
    Optional<IdentityProviderModel> match = context.getRealm().getIdentityProvidersStream()
            .filter(IdentityProviderModel::isEnabled)
            .filter(candidate -> Objects.equals(providerId, candidate.getAlias()))
            .findFirst();
    if (!match.isPresent()) {
        LOG.warnf("Provider not found or not enabled for realm %s", providerId);
        context.attempted();
        return;
    }
    IdentityProviderModel idp = match.get();

    String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
    String clientId = context.getAuthenticationSession().getClient().getClientId();
    String tabId = context.getAuthenticationSession().getTabId();
    URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId, tabId);

    String display = context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY);
    if (display != null) {
        location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, display).build();
    }
    Response redirectResponse = Response.seeOther(location).build();

    // Forward prompt=none to the IDP only when the provider is configured to accept it.
    boolean passiveLogin = "none".equals(context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.PROMPT_PARAM));
    if (passiveLogin && Boolean.valueOf(idp.getConfig().get(ACCEPTS_PROMPT_NONE))) {
        context.getAuthenticationSession().setAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN, "true");
    }

    LOG.debugf("Redirecting to %s", providerId);
    context.forceChallenge(redirectResponse);
}