
Example 1 with AuthenticationFlowContext

Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.

The class LoginFormsUtil, method filterIdentityProviders.

/**
 * Narrows the identity providers offered on the login page. Without a flow context
 * (for example the plain login page) every provider is returned unchanged.
 */
public static List<IdentityProviderModel> filterIdentityProviders(Stream<IdentityProviderModel> providers,
        KeycloakSession session, AuthenticationFlowContext context) {
    if (context != null) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        // Present only during first-broker-login: the broker the user has just arrived from
        SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext
                .readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
        final IdentityProviderModel existingIdp = (serializedCtx == null)
                ? null
                : serializedCtx.deserialize(session, authSession).getIdpConfig();
        // Aliases of the brokers already linked to the user, known only once a user is established
        final Set<String> federatedIdentities;
        if (context.getUser() != null) {
            federatedIdentities = session.users()
                    .getFederatedIdentitiesStream(session.getContext().getRealm(), context.getUser())
                    .map(federatedIdentityModel -> federatedIdentityModel.getIdentityProvider())
                    .collect(Collectors.toSet());
        } else {
            federatedIdentities = null;
        }
        return providers.filter(p -> {
            // Filter current IDP during first-broker-login flow. Re-authentication with the "linked" broker should not be possible
            if (existingIdp == null)
                return true;
            return !Objects.equals(p.getAlias(), existingIdp.getAlias());
        }).filter(idp -> {
            // In case that we already have user established in authentication session, we show just providers already linked to this user
            if (federatedIdentities == null)
                return true;
            return federatedIdentities.contains(idp.getAlias());
        }).collect(Collectors.toList());
    }
    return providers.collect(Collectors.toList());
}
Also used :
  java.util.LinkedList
  java.util.List
  java.util.Map
  java.util.Objects
  java.util.Set
  java.util.stream.Collectors
  java.util.stream.Stream
  javax.ws.rs.core.MultivaluedMap
  org.keycloak.authentication.AuthenticationFlowContext
  org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator
  org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext
  org.keycloak.forms.login.LoginFormsProvider
  org.keycloak.models.IdentityProviderModel
  org.keycloak.models.KeycloakSession
  org.keycloak.models.RealmModel
  org.keycloak.models.UserModel
  org.keycloak.sessions.AuthenticationSessionModel

Example 2 with AuthenticationFlowContext

Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.

The class UserSessionLimitsAuthenticator, method handleLimitExceeded.

/**
 * Called once the user's session count has reached the configured limit. `behavior`
 * is the configured policy: refuse the new login, or make room by ending the oldest session.
 */
private void handleLimitExceeded(AuthenticationFlowContext context, List<UserSessionModel> userSessions, String eventDetails) {
    switch(behavior) {
        case UserSessionLimitsAuthenticatorFactory.DENY_NEW_SESSION:
            logger.info("Denying new session");
            // Error text is taken from the execution config, falling back to the built-in message
            String errorMessage = Optional.ofNullable(context.getAuthenticatorConfig())
                    .map(AuthenticatorConfigModel::getConfig)
                    .map(f -> f.get(UserSessionLimitsAuthenticatorFactory.ERROR_MESSAGE))
                    .orElse(SESSION_LIMIT_EXCEEDED);
            // Record the denial in the event log, then end the flow with a 403 error page
            context.getEvent().error(Errors.GENERIC_AUTHENTICATION_ERROR);
            Response challenge = context.form().setError(errorMessage).createErrorPage(Response.Status.FORBIDDEN);
            context.failure(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR, challenge, eventDetails, errorMessage);
            break;
        case UserSessionLimitsAuthenticatorFactory.TERMINATE_OLDEST_SESSION:
            logger.info("Terminating oldest session");
            logoutOldestSession(userSessions);
            context.success();
            break;
        // No default branch: any other configured value returns without setting a flow status
    }
}
Also used :
  java.util.Collections
  java.util.Comparator
  java.util.List
  java.util.Map
  java.util.Optional
  java.util.stream.Collectors
  javax.ws.rs.core.Response
  org.jboss.logging.Logger
  org.keycloak.authentication.AuthenticationFlowContext
  org.keycloak.authentication.AuthenticationFlowError
  org.keycloak.authentication.Authenticator
  org.keycloak.events.Errors
  org.keycloak.models.AuthenticatorConfigModel
  org.keycloak.models.ClientModel
  org.keycloak.models.KeycloakSession
  org.keycloak.models.RealmModel
  org.keycloak.models.UserModel
  org.keycloak.models.UserSessionModel
  org.keycloak.services.managers.AuthenticationManager
  org.keycloak.utils.StringUtil
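The excerpt above only calls logoutOldestSession; the part that actually collects a user's sessions and ends the oldest ones is not shown. The following is an added example, not Keycloak's own code, of how an authenticator can do that through the same flow context. The class and method names (SessionCapHelper, sessionsOldestFirst, enforceLimit) are hypothetical, and it assumes a Keycloak version that provides UserSessionProvider.getUserSessionsStream(RealmModel, UserModel) and the AuthenticationManager.backchannelLogout(KeycloakSession, UserSessionModel, boolean) overload.

```java
// Added example (not Keycloak's own code). Assumes the getUserSessionsStream and
// three-argument backchannelLogout APIs named in the lead-in exist in the target version.
package com.example.keycloak.auth;

import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;

import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.services.managers.AuthenticationManager;

public final class SessionCapHelper {   // hypothetical helper class

    private static final Logger LOG = Logger.getLogger(SessionCapHelper.class);

    private SessionCapHelper() {}

    /**
     * Returns the user's sessions in the realm, oldest first.
     * context.getUser() is non-null only after an earlier execution in the flow
     * (for example the username/password form) has identified the user, so an
     * authenticator that calls this must report requiresUser() == true and be
     * placed after that step; otherwise the cap is evaluated against nobody.
     */
    public static List<UserSessionModel> sessionsOldestFirst(AuthenticationFlowContext context) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        UserModel user = context.getUser();
        if (user == null) {
            throw new IllegalStateException("session cap evaluated before the user was identified");
        }
        return session.sessions().getUserSessionsStream(realm, user)
                .sorted(Comparator.comparingInt(UserSessionModel::getStarted))
                .collect(Collectors.toList());
    }

    /**
     * Ends as many of the oldest sessions as needed so that, counting the session
     * about to be created by this login, the user has at most `limit` sessions.
     * Back-channel logout invalidates the session server-side and notifies clients
     * that registered a back-channel logout URL; logoutBroker=true additionally
     * attempts the logout at the external identity provider that brokered it.
     * Returns the number of sessions terminated.
     */
    public static int enforceLimit(AuthenticationFlowContext context, int limit) {
        if (limit < 1) {
            throw new IllegalArgumentException("limit must be at least 1");
        }
        List<UserSessionModel> sessions = sessionsOldestFirst(context);
        int excess = sessions.size() - (limit - 1);   // leave room for the new session
        if (excess <= 0) {
            return 0;
        }
        KeycloakSession session = context.getSession();
        for (UserSessionModel victim : sessions.subList(0, excess)) {
            // Log the decision with enough detail to reconstruct it from the server log
            LOG.infof("Session limit %d reached for user %s, terminating session %s started at %d",
                    limit, victim.getUser().getUsername(), victim.getId(), victim.getStarted());
            AuthenticationManager.backchannelLogout(session, victim, true);
        }
        return excess;
    }
}
```

An authenticator would call enforceLimit from authenticate() before context.success(), mirroring the TERMINATE_OLDEST_SESSION branch above; for the DENY_NEW_SESSION policy it would instead compare sessionsOldestFirst(context).size() against the limit and raise the same kind of failure the excerpt shows.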

Example 3 with AuthenticationFlowContext

Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.

The class SetClientNoteAuthenticator, method authenticate.

@Override
public void authenticate(AuthenticationFlowContext context) {
    // Form parameters of the current request, as submitted by the HTTP client
    MultivaluedMap<String, String> inputData = context.getHttpRequest().getDecodedFormParameters();
    AuthenticationSessionModel authSession = context.getAuthenticationSession();
    // Every parameter whose name starts with PREFIX is copied, prefix stripped, into a
    // client note of the authentication session. Nothing validates the key or the value,
    // and the value is written to the log at INFO level. Any later execution that reads
    // these notes is therefore trusting whatever the client chose to send.
    inputData.keySet().stream().filter(paramName -> paramName.startsWith(PREFIX)).forEach(paramName -> {
        String key = paramName.substring(PREFIX.length());
        String value = inputData.getFirst(paramName);
        logger.infof("Set authentication session client note %s=%s", key, value);
        authSession.setClientNote(key, value);
    });
    // Always succeeds: this execution never denies or challenges
    context.success();
}
Also used :
  java.util.List
  javax.ws.rs.core.MultivaluedMap
  org.jboss.logging.Logger
  org.keycloak.Config
  org.keycloak.authentication.AuthenticationFlowContext
  org.keycloak.authentication.Authenticator
  org.keycloak.authentication.AuthenticatorFactory
  org.keycloak.models.AuthenticationExecutionModel
  org.keycloak.models.KeycloakSession
  org.keycloak.models.KeycloakSessionFactory
  org.keycloak.models.RealmModel
  org.keycloak.models.UserModel
  org.keycloak.provider.ProviderConfigProperty
  org.keycloak.sessions.AuthenticationSessionModel

Example 4 with AuthenticationFlowContext

Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.

The class DenyAccessAuthenticator, method authenticate.

@Override
public void authenticate(AuthenticationFlowContext context) {
    // Message key from the execution config if one is set, otherwise the stock "access denied"
    String errorMessage = Optional.ofNullable(context.getAuthenticatorConfig())
            .map(AuthenticatorConfigModel::getConfig)
            .map(f -> f.get(DenyAccessAuthenticatorFactory.ERROR_MESSAGE))
            .orElse(Messages.ACCESS_DENIED);
    // Record the denial in the event log, then end the flow with a 401 error page
    context.getEvent().error(Errors.ACCESS_DENIED);
    Response challenge = context.form().setError(errorMessage).createErrorPage(Response.Status.UNAUTHORIZED);
    context.failure(AuthenticationFlowError.ACCESS_DENIED, challenge);
}
Also used :
  java.util.Optional
  javax.ws.rs.core.Response
  org.keycloak.authentication.AuthenticationFlowContext
  org.keycloak.authentication.AuthenticationFlowError
  org.keycloak.authentication.Authenticator
  org.keycloak.events.Errors
  org.keycloak.models.AuthenticatorConfigModel
  org.keycloak.models.KeycloakSession
  org.keycloak.models.RealmModel
  org.keycloak.models.UserModel
  org.keycloak.services.messages.Messages
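Examples 3 and 4 show an authenticator writing client notes and an authenticator denying access with a configurable message, but neither shows the factory that supplies context.getAuthenticatorConfig() or the full Authenticator contract. The following is an added example, not part of Keycloak, of a complete AuthenticatorFactory/Authenticator pair in the style of DenyAccessAuthenticator: it denies the login unless the authentication session carries a client note with the configured name and value. The provider id, config keys and class names (ClientNoteGuardAuthenticatorFactory, ClientNoteGuardAuthenticator, client-note-guard, noteName, expectedValue, errorMessage) are hypothetical; the SPI interfaces and context methods are Keycloak's.

```java
// Added example, not part of Keycloak. Provider id, config keys and class names are hypothetical.
package com.example.keycloak.auth;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;

import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.messages.Messages;

public class ClientNoteGuardAuthenticatorFactory implements AuthenticatorFactory {

    public static final String PROVIDER_ID = "client-note-guard";   // hypothetical provider id
    public static final String NOTE_NAME = "noteName";              // config keys are hypothetical
    public static final String EXPECTED_VALUE = "expectedValue";
    public static final String ERROR_MESSAGE = "errorMessage";

    // The authenticator keeps no per-request state, so one instance serves every flow
    private static final ClientNoteGuardAuthenticator SINGLETON = new ClientNoteGuardAuthenticator();

    // Offer only REQUIRED or DISABLED: a guard that can be skipped as ALTERNATIVE is not a guard
    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
            AuthenticationExecutionModel.Requirement.REQUIRED,
            AuthenticationExecutionModel.Requirement.DISABLED
    };

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Client Note Guard"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public String getHelpText() { return "Denies access unless the authentication session has the configured client note."; }
    @Override public boolean isConfigurable() { return true; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }

    // These properties are what the admin console renders and what ends up in
    // AuthenticatorConfigModel.getConfig() for the execution.
    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return Arrays.asList(
                new ProviderConfigProperty(NOTE_NAME, "Client note name",
                        "Name of the authentication session client note that must be present",
                        ProviderConfigProperty.STRING_TYPE, null),
                new ProviderConfigProperty(EXPECTED_VALUE, "Expected value",
                        "Value the note must have; leave empty to accept any value",
                        ProviderConfigProperty.STRING_TYPE, null),
                new ProviderConfigProperty(ERROR_MESSAGE, "Error message",
                        "Message key shown on the error page",
                        ProviderConfigProperty.STRING_TYPE, null));
    }

    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}

class ClientNoteGuardAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        Map<String, String> cfg = Optional.ofNullable(context.getAuthenticatorConfig())
                .map(AuthenticatorConfigModel::getConfig)
                .orElse(Collections.emptyMap());
        String noteName = cfg.get(ClientNoteGuardAuthenticatorFactory.NOTE_NAME);
        String expected = cfg.get(ClientNoteGuardAuthenticatorFactory.EXPECTED_VALUE);
        String actual = (noteName == null) ? null : context.getAuthenticationSession().getClientNote(noteName);

        // Fail closed: no configuration, no note, or a mismatched note all deny
        boolean allowed = noteName != null && actual != null
                && (expected == null || expected.isEmpty() || expected.equals(actual));
        if (allowed) {
            context.success();
            return;
        }
        String errorMessage = Optional.ofNullable(cfg.get(ClientNoteGuardAuthenticatorFactory.ERROR_MESSAGE))
                .orElse(Messages.ACCESS_DENIED);
        context.getEvent().error(Errors.ACCESS_DENIED);
        Response challenge = context.form().setError(errorMessage).createErrorPage(Response.Status.UNAUTHORIZED);
        context.failure(AuthenticationFlowError.ACCESS_DENIED, challenge);
    }

    @Override public void action(AuthenticationFlowContext context) { }   // no form of its own to process
    @Override public boolean requiresUser() { return false; }            // decides on the session, not the user
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

The factory is picked up only if its fully qualified class name is listed in META-INF/services/org.keycloak.authentication.AuthenticatorFactory inside the deployed provider jar. The guard is exactly as strong as whatever wrote the note: a note set by a server-side execution (for instance one derived from the brokered identity context in Example 1) reflects a server-side decision, whereas a note copied straight from form parameters the way Example 3 does is chosen by the HTTP client, and a guard keyed on it would be checking attacker-controlled input.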

Example 5 with AuthenticationFlowContext

Use of org.keycloak.authentication.AuthenticationFlowContext in project keycloak by keycloak.

The class IdentityProviderAuthenticator, method redirect.

private void redirect(AuthenticationFlowContext context, String providerId) {
    // Resolve the configured provider by alias; a disabled provider is treated as absent
    Optional<IdentityProviderModel> idp = context.getRealm().getIdentityProvidersStream()
            .filter(IdentityProviderModel::isEnabled)
            .filter(identityProvider -> Objects.equals(providerId, identityProvider.getAlias()))
            .findFirst();
    if (idp.isPresent()) {
        // The access code binds the broker round trip back to this authentication session
        String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(),
                context.getAuthenticationSession()).getOrGenerateCode();
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        String tabId = context.getAuthenticationSession().getTabId();
        URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId,
                context.getRealm().getName(), accessCode, clientId, tabId);
        // Propagate the OIDC "display" hint from the original authorization request, if any
        if (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY) != null) {
            location = UriBuilder.fromUri(location)
                    .queryParam(OAuth2Constants.DISPLAY, context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY))
                    .build();
        }
        Response response = Response.seeOther(location).build();
        // will forward the request to the IDP with prompt=none if the IDP accepts forwards with prompt=none.
        if ("none".equals(context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.PROMPT_PARAM))
                && Boolean.valueOf(idp.get().getConfig().get(ACCEPTS_PROMPT_NONE))) {
            context.getAuthenticationSession().setAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN, "true");
        }
        LOG.debugf("Redirecting to %s", providerId);
        // forceChallenge sends the redirect regardless of the execution's requirement level
        context.forceChallenge(response);
        return;
    }
    // Unknown or disabled alias: mark the execution attempted so the flow can continue
    // with other executions instead of hard-failing
    LOG.warnf("Provider not found or not enabled for realm %s", providerId);
    context.attempted();
}
Also used :
  java.net.URI
  java.util.Objects
  java.util.Optional
  javax.ws.rs.core.Response
  javax.ws.rs.core.UriBuilder
  org.jboss.logging.Logger
  org.keycloak.OAuth2Constants
  org.keycloak.authentication.AuthenticationFlowContext
  org.keycloak.authentication.AuthenticationProcessor
  org.keycloak.authentication.Authenticator
  org.keycloak.constants.AdapterConstants
  org.keycloak.models.IdentityProviderModel
  org.keycloak.models.KeycloakSession
  org.keycloak.models.RealmModel
  org.keycloak.models.UserModel
  org.keycloak.protocol.oidc.OIDCLoginProtocol
  org.keycloak.services.Urls
  org.keycloak.services.managers.ClientSessionCode

Aggregations

Number of the examples above that use each class:
  org.keycloak.authentication.AuthenticationFlowContext  5
  org.keycloak.models.KeycloakSession  5
  org.keycloak.models.RealmModel  5
  org.keycloak.models.UserModel  5
  org.keycloak.authentication.Authenticator  4
  java.util.List  3
  java.util.Optional  3
  javax.ws.rs.core.Response  3
  org.jboss.logging.Logger  3
  java.util.Map  2
  java.util.Objects  2
  java.util.stream.Collectors  2
  javax.ws.rs.core.MultivaluedMap  2
  org.keycloak.authentication.AuthenticationFlowError  2
  org.keycloak.events.Errors  2
  org.keycloak.models.AuthenticatorConfigModel  2
  org.keycloak.models.IdentityProviderModel  2
  org.keycloak.sessions.AuthenticationSessionModel  2
  java.net.URI  1
  java.util.Collections  1