use of org.keycloak.authentication.AuthenticationFlowException in project keycloak by keycloak.
the class AbstractIdpAuthenticator method action.
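/**
 * Handles the form POST-back of a brokered-login step.
 *
 * <p>Restores the brokered identity context previously serialized into the
 * authentication session under {@code BROKERED_CONTEXT_NOTE}, rejects the
 * request when the originating identity provider is no longer enabled, and
 * otherwise delegates to {@link #actionImpl}.
 *
 * @param context the current authentication flow context
 * @throws AuthenticationFlowException with {@code IDENTITY_PROVIDER_ERROR} when
 *         no serialized brokered context is stored in the authentication session
 */
@Override
public void action(AuthenticationFlowContext context) {
    AuthenticationSessionModel clientSession = context.getAuthenticationSession();

    SerializedBrokeredIdentityContext serializedCtx =
            SerializedBrokeredIdentityContext.readFromAuthenticationSession(clientSession, BROKERED_CONTEXT_NOTE);
    if (serializedCtx == null) {
        throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
    }
    BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), clientSession);

    if (!brokerContext.getIdpConfig().isEnabled()) {
        sendFailureChallenge(context, Response.Status.BAD_REQUEST, Errors.IDENTITY_PROVIDER_ERROR,
                Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
        // Stop here. Without the return, the subclass step still ran for a
        // disabled provider and could replace the failure status just set.
        return;
    }

    actionImpl(context, serializedCtx, brokerContext);
}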
use of org.keycloak.authentication.AuthenticationFlowException in project keycloak by keycloak.
the class AbstractIdpAuthenticator method getExistingUser.
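/**
 * Resolves the already-existing user that a brokered login was detected to duplicate.
 *
 * <p>The duplicate is identified by the {@code EXISTING_USER_INFO} auth note,
 * which holds a serialized {@link ExistingUserInfo}; its user ID is looked up
 * in the given realm.
 *
 * @param session     current Keycloak session, used for the user lookup
 * @param realm       realm the existing user is expected to belong to
 * @param authSession authentication session carrying the auth note
 * @return the existing, enabled user
 * @throws AuthenticationFlowException {@code INTERNAL_ERROR} when the auth note is
 *         absent, {@code INVALID_USER} when the referenced user does not exist, and
 *         {@code USER_DISABLED} when the user exists but is disabled
 */
public static UserModel getExistingUser(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession) {
    String serializedInfo = authSession.getAuthNote(EXISTING_USER_INFO);
    if (serializedInfo == null) {
        throw new AuthenticationFlowException("Unexpected state. There is no existing duplicated user identified in ClientSession", AuthenticationFlowError.INTERNAL_ERROR);
    }

    ExistingUserInfo duplication = ExistingUserInfo.deserialize(serializedInfo);
    // The messages below name the resolved user ID rather than the whole
    // serialized note, which is what the original code interpolated.
    String existingUserId = duplication.getExistingUserId();

    UserModel existingUser = session.users().getUserById(realm, existingUserId);
    if (existingUser == null) {
        throw new AuthenticationFlowException("User with ID '" + existingUserId + "' not found.", AuthenticationFlowError.INVALID_USER);
    }
    if (!existingUser.isEnabled()) {
        throw new AuthenticationFlowException("User with ID '" + existingUserId + "', username '" + existingUser.getUsername() + "' disabled.", AuthenticationFlowError.USER_DISABLED);
    }
    return existingUser;
}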
use of org.keycloak.authentication.AuthenticationFlowException in project keycloak by keycloak.
the class IdpConfirmLinkAuthenticator method actionImpl.
/**
 * Processes the user's choice on the "confirm link" form.
 *
 * <p>Reads the {@code submitAction} form parameter: {@code updateProfile}
 * restarts the flow with the brokered context re-saved and the profile-update
 * enforcement note set; {@code linkAccount} marks this execution successful.
 *
 * @param context       current authentication flow context
 * @param serializedCtx brokered identity context to carry across a flow reset
 * @param brokerContext deserialized brokered identity context (unused here)
 * @throws AuthenticationFlowException {@code INTERNAL_ERROR} for any other or
 *         missing {@code submitAction} value
 */
@Override
protected void actionImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) {
    MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
    String submitAction = form.getFirst("submitAction");

    if ("updateProfile".equals(submitAction)) {
        context.resetFlow(() -> {
            AuthenticationSessionModel session = context.getAuthenticationSession();
            serializedCtx.saveToAuthenticationSession(session, BROKERED_CONTEXT_NOTE);
            session.setAuthNote(ENFORCE_UPDATE_PROFILE, "true");
        });
        return;
    }

    if ("linkAccount".equals(submitAction)) {
        context.success();
        return;
    }

    throw new AuthenticationFlowException("Unknown action: " + submitAction, AuthenticationFlowError.INTERNAL_ERROR);
}
use of org.keycloak.authentication.AuthenticationFlowException in project keycloak by keycloak.
the class AuthenticationManager method executeAction.
/**
 * Runs a single required action against the authenticated user.
 *
 * <p>Looks up the action's factory, builds a {@link RequiredActionContextResult},
 * applies the {@code kc_action} gating when the action was explicitly requested,
 * invokes the provider's challenge, and maps the resulting context status to a
 * response.
 *
 * @param session           current Keycloak session
 * @param authSession       authentication session the action runs in
 * @param model             configured required action to execute
 * @param request           incoming HTTP request
 * @param event             event builder for audit events
 * @param realm             current realm
 * @param user              user the action applies to
 * @param kcActionExecution whether the action was requested via {@code kc_action}
 * @return the response to send to the client, or {@code null} when processing
 *         should continue with the next action
 * @throws RuntimeException            when no factory is registered for the action's provider ID
 * @throws AuthenticationFlowException rethrown from provider creation when it carries no response
 */
private static Response executeAction(KeycloakSession session, AuthenticationSessionModel authSession, RequiredActionProviderModel model, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, boolean kcActionExecution) {
    RequiredActionFactory factory = (RequiredActionFactory) session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, model.getProviderId());
    if (factory == null) {
        throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?");
    }
    RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory);
    RequiredActionProvider actionProvider = null;
    try {
        actionProvider = createRequiredAction(context);
    } catch (AuthenticationFlowException e) {
        // A flow exception that already carries a response is returned as-is;
        // anything else propagates to the caller.
        if (e.getResponse() != null) {
            return e.getResponse();
        }
        throw e;
    }

    if (kcActionExecution) {
        // An explicitly requested action must both support initiation and be enabled;
        // otherwise record an ERROR status for kc_action and skip it.
        if (actionProvider.initiatedActionSupport() == InitiatedActionSupport.NOT_SUPPORTED) {
            logger.debugv("Requested action {0} does not support being invoked with kc_action", factory.getId());
            setKcActionStatus(factory.getId(), RequiredActionContext.KcActionStatus.ERROR, authSession);
            return null;
        } else if (!model.isEnabled()) {
            logger.debugv("Requested action {0} is disabled and can't be invoked with kc_action", factory.getId());
            setKcActionStatus(factory.getId(), RequiredActionContext.KcActionStatus.ERROR, authSession);
            return null;
        } else {
            authSession.setClientNote(Constants.KC_ACTION_EXECUTING, factory.getId());
        }
    }

    actionProvider.requiredActionChallenge(context);

    if (context.getStatus() == RequiredActionContext.Status.FAILURE) {
        // User rejected the action: answer through the login protocol with a
        // consent-denied error and record the rejection on the event.
        LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getAuthenticationSession().getProtocol());
        protocol.setRealm(context.getRealm()).setHttpHeaders(context.getHttpRequest().getHttpHeaders()).setUriInfo(context.getUriInfo()).setEventBuilder(event);
        Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED);
        event.error(Errors.REJECTED_BY_USER);
        return response;
    } else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) {
        // Remember which execution issued the challenge so the POST-back can be routed to it.
        authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, model.getProviderId());
        return context.getChallenge();
    } else if (context.getStatus() == RequiredActionContext.Status.SUCCESS) {
        event.clone().event(EventType.CUSTOM_REQUIRED_ACTION).detail(Details.CUSTOM_REQUIRED_ACTION, factory.getId()).success();
        // don't have to perform the same action twice, so remove it from both the user and session required actions
        authSession.getAuthenticatedUser().removeRequiredAction(factory.getId());
        authSession.removeRequiredAction(factory.getId());
        setKcActionStatus(factory.getId(), RequiredActionContext.KcActionStatus.SUCCESS, authSession);
    }
    // Any other status: nothing to send, let the caller move on.
    return null;
}
use of org.keycloak.authentication.AuthenticationFlowException in project keycloak by keycloak.
the class ConditionalUserAttributeValue method matchCondition.
/**
 * Checks whether the current user has the configured attribute value.
 *
 * <p>Reads the attribute name, expected value and the "not" flag from the
 * authenticator configuration, then tests whether any value of that attribute
 * on the user equals the expected value. The "not" flag inverts the outcome.
 *
 * @param context current authentication flow context
 * @return {@code true} when the condition (after optional negation) holds
 * @throws AuthenticationFlowException {@code UNKNOWN_USER} when no user is set on the context
 */
@Override
public boolean matchCondition(AuthenticationFlowContext context) {
    Map<String, String> cfg = context.getAuthenticatorConfig().getConfig();
    String configuredName = cfg.get(ConditionalUserAttributeValueFactory.CONF_ATTRIBUTE_NAME);
    String configuredValue = cfg.get(ConditionalUserAttributeValueFactory.CONF_ATTRIBUTE_EXPECTED_VALUE);
    boolean negate = Boolean.parseBoolean(cfg.get(ConditionalUserAttributeValueFactory.CONF_NOT));

    UserModel user = context.getUser();
    if (user == null) {
        throw new AuthenticationFlowException("authenticator: " + ConditionalUserAttributeValueFactory.PROVIDER_ID, AuthenticationFlowError.UNKNOWN_USER);
    }

    // Objects.equals keeps a null expected value from throwing.
    boolean hasValue = user.getAttributeStream(configuredName)
            .anyMatch(value -> Objects.equals(configuredValue, value));

    // XOR flips the result exactly when the "not" option is enabled.
    return negate ^ hasValue;
}