use of org.keycloak.authentication.AuthenticationProcessor in project keycloak by keycloak.
the class ClientRegistrationAuth method authenticatePublicClient.
/**
 * Verifies that the caller is allowed to act on behalf of {@code client}.
 *
 * <p>A {@code null} client is rejected with {@code false}. A public client carries no credential, so it is
 * accepted without running client authentication. For a confidential client the realm's client
 * authentication flow is executed, and the request is accepted only when it authenticates as exactly the
 * same client id as {@code client}.
 *
 * @param client the client the caller claims to be
 * @return {@code false} if {@code client} is {@code null}, {@code true} once the caller is authenticated for it
 * @throws RuntimeException the exception built by {@code unauthorized(...)} when client authentication fails,
 *         yields no client, or yields a different client than {@code client}; an {@code Errors.NOT_ALLOWED}
 *         event is recorded first in each of those cases
 */
private boolean authenticatePublicClient(ClientModel client) {
    if (client == null) {
        return false;
    }
    // Public clients have nothing to authenticate with, so no flow is run for them.
    if (client.isPublicClient()) {
        return true;
    }

    AuthenticationProcessor authenticationProcessor = AuthorizeClientUtil.getAuthenticationProcessor(session, event);
    Response challenge = authenticationProcessor.authenticateClient();

    // Work out why (if at all) the caller must be rejected before recording the event and throwing once.
    ClientModel authenticatedClient = null;
    String failureReason;
    if (challenge != null) {
        failureReason = "Failed to authenticate client";
    } else {
        authenticatedClient = authenticationProcessor.getClient();
        if (authenticatedClient == null) {
            failureReason = "No client authenticated";
        } else if (!authenticatedClient.getClientId().equals(client.getClientId())) {
            // The authenticated identity must be the client being acted on, not merely some valid client.
            failureReason = "Different client authenticated";
        } else {
            failureReason = null;
        }
    }

    if (failureReason != null) {
        event.client(client.getClientId()).error(Errors.NOT_ALLOWED);
        throw unauthorized(failureReason);
    }

    checkClientProtocol(authenticatedClient);
    return true;
}
use of org.keycloak.authentication.AuthenticationProcessor in project keycloak by keycloak.
the class AuthorizeClientUtil method getAuthenticationProcessor.
/**
 * Builds an {@link AuthenticationProcessor} configured to run the current realm's client authentication flow.
 *
 * <p>The realm, connection, URI info and HTTP request are all taken from {@code session.getContext()}.
 *
 * @param session current session, used to resolve the realm and request context
 * @param event event builder the processor reports into
 * @return a processor ready for {@code authenticateClient()}
 */
public static AuthenticationProcessor getAuthenticationProcessor(KeycloakSession session, EventBuilder event) {
    RealmModel currentRealm = session.getContext().getRealm();
    AuthenticationFlowModel clientAuthenticationFlow = currentRealm.getClientAuthenticationFlow();

    AuthenticationProcessor clientAuthProcessor = new AuthenticationProcessor();
    // Flow selection: the realm-level client authentication flow, not the browser flow.
    clientAuthProcessor.setFlowId(clientAuthenticationFlow.getId());
    clientAuthProcessor.setConnection(session.getContext().getConnection());
    clientAuthProcessor.setEventBuilder(event);
    clientAuthProcessor.setRealm(currentRealm);
    clientAuthProcessor.setSession(session);
    clientAuthProcessor.setUriInfo(session.getContext().getUri());
    clientAuthProcessor.setRequest(session.getContext().getContextObject(HttpRequest.class));
    return clientAuthProcessor;
}
use of org.keycloak.authentication.AuthenticationProcessor in project keycloak by keycloak.
the class AuthorizeClientUtil method authorizeClient.
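/**
 * Runs the realm's client authentication flow for the current request and returns the authenticated client.
 *
 * <p>On success the authenticated client is also stored in the session context. Only clients using the
 * {@code openid-connect} protocol are accepted; a client with no protocol set is treated as
 * {@code openid-connect} after logging a warning.
 *
 * @param session current session
 * @param event event builder used for error reporting
 * @param cors CORS helper, may be {@code null}; when present it is applied to error responses and
 *             configured with the authenticated client's allowed origins
 * @return the authenticated client together with the attributes collected by the client authenticators
 * @throws WebApplicationException carrying the challenge response when client authentication fails
 */
public static ClientAuthResult authorizeClient(KeycloakSession session, EventBuilder event, Cors cors) {
    AuthenticationProcessor processor = getAuthenticationProcessor(session, event);
    Response response = processor.authenticateClient();
    if (response != null) {
        if (cors != null) {
            cors.allowAllOrigins();
            HttpResponse httpResponse = session.getContext().getContextObject(HttpResponse.class);
            cors.build(httpResponse);
        }
        throw new WebApplicationException(response);
    }

    ClientModel client = processor.getClient();
    if (client == null) {
        // cors is optional (see the null checks above and below); dereferencing it unguarded here would turn
        // an "authentication ended without a client" condition into a NullPointerException.
        Cors errorCors = cors != null ? cors.allowAllOrigins() : null;
        throwErrorResponseException(Errors.INVALID_CLIENT, "Client authentication ended, but client is null", Response.Status.BAD_REQUEST, errorCors);
    }

    if (cors != null) {
        cors.allowedOrigins(session, client);
    }

    String protocol = client.getProtocol();
    if (protocol == null) {
        logger.warnf("Client '%s' doesn't have protocol set. Fallback to openid-connect. Please fix client configuration", client.getClientId());
        protocol = OIDCLoginProtocol.LOGIN_PROTOCOL;
    }
    if (!OIDCLoginProtocol.LOGIN_PROTOCOL.equals(protocol)) {
        event.error(Errors.INVALID_CLIENT);
        throwErrorResponseException(Errors.INVALID_CLIENT, "Wrong client protocol.", Response.Status.BAD_REQUEST, cors);
    }

    session.getContext().setClient(client);
    return new ClientAuthResult(client, processor.getClientAuthAttributes());
}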
use of org.keycloak.authentication.AuthenticationProcessor in project keycloak by keycloak.
the class AuthorizationEndpointBase method handleBrowserAuthenticationRequest.
/**
 * Common entry point for handling a browser authentication request, shared by all protocols.
 *
 * <p>In the non-passive case the restart-login cookie is set and the browser flow is either started inline
 * or reached via a redirect. In the passive case the flow is run without user interaction: any
 * authenticator challenge or pending required action cancels the login with a protocol-specific error,
 * except that a challenge on a request already forwarded with {@code prompt=none}
 * ({@code FORWARDED_PASSIVE_LOGIN}) is returned to the browser as-is.
 *
 * @param authSession authentication session of the current request
 * @param protocol handler for the protocol that initiated the login
 * @param isPassive true if the login must be passive, i.e. no login screen may be shown
 * @param redirectToAuthentication if true, redirect to the flow URL instead of running the flow inline; usually
 *        wanted when the protocol's initial call was a POST, so that the browser back button can be disabled
 * @return response to be returned to the browser
 */
protected Response handleBrowserAuthenticationRequest(AuthenticationSessionModel authSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication) {
    AuthenticationFlowModel browserFlow = getAuthenticationFlow(authSession);
    AuthenticationProcessor processor = createProcessor(authSession, browserFlow.getId(), LoginActionsService.AUTHENTICATE_PATH);
    event.detail(Details.CODE_ID, authSession.getParentSession().getId());

    if (!isPassive) {
        try {
            RestartLoginCookie.setRestartCookie(session, realm, clientConnection, session.getContext().getUri(), authSession);
            return redirectToAuthentication ? processor.redirectToFlow() : processor.authenticate();
        } catch (Exception e) {
            return processor.handleBrowserException(e);
        }
    }

    // Passive login: the login is cancelled as soon as any authenticator or required action would need the user.
    try {
        Response challenge = processor.authenticateOnly();
        if (challenge != null) {
            boolean forwardedPassiveLogin = "true".equals(authSession.getAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN));
            if (!forwardedPassiveLogin) {
                return protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED);
            }
            // KEYCLOAK-8043: forward the request with prompt=none to the default provider.
            RestartLoginCookie.setRestartCookie(session, realm, clientConnection, session.getContext().getUri(), authSession);
            if (redirectToAuthentication) {
                return processor.redirectToFlow();
            }
            // No need to run authenticate(); the challenge from authenticateOnly() is the response.
            return challenge;
        }
        // No challenge: the user is already authenticated.
        AuthenticationManager.setClientScopesInSession(authSession);
        if (processor.nextRequiredAction() != null) {
            return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED);
        }
    } catch (Exception e) {
        return processor.handleBrowserException(e);
    }
    // Deliberately outside the try block, as in the original control flow.
    return processor.finishAuthentication(protocol);
}
use of org.keycloak.authentication.AuthenticationProcessor in project keycloak by keycloak.
the class AuthorizationEndpointBase method createProcessor.
/**
 * Creates an {@link AuthenticationProcessor} for running a browser flow against {@code authSession}.
 *
 * <p>The processor is wired to this endpoint's connection, event builder, realm, session and HTTP request,
 * and the session is marked with {@code flowPath} as its current flow path.
 *
 * @param authSession authentication session the flow runs in
 * @param flowId id of the authentication flow to execute
 * @param flowPath path of the flow, recorded in the session as {@code CURRENT_FLOW_PATH}
 * @return the configured processor
 */
protected AuthenticationProcessor createProcessor(AuthenticationSessionModel authSession, String flowId, String flowPath) {
    AuthenticationProcessor browserProcessor = new AuthenticationProcessor();

    // What to run.
    browserProcessor.setAuthenticationSession(authSession);
    browserProcessor.setFlowPath(flowPath);
    browserProcessor.setFlowId(flowId);
    browserProcessor.setBrowserFlow(true);

    // Where it runs.
    browserProcessor.setConnection(clientConnection);
    browserProcessor.setEventBuilder(event);
    browserProcessor.setRealm(realm);
    browserProcessor.setSession(session);
    browserProcessor.setUriInfo(session.getContext().getUri());
    browserProcessor.setRequest(httpRequest);

    authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath);
    return browserProcessor;
}