Example 1 with SPNEGOAuthenticator

Use of org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator in project keycloak by keycloak.

Class LDAPStorageProvider, method authenticate.

@Override
public CredentialValidationOutput authenticate(RealmModel realm, CredentialInput cred) {
    if (!(cred instanceof UserCredentialModel))
        return CredentialValidationOutput.failed(); // without the return, the cast below would throw ClassCastException instead of failing cleanly
    UserCredentialModel credential = (UserCredentialModel) cred;
    if (credential.getType().equals(UserCredentialModel.KERBEROS)) {
        if (kerberosConfig.isAllowKerberosAuthentication()) {
            String spnegoToken = credential.getChallengeResponse();
            SPNEGOAuthenticator spnegoAuthenticator = factory.createSPNEGOAuthenticator(spnegoToken, kerberosConfig);
            spnegoAuthenticator.authenticate();
            Map<String, String> state = new HashMap<String, String>();
            if (spnegoAuthenticator.isAuthenticated()) {
                // TODO: This assumes that LDAP "uid" is equal to kerberos principal name. Like uid "hnelson" and kerberos principal "hnelson@KEYCLOAK.ORG".
                // Check if it's correct or if LDAP attribute for mapping kerberos principal should be available (For ApacheDS it seems to be attribute "krb5PrincipalName" but on MSAD it's likely different)
                String username = spnegoAuthenticator.getAuthenticatedUsername();
                UserModel user = findOrCreateAuthenticatedUser(realm, username);
                if (user == null) {
                    logger.warnf("Kerberos/SPNEGO authentication succeeded with username [%s], but couldn't find or create user with federation provider [%s]", username, model.getName());
                    return CredentialValidationOutput.failed();
                } else {
                    String delegationCredential = spnegoAuthenticator.getSerializedDelegationCredential();
                    if (delegationCredential != null) {
                        state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
                    }
                    return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
                }
            } else if (spnegoAuthenticator.getResponseToken() != null) {
                // Case when SPNEGO handshake requires multiple steps
                logger.tracef("SPNEGO Handshake will continue");
                state.put(KerberosConstants.RESPONSE_TOKEN, spnegoAuthenticator.getResponseToken());
                return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, state);
            } else {
                logger.tracef("SPNEGO Handshake not successful");
                return CredentialValidationOutput.failed();
            }
        }
    }
    return CredentialValidationOutput.failed();
}
Also used: CachedUserModel(org.keycloak.models.cache.CachedUserModel) UserModel(org.keycloak.models.UserModel) CredentialValidationOutput(org.keycloak.models.CredentialValidationOutput) HashMap(java.util.HashMap) SPNEGOAuthenticator(org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator) UserCredentialModel(org.keycloak.models.UserCredentialModel)

Example 2 with SPNEGOAuthenticator

Use of org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator in project keycloak by keycloak.

Class KerberosFederationProvider, method authenticate.

@Override
public CredentialValidationOutput authenticate(RealmModel realm, CredentialInput input) {
    if (!(input instanceof UserCredentialModel))
        return null;
    UserCredentialModel credential = (UserCredentialModel) input;
    if (credential.getType().equals(UserCredentialModel.KERBEROS)) {
        String spnegoToken = credential.getChallengeResponse();
        SPNEGOAuthenticator spnegoAuthenticator = factory.createSPNEGOAuthenticator(spnegoToken, kerberosConfig);
        spnegoAuthenticator.authenticate();
        Map<String, String> state = new HashMap<String, String>();
        if (spnegoAuthenticator.isAuthenticated()) {
            String username = spnegoAuthenticator.getAuthenticatedUsername();
            UserModel user = findOrCreateAuthenticatedUser(realm, username);
            if (user == null) {
                return CredentialValidationOutput.failed();
            } else {
                String delegationCredential = spnegoAuthenticator.getSerializedDelegationCredential();
                if (delegationCredential != null) {
                    state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
                }
                return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
            }
        } else if (spnegoAuthenticator.getResponseToken() != null) {
            // Case when SPNEGO handshake requires multiple steps
            logger.tracef("SPNEGO Handshake will continue");
            state.put(KerberosConstants.RESPONSE_TOKEN, spnegoAuthenticator.getResponseToken());
            return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, state);
        } else {
            logger.tracef("SPNEGO Handshake not successful");
            return CredentialValidationOutput.failed();
        }
    } else {
        return null;
    }
}
Also used: UserModel(org.keycloak.models.UserModel) CredentialValidationOutput(org.keycloak.models.CredentialValidationOutput) HashMap(java.util.HashMap) SPNEGOAuthenticator(org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator) UserCredentialModel(org.keycloak.models.UserCredentialModel)
