
Example 41 with AuthenticationExecutionModel

use of org.keycloak.models.AuthenticationExecutionModel in project keycloak by keycloak.

the class DefaultAuthenticationFlows method browserFlow.

/**
 * Creates the built-in browser authentication flow in {@code realm} and registers it as the
 * realm's browser flow.
 *
 * <p>Top-level executions in priority order: the identity-cookie authenticator (ALTERNATIVE), the
 * Kerberos/SPNEGO authenticator (DISABLED, or ALTERNATIVE when {@code migrate} is set and
 * {@code hasCredentialType} reports the Kerberos required credential), whatever
 * {@code addIdentityProviderAuthenticator(realm, null)} registers, and the "forms" sub-flow
 * (ALTERNATIVE). The forms sub-flow requires the username/password form and then the
 * "Browser - Conditional OTP" sub-flow, which is CONDITIONAL unless {@code migrate} is set and the
 * realm has the TOTP required credential, in which case it is REQUIRED.
 *
 * @param realm   realm that receives the flows, sub-flows and executions
 * @param migrate {@code true} when an existing realm is being migrated, so that its required
 *                credentials decide the SPNEGO and OTP requirements
 */
public static void browserFlow(RealmModel realm, boolean migrate) {
    AuthenticationFlowModel browserFlow = new AuthenticationFlowModel();
    browserFlow.setTopLevel(true);
    browserFlow.setBuiltIn(true);
    browserFlow.setAlias(BROWSER_FLOW);
    browserFlow.setDescription("browser based authentication");
    browserFlow.setProviderId("basic-flow");
    browserFlow = realm.addAuthenticationFlow(browserFlow);
    realm.setBrowserFlow(browserFlow);
    final String browserFlowId = browserFlow.getId();

    // 10: existing SSO session via the identity cookie.
    AuthenticationExecutionModel cookieExecution = new AuthenticationExecutionModel();
    cookieExecution.setParentFlow(browserFlowId);
    cookieExecution.setAuthenticator("auth-cookie");
    cookieExecution.setPriority(10);
    cookieExecution.setAuthenticatorFlow(false);
    cookieExecution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    realm.addAuthenticatorExecution(cookieExecution);

    // 20: Kerberos stays off unless a migrated realm already required that credential type.
    boolean kerberosRequiredCredential =
            migrate && hasCredentialType(realm, RequiredCredentialModel.KERBEROS.getType());
    AuthenticationExecutionModel spnegoExecution = new AuthenticationExecutionModel();
    spnegoExecution.setParentFlow(browserFlowId);
    spnegoExecution.setAuthenticator("auth-spnego");
    spnegoExecution.setPriority(20);
    spnegoExecution.setAuthenticatorFlow(false);
    spnegoExecution.setRequirement(kerberosRequiredCredential
            ? AuthenticationExecutionModel.Requirement.ALTERNATIVE
            : AuthenticationExecutionModel.Requirement.DISABLED);
    realm.addAuthenticatorExecution(spnegoExecution);

    addIdentityProviderAuthenticator(realm, null);

    // 30: the interactive "forms" sub-flow.
    AuthenticationFlowModel formsFlow = new AuthenticationFlowModel();
    formsFlow.setTopLevel(false);
    formsFlow.setBuiltIn(true);
    formsFlow.setAlias(LOGIN_FORMS_FLOW);
    formsFlow.setDescription("Username, password, otp and other auth forms.");
    formsFlow.setProviderId("basic-flow");
    formsFlow = realm.addAuthenticationFlow(formsFlow);
    final String formsFlowId = formsFlow.getId();

    AuthenticationExecutionModel formsExecution = new AuthenticationExecutionModel();
    formsExecution.setParentFlow(browserFlowId);
    formsExecution.setFlowId(formsFlowId);
    formsExecution.setPriority(30);
    formsExecution.setAuthenticatorFlow(true);
    formsExecution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    realm.addAuthenticatorExecution(formsExecution);

    // forms/10: username + password form.
    AuthenticationExecutionModel passwordExecution = new AuthenticationExecutionModel();
    passwordExecution.setParentFlow(formsFlowId);
    passwordExecution.setAuthenticator("auth-username-password-form");
    passwordExecution.setPriority(10);
    passwordExecution.setAuthenticatorFlow(false);
    passwordExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    realm.addAuthenticatorExecution(passwordExecution);

    // forms/20: conditional OTP sub-flow.
    AuthenticationFlowModel otpFlow = new AuthenticationFlowModel();
    otpFlow.setTopLevel(false);
    otpFlow.setBuiltIn(true);
    otpFlow.setAlias("Browser - Conditional OTP");
    otpFlow.setDescription("Flow to determine if the OTP is required for the authentication");
    otpFlow.setProviderId("basic-flow");
    otpFlow = realm.addAuthenticationFlow(otpFlow);
    final String otpFlowId = otpFlow.getId();

    // A migrated realm that required TOTP keeps OTP mandatory instead of conditional.
    boolean totpRequiredCredential =
            migrate && hasCredentialType(realm, RequiredCredentialModel.TOTP.getType());
    AuthenticationExecutionModel otpFlowExecution = new AuthenticationExecutionModel();
    otpFlowExecution.setParentFlow(formsFlowId);
    otpFlowExecution.setFlowId(otpFlowId);
    otpFlowExecution.setPriority(20);
    otpFlowExecution.setAuthenticatorFlow(true);
    otpFlowExecution.setRequirement(totpRequiredCredential
            ? AuthenticationExecutionModel.Requirement.REQUIRED
            : AuthenticationExecutionModel.Requirement.CONDITIONAL);
    realm.addAuthenticatorExecution(otpFlowExecution);

    // otp/10: condition authenticator (presumably checks the user has OTP configured — verify).
    AuthenticationExecutionModel userConfiguredCondition = new AuthenticationExecutionModel();
    userConfiguredCondition.setParentFlow(otpFlowId);
    userConfiguredCondition.setAuthenticator("conditional-user-configured");
    userConfiguredCondition.setPriority(10);
    userConfiguredCondition.setAuthenticatorFlow(false);
    userConfiguredCondition.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    realm.addAuthenticatorExecution(userConfiguredCondition);

    // otp/20: the OTP form itself.
    AuthenticationExecutionModel otpFormExecution = new AuthenticationExecutionModel();
    otpFormExecution.setParentFlow(otpFlowId);
    otpFormExecution.setAuthenticator("auth-otp-form");
    otpFormExecution.setPriority(20);
    otpFormExecution.setAuthenticatorFlow(false);
    otpFormExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    realm.addAuthenticatorExecution(otpFormExecution);
}

Example 42 with AuthenticationExecutionModel

use of org.keycloak.models.AuthenticationExecutionModel in project keycloak by keycloak.

the class DefaultAuthenticationFlows method samlEcpProfile.

/**
 * Creates the built-in SAML ECP profile flow in {@code realm}: one top-level flow whose only
 * execution is the REQUIRED "http-basic-authenticator".
 *
 * @param realm realm that receives the flow and its execution
 */
public static void samlEcpProfile(RealmModel realm) {
    AuthenticationFlowModel ecp = new AuthenticationFlowModel();
    ecp.setTopLevel(true);
    ecp.setBuiltIn(true);
    ecp.setAlias(SAML_ECP_FLOW);
    ecp.setDescription("SAML ECP Profile Authentication Flow");
    ecp.setProviderId("basic-flow");
    ecp = realm.addAuthenticationFlow(ecp);

    // The flow offers HTTP Basic only; no alternative or sub-flow is registered.
    AuthenticationExecutionModel basicAuth = new AuthenticationExecutionModel();
    basicAuth.setParentFlow(ecp.getId());
    basicAuth.setAuthenticator("http-basic-authenticator");
    basicAuth.setPriority(10);
    basicAuth.setAuthenticatorFlow(false);
    basicAuth.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    realm.addAuthenticatorExecution(basicAuth);
}

Example 43 with AuthenticationExecutionModel

use of org.keycloak.models.AuthenticationExecutionModel in project keycloak by keycloak.

the class DefaultAuthenticationFlows method clientAuthFlow.

/**
 * Creates the built-in client authentication flow in {@code realm} and registers it as the
 * realm's client authentication flow.
 *
 * <p>Four ALTERNATIVE executions are added with priorities 10 to 40: "client-secret",
 * "client-jwt", "client-secret-jwt" and "client-x509". Since each is ALTERNATIVE, a client is
 * accepted by whichever of these credential types it presents.
 *
 * @param realm realm that receives the flow and its executions
 */
public static void clientAuthFlow(RealmModel realm) {
    AuthenticationFlowModel clientFlow = new AuthenticationFlowModel();
    clientFlow.setTopLevel(true);
    clientFlow.setBuiltIn(true);
    clientFlow.setAlias(CLIENT_AUTHENTICATION_FLOW);
    clientFlow.setDescription("Base authentication for clients");
    clientFlow.setProviderId("client-flow");
    clientFlow = realm.addAuthenticationFlow(clientFlow);
    realm.setClientAuthenticationFlow(clientFlow);
    final String clientFlowId = clientFlow.getId();

    // Array order fixes the priorities: 10, 20, 30, 40.
    final String[] clientAuthenticators = {
        "client-secret", "client-jwt", "client-secret-jwt", "client-x509"
    };
    int priority = 10;
    for (String authenticator : clientAuthenticators) {
        AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
        execution.setParentFlow(clientFlowId);
        execution.setAuthenticator(authenticator);
        execution.setPriority(priority);
        execution.setAuthenticatorFlow(false);
        execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
        realm.addAuthenticatorExecution(execution);
        priority += 10;
    }
}

Example 44 with AuthenticationExecutionModel

use of org.keycloak.models.AuthenticationExecutionModel in project keycloak by keycloak.

the class DefaultAuthenticationFlows method httpChallengeFlow.

/**
 * Creates the built-in HTTP challenge flow in {@code realm}.
 *
 * <p>The top-level flow runs "no-cookie-redirect" (REQUIRED, priority 10) and then the
 * "Authentication Options" sub-flow (REQUIRED, priority 20). Inside that sub-flow only
 * "basic-auth" is REQUIRED; "basic-auth-otp" and "auth-spnego" are created DISABLED, so an
 * administrator has to enable them explicitly.
 *
 * @param realm realm that receives the flow, the sub-flow and their executions
 */
public static void httpChallengeFlow(RealmModel realm) {
    AuthenticationFlowModel challenge = new AuthenticationFlowModel();
    challenge.setTopLevel(true);
    challenge.setBuiltIn(true);
    challenge.setAlias(HTTP_CHALLENGE_FLOW);
    challenge.setDescription("An authentication flow based on challenge-response HTTP Authentication Schemes");
    challenge.setProviderId("basic-flow");
    challenge = realm.addAuthenticationFlow(challenge);
    final String challengeId = challenge.getId();

    // 10: "no-cookie-redirect" authenticator (semantics not visible here).
    AuthenticationExecutionModel redirect = new AuthenticationExecutionModel();
    redirect.setParentFlow(challengeId);
    redirect.setAuthenticator("no-cookie-redirect");
    redirect.setPriority(10);
    redirect.setAuthenticatorFlow(false);
    redirect.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    realm.addAuthenticatorExecution(redirect);

    // 20: the "Authentication Options" sub-flow.
    AuthenticationFlowModel options = new AuthenticationFlowModel();
    options.setTopLevel(false);
    options.setBuiltIn(true);
    options.setAlias("Authentication Options");
    options.setDescription("Authentication options.");
    options.setProviderId("basic-flow");
    options = realm.addAuthenticationFlow(options);
    final String optionsId = options.getId();

    AuthenticationExecutionModel optionsExecution = new AuthenticationExecutionModel();
    optionsExecution.setParentFlow(challengeId);
    optionsExecution.setFlowId(optionsId);
    optionsExecution.setPriority(20);
    optionsExecution.setAuthenticatorFlow(true);
    optionsExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    realm.addAuthenticatorExecution(optionsExecution);

    // Sub-flow members with priorities 10, 20, 30; only the first is enabled by default.
    final String[] optionAuthenticators = {"basic-auth", "basic-auth-otp", "auth-spnego"};
    final AuthenticationExecutionModel.Requirement[] optionRequirements = {
        AuthenticationExecutionModel.Requirement.REQUIRED,
        AuthenticationExecutionModel.Requirement.DISABLED,
        AuthenticationExecutionModel.Requirement.DISABLED
    };
    for (int i = 0; i < optionAuthenticators.length; i++) {
        AuthenticationExecutionModel option = new AuthenticationExecutionModel();
        option.setParentFlow(optionsId);
        option.setAuthenticator(optionAuthenticators[i]);
        option.setPriority((i + 1) * 10);
        option.setAuthenticatorFlow(false);
        option.setRequirement(optionRequirements[i]);
        realm.addAuthenticatorExecution(option);
    }
}

Example 45 with AuthenticationExecutionModel

use of org.keycloak.models.AuthenticationExecutionModel in project keycloak by keycloak.

the class DefaultAuthenticationFlows method firstBrokerLoginFlow.

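/**
 * Creates the built-in "first broker login" flow in {@code realm}: the actions run when an
 * identity-provider account that is not yet linked to a Keycloak account logs in.
 *
 * <p>Structure, in priority order:
 * <ul>
 *   <li>"idp-review-profile" (REQUIRED) with a config that sets
 *       {@code update.profile.on.first.login} to {@code UPFLM_MISSING};</li>
 *   <li>"User creation or linking" sub-flow (REQUIRED): "idp-create-user-if-unique"
 *       (ALTERNATIVE, {@code require.password.update.after.registration=false}) or the
 *       "Handle Existing Account" sub-flow (ALTERNATIVE);</li>
 *   <li>inside the latter: "idp-confirm-link" (REQUIRED), then "Account verification options"
 *       (REQUIRED) offering "idp-email-verification" (ALTERNATIVE) or re-authentication
 *       (ALTERNATIVE) via "idp-username-password-form" followed by the
 *       "First broker login - Conditional OTP" sub-flow.</li>
 * </ul>
 *
 * <p>The conditional OTP sub-flow is CONDITIONAL by default. When {@code migrate} is set, the
 * realm's browser flow is inspected and, for every sub-flow of it that contains an
 * "auth-otp-form" execution, that sub-flow's requirement is copied instead (the last match wins).
 *
 * @param realm   realm that receives the flows, sub-flows, authenticator configs and executions
 * @param migrate {@code true} when an existing realm is being migrated and its browser flow
 *                should decide the OTP requirement
 */
public static void firstBrokerLoginFlow(RealmModel realm, boolean migrate) {
    AuthenticationFlowModel firstBrokerLogin = new AuthenticationFlowModel();
    firstBrokerLogin.setAlias(FIRST_BROKER_LOGIN_FLOW);
    firstBrokerLogin.setDescription("Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account");
    firstBrokerLogin.setProviderId("basic-flow");
    firstBrokerLogin.setTopLevel(true);
    firstBrokerLogin.setBuiltIn(true);
    firstBrokerLogin = realm.addAuthenticationFlow(firstBrokerLogin);

    // 10: review profile, only prompting for attributes the provider did not supply.
    AuthenticatorConfigModel reviewProfileConfig = new AuthenticatorConfigModel();
    reviewProfileConfig.setAlias(IDP_REVIEW_PROFILE_CONFIG_ALIAS);
    Map<String, String> reviewProfileSettings = new HashMap<>();
    reviewProfileSettings.put("update.profile.on.first.login", IdentityProviderRepresentation.UPFLM_MISSING);
    reviewProfileConfig.setConfig(reviewProfileSettings);
    reviewProfileConfig = realm.addAuthenticatorConfig(reviewProfileConfig);

    AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
    execution.setParentFlow(firstBrokerLogin.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("idp-review-profile");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    execution.setAuthenticatorConfig(reviewProfileConfig.getId());
    realm.addAuthenticatorExecution(execution);

    // 20: create a new user or link to an existing one.
    AuthenticationFlowModel uniqueOrExistingFlow = new AuthenticationFlowModel();
    uniqueOrExistingFlow.setTopLevel(false);
    uniqueOrExistingFlow.setBuiltIn(true);
    uniqueOrExistingFlow.setAlias("User creation or linking");
    uniqueOrExistingFlow.setDescription("Flow for the existing/non-existing user alternatives");
    uniqueOrExistingFlow.setProviderId("basic-flow");
    uniqueOrExistingFlow = realm.addAuthenticationFlow(uniqueOrExistingFlow);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(firstBrokerLogin.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setFlowId(uniqueOrExistingFlow.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);

    AuthenticatorConfigModel createUserIfUniqueConfig = new AuthenticatorConfigModel();
    createUserIfUniqueConfig.setAlias(IDP_CREATE_UNIQUE_USER_CONFIG_ALIAS);
    Map<String, String> createUserSettings = new HashMap<>();
    createUserSettings.put("require.password.update.after.registration", "false");
    createUserIfUniqueConfig.setConfig(createUserSettings);
    createUserIfUniqueConfig = realm.addAuthenticatorConfig(createUserIfUniqueConfig);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(uniqueOrExistingFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setAuthenticator("idp-create-user-if-unique");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    execution.setAuthenticatorConfig(createUserIfUniqueConfig.getId());
    realm.addAuthenticatorExecution(execution);

    // Existing-account path: the user must confirm the link and then prove ownership.
    AuthenticationFlowModel linkExistingAccountFlow = new AuthenticationFlowModel();
    linkExistingAccountFlow.setTopLevel(false);
    linkExistingAccountFlow.setBuiltIn(true);
    linkExistingAccountFlow.setAlias(FIRST_BROKER_LOGIN_HANDLE_EXISTING_SUBFLOW);
    linkExistingAccountFlow.setDescription("Handle what to do if there is existing account with same email/username like authenticated identity provider");
    linkExistingAccountFlow.setProviderId("basic-flow");
    linkExistingAccountFlow = realm.addAuthenticationFlow(linkExistingAccountFlow);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(uniqueOrExistingFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setFlowId(linkExistingAccountFlow.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(linkExistingAccountFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("idp-confirm-link");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);

    // Ownership proof: e-mail verification or re-authentication with existing credentials.
    AuthenticationFlowModel accountVerificationOptions = new AuthenticationFlowModel();
    accountVerificationOptions.setTopLevel(false);
    accountVerificationOptions.setBuiltIn(true);
    accountVerificationOptions.setAlias("Account verification options");
    accountVerificationOptions.setDescription("Method with which to verity the existing account");
    accountVerificationOptions.setProviderId("basic-flow");
    accountVerificationOptions = realm.addAuthenticationFlow(accountVerificationOptions);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(linkExistingAccountFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setFlowId(accountVerificationOptions.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(accountVerificationOptions.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setAuthenticator("idp-email-verification");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);

    AuthenticationFlowModel verifyByReauthenticationAccountFlow = new AuthenticationFlowModel();
    verifyByReauthenticationAccountFlow.setTopLevel(false);
    verifyByReauthenticationAccountFlow.setBuiltIn(true);
    verifyByReauthenticationAccountFlow.setAlias("Verify Existing Account by Re-authentication");
    verifyByReauthenticationAccountFlow.setDescription("Reauthentication of existing account");
    verifyByReauthenticationAccountFlow.setProviderId("basic-flow");
    verifyByReauthenticationAccountFlow = realm.addAuthenticationFlow(verifyByReauthenticationAccountFlow);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(accountVerificationOptions.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setFlowId(verifyByReauthenticationAccountFlow.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);

    // password + otp
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(verifyByReauthenticationAccountFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("idp-username-password-form");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);

    AuthenticationFlowModel conditionalOTP = new AuthenticationFlowModel();
    conditionalOTP.setTopLevel(false);
    conditionalOTP.setBuiltIn(true);
    conditionalOTP.setAlias("First broker login - Conditional OTP");
    conditionalOTP.setDescription("Flow to determine if the OTP is required for the authentication");
    conditionalOTP.setProviderId("basic-flow");
    conditionalOTP = realm.addAuthenticationFlow(conditionalOTP);

    AuthenticationExecutionModel.Requirement otpRequirement =
            AuthenticationExecutionModel.Requirement.CONDITIONAL;
    if (migrate) {
        // Try to read OTP requirement from browser flow
        AuthenticationFlowModel browserFlow = realm.getBrowserFlow();
        if (browserFlow == null) {
            browserFlow = realm.getFlowByAlias(DefaultAuthenticationFlows.BROWSER_FLOW);
        }
        // A realm with no browser flow at all has nothing to copy; keep the CONDITIONAL default.
        if (browserFlow != null) {
            List<AuthenticationExecutionModel> browserExecutions = new LinkedList<>();
            KeycloakModelUtils.deepFindAuthenticationExecutions(realm, browserFlow, browserExecutions);
            for (AuthenticationExecutionModel browserExecution : browserExecutions) {
                if (!browserExecution.isAuthenticatorFlow()) {
                    continue;
                }
                // Sub-flow executions in this file get a flow id but no authenticator, so
                // getAuthenticator() may be null; the constant goes first to avoid an NPE on
                // nested sub-flows (e.g. a forms flow that itself contains a conditional OTP flow).
                boolean containsOtpForm = realm.getAuthenticationExecutionsStream(browserExecution.getFlowId())
                        .anyMatch(e -> "auth-otp-form".equals(e.getAuthenticator()));
                if (containsOtpForm) {
                    otpRequirement = browserExecution.getRequirement();
                }
            }
        }
    }

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(verifyByReauthenticationAccountFlow.getId());
    execution.setRequirement(otpRequirement);
    execution.setFlowId(conditionalOTP.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(conditionalOTP.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("conditional-user-configured");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);

    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(conditionalOTP.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("auth-otp-form");
    execution.setPriority(20);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);
}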
