
Example 1 with AuthenticationFlowModel

use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.

From class MapAuthenticationFlowEntity, method toModel.

/**
 * Converts a map-storage flow entity into its {@link AuthenticationFlowModel} view.
 * The entity's nullable {@code Boolean} flags are mapped to {@code false} when absent,
 * so only an explicit {@code TRUE} marks a flow as built-in or top-level.
 *
 * @param entity the stored flow entity to read from
 * @return a new model carrying the entity's id, alias, description, provider id and flags
 */
static AuthenticationFlowModel toModel(MapAuthenticationFlowEntity entity) {
    AuthenticationFlowModel model = new AuthenticationFlowModel();
    model.setId(entity.getId());
    model.setAlias(entity.getAlias());
    // null → false; Boolean.TRUE.equals() is null-safe and avoids unboxing.
    model.setBuiltIn(Boolean.TRUE.equals(entity.isBuiltIn()));
    model.setDescription(entity.getDescription());
    model.setProviderId(entity.getProviderId());
    model.setTopLevel(Boolean.TRUE.equals(entity.isTopLevel()));
    return model;
}

Example 2 with AuthenticationFlowModel

use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.

From class RepresentationToModel, method importAuthenticationFlows.

/**
 * Imports the authenticator configs, authentication flows and executions from a realm
 * representation into {@code newRealm}, then binds the realm-level flows (browser,
 * registration, direct grant, reset credentials, client authentication, docker).
 * <p>
 * Every imported flow receives a freshly generated id; the old-to-new id mapping is
 * returned so that callers can remap client {@code authenticationFlowBindingOverrides}.
 * When the representation carries no flows at all the default flows are migrated instead
 * and the returned map is empty.
 *
 * @param newRealm the realm being populated
 * @param rep the realm representation being imported
 * @return map from each flow id found in {@code rep} to the id that flow received in {@code newRealm}
 * @throws IllegalStateException if an authenticator config in {@code rep} has no alias
 */
public static Map<String, String> importAuthenticationFlows(RealmModel newRealm, RealmRepresentation rep) {
    Map<String, String> mappedFlows = new HashMap<>();
    if (rep.getAuthenticationFlows() == null) {
        // assume this is an old version being imported
        DefaultAuthenticationFlows.migrateFlows(newRealm);
    } else {
        // NOTE(review): rep.getAuthenticatorConfig() is iterated without a null check;
        // confirm the representation always initialises this list when flows are present.
        for (AuthenticatorConfigRepresentation configRep : rep.getAuthenticatorConfig()) {
            if (configRep.getAlias() == null) {
                // this can happen only during import json files from keycloak 3.4.0 and older
                throw new IllegalStateException("Provided realm contains authenticator config with null alias. " + "It should be resolved by adding alias to the authenticator config before exporting the realm.");
            }
            AuthenticatorConfigModel model = toModel(configRep);
            newRealm.addAuthenticatorConfig(model);
        }
        // Pass 1: create every flow first, so that executions added in pass 2 can
        // reference sub-flows regardless of the order they appear in the representation.
        for (AuthenticationFlowRepresentation flowRep : rep.getAuthenticationFlows()) {
            AuthenticationFlowModel model = toModel(flowRep);
            // make sure new id is generated for new AuthenticationFlowModel instance
            String previousId = model.getId();
            model.setId(null);
            model = newRealm.addAuthenticationFlow(model);
            // store the mapped ids so that clients can reference the correct flow when importing the authenticationFlowBindingOverrides
            mappedFlows.put(previousId, model.getId());
        }
        // Pass 2: attach executions, looking the parent flow up by alias.
        for (AuthenticationFlowRepresentation flowRep : rep.getAuthenticationFlows()) {
            AuthenticationFlowModel model = newRealm.getFlowByAlias(flowRep.getAlias());
            for (AuthenticationExecutionExportRepresentation exeRep : flowRep.getAuthenticationExecutions()) {
                AuthenticationExecutionModel execution = toModel(newRealm, model, exeRep);
                newRealm.addAuthenticatorExecution(execution);
            }
        }
    }
    // Realm-level bindings: an unset alias in the representation falls back to the default flow's alias.
    // NOTE(review): getFlowByAlias() returns null for an unknown alias (see the null checks
    // further down for the reset/client flows); for these three bindings a bad alias in the
    // representation would be stored as a null binding rather than rejected — confirm intended.
    if (rep.getBrowserFlow() == null) {
        newRealm.setBrowserFlow(newRealm.getFlowByAlias(DefaultAuthenticationFlows.BROWSER_FLOW));
    } else {
        newRealm.setBrowserFlow(newRealm.getFlowByAlias(rep.getBrowserFlow()));
    }
    if (rep.getRegistrationFlow() == null) {
        newRealm.setRegistrationFlow(newRealm.getFlowByAlias(DefaultAuthenticationFlows.REGISTRATION_FLOW));
    } else {
        newRealm.setRegistrationFlow(newRealm.getFlowByAlias(rep.getRegistrationFlow()));
    }
    if (rep.getDirectGrantFlow() == null) {
        newRealm.setDirectGrantFlow(newRealm.getFlowByAlias(DefaultAuthenticationFlows.DIRECT_GRANT_FLOW));
    } else {
        newRealm.setDirectGrantFlow(newRealm.getFlowByAlias(rep.getDirectGrantFlow()));
    }
    // reset credentials + client flow needs to be more defensive as they were added later (in 1.5 )
    // If the default flow is missing it is created (and bound) by DefaultAuthenticationFlows.
    if (rep.getResetCredentialsFlow() == null) {
        AuthenticationFlowModel resetFlow = newRealm.getFlowByAlias(DefaultAuthenticationFlows.RESET_CREDENTIALS_FLOW);
        if (resetFlow == null) {
            DefaultAuthenticationFlows.resetCredentialsFlow(newRealm);
        } else {
            newRealm.setResetCredentialsFlow(resetFlow);
        }
    } else {
        newRealm.setResetCredentialsFlow(newRealm.getFlowByAlias(rep.getResetCredentialsFlow()));
    }
    if (rep.getClientAuthenticationFlow() == null) {
        AuthenticationFlowModel clientFlow = newRealm.getFlowByAlias(DefaultAuthenticationFlows.CLIENT_AUTHENTICATION_FLOW);
        if (clientFlow == null) {
            DefaultAuthenticationFlows.clientAuthFlow(newRealm);
        } else {
            newRealm.setClientAuthenticationFlow(clientFlow);
        }
    } else {
        newRealm.setClientAuthenticationFlow(newRealm.getFlowByAlias(rep.getClientAuthenticationFlow()));
    }
    // Added in 1.7
    if (newRealm.getFlowByAlias(DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_FLOW) == null) {
        DefaultAuthenticationFlows.firstBrokerLoginFlow(newRealm, true);
    }
    // Added in 2.2
    // The first enabled identity provider flagged authenticateByDefault (if any) is handed to
    // addIdentityProviderAuthenticator below; null means no default provider.
    String defaultProvider = null;
    if (rep.getIdentityProviders() != null) {
        for (IdentityProviderRepresentation i : rep.getIdentityProviders()) {
            if (i.isEnabled() && i.isAuthenticateByDefault()) {
                defaultProvider = i.getProviderId();
                break;
            }
        }
    }
    // Added in 3.2
    if (rep.getDockerAuthenticationFlow() == null) {
        AuthenticationFlowModel dockerAuthenticationFlow = newRealm.getFlowByAlias(DefaultAuthenticationFlows.DOCKER_AUTH);
        if (dockerAuthenticationFlow == null) {
            DefaultAuthenticationFlows.dockerAuthenticationFlow(newRealm);
        } else {
            newRealm.setDockerAuthenticationFlow(dockerAuthenticationFlow);
        }
    } else {
        newRealm.setDockerAuthenticationFlow(newRealm.getFlowByAlias(rep.getDockerAuthenticationFlow()));
    }
    DefaultAuthenticationFlows.addIdentityProviderAuthenticator(newRealm, defaultProvider);
    return mappedFlows;
}

Example 3 with AuthenticationFlowModel

use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.

From class RepresentationToModel, method toModel.

/**
 * Builds an {@link IdentityProviderModel} from its REST representation.
 * <p>
 * The provider factory is looked up first as a plain {@code IdentityProvider} and then as a
 * {@code SocialIdentityProvider}; the factory creates the provider-specific config object,
 * which is then populated from the representation. The first-broker-login flow alias
 * defaults to {@code DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_FLOW} when unset, whereas a
 * blank post-broker-login alias means "no post-broker flow". Both aliases must resolve to an
 * existing flow in {@code realm}; the result is validated by the model before being returned.
 *
 * @param realm the realm the provider belongs to (used to resolve flow aliases and validate)
 * @param representation the incoming representation
 * @param session the session used to look up the provider factory
 * @return the populated and validated provider model
 * @throws IllegalArgumentException if no factory is registered for the representation's provider id
 * @throws ModelException if a referenced flow alias does not exist in {@code realm}
 */
public static IdentityProviderModel toModel(RealmModel realm, IdentityProviderRepresentation representation, KeycloakSession session) {
    String providerId = representation.getProviderId();
    IdentityProviderFactory providerFactory = (IdentityProviderFactory) session.getKeycloakSessionFactory()
            .getProviderFactory(IdentityProvider.class, providerId);
    if (providerFactory == null) {
        // Social providers are registered under a separate SPI type; try that second.
        providerFactory = (IdentityProviderFactory) session.getKeycloakSessionFactory()
                .getProviderFactory(SocialIdentityProvider.class, providerId);
    }
    if (providerFactory == null) {
        throw new IllegalArgumentException("Invalid identity provider id [" + providerId + "]");
    }

    IdentityProviderModel identityProviderModel = providerFactory.createConfig();
    identityProviderModel.setInternalId(representation.getInternalId());
    identityProviderModel.setAlias(representation.getAlias());
    identityProviderModel.setDisplayName(representation.getDisplayName());
    identityProviderModel.setProviderId(providerId);
    identityProviderModel.setEnabled(representation.isEnabled());
    identityProviderModel.setLinkOnly(representation.isLinkOnly());
    identityProviderModel.setTrustEmail(representation.isTrustEmail());
    identityProviderModel.setAuthenticateByDefault(representation.isAuthenticateByDefault());
    identityProviderModel.setStoreToken(representation.isStoreToken());
    identityProviderModel.setAddReadTokenRoleOnCreate(representation.isAddReadTokenRoleOnCreate());
    // Empty-string config values are dropped rather than stored.
    identityProviderModel.setConfig(removeEmptyString(representation.getConfig()));

    // First-broker-login flow: mandatory, falls back to the realm default alias.
    String firstBrokerAlias = representation.getFirstBrokerLoginFlowAlias();
    if (firstBrokerAlias == null) {
        firstBrokerAlias = DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_FLOW;
    }
    AuthenticationFlowModel firstBrokerFlow = realm.getFlowByAlias(firstBrokerAlias);
    if (firstBrokerFlow == null) {
        throw new ModelException("No available authentication flow with alias: " + firstBrokerAlias);
    }
    identityProviderModel.setFirstBrokerLoginFlowId(firstBrokerFlow.getId());

    // Post-broker-login flow: optional; null or whitespace-only alias clears the binding.
    String postBrokerAlias = representation.getPostBrokerLoginFlowAlias();
    boolean postBrokerUnset = postBrokerAlias == null || postBrokerAlias.trim().isEmpty();
    if (postBrokerUnset) {
        identityProviderModel.setPostBrokerLoginFlowId(null);
    } else {
        AuthenticationFlowModel postBrokerFlow = realm.getFlowByAlias(postBrokerAlias);
        if (postBrokerFlow == null) {
            throw new ModelException("No available authentication flow with alias: " + postBrokerAlias);
        }
        identityProviderModel.setPostBrokerLoginFlowId(postBrokerFlow.getId());
    }

    identityProviderModel.validate(realm);
    return identityProviderModel;
}

Example 4 with AuthenticationFlowModel

use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.

From class AuthenticationFlowResolver, method resolveDirectGrantFlow.

/**
 * Resolves the direct-grant authentication flow for the client of an authentication session.
 * <p>
 * A per-client binding override (keyed by {@code AuthenticationFlowBindings.DIRECT_GRANT_BINDING})
 * takes precedence over the realm-wide direct grant flow. An override that points at a
 * non-existent flow is treated as a configuration error rather than silently falling back.
 *
 * @param authSession the session whose client and realm determine the flow
 * @return the client's overriding flow if one is bound, otherwise the realm's direct grant flow
 * @throws ModelException if the client's override references a flow id that does not exist
 */
public static AuthenticationFlowModel resolveDirectGrantFlow(AuthenticationSessionModel authSession) {
    ClientModel client = authSession.getClient();
    String overrideFlowId = client.getAuthenticationFlowBindingOverride(AuthenticationFlowBindings.DIRECT_GRANT_BINDING);
    if (overrideFlowId == null) {
        // No client-specific binding: use the realm default.
        return authSession.getRealm().getDirectGrantFlow();
    }
    AuthenticationFlowModel overrideFlow = authSession.getRealm().getAuthenticationFlowById(overrideFlowId);
    if (overrideFlow == null) {
        throw new ModelException("Client " + client.getClientId() + " has direct grant flow override, but this flow does not exist");
    }
    return overrideFlow;
}

Example 5 with AuthenticationFlowModel

use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.

From class DefaultAuthenticationFlows, method resetCredentialsFlow.

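/**
 * Creates the built-in "reset credentials" flow in {@code realm} and binds it as the realm's
 * reset-credentials flow.
 * <p>
 * The top-level flow consists of, in priority order: choose user (10), send e-mail (20),
 * reset password (30), and a CONDITIONAL sub-flow "Reset - Conditional OTP" (40). The sub-flow
 * holds {@code conditional-user-configured} (10) and {@code reset-otp} (20); presumably the
 * condition restricts the OTP reset step to users who have an OTP credential configured.
 * All leaf executions are REQUIRED and are added through {@link #addResetExecution}.
 *
 * @param realm the realm to add the flow, its sub-flow and their executions to
 */
public static void resetCredentialsFlow(RealmModel realm) {
    AuthenticationFlowModel reset = new AuthenticationFlowModel();
    reset.setAlias(RESET_CREDENTIALS_FLOW);
    reset.setDescription("Reset credentials for a user if they forgot their password or something");
    reset.setProviderId("basic-flow");
    reset.setTopLevel(true);
    reset.setBuiltIn(true);
    // addAuthenticationFlow returns the persisted instance (with its id); use that from here on.
    reset = realm.addAuthenticationFlow(reset);
    realm.setResetCredentialsFlow(reset);

    // username
    addResetExecution(realm, reset.getId(), "reset-credentials-choose-user", 10);
    // send email
    addResetExecution(realm, reset.getId(), "reset-credential-email", 20);
    // password
    addResetExecution(realm, reset.getId(), "reset-password", 30);

    // Nested sub-flow for the OTP step.
    AuthenticationFlowModel conditionalOTP = new AuthenticationFlowModel();
    conditionalOTP.setTopLevel(false);
    conditionalOTP.setBuiltIn(true);
    conditionalOTP.setAlias("Reset - Conditional OTP");
    conditionalOTP.setDescription("Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.");
    conditionalOTP.setProviderId("basic-flow");
    conditionalOTP = realm.addAuthenticationFlow(conditionalOTP);

    // The execution that links the sub-flow into the parent: no authenticator, flow id instead.
    AuthenticationExecutionModel subFlowExecution = new AuthenticationExecutionModel();
    subFlowExecution.setParentFlow(reset.getId());
    subFlowExecution.setRequirement(AuthenticationExecutionModel.Requirement.CONDITIONAL);
    subFlowExecution.setFlowId(conditionalOTP.getId());
    subFlowExecution.setPriority(40);
    subFlowExecution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(subFlowExecution);

    addResetExecution(realm, conditionalOTP.getId(), "conditional-user-configured", 10);
    addResetExecution(realm, conditionalOTP.getId(), "reset-otp", 20);
}

/**
 * Adds a REQUIRED, non-flow authenticator execution to a flow.
 *
 * @param realm the realm that owns the flow
 * @param parentFlowId id of the flow the execution is attached to
 * @param authenticator provider id of the authenticator to run
 * @param priority ordering of the execution within its flow (lower runs first)
 */
private static void addResetExecution(RealmModel realm, String parentFlowId, String authenticator, int priority) {
    AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
    execution.setParentFlow(parentFlowId);
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator(authenticator);
    execution.setPriority(priority);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);
}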
