

the class DefaultAuthenticationFlows method browserFlow.

/**
 * Installs the built-in "browser" flow and binds it as the realm's browser flow.
 *
 * <p>The top-level steps are all ALTERNATIVE, so the first one that succeeds (in
 * priority order) authenticates the user:
 * <ol>
 *   <li>{@code auth-cookie} (10) – an existing SSO session cookie.</li>
 *   <li>{@code auth-spnego} (20) – DISABLED unless {@code migrate} is set and the
 *       realm previously listed Kerberos as a required credential.</li>
 *   <li>the identity-provider redirector added by
 *       {@code addIdentityProviderAuthenticator(realm, null)}.</li>
 *   <li>the "forms" sub-flow (30): {@code auth-username-password-form} (REQUIRED)
 *       followed by the "Browser - Conditional OTP" sub-flow.</li>
 * </ol>
 *
 * <p>Security note: the OTP sub-flow is CONDITIONAL and gated by
 * {@code conditional-user-configured}, i.e. a second factor is only demanded from
 * users who already own an OTP credential; everyone else logs in with a password
 * alone unless the sub-flow requirement is raised to REQUIRED. When migrating a
 * realm that previously required TOTP, the requirement is set to REQUIRED so the
 * upgrade does not silently weaken authentication.
 *
 * @param realm   realm receiving the flow
 * @param migrate {@code true} when upgrading an existing realm; carries over the
 *                old Kerberos/TOTP required-credential settings
 */
public static void browserFlow(RealmModel realm, boolean migrate) {
    final AuthenticationExecutionModel.Requirement alternative = AuthenticationExecutionModel.Requirement.ALTERNATIVE;
    final AuthenticationExecutionModel.Requirement required = AuthenticationExecutionModel.Requirement.REQUIRED;

    // Top-level flow, registered as the realm's browser flow.
    AuthenticationFlowModel topLevel = new AuthenticationFlowModel();
    topLevel.setTopLevel(true);
    topLevel.setBuiltIn(true);
    topLevel.setProviderId("basic-flow");
    topLevel.setAlias(BROWSER_FLOW);
    topLevel.setDescription("browser based authentication");
    topLevel = realm.addAuthenticationFlow(topLevel);
    realm.setBrowserFlow(topLevel);
    final String browserId = topLevel.getId();

    // 1. SSO cookie.
    AuthenticationExecutionModel step = new AuthenticationExecutionModel();
    step.setParentFlow(browserId);
    step.setAuthenticatorFlow(false);
    step.setAuthenticator("auth-cookie");
    step.setPriority(10);
    step.setRequirement(alternative);
    realm.addAuthenticatorExecution(step);

    // 2. Kerberos/SPNEGO – off by default, kept on only for realms that required it before.
    boolean keepKerberos = migrate && hasCredentialType(realm, RequiredCredentialModel.KERBEROS.getType());
    step = new AuthenticationExecutionModel();
    step.setParentFlow(browserId);
    step.setAuthenticatorFlow(false);
    step.setAuthenticator("auth-spnego");
    step.setPriority(20);
    step.setRequirement(keepKerberos ? alternative : AuthenticationExecutionModel.Requirement.DISABLED);
    realm.addAuthenticatorExecution(step);

    // 3. Redirect to an identity provider, if the realm has one configured for that.
    addIdentityProviderAuthenticator(realm, null);

    // 4. "forms" sub-flow.
    AuthenticationFlowModel formsFlow = new AuthenticationFlowModel();
    formsFlow.setTopLevel(false);
    formsFlow.setBuiltIn(true);
    formsFlow.setProviderId("basic-flow");
    formsFlow.setAlias(LOGIN_FORMS_FLOW);
    formsFlow.setDescription("Username, password, otp and other auth forms.");
    formsFlow = realm.addAuthenticationFlow(formsFlow);
    final String formsId = formsFlow.getId();

    step = new AuthenticationExecutionModel();
    step.setParentFlow(browserId);
    step.setAuthenticatorFlow(true);
    step.setFlowId(formsId);
    step.setPriority(30);
    step.setRequirement(alternative);
    realm.addAuthenticatorExecution(step);

    // 4a. Username + password – mandatory inside "forms".
    step = new AuthenticationExecutionModel();
    step.setParentFlow(formsId);
    step.setAuthenticatorFlow(false);
    step.setAuthenticator("auth-username-password-form");
    step.setPriority(10);
    step.setRequirement(required);
    realm.addAuthenticatorExecution(step);

    // 4b. Conditional OTP sub-flow.
    AuthenticationFlowModel otpFlow = new AuthenticationFlowModel();
    otpFlow.setTopLevel(false);
    otpFlow.setBuiltIn(true);
    otpFlow.setProviderId("basic-flow");
    otpFlow.setAlias("Browser - Conditional OTP");
    otpFlow.setDescription("Flow to determine if the OTP is required for the authentication");
    otpFlow = realm.addAuthenticationFlow(otpFlow);
    final String otpId = otpFlow.getId();

    // A realm that required TOTP before migration keeps OTP mandatory for everyone.
    boolean keepOtpRequired = migrate && hasCredentialType(realm, RequiredCredentialModel.TOTP.getType());
    step = new AuthenticationExecutionModel();
    step.setParentFlow(formsId);
    step.setAuthenticatorFlow(true);
    step.setFlowId(otpId);
    step.setPriority(20);
    step.setRequirement(keepOtpRequired ? required : AuthenticationExecutionModel.Requirement.CONDITIONAL);
    realm.addAuthenticatorExecution(step);

    // Condition: only users who already have an OTP credential reach the OTP form.
    step = new AuthenticationExecutionModel();
    step.setParentFlow(otpId);
    step.setAuthenticatorFlow(false);
    step.setAuthenticator("conditional-user-configured");
    step.setPriority(10);
    step.setRequirement(required);
    realm.addAuthenticatorExecution(step);

    // OTP form.
    step = new AuthenticationExecutionModel();
    step.setParentFlow(otpId);
    step.setAuthenticatorFlow(false);
    step.setAuthenticator("auth-otp-form");
    step.setPriority(20);
    step.setRequirement(required);
    realm.addAuthenticatorExecution(step);
}


the class DefaultAuthenticationFlows method samlEcpProfile.

/**
 * Installs the built-in SAML ECP (Enhanced Client or Proxy) profile flow.
 *
 * <p>The flow has a single REQUIRED step, {@code http-basic-authenticator}, so an
 * ECP client authenticates the user with HTTP Basic credentials rather than an
 * interactive login page. Because Basic credentials are only base64-encoded, this
 * flow is only safe when the realm is served exclusively over TLS. The flow is
 * created and flagged built-in but is not bound to any realm binding here; it is
 * presumably looked up by its alias {@code SAML_ECP_FLOW} elsewhere.
 *
 * @param realm realm receiving the flow
 */
public static void samlEcpProfile(RealmModel realm) {
    AuthenticationFlowModel ecp = new AuthenticationFlowModel();
    ecp.setTopLevel(true);
    ecp.setBuiltIn(true);
    ecp.setProviderId("basic-flow");
    ecp.setAlias(SAML_ECP_FLOW);
    ecp.setDescription("SAML ECP Profile Authentication Flow");
    ecp = realm.addAuthenticationFlow(ecp);

    // Single mandatory step: HTTP Basic credentials.
    AuthenticationExecutionModel basicStep = new AuthenticationExecutionModel();
    basicStep.setParentFlow(ecp.getId());
    basicStep.setAuthenticatorFlow(false);
    basicStep.setAuthenticator("http-basic-authenticator");
    basicStep.setPriority(10);
    basicStep.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    realm.addAuthenticatorExecution(basicStep);
}


the class DefaultAuthenticationFlows method clientAuthFlow.

/**
 * Installs the built-in client authentication flow and binds it as the realm's
 * client authentication flow.
 *
 * <p>Unlike the user-facing flows this one uses the {@code client-flow} provider.
 * It contains four ALTERNATIVE client authenticators, in priority order:
 * {@code client-secret} (10), {@code client-jwt} (20), {@code client-secret-jwt}
 * (30) and {@code client-x509} (40). ALTERNATIVE means any one of them is
 * sufficient; which one actually applies to a given client is presumably governed
 * by that client's own configuration, not by this flow.
 *
 * @param realm realm receiving the flow
 */
public static void clientAuthFlow(RealmModel realm) {
    AuthenticationFlowModel clientFlow = new AuthenticationFlowModel();
    clientFlow.setTopLevel(true);
    clientFlow.setBuiltIn(true);
    clientFlow.setProviderId("client-flow");
    clientFlow.setAlias(CLIENT_AUTHENTICATION_FLOW);
    clientFlow.setDescription("Base authentication for clients");
    clientFlow = realm.addAuthenticationFlow(clientFlow);
    realm.setClientAuthenticationFlow(clientFlow);
    final String flowId = clientFlow.getId();

    // One ALTERNATIVE execution per client authenticator, priorities 10, 20, 30, 40.
    final String[] authenticators = {"client-secret", "client-jwt", "client-secret-jwt", "client-x509"};
    for (int i = 0; i < authenticators.length; i++) {
        AuthenticationExecutionModel step = new AuthenticationExecutionModel();
        step.setParentFlow(flowId);
        step.setAuthenticatorFlow(false);
        step.setAuthenticator(authenticators[i]);
        step.setPriority(10 * (i + 1));
        step.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
        realm.addAuthenticatorExecution(step);
    }
}


the class DefaultAuthenticationFlows method httpChallengeFlow.

/**
 * Installs the built-in HTTP challenge flow for non-browser clients that expect
 * challenge/response HTTP authentication schemes.
 *
 * <p>Structure:
 * <ol>
 *   <li>{@code no-cookie-redirect} (REQUIRED, 10).</li>
 *   <li>"Authentication Options" sub-flow (REQUIRED, 20) holding
 *       {@code basic-auth} (REQUIRED, 10), {@code basic-auth-otp} (DISABLED, 20)
 *       and {@code auth-spnego} (DISABLED, 30).</li>
 * </ol>
 *
 * <p>Security note: by default only {@code basic-auth} is active, so a client
 * authenticates with username/password in the Authorization header; the OTP and
 * Kerberos variants have to be enabled explicitly. As with any Basic scheme, this
 * flow should only be exposed over TLS. The flow is not bound to a realm binding
 * here.
 *
 * @param realm realm receiving the flow
 */
public static void httpChallengeFlow(RealmModel realm) {
    final AuthenticationExecutionModel.Requirement required = AuthenticationExecutionModel.Requirement.REQUIRED;
    final AuthenticationExecutionModel.Requirement disabled = AuthenticationExecutionModel.Requirement.DISABLED;

    AuthenticationFlowModel challenge = new AuthenticationFlowModel();
    challenge.setTopLevel(true);
    challenge.setBuiltIn(true);
    challenge.setProviderId("basic-flow");
    challenge.setAlias(HTTP_CHALLENGE_FLOW);
    challenge.setDescription("An authentication flow based on challenge-response HTTP Authentication Schemes");
    challenge = realm.addAuthenticationFlow(challenge);
    final String challengeId = challenge.getId();

    // 1. Bounce clients that carry no cookie.
    AuthenticationExecutionModel step = new AuthenticationExecutionModel();
    step.setParentFlow(challengeId);
    step.setAuthenticatorFlow(false);
    step.setAuthenticator("no-cookie-redirect");
    step.setPriority(10);
    step.setRequirement(required);
    realm.addAuthenticatorExecution(step);

    // 2. Sub-flow holding the individual HTTP schemes.
    AuthenticationFlowModel options = new AuthenticationFlowModel();
    options.setTopLevel(false);
    options.setBuiltIn(true);
    options.setProviderId("basic-flow");
    options.setAlias("Authentication Options");
    options.setDescription("Authentication options.");
    options = realm.addAuthenticationFlow(options);
    final String optionsId = options.getId();

    step = new AuthenticationExecutionModel();
    step.setParentFlow(challengeId);
    step.setAuthenticatorFlow(true);
    step.setFlowId(optionsId);
    step.setPriority(20);
    step.setRequirement(required);
    realm.addAuthenticatorExecution(step);

    // Scheme executions: only Basic is active out of the box.
    final String[] schemes = {"basic-auth", "basic-auth-otp", "auth-spnego"};
    final AuthenticationExecutionModel.Requirement[] requirements = {required, disabled, disabled};
    for (int i = 0; i < schemes.length; i++) {
        step = new AuthenticationExecutionModel();
        step.setParentFlow(optionsId);
        step.setAuthenticatorFlow(false);
        step.setAuthenticator(schemes[i]);
        step.setPriority(10 * (i + 1));
        step.setRequirement(requirements[i]);
        realm.addAuthenticatorExecution(step);
    }
}


the class DefaultAuthenticationFlows method firstBrokerLoginFlow.

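/**
 * Installs the built-in "first broker login" flow: the steps run the first time a
 * user arrives through an identity provider whose account is not yet linked to a
 * Keycloak user.
 *
 * <p>Structure (priority order):
 * <ol>
 *   <li>{@code idp-review-profile} (REQUIRED, 10), configured with
 *       {@code update.profile.on.first.login = missing}: the user is only asked to
 *       complete profile data the identity provider did not supply.</li>
 *   <li>"User creation or linking" sub-flow (REQUIRED, 20) with two ALTERNATIVE paths:
 *     <ul>
 *       <li>{@code idp-create-user-if-unique} (10): create a fresh user when no
 *           existing one matches; the generated account is not forced to set a
 *           password ({@code require.password.update.after.registration = false}).</li>
 *       <li>"Handle Existing Account" sub-flow (20): {@code idp-confirm-link}
 *           (REQUIRED) followed by the "Account verification options" sub-flow
 *           (REQUIRED), where the user proves ownership of the existing account via
 *           {@code idp-email-verification} or by re-authenticating with
 *           {@code idp-username-password-form} plus a conditional OTP.</li>
 *     </ul>
 *   </li>
 * </ol>
 *
 * <p>Security note: the verification step is what stops an identity provider that
 * asserts an arbitrary e-mail address or username from being linked to – and thereby
 * taking over – an existing local account. Customised copies of this flow should
 * keep at least one of the two verification alternatives enabled. As in the browser
 * flow, the OTP sub-flow is CONDITIONAL and only enforced for users who already own
 * an OTP credential.
 *
 * <p>Migration: when {@code migrate} is set, the method attempts to copy the OTP
 * requirement of the realm's current browser flow onto the conditional-OTP sub-flow,
 * so that upgrading does not relax an OTP requirement that was already in force.
 *
 * @param realm   realm receiving the flow
 * @param migrate {@code true} when upgrading an existing realm
 */
public static void firstBrokerLoginFlow(RealmModel realm, boolean migrate) {
    AuthenticationFlowModel firstBrokerLogin = new AuthenticationFlowModel();
    firstBrokerLogin.setAlias(FIRST_BROKER_LOGIN_FLOW);
    firstBrokerLogin.setDescription("Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account");
    firstBrokerLogin.setProviderId("basic-flow");
    firstBrokerLogin.setTopLevel(true);
    firstBrokerLogin.setBuiltIn(true);
    firstBrokerLogin = realm.addAuthenticationFlow(firstBrokerLogin);

    // 1. Review profile – only prompt for data the IdP left missing.
    AuthenticatorConfigModel reviewProfileConfig = new AuthenticatorConfigModel();
    reviewProfileConfig.setAlias(IDP_REVIEW_PROFILE_CONFIG_ALIAS);
    Map<String, String> config = new HashMap<>();
    config.put("update.profile.on.first.login", IdentityProviderRepresentation.UPFLM_MISSING);
    reviewProfileConfig.setConfig(config);
    reviewProfileConfig = realm.addAuthenticatorConfig(reviewProfileConfig);
    AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
    execution.setParentFlow(firstBrokerLogin.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("idp-review-profile");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    execution.setAuthenticatorConfig(reviewProfileConfig.getId());
    realm.addAuthenticatorExecution(execution);

    // 2. Either create a brand-new user or link to an existing one.
    AuthenticationFlowModel uniqueOrExistingFlow = new AuthenticationFlowModel();
    uniqueOrExistingFlow.setTopLevel(false);
    uniqueOrExistingFlow.setBuiltIn(true);
    uniqueOrExistingFlow.setAlias("User creation or linking");
    uniqueOrExistingFlow.setDescription("Flow for the existing/non-existing user alternatives");
    uniqueOrExistingFlow.setProviderId("basic-flow");
    uniqueOrExistingFlow = realm.addAuthenticationFlow(uniqueOrExistingFlow);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(firstBrokerLogin.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setFlowId(uniqueOrExistingFlow.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);

    // 2a. No matching local user: create one; no forced password update afterwards.
    AuthenticatorConfigModel createUserIfUniqueConfig = new AuthenticatorConfigModel();
    createUserIfUniqueConfig.setAlias(IDP_CREATE_UNIQUE_USER_CONFIG_ALIAS);
    config = new HashMap<>();
    config.put("require.password.update.after.registration", "false");
    createUserIfUniqueConfig.setConfig(config);
    createUserIfUniqueConfig = realm.addAuthenticatorConfig(createUserIfUniqueConfig);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(uniqueOrExistingFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setAuthenticator("idp-create-user-if-unique");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    execution.setAuthenticatorConfig(createUserIfUniqueConfig.getId());
    realm.addAuthenticatorExecution(execution);

    // 2b. A local user with the same e-mail/username exists: confirm and verify before linking.
    AuthenticationFlowModel linkExistingAccountFlow = new AuthenticationFlowModel();
    linkExistingAccountFlow.setTopLevel(false);
    linkExistingAccountFlow.setBuiltIn(true);
    linkExistingAccountFlow.setAlias(FIRST_BROKER_LOGIN_HANDLE_EXISTING_SUBFLOW);
    linkExistingAccountFlow.setDescription("Handle what to do if there is existing account with same email/username like authenticated identity provider");
    linkExistingAccountFlow.setProviderId("basic-flow");
    linkExistingAccountFlow = realm.addAuthenticationFlow(linkExistingAccountFlow);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(uniqueOrExistingFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setFlowId(linkExistingAccountFlow.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(linkExistingAccountFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("idp-confirm-link");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);

    // Ownership proof for the existing account: e-mail verification OR re-authentication.
    // (The description string below contains the typo "verity"; it is persisted realm
    // data and is deliberately left untouched here.)
    AuthenticationFlowModel accountVerificationOptions = new AuthenticationFlowModel();
    accountVerificationOptions.setTopLevel(false);
    accountVerificationOptions.setBuiltIn(true);
    accountVerificationOptions.setAlias("Account verification options");
    accountVerificationOptions.setDescription("Method with which to verity the existing account");
    accountVerificationOptions.setProviderId("basic-flow");
    accountVerificationOptions = realm.addAuthenticationFlow(accountVerificationOptions);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(linkExistingAccountFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setFlowId(accountVerificationOptions.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(accountVerificationOptions.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setAuthenticator("idp-email-verification");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);

    // Re-authentication alternative: password, then conditional OTP.
    AuthenticationFlowModel verifyByReauthenticationAccountFlow = new AuthenticationFlowModel();
    verifyByReauthenticationAccountFlow.setTopLevel(false);
    verifyByReauthenticationAccountFlow.setBuiltIn(true);
    verifyByReauthenticationAccountFlow.setAlias("Verify Existing Account by Re-authentication");
    verifyByReauthenticationAccountFlow.setDescription("Reauthentication of existing account");
    verifyByReauthenticationAccountFlow.setProviderId("basic-flow");
    verifyByReauthenticationAccountFlow = realm.addAuthenticationFlow(verifyByReauthenticationAccountFlow);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(accountVerificationOptions.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    execution.setFlowId(verifyByReauthenticationAccountFlow.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);
    // password + otp
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(verifyByReauthenticationAccountFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("idp-username-password-form");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);

    AuthenticationFlowModel conditionalOTP = new AuthenticationFlowModel();
    conditionalOTP.setTopLevel(false);
    conditionalOTP.setBuiltIn(true);
    conditionalOTP.setAlias("First broker login - Conditional OTP");
    conditionalOTP.setDescription("Flow to determine if the OTP is required for the authentication");
    conditionalOTP.setProviderId("basic-flow");
    conditionalOTP = realm.addAuthenticationFlow(conditionalOTP);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(verifyByReauthenticationAccountFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.CONDITIONAL);
    if (migrate) {
        // Try to read OTP requirement from browser flow
        AuthenticationFlowModel browserFlow = realm.getBrowserFlow();
        if (browserFlow == null) {
            browserFlow = realm.getFlowByAlias(DefaultAuthenticationFlows.BROWSER_FLOW);
        }
        // A realm with no browser flow at all has nothing to inherit; keep CONDITIONAL
        // rather than dereferencing null below.
        if (browserFlow != null) {
            // NOTE(review): whether sub-flow executions ever appear in this list depends on
            // KeycloakModelUtils.deepFindAuthenticationExecutions, which is not visible here.
            // If it collects leaf executions only, the isAuthenticatorFlow() branch never
            // fires and the requirement stays CONDITIONAL — confirm against that helper.
            List<AuthenticationExecutionModel> browserExecutions = new LinkedList<>();
            KeycloakModelUtils.deepFindAuthenticationExecutions(realm, browserFlow, browserExecutions);
            for (AuthenticationExecutionModel browserExecution : browserExecutions) {
                if (browserExecution.isAuthenticatorFlow()) {
                    // Executions that point at a sub-flow carry no authenticator id (see the
                    // sub-flow executions created above), so compare null-safely instead of
                    // calling equals() on getAuthenticator().
                    boolean containsOtpForm = realm.getAuthenticationExecutionsStream(browserExecution.getFlowId())
                            .anyMatch(e -> "auth-otp-form".equals(e.getAuthenticator()));
                    if (containsOtpForm) {
                        execution.setRequirement(browserExecution.getRequirement());
                    }
                }
            }
        }
    }
    execution.setFlowId(conditionalOTP.getId());
    execution.setPriority(20);
    execution.setAuthenticatorFlow(true);
    realm.addAuthenticatorExecution(execution);

    // Condition: only users who already have an OTP credential are challenged.
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(conditionalOTP.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("conditional-user-configured");
    execution.setPriority(10);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);
    execution = new AuthenticationExecutionModel();
    execution.setParentFlow(conditionalOTP.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    execution.setAuthenticator("auth-otp-form");
    execution.setPriority(20);
    execution.setAuthenticatorFlow(false);
    realm.addAuthenticatorExecution(execution);
}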
