use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.
the class MigrateTo8_0_2 method migrateAuthenticationFlowsWithAlternativeRequirements.
/**
 * Moves each run of ALTERNATIVE executions into its own subflow, for every flow of the realm
 * that mixes them with REQUIRED or CONDITIONAL executions.
 *
 * <p>Per the original comment, the goal is to try to preserve the behaviour of previous
 * versions. A flow that contains only ALTERNATIVE executions (no REQUIRED and no CONDITIONAL)
 * is left untouched.
 *
 * @param realm realm whose authentication flows are migrated in place
 */
protected void migrateAuthenticationFlowsWithAlternativeRequirements(RealmModel realm) {
    // The flows are collected into a list before iterating; migrateAlternatives() adds new
    // flows to the realm while this loop runs.
    List<AuthenticationFlowModel> flows = realm.getAuthenticationFlowsStream().collect(Collectors.toList());
    for (AuthenticationFlowModel flow : flows) {
        List<AuthenticationExecutionModel> executions =
                realm.getAuthenticationExecutionsStream(flow.getId()).collect(Collectors.toList());
        Set<AuthenticationExecutionModel.Requirement> present = executions.stream()
                .map(AuthenticationExecutionModel::getRequirement)
                .collect(Collectors.toSet());

        boolean hasRequired = present.contains(REQUIRED);
        boolean hasConditional = present.contains(CONDITIONAL);
        boolean hasAlternative = present.contains(ALTERNATIVE);

        // Parenthesised exactly as Java evaluates the original expression: && binds tighter
        // than ||, so a flow with a REQUIRED execution is scanned even when it has no
        // ALTERNATIVE. That scan collects nothing, so no subflow is created for such a flow.
        if (!(hasRequired || (hasConditional && hasAlternative))) {
            continue;
        }

        // Counter appended to the generated subflow alias, just to avoid name conflicts.
        int suffix = 0;
        LinkedList<AuthenticationExecutionModel> pendingAlternatives = new LinkedList<>();
        for (AuthenticationExecutionModel execution : executions) {
            AuthenticationExecutionModel.Requirement requirement = execution.getRequirement();
            if (ALTERNATIVE.equals(requirement)) {
                pendingAlternatives.add(execution);
            }
            // A REQUIRED/CONDITIONAL execution closes the current run of alternatives:
            // REQUIRED, then ALTERNATIVEs, then REQUIRED/CONDITIONAL => the ALTERNATIVEs
            // collected so far go to a new subflow.
            boolean closesRun = REQUIRED.equals(requirement) || CONDITIONAL.equals(requirement);
            if (closesRun && !pendingAlternatives.isEmpty()) {
                migrateAlternatives(realm, flow, pendingAlternatives, suffix);
                suffix++;
                pendingAlternatives.clear();
            }
        }

        // Alternatives at the tail of the flow have no closing execution; migrate them as well.
        if (!pendingAlternatives.isEmpty()) {
            migrateAlternatives(realm, flow, pendingAlternatives, suffix);
        }
    }
}
use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.
the class MigrateTo8_0_2 method migrateAlternatives.
/**
 * Creates a new non-top-level subflow under {@code parentFlow} and re-parents the given
 * ALTERNATIVE executions into it.
 *
 * <p>The subflow is attached to the parent through a new REQUIRED flow execution. The moved
 * executions get a new parent and new priorities (10, 20, ...) in list order; their
 * requirement is not modified here.
 *
 * @param realm                 realm that owns the flows and executions
 * @param parentFlow            flow the alternatives currently belong to
 * @param alternativesToMigrate executions to move; must not be empty, because the priority of
 *                              its first element is read via {@code getFirst()}
 * @param suffix                number appended to the generated alias to avoid name conflicts
 */
private void migrateAlternatives(RealmModel realm, AuthenticationFlowModel parentFlow, LinkedList<AuthenticationExecutionModel> alternativesToMigrate, int suffix) {
    LOG.debugf("Migrating %d ALTERNATIVE executions in the flow '%s' of realm '%s' to separate subflow", alternativesToMigrate.size(), parentFlow.getAlias(), realm.getName());

    // Build the subflow that will hold the alternatives; it inherits the parent's built-in flag.
    AuthenticationFlowModel subflow = new AuthenticationFlowModel();
    subflow.setAlias(parentFlow.getAlias() + " - Alternatives - " + suffix);
    subflow.setDescription("Subflow of " + parentFlow.getAlias() + " with alternative executions");
    subflow.setProviderId("basic-flow");
    subflow.setTopLevel(false);
    subflow.setBuiltIn(parentFlow.isBuiltIn());
    // Continue with the instance returned by the realm: its id is used for every link below.
    subflow = realm.addAuthenticationFlow(subflow);

    // Execution in the parent flow that points at the new subflow.
    AuthenticationExecutionModel subflowExecution = new AuthenticationExecutionModel();
    subflowExecution.setAuthenticatorFlow(true);
    subflowExecution.setFlowId(subflow.getId());
    subflowExecution.setParentFlow(parentFlow.getId());
    subflowExecution.setRequirement(REQUIRED);
    // Same priority as the first ALTERNATIVE, since the new execution de facto replaces it
    // in the parent flow.
    subflowExecution.setPriority(alternativesToMigrate.getFirst().getPriority());
    realm.addAuthenticatorExecution(subflowExecution);

    // Re-parent the alternatives, keeping their relative order with fresh priorities.
    int nextPriority = 10;
    for (AuthenticationExecutionModel alternative : alternativesToMigrate) {
        alternative.setParentFlow(subflow.getId());
        alternative.setPriority(nextPriority);
        realm.updateAuthenticatorExecution(alternative);
        nextPriority += 10;
    }
}
use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.
the class MigrateTo1_7_0 method migrateRealm.
/**
 * Applies the 1.7.0 migration steps to a single realm: sets the default access token lifespan
 * for the implicit flow, adds the built-in 'admin-cli' client, migrates the default
 * authentication flows and binds the first-broker-login flow to identity providers that have
 * none.
 *
 * @param session session used to look up the {@code MigrationProvider}
 * @param realm   realm being migrated
 */
protected void migrateRealm(KeycloakSession session, RealmModel realm) {
    // Default access token timeout for the implicit flow.
    realm.setAccessTokenLifespanForImplicitFlow(Constants.DEFAULT_ACCESS_TOKEN_LIFESPAN_FOR_IMPLICIT_FLOW_TIMEOUT);

    // Built-in 'admin-cli' client.
    session.getProvider(MigrationProvider.class).setupAdminCli(realm);

    // Migrate the default flows, then look up the first-broker-login flow by its alias.
    DefaultAuthenticationFlows.migrateFlows(realm);
    AuthenticationFlowModel brokerLoginFlow = realm.getFlowByAlias(DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_FLOW);

    // Only providers without a first-broker-login flow are touched; an existing binding is
    // kept as configured.
    // NOTE(review): brokerLoginFlow is not null-checked. If the lookup returned null, the
    // lambda would fail on the first provider that needs a flow - confirm migrateFlows()
    // always creates it.
    realm.getIdentityProvidersStream()
            .filter(idp -> idp.getFirstBrokerLoginFlowId() == null)
            .forEach(idp -> {
                idp.setFirstBrokerLoginFlowId(brokerLoginFlow.getId());
                realm.updateIdentityProvider(idp);
            });
}
use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.
the class AuthenticationFlowResolver method resolveBrowserFlow.
/**
 * Resolves the browser authentication flow for an authentication session.
 *
 * <p>A browser-binding override configured on the client takes precedence over the realm's
 * browser flow. If the override references a flow id that the realm cannot resolve, the method
 * throws instead of silently falling back to the realm's browser flow, so a dangling override
 * never results in the client being authenticated with a different flow than the one
 * configured for it.
 *
 * @param authSession authentication session providing the client and the realm
 * @return the client's override flow when one is configured, otherwise the realm's browser flow
 * @throws ModelException if the client has a browser flow override that does not exist in the realm
 */
public static AuthenticationFlowModel resolveBrowserFlow(AuthenticationSessionModel authSession) {
    ClientModel client = authSession.getClient();
    String overrideFlowId = client.getAuthenticationFlowBindingOverride(AuthenticationFlowBindings.BROWSER_BINDING);

    // No per-client override: use the realm's browser flow.
    if (overrideFlowId == null) {
        return authSession.getRealm().getBrowserFlow();
    }

    AuthenticationFlowModel overrideFlow = authSession.getRealm().getAuthenticationFlowById(overrideFlowId);
    if (overrideFlow == null) {
        throw new ModelException("Client " + client.getClientId() + " has browser flow override, but this flow does not exist");
    }
    return overrideFlow;
}
use of org.keycloak.models.AuthenticationFlowModel in project keycloak by keycloak.
the class MigrateTo8_0_0 method migrateOptionalAuthenticationExecution.
/**
 * Replaces an optional execution with a CONDITIONAL subflow in the parent flow.
 *
 * <p>The new subflow takes the optional execution's priority in the parent flow and contains
 * two REQUIRED executions: the {@code conditional-user-configured} condition (priority 10)
 * followed by the original authenticator (priority 20).
 *
 * @param realm                   realm that owns the flows and executions
 * @param parentFlow              flow that currently contains the optional execution
 * @param optionalExecution       execution to move into the new subflow; it is modified in place
 * @param updateOptionalExecution whether to persist the modified execution through the realm;
 *                                {@code false} for JSON migration, where the execution is not
 *                                yet in the DB and will be added later
 */
public static void migrateOptionalAuthenticationExecution(RealmModel realm, AuthenticationFlowModel parentFlow, AuthenticationExecutionModel optionalExecution, boolean updateOptionalExecution) {
    LOG.debugf("Migrating optional execution '%s' of flow '%s' of realm '%s' to subflow", optionalExecution.getAuthenticator(), parentFlow.getAlias(), realm.getName());

    // Subflow that decides whether the authenticator is used; inherits the parent's built-in flag.
    AuthenticationFlowModel conditionalFlow = new AuthenticationFlowModel();
    conditionalFlow.setAlias(parentFlow.getAlias() + " - " + optionalExecution.getAuthenticator() + " - Conditional");
    conditionalFlow.setDescription("Flow to determine if the " + optionalExecution.getAuthenticator() + " authenticator should be used or not.");
    conditionalFlow.setProviderId("basic-flow");
    conditionalFlow.setTopLevel(false);
    conditionalFlow.setBuiltIn(parentFlow.isBuiltIn());
    conditionalFlow = realm.addAuthenticationFlow(conditionalFlow);

    // CONDITIONAL execution in the parent flow that points at the subflow. It takes the
    // optional execution's priority, which is read here before that priority is overwritten
    // further down.
    AuthenticationExecutionModel subflowExecution = new AuthenticationExecutionModel();
    subflowExecution.setAuthenticatorFlow(true);
    subflowExecution.setFlowId(conditionalFlow.getId());
    subflowExecution.setParentFlow(parentFlow.getId());
    subflowExecution.setRequirement(AuthenticationExecutionModel.Requirement.CONDITIONAL);
    subflowExecution.setPriority(optionalExecution.getPriority());
    realm.addAuthenticatorExecution(subflowExecution);

    // First child of the subflow: the condition execution.
    AuthenticationExecutionModel conditionExecution = new AuthenticationExecutionModel();
    conditionExecution.setAuthenticatorFlow(false);
    conditionExecution.setAuthenticator("conditional-user-configured");
    conditionExecution.setParentFlow(conditionalFlow.getId());
    conditionExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    conditionExecution.setPriority(10);
    realm.addAuthenticatorExecution(conditionExecution);

    // Second child: the formerly optional execution, now REQUIRED inside the subflow.
    optionalExecution.setParentFlow(conditionalFlow.getId());
    optionalExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
    optionalExecution.setPriority(20);

    // In case of JSON migration, the execution is not yet in DB and will be added later.
    if (updateOptionalExecution) {
        realm.updateAuthenticatorExecution(optionalExecution);
    }
}