Example 1 with WebAuthnPolicy
use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.
the class WebAuthnAuthenticator method authenticate.
public void authenticate(AuthenticationFlowContext context) {
LoginFormsProvider form = context.form();
Challenge challenge = new DefaultChallenge();
String challengeValue = Base64Url.encode(challenge.getValue());
context.getAuthenticationSession().setAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE, challengeValue);
form.setAttribute(WebAuthnConstants.CHALLENGE, challengeValue);
WebAuthnPolicy policy = getWebAuthnPolicy(context);
String rpId = getRpID(context);
form.setAttribute(WebAuthnConstants.RP_ID, rpId);
form.setAttribute(WebAuthnConstants.CREATE_TIMEOUT, policy.getCreateTimeout());
UserModel user = context.getUser();
boolean isUserIdentified = false;
if (user != null) {
// in 2 Factor Scenario where the user has already been identified
WebAuthnAuthenticatorsBean authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, getCredentialType());
if (authenticators.getAuthenticators().isEmpty()) {
// require the user to register webauthn authenticator
return;
}
isUserIdentified = true;
form.setAttribute(WebAuthnConstants.ALLOWED_AUTHENTICATORS, authenticators);
} else {
// in ID-less & Password-less Scenario
// NOP
}
form.setAttribute(WebAuthnConstants.IS_USER_IDENTIFIED, Boolean.toString(isUserIdentified));
// read options from policy
String userVerificationRequirement = policy.getUserVerificationRequirement();
form.setAttribute(WebAuthnConstants.USER_VERIFICATION, userVerificationRequirement);
form.setAttribute(WebAuthnConstants.SHOULD_DISPLAY_AUTHENTICATORS, shouldDisplayAuthenticators(context));
context.challenge(form.createLoginWebAuthn());
}
Also used :
UserModel(org.keycloak.models.UserModel)
DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge)
LoginFormsProvider(org.keycloak.forms.login.LoginFormsProvider)
WebAuthnPolicy(org.keycloak.models.WebAuthnPolicy)
WebAuthnAuthenticatorsBean(org.keycloak.forms.login.freemarker.model.WebAuthnAuthenticatorsBean)
Challenge(com.webauthn4j.data.client.challenge.Challenge)
DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge)
Example 2 with WebAuthnPolicy
use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.
the class RepresentationToModel method getWebAuthnPolicyPasswordless.
private static WebAuthnPolicy getWebAuthnPolicyPasswordless(RealmRepresentation rep) {
WebAuthnPolicy webAuthnPolicy = new WebAuthnPolicy();
String webAuthnPolicyRpEntityName = rep.getWebAuthnPolicyPasswordlessRpEntityName();
if (webAuthnPolicyRpEntityName == null || webAuthnPolicyRpEntityName.isEmpty())
webAuthnPolicyRpEntityName = Constants.DEFAULT_WEBAUTHN_POLICY_RP_ENTITY_NAME;
webAuthnPolicy.setRpEntityName(webAuthnPolicyRpEntityName);
List<String> webAuthnPolicySignatureAlgorithms = rep.getWebAuthnPolicyPasswordlessSignatureAlgorithms();
if (webAuthnPolicySignatureAlgorithms == null || webAuthnPolicySignatureAlgorithms.isEmpty())
webAuthnPolicySignatureAlgorithms = Arrays.asList(Constants.DEFAULT_WEBAUTHN_POLICY_SIGNATURE_ALGORITHMS.split(","));
webAuthnPolicy.setSignatureAlgorithm(webAuthnPolicySignatureAlgorithms);
String webAuthnPolicyRpId = rep.getWebAuthnPolicyPasswordlessRpId();
if (webAuthnPolicyRpId == null || webAuthnPolicyRpId.isEmpty())
webAuthnPolicyRpId = "";
webAuthnPolicy.setRpId(webAuthnPolicyRpId);
String webAuthnPolicyAttestationConveyancePreference = rep.getWebAuthnPolicyPasswordlessAttestationConveyancePreference();
if (webAuthnPolicyAttestationConveyancePreference == null || webAuthnPolicyAttestationConveyancePreference.isEmpty())
webAuthnPolicyAttestationConveyancePreference = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setAttestationConveyancePreference(webAuthnPolicyAttestationConveyancePreference);
String webAuthnPolicyAuthenticatorAttachment = rep.getWebAuthnPolicyPasswordlessAuthenticatorAttachment();
if (webAuthnPolicyAuthenticatorAttachment == null || webAuthnPolicyAuthenticatorAttachment.isEmpty())
webAuthnPolicyAuthenticatorAttachment = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setAuthenticatorAttachment(webAuthnPolicyAuthenticatorAttachment);
String webAuthnPolicyRequireResidentKey = rep.getWebAuthnPolicyPasswordlessRequireResidentKey();
if (webAuthnPolicyRequireResidentKey == null || webAuthnPolicyRequireResidentKey.isEmpty())
webAuthnPolicyRequireResidentKey = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setRequireResidentKey(webAuthnPolicyRequireResidentKey);
String webAuthnPolicyUserVerificationRequirement = rep.getWebAuthnPolicyPasswordlessUserVerificationRequirement();
if (webAuthnPolicyUserVerificationRequirement == null || webAuthnPolicyUserVerificationRequirement.isEmpty())
webAuthnPolicyUserVerificationRequirement = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setUserVerificationRequirement(webAuthnPolicyUserVerificationRequirement);
Integer webAuthnPolicyCreateTimeout = rep.getWebAuthnPolicyPasswordlessCreateTimeout();
if (webAuthnPolicyCreateTimeout != null)
webAuthnPolicy.setCreateTimeout(webAuthnPolicyCreateTimeout);
else
webAuthnPolicy.setCreateTimeout(0);
Boolean webAuthnPolicyAvoidSameAuthenticatorRegister = rep.isWebAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister();
if (webAuthnPolicyAvoidSameAuthenticatorRegister != null)
webAuthnPolicy.setAvoidSameAuthenticatorRegister(webAuthnPolicyAvoidSameAuthenticatorRegister);
List<String> webAuthnPolicyAcceptableAaguids = rep.getWebAuthnPolicyPasswordlessAcceptableAaguids();
if (webAuthnPolicyAcceptableAaguids != null)
webAuthnPolicy.setAcceptableAaguids(webAuthnPolicyAcceptableAaguids);
return webAuthnPolicy;
}
Also used :
WebAuthnPolicy(org.keycloak.models.WebAuthnPolicy)
ArtifactBindingUtils.computeArtifactBindingIdentifierString(org.keycloak.protocol.saml.util.ArtifactBindingUtils.computeArtifactBindingIdentifierString)
Example 3 with WebAuthnPolicy
use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.
the class RepresentationToModel method getWebAuthnPolicyTwoFactor.
private static WebAuthnPolicy getWebAuthnPolicyTwoFactor(RealmRepresentation rep) {
WebAuthnPolicy webAuthnPolicy = new WebAuthnPolicy();
String webAuthnPolicyRpEntityName = rep.getWebAuthnPolicyRpEntityName();
if (webAuthnPolicyRpEntityName == null || webAuthnPolicyRpEntityName.isEmpty())
webAuthnPolicyRpEntityName = Constants.DEFAULT_WEBAUTHN_POLICY_RP_ENTITY_NAME;
webAuthnPolicy.setRpEntityName(webAuthnPolicyRpEntityName);
List<String> webAuthnPolicySignatureAlgorithms = rep.getWebAuthnPolicySignatureAlgorithms();
if (webAuthnPolicySignatureAlgorithms == null || webAuthnPolicySignatureAlgorithms.isEmpty())
webAuthnPolicySignatureAlgorithms = Arrays.asList(Constants.DEFAULT_WEBAUTHN_POLICY_SIGNATURE_ALGORITHMS.split(","));
webAuthnPolicy.setSignatureAlgorithm(webAuthnPolicySignatureAlgorithms);
String webAuthnPolicyRpId = rep.getWebAuthnPolicyRpId();
if (webAuthnPolicyRpId == null || webAuthnPolicyRpId.isEmpty())
webAuthnPolicyRpId = "";
webAuthnPolicy.setRpId(webAuthnPolicyRpId);
String webAuthnPolicyAttestationConveyancePreference = rep.getWebAuthnPolicyAttestationConveyancePreference();
if (webAuthnPolicyAttestationConveyancePreference == null || webAuthnPolicyAttestationConveyancePreference.isEmpty())
webAuthnPolicyAttestationConveyancePreference = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setAttestationConveyancePreference(webAuthnPolicyAttestationConveyancePreference);
String webAuthnPolicyAuthenticatorAttachment = rep.getWebAuthnPolicyAuthenticatorAttachment();
if (webAuthnPolicyAuthenticatorAttachment == null || webAuthnPolicyAuthenticatorAttachment.isEmpty())
webAuthnPolicyAuthenticatorAttachment = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setAuthenticatorAttachment(webAuthnPolicyAuthenticatorAttachment);
String webAuthnPolicyRequireResidentKey = rep.getWebAuthnPolicyRequireResidentKey();
if (webAuthnPolicyRequireResidentKey == null || webAuthnPolicyRequireResidentKey.isEmpty())
webAuthnPolicyRequireResidentKey = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setRequireResidentKey(webAuthnPolicyRequireResidentKey);
String webAuthnPolicyUserVerificationRequirement = rep.getWebAuthnPolicyUserVerificationRequirement();
if (webAuthnPolicyUserVerificationRequirement == null || webAuthnPolicyUserVerificationRequirement.isEmpty())
webAuthnPolicyUserVerificationRequirement = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
webAuthnPolicy.setUserVerificationRequirement(webAuthnPolicyUserVerificationRequirement);
Integer webAuthnPolicyCreateTimeout = rep.getWebAuthnPolicyCreateTimeout();
if (webAuthnPolicyCreateTimeout != null)
webAuthnPolicy.setCreateTimeout(webAuthnPolicyCreateTimeout);
else
webAuthnPolicy.setCreateTimeout(0);
Boolean webAuthnPolicyAvoidSameAuthenticatorRegister = rep.isWebAuthnPolicyAvoidSameAuthenticatorRegister();
if (webAuthnPolicyAvoidSameAuthenticatorRegister != null)
webAuthnPolicy.setAvoidSameAuthenticatorRegister(webAuthnPolicyAvoidSameAuthenticatorRegister);
List<String> webAuthnPolicyAcceptableAaguids = rep.getWebAuthnPolicyAcceptableAaguids();
if (webAuthnPolicyAcceptableAaguids != null)
webAuthnPolicy.setAcceptableAaguids(webAuthnPolicyAcceptableAaguids);
return webAuthnPolicy;
}
Also used :
WebAuthnPolicy(org.keycloak.models.WebAuthnPolicy)
ArtifactBindingUtils.computeArtifactBindingIdentifierString(org.keycloak.protocol.saml.util.ArtifactBindingUtils.computeArtifactBindingIdentifierString)
Example 4 with WebAuthnPolicy
use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.
the class MapWebAuthnPolicyEntity method toModel.
static WebAuthnPolicy toModel(MapWebAuthnPolicyEntity entity) {
if (entity == null)
return null;
WebAuthnPolicy model = new WebAuthnPolicy();
model.setRpEntityName(entity.getRpEntityName());
model.setSignatureAlgorithm(entity.getSignatureAlgorithms());
model.setRpId(entity.getRpId());
model.setAttestationConveyancePreference(entity.getAttestationConveyancePreference());
model.setAuthenticatorAttachment(entity.getAuthenticatorAttachment());
model.setRequireResidentKey(entity.getRequireResidentKey());
model.setUserVerificationRequirement(entity.getUserVerificationRequirement());
model.setCreateTimeout(entity.getCreateTimeout());
model.setAvoidSameAuthenticatorRegister(entity.isAvoidSameAuthenticatorRegister());
model.setAcceptableAaguids(entity.getAcceptableAaguids() == null ? null : new LinkedList<>(entity.getAcceptableAaguids()));
return model;
}
Also used :
WebAuthnPolicy(org.keycloak.models.WebAuthnPolicy)
LinkedList(java.util.LinkedList)
Example 5 with WebAuthnPolicy
use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.
the class WebAuthnRegister method requiredActionChallenge.
@Override
public void requiredActionChallenge(RequiredActionContext context) {
UserModel userModel = context.getUser();
// Use standard UTF-8 charset to get bytes from string.
// Otherwise the platform's default charset is used and it might cause problems later when
// decoded on different system.
String userId = Base64Url.encode(userModel.getId().getBytes(StandardCharsets.UTF_8));
String username = userModel.getUsername();
Challenge challenge = new DefaultChallenge();
String challengeValue = Base64Url.encode(challenge.getValue());
context.getAuthenticationSession().setAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE, challengeValue);
// construct parameters for calling WebAuthn API navigator.credential.create()
// mandatory
WebAuthnPolicy policy = getWebAuthnPolicy(context);
List<String> signatureAlgorithmsList = policy.getSignatureAlgorithm();
String signatureAlgorithms = stringifySignatureAlgorithms(signatureAlgorithmsList);
String rpEntityName = policy.getRpEntityName();
// optional
String rpId = policy.getRpId();
if (rpId == null || rpId.isEmpty())
rpId = context.getUriInfo().getBaseUri().getHost();
String attestationConveyancePreference = policy.getAttestationConveyancePreference();
String authenticatorAttachment = policy.getAuthenticatorAttachment();
String requireResidentKey = policy.getRequireResidentKey();
String userVerificationRequirement = policy.getUserVerificationRequirement();
long createTimeout = policy.getCreateTimeout();
boolean avoidSameAuthenticatorRegister = policy.isAvoidSameAuthenticatorRegister();
String excludeCredentialIds = "";
if (avoidSameAuthenticatorRegister) {
excludeCredentialIds = session.userCredentialManager().getStoredCredentialsByTypeStream(context.getRealm(), userModel, getCredentialType()).map(credentialModel -> {
WebAuthnCredentialModel credModel = WebAuthnCredentialModel.createFromCredentialModel(credentialModel);
return Base64Url.encodeBase64ToBase64Url(credModel.getWebAuthnCredentialData().getCredentialId());
}).collect(Collectors.joining(","));
}
String isSetRetry = null;
if (isFormDataRequest(context.getHttpRequest())) {
isSetRetry = context.getHttpRequest().getDecodedFormParameters().getFirst(WebAuthnConstants.IS_SET_RETRY);
}
Response form = context.form().setAttribute(WebAuthnConstants.CHALLENGE, challengeValue).setAttribute(WebAuthnConstants.USER_ID, userId).setAttribute(WebAuthnConstants.USER_NAME, username).setAttribute(WebAuthnConstants.RP_ENTITY_NAME, rpEntityName).setAttribute(WebAuthnConstants.SIGNATURE_ALGORITHMS, signatureAlgorithms).setAttribute(WebAuthnConstants.RP_ID, rpId).setAttribute(WebAuthnConstants.ATTESTATION_CONVEYANCE_PREFERENCE, attestationConveyancePreference).setAttribute(WebAuthnConstants.AUTHENTICATOR_ATTACHMENT, authenticatorAttachment).setAttribute(WebAuthnConstants.REQUIRE_RESIDENT_KEY, requireResidentKey).setAttribute(WebAuthnConstants.USER_VERIFICATION_REQUIREMENT, userVerificationRequirement).setAttribute(WebAuthnConstants.CREATE_TIMEOUT, createTimeout).setAttribute(WebAuthnConstants.EXCLUDE_CREDENTIAL_IDS, excludeCredentialIds).setAttribute(WebAuthnConstants.IS_SET_RETRY, isSetRetry).createForm("webauthn-register.ftl");
context.challenge(form);
}
Also used :
UserModel(org.keycloak.models.UserModel)
Response(javax.ws.rs.core.Response)
DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge)
WebAuthnCredentialModel(org.keycloak.models.credential.WebAuthnCredentialModel)
WebAuthnPolicy(org.keycloak.models.WebAuthnPolicy)
Challenge(com.webauthn4j.data.client.challenge.Challenge)
DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge)
Aggregations
WebAuthnPolicy (org.keycloak.models.WebAuthnPolicy)9
ArtifactBindingUtils.computeArtifactBindingIdentifierString (org.keycloak.protocol.saml.util.ArtifactBindingUtils.computeArtifactBindingIdentifierString)4
Challenge (com.webauthn4j.data.client.challenge.Challenge)3
DefaultChallenge (com.webauthn4j.data.client.challenge.DefaultChallenge)3
HashSet (java.util.HashSet)3
HashMap (java.util.HashMap)2
LinkedList (java.util.LinkedList)2
Map (java.util.Map)2
MultivaluedHashMap (org.keycloak.common.util.MultivaluedHashMap)2
OAuth2DeviceConfig (org.keycloak.models.OAuth2DeviceConfig)2
UserModel (org.keycloak.models.UserModel)2
WebAuthnCredentialModel (org.keycloak.models.credential.WebAuthnCredentialModel)2
WebAuthnRegistrationManager (com.webauthn4j.WebAuthnRegistrationManager)1
RegistrationData (com.webauthn4j.data.RegistrationData)1
RegistrationParameters (com.webauthn4j.data.RegistrationParameters)1
RegistrationRequest (com.webauthn4j.data.RegistrationRequest)1
Origin (com.webauthn4j.data.client.Origin)1
ServerProperty (com.webauthn4j.server.ServerProperty)1
WebAuthnException (com.webauthn4j.util.exception.WebAuthnException)1
ArrayList (java.util.ArrayList)1
