
Example 1 with WebAuthnPolicy

use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.

the class WebAuthnAuthenticator method authenticate.

/**
 * Renders the WebAuthn login (assertion) page and registers it as the flow's challenge.
 * <p>
 * A fresh random {@link Challenge} is generated on every call. Its Base64Url form is stored in the
 * authentication session under {@code AUTH_CHALLENGE_NOTE} (so the server-side verification step
 * can read back what was issued) and the same value is given to the template as
 * {@code CHALLENGE}. The RP ID and the policy's create timeout are passed along too; the policy
 * carries only the one timeout, so it presumably also governs the {@code get()} call on the page.
 * <p>
 * Two situations are distinguished by {@code context.getUser()}:
 * <ul>
 *   <li>user present (second-factor use): the user's registered WebAuthn authenticators are
 *       loaded and passed as the allow-list. If the user has none, the method returns without
 *       issuing a challenge — per the original comment, the user is then meant to be sent to
 *       register an authenticator instead.</li>
 *   <li>user absent (ID-less / password-less use): no allow-list is set and the template is told
 *       {@code IS_USER_IDENTIFIED = "false"}.</li>
 * </ul>
 *
 * @param context the authentication flow context providing session, realm, user and the form
 */
public void authenticate(AuthenticationFlowContext context) {
    LoginFormsProvider loginForm = context.form();

    // One-time, unpredictable challenge. The persisted copy is the server-side reference
    // the assertion response is compared against later.
    Challenge freshChallenge = new DefaultChallenge();
    String encodedChallenge = Base64Url.encode(freshChallenge.getValue());
    context.getAuthenticationSession().setAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE, encodedChallenge);
    loginForm.setAttribute(WebAuthnConstants.CHALLENGE, encodedChallenge);

    WebAuthnPolicy webAuthnPolicy = getWebAuthnPolicy(context);
    loginForm.setAttribute(WebAuthnConstants.RP_ID, getRpID(context));
    loginForm.setAttribute(WebAuthnConstants.CREATE_TIMEOUT, webAuthnPolicy.getCreateTimeout());

    UserModel identifiedUser = context.getUser();
    boolean userIdentified = identifiedUser != null;
    if (userIdentified) {
        // Second-factor scenario: restrict the assertion to this user's registered credentials.
        WebAuthnAuthenticatorsBean registered = new WebAuthnAuthenticatorsBean(
                context.getSession(), context.getRealm(), identifiedUser, getCredentialType());
        if (registered.getAuthenticators().isEmpty()) {
            // Nothing to authenticate with: leave without a challenge so the user can be
            // required to register a WebAuthn authenticator first.
            return;
        }
        loginForm.setAttribute(WebAuthnConstants.ALLOWED_AUTHENTICATORS, registered);
    }
    // ID-less / password-less scenario: no allow-list, the flag below tells the page so.
    loginForm.setAttribute(WebAuthnConstants.IS_USER_IDENTIFIED, Boolean.toString(userIdentified));

    // Remaining options come straight from the realm policy.
    loginForm.setAttribute(WebAuthnConstants.USER_VERIFICATION, webAuthnPolicy.getUserVerificationRequirement());
    loginForm.setAttribute(WebAuthnConstants.SHOULD_DISPLAY_AUTHENTICATORS, shouldDisplayAuthenticators(context));

    context.challenge(loginForm.createLoginWebAuthn());
}

Example 2 with WebAuthnPolicy

use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.

the class RepresentationToModel method getWebAuthnPolicyPasswordless.

/**
 * Builds the realm's password-less WebAuthn policy from its REST representation.
 * <p>
 * Unset or blank string fields fall back to constants: RP entity name to
 * {@code DEFAULT_WEBAUTHN_POLICY_RP_ENTITY_NAME}; signature algorithms to the comma-separated
 * {@code DEFAULT_WEBAUTHN_POLICY_SIGNATURE_ALGORITHMS}; RP ID to the empty string (elsewhere in
 * Keycloak, e.g. the registration action, an empty RP ID is replaced by the request host);
 * attestation conveyance, authenticator attachment, resident-key and user-verification
 * requirements to {@code DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED}. A missing create timeout
 * becomes {@code 0}. The "avoid same authenticator" flag and the acceptable-AAGUID list are only
 * copied when present, otherwise the {@link WebAuthnPolicy} defaults stay.
 * <p>
 * NOTE(review): the enumerated preferences are passed through as free-form strings with no
 * validation here — presumably validated elsewhere or handed to the browser as-is; confirm
 * before treating them as an enforced server-side control.
 *
 * @param rep realm representation carrying the {@code webAuthnPolicyPasswordless*} fields
 * @return a fully populated policy object
 */
private static WebAuthnPolicy getWebAuthnPolicyPasswordless(RealmRepresentation rep) {
    WebAuthnPolicy result = new WebAuthnPolicy();

    String entityName = rep.getWebAuthnPolicyPasswordlessRpEntityName();
    result.setRpEntityName(entityName == null || entityName.isEmpty()
            ? Constants.DEFAULT_WEBAUTHN_POLICY_RP_ENTITY_NAME
            : entityName);

    List<String> algorithms = rep.getWebAuthnPolicyPasswordlessSignatureAlgorithms();
    result.setSignatureAlgorithm(algorithms == null || algorithms.isEmpty()
            ? Arrays.asList(Constants.DEFAULT_WEBAUTHN_POLICY_SIGNATURE_ALGORITHMS.split(","))
            : algorithms);

    // Normalise an absent RP ID to "" rather than null.
    String rpId = rep.getWebAuthnPolicyPasswordlessRpId();
    result.setRpId(rpId == null ? "" : rpId);

    String attestation = rep.getWebAuthnPolicyPasswordlessAttestationConveyancePreference();
    result.setAttestationConveyancePreference(attestation == null || attestation.isEmpty()
            ? Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED
            : attestation);

    String attachment = rep.getWebAuthnPolicyPasswordlessAuthenticatorAttachment();
    result.setAuthenticatorAttachment(attachment == null || attachment.isEmpty()
            ? Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED
            : attachment);

    String residentKey = rep.getWebAuthnPolicyPasswordlessRequireResidentKey();
    result.setRequireResidentKey(residentKey == null || residentKey.isEmpty()
            ? Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED
            : residentKey);

    String userVerification = rep.getWebAuthnPolicyPasswordlessUserVerificationRequirement();
    result.setUserVerificationRequirement(userVerification == null || userVerification.isEmpty()
            ? Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED
            : userVerification);

    // Absent timeout is stored as 0.
    Integer timeout = rep.getWebAuthnPolicyPasswordlessCreateTimeout();
    result.setCreateTimeout(timeout == null ? 0 : timeout);

    Boolean avoidSameAuthenticator = rep.isWebAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister();
    if (avoidSameAuthenticator != null) {
        result.setAvoidSameAuthenticatorRegister(avoidSameAuthenticator);
    }

    List<String> aaguids = rep.getWebAuthnPolicyPasswordlessAcceptableAaguids();
    if (aaguids != null) {
        result.setAcceptableAaguids(aaguids);
    }

    return result;
}

Example 3 with WebAuthnPolicy

use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.

the class RepresentationToModel method getWebAuthnPolicyTwoFactor.

/**
 * Builds the realm's two-factor WebAuthn policy from its REST representation.
 * <p>
 * Mirrors the password-less variant but reads the {@code webAuthnPolicy*} fields. Defaults for
 * unset or blank values: RP entity name → {@code DEFAULT_WEBAUTHN_POLICY_RP_ENTITY_NAME};
 * signature algorithms → {@code DEFAULT_WEBAUTHN_POLICY_SIGNATURE_ALGORITHMS} split on commas;
 * RP ID → {@code ""}; attestation conveyance, authenticator attachment, resident-key and
 * user-verification requirements → {@code DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED}; create
 * timeout → {@code 0}. The "avoid same authenticator" flag and acceptable-AAGUID list are applied
 * only when the representation supplies them.
 * <p>
 * NOTE(review): the string-valued preferences are not validated against their allowed values
 * here — presumably done elsewhere; confirm if the policy is relied on as a server-side control.
 *
 * @param rep realm representation carrying the {@code webAuthnPolicy*} fields
 * @return a fully populated policy object
 */
private static WebAuthnPolicy getWebAuthnPolicyTwoFactor(RealmRepresentation rep) {
    WebAuthnPolicy policy = new WebAuthnPolicy();

    String nameFromRep = rep.getWebAuthnPolicyRpEntityName();
    String rpEntityName = Constants.DEFAULT_WEBAUTHN_POLICY_RP_ENTITY_NAME;
    if (nameFromRep != null && !nameFromRep.isEmpty()) {
        rpEntityName = nameFromRep;
    }
    policy.setRpEntityName(rpEntityName);

    List<String> algorithmsFromRep = rep.getWebAuthnPolicySignatureAlgorithms();
    List<String> signatureAlgorithms = algorithmsFromRep;
    if (algorithmsFromRep == null || algorithmsFromRep.isEmpty()) {
        signatureAlgorithms = Arrays.asList(Constants.DEFAULT_WEBAUTHN_POLICY_SIGNATURE_ALGORITHMS.split(","));
    }
    policy.setSignatureAlgorithm(signatureAlgorithms);

    // An absent RP ID is stored as the empty string, never null.
    String rpIdFromRep = rep.getWebAuthnPolicyRpId();
    policy.setRpId(rpIdFromRep != null ? rpIdFromRep : "");

    String attestationFromRep = rep.getWebAuthnPolicyAttestationConveyancePreference();
    String attestation = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
    if (attestationFromRep != null && !attestationFromRep.isEmpty()) {
        attestation = attestationFromRep;
    }
    policy.setAttestationConveyancePreference(attestation);

    String attachmentFromRep = rep.getWebAuthnPolicyAuthenticatorAttachment();
    String attachment = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
    if (attachmentFromRep != null && !attachmentFromRep.isEmpty()) {
        attachment = attachmentFromRep;
    }
    policy.setAuthenticatorAttachment(attachment);

    String residentKeyFromRep = rep.getWebAuthnPolicyRequireResidentKey();
    String residentKey = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
    if (residentKeyFromRep != null && !residentKeyFromRep.isEmpty()) {
        residentKey = residentKeyFromRep;
    }
    policy.setRequireResidentKey(residentKey);

    String verificationFromRep = rep.getWebAuthnPolicyUserVerificationRequirement();
    String userVerification = Constants.DEFAULT_WEBAUTHN_POLICY_NOT_SPECIFIED;
    if (verificationFromRep != null && !verificationFromRep.isEmpty()) {
        userVerification = verificationFromRep;
    }
    policy.setUserVerificationRequirement(userVerification);

    // Missing timeout → 0.
    Integer timeoutFromRep = rep.getWebAuthnPolicyCreateTimeout();
    policy.setCreateTimeout(timeoutFromRep != null ? timeoutFromRep : 0);

    Boolean avoidSameFromRep = rep.isWebAuthnPolicyAvoidSameAuthenticatorRegister();
    if (avoidSameFromRep != null) {
        policy.setAvoidSameAuthenticatorRegister(avoidSameFromRep);
    }

    List<String> aaguidsFromRep = rep.getWebAuthnPolicyAcceptableAaguids();
    if (aaguidsFromRep != null) {
        policy.setAcceptableAaguids(aaguidsFromRep);
    }

    return policy;
}

Example 4 with WebAuthnPolicy

use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.

the class MapWebAuthnPolicyEntity method toModel.

/**
 * Converts a stored {@link MapWebAuthnPolicyEntity} into its {@link WebAuthnPolicy} model.
 * <p>
 * Scalar fields are copied one-to-one. The acceptable-AAGUID collection is copied into a new
 * {@link LinkedList} so that the model and the entity do not share a mutable list; a null
 * collection stays null.
 *
 * @param entity stored policy entity, may be null
 * @return the equivalent model, or null when {@code entity} is null
 */
static WebAuthnPolicy toModel(MapWebAuthnPolicyEntity entity) {
    if (entity == null) {
        return null;
    }

    WebAuthnPolicy policy = new WebAuthnPolicy();
    policy.setRpEntityName(entity.getRpEntityName());
    policy.setSignatureAlgorithm(entity.getSignatureAlgorithms());
    policy.setRpId(entity.getRpId());
    policy.setAttestationConveyancePreference(entity.getAttestationConveyancePreference());
    policy.setAuthenticatorAttachment(entity.getAuthenticatorAttachment());
    policy.setRequireResidentKey(entity.getRequireResidentKey());
    policy.setUserVerificationRequirement(entity.getUserVerificationRequirement());
    policy.setCreateTimeout(entity.getCreateTimeout());
    policy.setAvoidSameAuthenticatorRegister(entity.isAvoidSameAuthenticatorRegister());

    // Defensive copy: the model must not alias the entity's backing collection.
    java.util.Collection<String> storedAaguids = entity.getAcceptableAaguids();
    if (storedAaguids == null) {
        policy.setAcceptableAaguids(null);
    } else {
        policy.setAcceptableAaguids(new LinkedList<>(storedAaguids));
    }
    return policy;
}

Example 5 with WebAuthnPolicy

use of org.keycloak.models.WebAuthnPolicy in project keycloak by keycloak.

the class WebAuthnRegister method requiredActionChallenge.

/**
 * Renders the WebAuthn registration page ({@code webauthn-register.ftl}) for the current user.
 * <p>
 * A new random challenge is generated, stored in the authentication session under
 * {@code AUTH_CHALLENGE_NOTE} for the later registration verification, and passed to the
 * template together with everything the page needs to call
 * {@code navigator.credentials.create()}: user handle and name, RP entity name and ID, signature
 * algorithms, attestation conveyance, authenticator attachment, resident-key and
 * user-verification requirements, timeout and the credential IDs to exclude.
 * <p>
 * The user handle is the Base64Url encoding of the user's internal ID as UTF-8 bytes; the charset
 * is explicit so the value does not depend on the platform default. When the policy has no RP ID,
 * the host of the request base URI is used instead — NOTE(review): that host is presumably derived
 * from the incoming request / hostname configuration, so the effective RP ID then depends on how
 * the server is fronted; set an explicit RP ID in the policy where that matters. With
 * {@code avoidSameAuthenticatorRegister} enabled, the user's existing WebAuthn credential IDs are
 * sent as the exclude list. {@code IS_SET_RETRY} is read back from the submitted form (only for
 * form-data requests) and echoed to the template; NOTE(review): it is request-controlled, so the
 * template is assumed to escape it.
 *
 * @param context the required-action context
 */
@Override
public void requiredActionChallenge(RequiredActionContext context) {
    UserModel user = context.getUser();

    // User handle: internal ID as UTF-8 bytes, Base64Url-encoded (explicit charset on purpose).
    String userHandle = Base64Url.encode(user.getId().getBytes(StandardCharsets.UTF_8));
    String displayName = user.getUsername();

    // Fresh random challenge; the session copy is what the registration response is checked against.
    Challenge challenge = new DefaultChallenge();
    String encodedChallenge = Base64Url.encode(challenge.getValue());
    context.getAuthenticationSession().setAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE, encodedChallenge);

    WebAuthnPolicy policy = getWebAuthnPolicy(context);

    // Mandatory create() parameters.
    List<String> algorithmList = policy.getSignatureAlgorithm();
    String algorithms = stringifySignatureAlgorithms(algorithmList);
    String rpEntityName = policy.getRpEntityName();

    // Optional parameters; an unset RP ID falls back to the request host.
    String rpId = policy.getRpId();
    if (rpId == null || rpId.isEmpty()) {
        rpId = context.getUriInfo().getBaseUri().getHost();
    }
    String attestation = policy.getAttestationConveyancePreference();
    String attachment = policy.getAuthenticatorAttachment();
    String residentKey = policy.getRequireResidentKey();
    String userVerification = policy.getUserVerificationRequirement();
    long timeout = policy.getCreateTimeout();
    boolean excludeExisting = policy.isAvoidSameAuthenticatorRegister();

    // Exclude list: the user's already-registered credential IDs, only when the policy asks.
    String excludedCredentialIds = "";
    if (excludeExisting) {
        excludedCredentialIds = session.userCredentialManager()
                .getStoredCredentialsByTypeStream(context.getRealm(), user, getCredentialType())
                .map(WebAuthnCredentialModel::createFromCredentialModel)
                .map(cred -> Base64Url.encodeBase64ToBase64Url(cred.getWebAuthnCredentialData().getCredentialId()))
                .collect(Collectors.joining(","));
    }

    String retryFlag = null;
    if (isFormDataRequest(context.getHttpRequest())) {
        retryFlag = context.getHttpRequest().getDecodedFormParameters().getFirst(WebAuthnConstants.IS_SET_RETRY);
    }

    Response page = context.form()
            .setAttribute(WebAuthnConstants.CHALLENGE, encodedChallenge)
            .setAttribute(WebAuthnConstants.USER_ID, userHandle)
            .setAttribute(WebAuthnConstants.USER_NAME, displayName)
            .setAttribute(WebAuthnConstants.RP_ENTITY_NAME, rpEntityName)
            .setAttribute(WebAuthnConstants.SIGNATURE_ALGORITHMS, algorithms)
            .setAttribute(WebAuthnConstants.RP_ID, rpId)
            .setAttribute(WebAuthnConstants.ATTESTATION_CONVEYANCE_PREFERENCE, attestation)
            .setAttribute(WebAuthnConstants.AUTHENTICATOR_ATTACHMENT, attachment)
            .setAttribute(WebAuthnConstants.REQUIRE_RESIDENT_KEY, residentKey)
            .setAttribute(WebAuthnConstants.USER_VERIFICATION_REQUIREMENT, userVerification)
            .setAttribute(WebAuthnConstants.CREATE_TIMEOUT, timeout)
            .setAttribute(WebAuthnConstants.EXCLUDE_CREDENTIAL_IDS, excludedCredentialIds)
            .setAttribute(WebAuthnConstants.IS_SET_RETRY, retryFlag)
            .createForm("webauthn-register.ftl");
    context.challenge(page);
}
