
Example 21 with AuthenticationFlowRepresentation

use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak.

the class InitialFlowsTest method expectedFlows.

/**
 * Builds the list of built-in authentication flows, each paired with the execution
 * info entries expected for it, that a freshly created realm is compared against.
 *
 * <p>Every flow is created with {@code newFlow} and populated through
 * {@code addExecExport}; the matching execution info list is populated through
 * {@code addExecInfo}. Call order is significant: it fixes the position of each
 * flow and of each execution in the lists that are later compared.
 *
 * @return the expected flows, in comparison order
 */
private LinkedList<FlowExecutions> expectedFlows() {
    LinkedList<FlowExecutions> flows = new LinkedList<>();
    List<AuthenticationExecutionInfoRepresentation> infos;

    // browser
    AuthenticationFlowRepresentation flowRep = newFlow("browser", "browser based authentication", "basic-flow", true, true);
    addExecExport(flowRep, null, false, "auth-cookie", false, null, ALTERNATIVE, 10);
    addExecExport(flowRep, null, false, "auth-spnego", false, null, DISABLED, 20);
    addExecExport(flowRep, null, false, "identity-provider-redirector", false, null, ALTERNATIVE, 25);
    addExecExport(flowRep, "forms", false, null, true, null, ALTERNATIVE, 30);
    infos = new LinkedList<>();
    addExecInfo(infos, "Cookie", "auth-cookie", false, 0, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Kerberos", "auth-spnego", false, 0, 1, DISABLED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Identity Provider Redirector", "identity-provider-redirector", true, 0, 2, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "forms", null, false, 0, 3, ALTERNATIVE, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Username Password Form", "auth-username-password-form", false, 1, 0, REQUIRED, null, new String[] { REQUIRED });
    addExecInfo(infos, "Browser - Conditional OTP", null, false, 1, 1, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Condition - user configured", "conditional-user-configured", false, 2, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "OTP Form", "auth-otp-form", false, 2, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    flows.add(new FlowExecutions(flowRep, infos));

    // clients
    flowRep = newFlow("clients", "Base authentication for clients", "client-flow", true, true);
    addExecExport(flowRep, null, false, "client-secret", false, null, ALTERNATIVE, 10);
    addExecExport(flowRep, null, false, "client-jwt", false, null, ALTERNATIVE, 20);
    addExecExport(flowRep, null, false, "client-secret-jwt", false, null, ALTERNATIVE, 30);
    addExecExport(flowRep, null, false, "client-x509", false, null, ALTERNATIVE, 40);
    infos = new LinkedList<>();
    addExecInfo(infos, "Client Id and Secret", "client-secret", false, 0, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Signed Jwt", "client-jwt", false, 0, 1, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Signed Jwt with Client Secret", "client-secret-jwt", false, 0, 2, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "X509 Certificate", "client-x509", false, 0, 3, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    flows.add(new FlowExecutions(flowRep, infos));

    // direct grant
    flowRep = newFlow("direct grant", "OpenID Connect Resource Owner Grant", "basic-flow", true, true);
    addExecExport(flowRep, null, false, "direct-grant-validate-username", false, null, REQUIRED, 10);
    addExecExport(flowRep, null, false, "direct-grant-validate-password", false, null, REQUIRED, 20);
    addExecExport(flowRep, "Direct Grant - Conditional OTP", false, null, true, null, CONDITIONAL, 30);
    infos = new LinkedList<>();
    addExecInfo(infos, "Username Validation", "direct-grant-validate-username", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
    addExecInfo(infos, "Password", "direct-grant-validate-password", false, 0, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Direct Grant - Conditional OTP", null, false, 0, 2, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Condition - user configured", "conditional-user-configured", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "OTP", "direct-grant-validate-otp", false, 1, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    flows.add(new FlowExecutions(flowRep, infos));

    // docker auth
    flowRep = newFlow("docker auth", "Used by Docker clients to authenticate against the IDP", "basic-flow", true, true);
    addExecExport(flowRep, null, false, "docker-http-basic-authenticator", false, null, REQUIRED, 10);
    infos = new LinkedList<>();
    addExecInfo(infos, "Docker Authenticator", "docker-http-basic-authenticator", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
    flows.add(new FlowExecutions(flowRep, infos));

    // first broker login
    flowRep = newFlow("first broker login", "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "basic-flow", true, true);
    addExecExport(flowRep, null, false, "idp-review-profile", false, "review profile config", REQUIRED, 10);
    addExecExport(flowRep, "User creation or linking", false, null, true, null, REQUIRED, 20);
    infos = new LinkedList<>();
    addExecInfo(infos, "Review Profile", "idp-review-profile", true, 0, 0, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "User creation or linking", null, false, 0, 1, REQUIRED, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Create User If Unique", "idp-create-user-if-unique", true, 1, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Handle Existing Account", null, false, 1, 1, ALTERNATIVE, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Confirm link existing account", "idp-confirm-link", false, 2, 0, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Account verification options", null, false, 2, 1, REQUIRED, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Verify existing account by Email", "idp-email-verification", false, 3, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Verify Existing Account by Re-authentication", null, false, 3, 1, ALTERNATIVE, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Username Password Form for identity provider reauthentication", "idp-username-password-form", false, 4, 0, REQUIRED, null, new String[] { REQUIRED });
    addExecInfo(infos, "First broker login - Conditional OTP", null, false, 4, 1, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Condition - user configured", "conditional-user-configured", false, 5, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "OTP Form", "auth-otp-form", false, 5, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    flows.add(new FlowExecutions(flowRep, infos));

    // http challenge
    flowRep = newFlow("http challenge", "An authentication flow based on challenge-response HTTP Authentication Schemes", "basic-flow", true, true);
    addExecExport(flowRep, null, false, "no-cookie-redirect", false, null, REQUIRED, 10);
    addExecExport(flowRep, "Authentication Options", false, null, true, null, REQUIRED, 20);
    infos = new LinkedList<>();
    addExecInfo(infos, "Browser Redirect for Cookie free authentication", "no-cookie-redirect", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
    addExecInfo(infos, "Authentication Options", null, false, 0, 1, REQUIRED, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Basic Auth Challenge", "basic-auth", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Basic Auth Password+OTP", "basic-auth-otp", false, 1, 1, DISABLED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Kerberos", "auth-spnego", false, 1, 2, DISABLED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    flows.add(new FlowExecutions(flowRep, infos));

    // registration
    flowRep = newFlow("registration", "registration flow", "basic-flow", true, true);
    addExecExport(flowRep, "registration form", false, "registration-page-form", true, null, REQUIRED, 10);
    infos = new LinkedList<>();
    addExecInfo(infos, "registration form", "registration-page-form", false, 0, 0, REQUIRED, true, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "Registration User Creation", "registration-user-creation", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "Profile Validation", "registration-profile-action", false, 1, 1, REQUIRED, null, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "Password Validation", "registration-password-action", false, 1, 2, REQUIRED, null, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "Recaptcha", "registration-recaptcha-action", true, 1, 3, DISABLED, null, new String[] { REQUIRED, DISABLED });
    flows.add(new FlowExecutions(flowRep, infos));

    // reset credentials
    flowRep = newFlow("reset credentials", "Reset credentials for a user if they forgot their password or something", "basic-flow", true, true);
    addExecExport(flowRep, null, false, "reset-credentials-choose-user", false, null, REQUIRED, 10);
    addExecExport(flowRep, null, false, "reset-credential-email", false, null, REQUIRED, 20);
    addExecExport(flowRep, null, false, "reset-password", false, null, REQUIRED, 30);
    addExecExport(flowRep, "Reset - Conditional OTP", false, null, true, null, CONDITIONAL, 40);
    infos = new LinkedList<>();
    addExecInfo(infos, "Choose User", "reset-credentials-choose-user", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
    addExecInfo(infos, "Send Reset Email", "reset-credential-email", false, 0, 1, REQUIRED, null, new String[] { REQUIRED });
    addExecInfo(infos, "Reset Password", "reset-password", false, 0, 2, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    addExecInfo(infos, "Reset - Conditional OTP", null, false, 0, 3, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
    addExecInfo(infos, "Condition - user configured", "conditional-user-configured", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
    addExecInfo(infos, "Reset OTP", "reset-otp", false, 1, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
    flows.add(new FlowExecutions(flowRep, infos));

    return flows;
}

Example 22 with AuthenticationFlowRepresentation

use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak.

the class BrowserFlowTest method revertFlows.

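/**
 * Restores the realm's browser flow to the built-in default and deletes the custom
 * flow identified by {@code flowToDeleteAlias}.
 *
 * <p>The alias is resolved before the realm is modified, so an unknown alias fails
 * without changing anything. The browser binding is reset before the delete so the
 * realm is never left pointing at a flow that no longer exists.
 *
 * @param realmResource admin-client handle of the realm to revert
 * @param flowToDeleteAlias alias of the custom flow to remove
 * @throws IllegalArgumentException if no flow with that alias exists in the realm
 */
public static void revertFlows(RealmResource realmResource, String flowToDeleteAlias) {
    List<AuthenticationFlowRepresentation> flows = realmResource.flows().getFlows();
    AuthenticationFlowRepresentation flowRepresentation = AbstractAuthenticationTest.findFlowByAlias(flowToDeleteAlias, flows);
    // Fail before touching the realm: previously the browser flow was already reset here
    if (flowRepresentation == null) {
        throw new IllegalArgumentException("The flow with alias " + flowToDeleteAlias + " did not exist");
    }
    // Set default browser flow first, then delete the flow it may have been bound to
    RealmRepresentation realm = realmResource.toRepresentation();
    realm.setBrowserFlow(DefaultAuthenticationFlows.BROWSER_FLOW);
    realmResource.update(realm);
    realmResource.flows().deleteFlow(flowRepresentation.getId());
}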

Example 23 with AuthenticationFlowRepresentation

use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak.

the class CustomFlowTest method testRequiredAfterAlternative.

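/**
 * KEYCLOAK-3506
 *
 * <p>Copies the built-in browser flow, appends a REQUIRED click-through execution
 * behind the copied ALTERNATIVE ones, binds the copy as the realm's browser flow and
 * checks that opening the login page lands on the terms page. The browser flow is put
 * back to "dummy" in a finally block so a failing assertion does not leave the realm
 * bound to the copied flow for the rest of the class.
 */
@Test
public void testRequiredAfterAlternative() {
    AuthenticationManagementResource authMgmtResource = testRealm().flows();
    Map<String, String> params = new HashMap<>();
    String flowAlias = "Browser Flow With Extra";
    params.put("newName", flowAlias);
    String flowId;
    try (Response response = authMgmtResource.copy("browser", params)) {
        Assert.assertThat("Copy flow", response, statusCodeIs(Response.Status.CREATED));
        AuthenticationFlowRepresentation newFlow = findFlowByAlias(flowAlias);
        // an explicit failure here beats the NPE from getId() on a missing flow
        Assert.assertNotNull("Copied flow " + flowAlias + " not found", newFlow);
        flowId = newFlow.getId();
    }
    AuthenticationExecutionRepresentation execution = ExecutionBuilder.create().parentFlow(flowId).requirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString()).authenticator(ClickThroughAuthenticator.PROVIDER_ID).priority(10).authenticatorFlow(false).build();
    RealmRepresentation rep = testRealm().toRepresentation();
    try {
        // the response was closed but never checked before; a rejected execution made the test fail later and less clearly
        try (Response r = authMgmtResource.addExecution(execution)) {
            Assert.assertThat("Add execution", r, statusCodeIs(Response.Status.CREATED));
        }
        rep.setBrowserFlow(flowAlias);
        testRealm().update(rep);
        rep = testRealm().toRepresentation();
        Assert.assertEquals(flowAlias, rep.getBrowserFlow());
        loginPage.open();
        // In the new flows, any required execution renders the optional (ALTERNATIVE) ones unused,
        // so no username/password round trip is attempted here: the REQUIRED click-through is
        // expected to be shown directly.
        Assert.assertTrue(termsPage.isCurrent());
    } finally {
        // Revert dummy flow
        rep.setBrowserFlow("dummy");
        testRealm().update(rep);
    }
}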

Example 24 with AuthenticationFlowRepresentation

use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak.

the class CustomFlowTest method configureFlows.

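/**
 * Replaces the realm's browser, direct-grant, registration and client-authentication
 * flows with single-execution pass-through flows, so the tests in this class run
 * against a known-trivial authentication setup.
 *
 * <p>Runs the flow setup once per class; on later invocations only {@code userId} is
 * refreshed. Every {@code Response} returned by {@code addExecution} is closed, which
 * the previous version did not do.
 */
@Before
public void configureFlows() {
    userId = findUser("login-test").getId();
    // Do this just once per class
    if (testContext.isInitialized()) {
        return;
    }
    AuthenticationFlowRepresentation flow = FlowBuilder.create().alias("dummy").description("dummy pass through flow").providerId("basic-flow").topLevel(true).builtIn(false).build();
    testRealm().flows().createFlow(flow);
    RealmRepresentation realm = testRealm().toRepresentation();
    realm.setBrowserFlow(flow.getAlias());
    realm.setDirectGrantFlow(flow.getAlias());
    testRealm().update(realm);
    addRequiredExecutionToFlow(flow.getAlias(), PassThroughAuthenticator.PROVIDER_ID);

    flow = FlowBuilder.create().alias("dummy registration").description("dummy pass through registration").providerId("basic-flow").topLevel(true).builtIn(false).build();
    testRealm().flows().createFlow(flow);
    setRegistrationFlow(flow);
    addRequiredExecutionToFlow(flow.getAlias(), PassThroughRegistration.PROVIDER_ID);

    AuthenticationFlowRepresentation clientFlow = FlowBuilder.create().alias("client-dummy").description("dummy pass through flow").providerId(AuthenticationFlow.CLIENT_FLOW).topLevel(true).builtIn(false).build();
    testRealm().flows().createFlow(clientFlow);
    realm = testRealm().toRepresentation();
    realm.setClientAuthenticationFlow(clientFlow.getAlias());
    testRealm().update(realm);
    addRequiredExecutionToFlow(clientFlow.getAlias(), PassThroughClientAuthenticator.PROVIDER_ID);

    testContext.setInitialized(true);
}

/**
 * Re-reads the flow by alias (the representation handed to {@code createFlow} carries no
 * id) and adds a single REQUIRED, non-sub-flow execution at priority 10 using the given
 * authenticator, closing and checking the admin response.
 *
 * @param flowAlias alias of an already created flow
 * @param authenticatorProviderId provider id of the authenticator to add
 */
private void addRequiredExecutionToFlow(String flowAlias, String authenticatorProviderId) {
    // refresh flow to find its id
    AuthenticationFlowRepresentation flow = findFlowByAlias(flowAlias);
    AuthenticationExecutionRepresentation execution = ExecutionBuilder.create().parentFlow(flow.getId()).requirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString()).authenticator(authenticatorProviderId).priority(10).authenticatorFlow(false).build();
    try (Response response = testRealm().flows().addExecution(execution)) {
        Assert.assertThat("Add execution " + authenticatorProviderId, response, statusCodeIs(Response.Status.CREATED));
    }
}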

Example 25 with AuthenticationFlowRepresentation

use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak.

the class CustomFlowTest method validateX509FlowUpdate.

/**
 * Regression test for saving an X.509 authenticator config twice with an empty CRL
 * relative path. A throwaway flow gets one X.509-username execution; its config is
 * created with CRL checking enabled, rewritten with CRL disabled and an empty relative
 * path, and then saved a second time unchanged — the step that used to fail on Oracle,
 * where "" and NULL are not distinguished.
 *
 * @throws Exception if the flow creator or the admin client fails
 */
@Test
public void validateX509FlowUpdate() throws Exception {
    String flowAlias = "Browser Flow With Extra 2";
    AuthenticationFlowRepresentation flowRep = new AuthenticationFlowRepresentation();
    flowRep.setAlias(flowAlias);
    flowRep.setDescription("");
    flowRep.setProviderId("basic-flow");
    flowRep.setTopLevel(true);
    flowRep.setBuiltIn(false);
    // Creator.Flow removes the flow again when the try block exits
    try (Creator.Flow createdFlow = Creator.create(testRealm(), flowRep)) {
        AuthenticationManagementResource flowsResource = createdFlow.resource();
        // add execution - X509 username
        String executionId = createdFlow.addExecution(ValidateX509CertificateUsernameFactory.PROVIDER_ID).getId();

        Map<String, String> options = new HashMap<>();
        options.put(AbstractX509ClientCertificateAuthenticator.ENABLE_CRL, Boolean.TRUE.toString());
        AuthenticatorConfigRepresentation configRep = new AuthenticatorConfigRepresentation();
        configRep.setAlias("Config alias");
        configRep.setConfig(options);

        String configId;
        try (Response createResponse = flowsResource.newExecutionConfig(executionId, configRep)) {
            assertThat(createResponse, statusCodeIs(Status.CREATED));
            configId = ApiUtil.getCreatedId(createResponse);
        }

        // work on the server-side copy so the update carries the stored id and alias
        configRep = flowsResource.getAuthenticatorConfig(configId);
        Map<String, String> storedOptions = configRep.getConfig();
        storedOptions.put(AbstractX509ClientCertificateAuthenticator.ENABLE_CRL, Boolean.FALSE.toString());
        storedOptions.put(AbstractX509ClientCertificateAuthenticator.CRL_RELATIVE_PATH, "");
        flowsResource.updateAuthenticatorConfig(configId, configRep);
        // Saving the same options for the second time would fail for CRL_RELATIVE_PATH on Oracle due to "" == NULL weirdness
        flowsResource.updateAuthenticatorConfig(configId, configRep);
    }
}
