Use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak: class InitialFlowsTest, method expectedFlows.
/**
 * Builds the expected set of built-in authentication flows, in the order the
 * test compares them against a freshly created realm.
 * <p>
 * Each flow is recorded in two views: the exported flow definition (via
 * {@code addExecExport}) and the per-execution info entries (via
 * {@code addExecInfo}, each carrying the requirement in effect and the array
 * of requirement choices offered for that execution). The exact meaning of the
 * helper arguments is not visible here; NOTE(review): the two int arguments of
 * {@code addExecInfo} look like nesting level and index within the parent —
 * confirm against the helper definitions.
 *
 * @return the expected flows, each paired with its execution info, in
 *         comparison order
 */
private LinkedList<FlowExecutions> expectedFlows() {
LinkedList<FlowExecutions> expected = new LinkedList<>();
// "browser": cookie and identity-provider redirector are ALTERNATIVE, Kerberos
// (auth-spnego) ships DISABLED; the "forms" sub-flow carries the username/password
// form followed by a conditional OTP step.
AuthenticationFlowRepresentation flow = newFlow("browser", "browser based authentication", "basic-flow", true, true);
addExecExport(flow, null, false, "auth-cookie", false, null, ALTERNATIVE, 10);
addExecExport(flow, null, false, "auth-spnego", false, null, DISABLED, 20);
addExecExport(flow, null, false, "identity-provider-redirector", false, null, ALTERNATIVE, 25);
addExecExport(flow, "forms", false, null, true, null, ALTERNATIVE, 30);
List<AuthenticationExecutionInfoRepresentation> execs = new LinkedList<>();
addExecInfo(execs, "Cookie", "auth-cookie", false, 0, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Kerberos", "auth-spnego", false, 0, 1, DISABLED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Identity Provider Redirector", "identity-provider-redirector", true, 0, 2, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "forms", null, false, 0, 3, ALTERNATIVE, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Username Password Form", "auth-username-password-form", false, 1, 0, REQUIRED, null, new String[] { REQUIRED });
addExecInfo(execs, "Browser - Conditional OTP", null, false, 1, 1, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Condition - user configured", "conditional-user-configured", false, 2, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "OTP Form", "auth-otp-form", false, 2, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
expected.add(new FlowExecutions(flow, execs));
// "clients": four ALTERNATIVE client authenticators — shared secret, signed JWT,
// JWT signed with the client secret, and X.509 certificate.
flow = newFlow("clients", "Base authentication for clients", "client-flow", true, true);
addExecExport(flow, null, false, "client-secret", false, null, ALTERNATIVE, 10);
addExecExport(flow, null, false, "client-jwt", false, null, ALTERNATIVE, 20);
addExecExport(flow, null, false, "client-secret-jwt", false, null, ALTERNATIVE, 30);
addExecExport(flow, null, false, "client-x509", false, null, ALTERNATIVE, 40);
execs = new LinkedList<>();
addExecInfo(execs, "Client Id and Secret", "client-secret", false, 0, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Signed Jwt", "client-jwt", false, 0, 1, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Signed Jwt with Client Secret", "client-secret-jwt", false, 0, 2, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "X509 Certificate", "client-x509", false, 0, 3, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
expected.add(new FlowExecutions(flow, execs));
// "direct grant": username and password validation are both REQUIRED, then a
// conditional OTP sub-flow.
flow = newFlow("direct grant", "OpenID Connect Resource Owner Grant", "basic-flow", true, true);
addExecExport(flow, null, false, "direct-grant-validate-username", false, null, REQUIRED, 10);
addExecExport(flow, null, false, "direct-grant-validate-password", false, null, REQUIRED, 20);
addExecExport(flow, "Direct Grant - Conditional OTP", false, null, true, null, CONDITIONAL, 30);
execs = new LinkedList<>();
addExecInfo(execs, "Username Validation", "direct-grant-validate-username", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
addExecInfo(execs, "Password", "direct-grant-validate-password", false, 0, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Direct Grant - Conditional OTP", null, false, 0, 2, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Condition - user configured", "conditional-user-configured", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "OTP", "direct-grant-validate-otp", false, 1, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
expected.add(new FlowExecutions(flow, execs));
// "docker auth": a single REQUIRED HTTP basic authenticator.
flow = newFlow("docker auth", "Used by Docker clients to authenticate against the IDP", "basic-flow", true, true);
addExecExport(flow, null, false, "docker-http-basic-authenticator", false, null, REQUIRED, 10);
execs = new LinkedList<>();
addExecInfo(execs, "Docker Authenticator", "docker-http-basic-authenticator", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
expected.add(new FlowExecutions(flow, execs));
// "first broker login": review profile, then a "User creation or linking"
// sub-flow; when the user is not unique, "Handle Existing Account" nests the
// confirm-link step and the two ALTERNATIVE verification paths (email, or
// re-authentication with password plus conditional OTP).
flow = newFlow("first broker login", "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "basic-flow", true, true);
addExecExport(flow, null, false, "idp-review-profile", false, "review profile config", REQUIRED, 10);
addExecExport(flow, "User creation or linking", false, null, true, null, REQUIRED, 20);
execs = new LinkedList<>();
addExecInfo(execs, "Review Profile", "idp-review-profile", true, 0, 0, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "User creation or linking", null, false, 0, 1, REQUIRED, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Create User If Unique", "idp-create-user-if-unique", true, 1, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Handle Existing Account", null, false, 1, 1, ALTERNATIVE, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Confirm link existing account", "idp-confirm-link", false, 2, 0, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Account verification options", null, false, 2, 1, REQUIRED, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Verify existing account by Email", "idp-email-verification", false, 3, 0, ALTERNATIVE, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Verify Existing Account by Re-authentication", null, false, 3, 1, ALTERNATIVE, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Username Password Form for identity provider reauthentication", "idp-username-password-form", false, 4, 0, REQUIRED, null, new String[] { REQUIRED });
addExecInfo(execs, "First broker login - Conditional OTP", null, false, 4, 1, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Condition - user configured", "conditional-user-configured", false, 5, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "OTP Form", "auth-otp-form", false, 5, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
expected.add(new FlowExecutions(flow, execs));
// "http challenge": cookie-free redirect, then an "Authentication Options"
// sub-flow where only plain basic auth is REQUIRED; the password+OTP and
// Kerberos variants ship DISABLED.
flow = newFlow("http challenge", "An authentication flow based on challenge-response HTTP Authentication Schemes", "basic-flow", true, true);
addExecExport(flow, null, false, "no-cookie-redirect", false, null, REQUIRED, 10);
addExecExport(flow, "Authentication Options", false, null, true, null, REQUIRED, 20);
execs = new LinkedList<>();
addExecInfo(execs, "Browser Redirect for Cookie free authentication", "no-cookie-redirect", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
addExecInfo(execs, "Authentication Options", null, false, 0, 1, REQUIRED, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Basic Auth Challenge", "basic-auth", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Basic Auth Password+OTP", "basic-auth-otp", false, 1, 1, DISABLED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Kerberos", "auth-spnego", false, 1, 2, DISABLED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
expected.add(new FlowExecutions(flow, execs));
// "registration": one "registration form" sub-flow; user creation, profile and
// password validation are REQUIRED, Recaptcha ships DISABLED.
flow = newFlow("registration", "registration flow", "basic-flow", true, true);
addExecExport(flow, "registration form", false, "registration-page-form", true, null, REQUIRED, 10);
execs = new LinkedList<>();
addExecInfo(execs, "registration form", "registration-page-form", false, 0, 0, REQUIRED, true, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "Registration User Creation", "registration-user-creation", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "Profile Validation", "registration-profile-action", false, 1, 1, REQUIRED, null, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "Password Validation", "registration-password-action", false, 1, 2, REQUIRED, null, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "Recaptcha", "registration-recaptcha-action", true, 1, 3, DISABLED, null, new String[] { REQUIRED, DISABLED });
expected.add(new FlowExecutions(flow, execs));
// "reset credentials": choose user, send reset email and reset password are
// REQUIRED, followed by a conditional OTP sub-flow.
flow = newFlow("reset credentials", "Reset credentials for a user if they forgot their password or something", "basic-flow", true, true);
addExecExport(flow, null, false, "reset-credentials-choose-user", false, null, REQUIRED, 10);
addExecExport(flow, null, false, "reset-credential-email", false, null, REQUIRED, 20);
addExecExport(flow, null, false, "reset-password", false, null, REQUIRED, 30);
addExecExport(flow, "Reset - Conditional OTP", false, null, true, null, CONDITIONAL, 40);
execs = new LinkedList<>();
addExecInfo(execs, "Choose User", "reset-credentials-choose-user", false, 0, 0, REQUIRED, null, new String[] { REQUIRED });
addExecInfo(execs, "Send Reset Email", "reset-credential-email", false, 0, 1, REQUIRED, null, new String[] { REQUIRED });
addExecInfo(execs, "Reset Password", "reset-password", false, 0, 2, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
addExecInfo(execs, "Reset - Conditional OTP", null, false, 0, 3, CONDITIONAL, true, new String[] { REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL });
addExecInfo(execs, "Condition - user configured", "conditional-user-configured", false, 1, 0, REQUIRED, null, new String[] { REQUIRED, DISABLED });
addExecInfo(execs, "Reset OTP", "reset-otp", false, 1, 1, REQUIRED, null, new String[] { REQUIRED, ALTERNATIVE, DISABLED });
expected.add(new FlowExecutions(flow, execs));
return expected;
}
Use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak: class BrowserFlowTest, method revertFlows.
/**
 * Resets the realm's browser flow to the built-in default and then deletes
 * the flow with the given alias.
 * <p>
 * The browser binding is reset before the deletion (presumably so the flow is
 * unbound before it is removed); only the browser binding is touched, other
 * flow bindings of the realm are left as they are.
 *
 * @param realmResource     admin client handle for the realm
 * @param flowToDeleteAlias alias of the custom flow to remove
 * @throws IllegalArgumentException if no flow with that alias exists — note
 *         that the browser flow has already been reset at that point
 */
public static void revertFlows(RealmResource realmResource, String flowToDeleteAlias) {
    List<AuthenticationFlowRepresentation> existingFlows = realmResource.flows().getFlows();

    // Point the realm back at the default browser flow first.
    RealmRepresentation realmRep = realmResource.toRepresentation();
    realmRep.setBrowserFlow(DefaultAuthenticationFlows.BROWSER_FLOW);
    realmResource.update(realmRep);

    AuthenticationFlowRepresentation toDelete =
            AbstractAuthenticationTest.findFlowByAlias(flowToDeleteAlias, existingFlows);
    if (toDelete == null) {
        throw new IllegalArgumentException("The flow with alias " + flowToDeleteAlias + " did not exist");
    }
    realmResource.flows().deleteFlow(toDelete.getId());
}
Use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak: class CustomFlowTest, method testRequiredAfterAlternative.
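/**
 * KEYCLOAK-3506: a REQUIRED execution appended after ALTERNATIVE ones in a
 * copied browser flow must still be enforced.
 * <p>
 * Copies the built-in "browser" flow, appends a REQUIRED click-through
 * authenticator, binds the copy as the realm's browser flow and checks that
 * opening the login page lands on the terms page. The realm is rebound to the
 * "dummy" flow afterwards; the copied flow itself is not deleted here.
 */
@Test
public void testRequiredAfterAlternative() {
    AuthenticationManagementResource authMgmtResource = testRealm().flows();
    String flowAlias = "Browser Flow With Extra";
    // Typed map instead of the raw HashMap the original used.
    Map<String, String> params = new HashMap<>();
    params.put("newName", flowAlias);

    String flowId;
    // Response is AutoCloseable in this file (see the other try-with-resources uses).
    try (Response response = authMgmtResource.copy("browser", params)) {
        Assert.assertThat("Copy flow", response, statusCodeIs(Response.Status.CREATED));
        AuthenticationFlowRepresentation newFlow = findFlowByAlias(flowAlias);
        // findFlowByAlias yields null for an unknown alias; fail here with a message
        // instead of with a NullPointerException on getId().
        Assert.assertNotNull("Copied flow not found: " + flowAlias, newFlow);
        flowId = newFlow.getId();
    }

    AuthenticationExecutionRepresentation execution = ExecutionBuilder.create()
            .parentFlow(flowId)
            .requirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString())
            .authenticator(ClickThroughAuthenticator.PROVIDER_ID)
            .priority(10)
            .authenticatorFlow(false)
            .build();

    RealmRepresentation rep = testRealm().toRepresentation();
    try (Response r = testRealm().flows().addExecution(execution)) {
        rep.setBrowserFlow(flowAlias);
        testRealm().update(rep);
        rep = testRealm().toRepresentation();
        Assert.assertEquals(flowAlias, rep.getBrowserFlow());
    }

    loginPage.open();
    // In the new flows any required execution renders the optional flows unused, so
    // a "wrong password, then right password" round trip cannot be observed on this
    // copied flow; only the click-through (terms) step is asserted.
    Assert.assertTrue(termsPage.isCurrent());

    // Rebind the browser flow to the "dummy" flow the class set up.
    rep.setBrowserFlow("dummy");
    testRealm().update(rep);
}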
Use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak: class CustomFlowTest, method configureFlows.
/**
 * One-time realm setup for this test class: replaces the browser, direct grant,
 * registration and client authentication flows with pass-through flows so the
 * tests control exactly which authenticator runs.
 * <p>
 * Runs before every test but short-circuits once {@code testContext} is marked
 * initialised; only the {@code userId} lookup happens on every run.
 */
@Before
public void configureFlows() {
    userId = findUser("login-test").getId();

    // Flow setup is done only once per class.
    if (testContext.isInitialized()) {
        return;
    }

    // Browser + direct grant: one pass-through authenticator.
    AuthenticationFlowRepresentation dummyFlow =
            buildCustomTopLevelFlow("dummy", "dummy pass through flow", "basic-flow");
    testRealm().flows().createFlow(dummyFlow);
    RealmRepresentation realmRep = testRealm().toRepresentation();
    realmRep.setBrowserFlow(dummyFlow.getAlias());
    realmRep.setDirectGrantFlow(dummyFlow.getAlias());
    testRealm().update(realmRep);
    appendRequiredExecution(dummyFlow.getAlias(), PassThroughAuthenticator.PROVIDER_ID);

    // Registration: pass-through registration authenticator.
    AuthenticationFlowRepresentation registrationFlow =
            buildCustomTopLevelFlow("dummy registration", "dummy pass through registration", "basic-flow");
    testRealm().flows().createFlow(registrationFlow);
    setRegistrationFlow(registrationFlow);
    appendRequiredExecution(registrationFlow.getAlias(), PassThroughRegistration.PROVIDER_ID);

    // Client authentication: pass-through client authenticator.
    AuthenticationFlowRepresentation clientFlow =
            buildCustomTopLevelFlow("client-dummy", "dummy pass through flow", AuthenticationFlow.CLIENT_FLOW);
    testRealm().flows().createFlow(clientFlow);
    realmRep = testRealm().toRepresentation();
    realmRep.setClientAuthenticationFlow(clientFlow.getAlias());
    testRealm().update(realmRep);
    appendRequiredExecution(clientFlow.getAlias(), PassThroughClientAuthenticator.PROVIDER_ID);

    testContext.setInitialized(true);
}

/**
 * Builds a non-built-in, top-level flow representation; nothing is sent to the
 * server here.
 *
 * @param alias       flow alias
 * @param description human-readable description
 * @param providerId  flow provider id (e.g. "basic-flow")
 * @return the representation to pass to {@code createFlow}
 */
private static AuthenticationFlowRepresentation buildCustomTopLevelFlow(String alias, String description, String providerId) {
    return FlowBuilder.create()
            .alias(alias)
            .description(description)
            .providerId(providerId)
            .topLevel(true)
            .builtIn(false)
            .build();
}

/**
 * Re-reads the flow by alias (to learn its server-assigned id) and appends a
 * single REQUIRED, non-sub-flow execution for the given authenticator at
 * priority 10.
 *
 * @param flowAlias       alias of an already created flow
 * @param authenticatorId provider id of the authenticator to add
 */
private void appendRequiredExecution(String flowAlias, String authenticatorId) {
    AuthenticationFlowRepresentation created = findFlowByAlias(flowAlias);
    AuthenticationExecutionRepresentation execution = ExecutionBuilder.create()
            .parentFlow(created.getId())
            .requirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString())
            .authenticator(authenticatorId)
            .priority(10)
            .authenticatorFlow(false)
            .build();
    testRealm().flows().addExecution(execution);
}
Use of org.keycloak.representations.idm.AuthenticationFlowRepresentation in project keycloak by keycloak: class CustomFlowTest, method validateX509FlowUpdate.
/**
 * Updating an X.509 authenticator config twice with the same values must succeed.
 * <p>
 * Creates a throw-away top-level flow, adds the X.509 certificate username
 * validator, stores a config with CRL checking enabled, then rewrites it with
 * CRL checking disabled and an empty relative CRL path. The second identical
 * update guards against the Oracle empty-string/NULL behaviour noted inline.
 *
 * @throws Exception propagated from the try-with-resources flow creator
 */
@Test
public void validateX509FlowUpdate() throws Exception {
    AuthenticationFlowRepresentation tempFlow = new AuthenticationFlowRepresentation();
    tempFlow.setAlias("Browser Flow With Extra 2");
    tempFlow.setDescription("");
    tempFlow.setProviderId("basic-flow");
    tempFlow.setTopLevel(true);
    tempFlow.setBuiltIn(false);

    try (Creator.Flow createdFlow = Creator.create(testRealm(), tempFlow)) {
        AuthenticationManagementResource flowsResource = createdFlow.resource();

        // Execution: X.509 certificate username validator.
        String executionId = createdFlow.addExecution(ValidateX509CertificateUsernameFactory.PROVIDER_ID).getId();

        // Initial config: CRL checking switched on.
        Map<String, String> settings = new HashMap<>();
        settings.put(AbstractX509ClientCertificateAuthenticator.ENABLE_CRL, Boolean.TRUE.toString());
        AuthenticatorConfigRepresentation configRep = new AuthenticatorConfigRepresentation();
        configRep.setAlias("Config alias");
        configRep.setConfig(settings);

        String configId;
        try (Response createResp = flowsResource.newExecutionConfig(executionId, configRep)) {
            assertThat(createResp, statusCodeIs(Status.CREATED));
            configId = ApiUtil.getCreatedId(createResp);
        }

        // Re-read the stored config, switch CRL checking off with an empty relative path, and save.
        configRep = flowsResource.getAuthenticatorConfig(configId);
        Map<String, String> storedSettings = configRep.getConfig();
        storedSettings.put(AbstractX509ClientCertificateAuthenticator.ENABLE_CRL, Boolean.FALSE.toString());
        storedSettings.put(AbstractX509ClientCertificateAuthenticator.CRL_RELATIVE_PATH, "");
        flowsResource.updateAuthenticatorConfig(configId, configRep);
        // Saving the same options for the second time would fail for CRL_RELATIVE_PATH on Oracle due to "" == NULL weirdness
        flowsResource.updateAuthenticatorConfig(configId, configRep);
    }
}