Class ScriptBasedAuthenticator

java.lang.Object
    org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator

All Implemented Interfaces: Authenticator, Provider

public class ScriptBasedAuthenticator extends Object implements Authenticator

An Authenticator that can execute a configured script during the authentication flow.

Scripts must provide at least one of the following functions:
- authenticate(..), which is called from Authenticator.authenticate(AuthenticationFlowContext)
- action(..), which is called from Authenticator.action(AuthenticationFlowContext)

Custom Authenticators should at least provide the authenticate(..) function.

The following script Bindings are available for convenient use within script code:
- script: the ScriptModel, to access script metadata
- realm: the RealmModel
- user: the current UserModel
- session: the active KeycloakSession
- authenticationSession: the current AuthenticationSessionModel
- httpRequest: the current HttpRequest
- LOG: a Logger scoped to ScriptBasedAuthenticator

Note that the user variable is only defined when the user was identified by a preceding authentication step, e.g. by the UsernamePasswordForm authenticator.

Additional context information can be extracted from the context argument passed to the authenticate(context) or action(context) function.

An example ScriptBasedAuthenticator definition could look as follows:

    // Import the Java enum that holds the failure reasons
    AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

    function authenticate(context) {
        // user is only bound when a preceding step identified the user
        var username = user ? user.username : "anonymous";
        LOG.info(script.name + " --> trace auth for: " + username);

        // Reject the user "tester" when someAttribute contains someValue
        if (username === "tester"
            && user.getAttribute("someAttribute")
            && user.getAttribute("someAttribute").contains("someValue")) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }

        context.success();
    }
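
Because user is only bound after a preceding step has identified the user, the example above logs an unidentified request as "anonymous" and then reaches context.success(). The following added example (not Keycloak's own code) applies the same policy but rejects when user is unbound, and runs the script logic outside Keycloak against a recording context. The stubs for user, script, LOG and AuthenticationFlowError, the helper names runFlow and stubUser, and the choice of UNKNOWN_USER as the rejection reason are assumptions made for this illustration.

```javascript
// Stand-ins for what Keycloak injects (constructed for this example). Inside
// Keycloak, AuthenticationFlowError comes from Java.type(...) and user, script
// and LOG are script bindings.
const AuthenticationFlowError = { INVALID_USER: "INVALID_USER", UNKNOWN_USER: "UNKNOWN_USER" };
const script = { name: "deny-flagged-users" };
const LOG = { lines: [], info(msg) { this.lines.push(msg); } };
let user; // stays undefined unless a preceding step identified the user

// Script body: same policy as the page's example, but failing closed.
function authenticate(context) {
  if (!user) {
    // No identified user: never fall through to success().
    LOG.info(script.name + " --> no identified user, rejecting");
    context.failure(AuthenticationFlowError.UNKNOWN_USER);
    return;
  }
  LOG.info(script.name + " --> trace auth for: " + user.username);
  const values = user.getAttribute("someAttribute");
  if (user.username === "tester" && values && values.contains("someValue")) {
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}

// Hypothetical harness: records every outcome the script signals, so a test
// can check that exactly one of success()/failure() was called.
function runFlow(identifiedUser) {
  const calls = [];
  const context = {
    success() { calls.push("success"); },
    failure(err) { calls.push("failure:" + err); },
  };
  user = identifiedUser;
  authenticate(context);
  return calls;
}

// Constructed user stub mimicking the getAttribute(..).contains(..) shape
// used by the page's example.
function stubUser(username, attrs) {
  return {
    username,
    getAttribute(name) {
      const list = attrs[name];
      return list ? { contains: (v) => list.includes(v) } : null;
    },
  };
}
```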

Author: Thomas Darimont

Constructor Summary
- ScriptBasedAuthenticator()

Method Summary
- void action(AuthenticationFlowContext context): Called from a form action invocation.
- void authenticate(AuthenticationFlowContext context): Initial call for the authenticator.
- void close()
- boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user): Is this authenticator configured for this user.
- protected AuthenticatorConfigModel getAuthenticatorConfig(AuthenticationFlowContext context)
- boolean requiresUser(): Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null?
- void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user): Set actions to configure authenticator

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.authentication.Authenticator
areRequiredActionsEnabled, getRequiredActions

Method Detail

authenticate
public void authenticate(AuthenticationFlowContext context)
Description copied from interface: Authenticator
Initial call for the authenticator. This method should check the current HTTP request to determine if the request satisfies the Authenticator's requirements. If it doesn't, it should send back a challenge response by calling AuthenticationFlowContext.challenge(Response). If this challenge is an authentication, the action URL of the form must point to

    /realms/{realm}/login-actions/authenticate?code={session-code}&execution={executionId}

or

    /realms/{realm}/login-actions/registration?code={session-code}&execution={executionId}

{session-code} pertains to the code generated from AuthenticationFlowContext.generateAccessCode(). The {executionId} pertains to the AuthenticationExecutionModel.getId() value obtained from AuthenticationFlowContext.getExecution(). The action URL will invoke the action() method described below.
Specified by: authenticate in interface Authenticator

action
public void action(AuthenticationFlowContext context)
Description copied from interface: Authenticator
Called from a form action invocation.
Specified by: action in interface Authenticator

getAuthenticatorConfig
protected AuthenticatorConfigModel getAuthenticatorConfig(AuthenticationFlowContext context)

requiresUser
public boolean requiresUser()
Description copied from interface: Authenticator
Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null?
Specified by: requiresUser in interface Authenticator
Returns:

configuredFor
public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user)
Description copied from interface: Authenticator
Is this authenticator configured for this user.
Specified by: configuredFor in interface Authenticator
Returns:

setRequiredActions
public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user)
Description copied from interface: Authenticator
Set actions to configure authenticator
Specified by: setRequiredActions in interface Authenticator