Class ConditionalOtpFormAuthenticator
- All Implemented Interfaces:
Authenticator
,CredentialValidator<OTPCredentialProvider>
,Provider
OTPFormAuthenticator
that can conditionally require OTP authentication.
The decision for whether or not to require OTP authentication can be made based on multiple conditions which are evaluated in the following order. The first matching condition determines the outcome.
- User Attribute
- Role
- Request Header
- Configured Default
If no condition matches, the ConditionalOtpFormAuthenticator
fallback is to require OTP authentication.
User Attribute
A User Attribute likeotp_auth
can be used to control OTP authentication on individual user level.
The supported values are skip and force. If the value is set to skip then the OTP auth is skipped for the user,
otherwise if the value is force then the OTP auth is enforced. The setting is ignored for any other value.
Role
A role can be used to control the OTP authentication. If the user has the specified skip OTP role then OTP authentication is skipped for the user. If the user has the specified force OTP role, then the OTP authentication is required for the user. If not configured, e.g. if no role is selected, then this setting is ignored.
Request Header
Request Headers are matched via regex Pattern
s and can be specified as a whitelist and blacklist.
No OTP for Header specifies the pattern for which OTP authentication is not required.
This can be used to specify trusted networks, e.g. via: X-Forwarded-Host: (1.2.3.4|1.2.3.5)
where
The IPs 1.2.3.4, 1.2.3.5 denote trusted machines.
Force OTP for Header specifies the pattern for which OTP authentication is required. Whitelist entries take
precedence before blacklist entries.
Configured Default
A default fall-though behaviour can be specified to handle cases where all previous conditions did not lead to a conclusion. An OTP authentication is required in case no default is configured.- Author:
- Thomas Darimont
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
Fields inherited from class org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator
SELECTED_OTP_CREDENTIAL_ID, UNNAMED
Fields inherited from class org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
ATTEMPTED_USERNAME, REGISTRATION_FORM_ACTION, USER_SET_BEFORE_USERNAME_PASSWORD_AUTH
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
authenticate
(AuthenticationFlowContext context) Initial call for the authenticator.void
setRequiredActions
(KeycloakSession session, RealmModel realm, UserModel user) Set actions to configure authenticatorMethods inherited from class org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator
action, close, configuredFor, createLoginForm, disabledByBruteForceError, disabledByBruteForceFieldError, getCredentialProvider, getRequiredActions, requiresUser, validateOTP
Methods inherited from class org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
challenge, challenge, dummyHash, enabledUser, getDefaultChallengeMessage, isDisabledByBruteForce, isUserAlreadySetBeforeUsernamePasswordAuth, runDefaultDummyHash, setDuplicateUserChallenge, testInvalidUser, validatePassword, validateUser, validateUserAndPassword
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.keycloak.authentication.Authenticator
areRequiredActionsEnabled
Methods inherited from interface org.keycloak.authentication.CredentialValidator
getCredentials, getType
-
Field Details
-
SKIP
- See Also:
-
FORCE
- See Also:
-
OTP_CONTROL_USER_ATTRIBUTE
- See Also:
-
SKIP_OTP_ROLE
- See Also:
-
FORCE_OTP_ROLE
- See Also:
-
SKIP_OTP_FOR_HTTP_HEADER
- See Also:
-
FORCE_OTP_FOR_HTTP_HEADER
- See Also:
-
DEFAULT_OTP_OUTCOME
- See Also:
-
-
Constructor Details
-
ConditionalOtpFormAuthenticator
public ConditionalOtpFormAuthenticator()
-
-
Method Details
-
authenticate
Description copied from interface:Authenticator
Initial call for the authenticator. This method should check the current HTTP request to determine if the request satifies the Authenticator's requirements. If it doesn't, it should send back a challenge response by calling the AuthenticationFlowContext.challenge(Response). If this challenge is a authentication, the action URL of the form must point to /realms/{realm}/login-actions/authenticate?code={session-code}&execution={executionId} or /realms/{realm}/login-actions/registration?code={session-code}&execution={executionId} {session-code} pertains to the code generated from AuthenticationFlowContext.generateAccessCode(). The {executionId} pertains to the AuthenticationExecutionModel.getId() value obtained from AuthenticationFlowContext.getExecution(). The action URL will invoke the action() method described below.- Specified by:
authenticate
in interfaceAuthenticator
- Overrides:
authenticate
in classOTPFormAuthenticator
-
setRequiredActions
Description copied from interface:Authenticator
Set actions to configure authenticator- Specified by:
setRequiredActions
in interfaceAuthenticator
- Overrides:
setRequiredActions
in classOTPFormAuthenticator
-