Package org.keycloak.authentication

Interface Authenticator

All Superinterfaces:
Provider
All Known Subinterfaces:
AuthenticationFlowCallback, ConditionalAuthenticator
All Known Implementing Classes:
AbstractDirectGrantAuthenticator, AbstractFormAuthenticator, AbstractIdpAuthenticator, AbstractSetRequiredActionAuthenticator, AbstractUsernameFormAuthenticator, AbstractX509ClientCertificateAuthenticator, AbstractX509ClientCertificateDirectGrantAuthenticator, AllowAccessAuthenticator, AttemptedAuthenticator, ConditionalLoaAuthenticator, ConditionalOtpFormAuthenticator, ConditionalRoleAuthenticator, ConditionalUserAttributeValue, ConditionalUserConfiguredAuthenticator, CookieAuthenticator, DenyAccessAuthenticator, DockerAuthenticator, HttpBasicAuthenticator, IdentityProviderAuthenticator, IdpAddOrganizationMemberAuthenticator, IdpAutoLinkAuthenticator, IdpConfirmLinkAuthenticator, IdpConfirmOverrideLinkAuthenticator, IdpCreateUserIfUniqueAuthenticator, IdpDetectExistingBrokerUserAuthenticator, IdpEmailVerificationAuthenticator, IdpReviewProfileAuthenticator, IdpUsernamePasswordForm, OrganizationAuthenticator, OTPFormAuthenticator, PasskeysConditionalUIAuthenticator, PasswordForm, RecoveryAuthnCodesFormAuthenticator, ResetCredentialChooseUser, ResetCredentialEmail, ResetOTP, ResetPassword, ScriptBasedAuthenticator, SpnegoAuthenticator, UsernameForm, UsernamePasswordForm, UserSessionLimitsAuthenticator, ValidateOTP, ValidatePassword, ValidateUsername, ValidateX509CertificateUsername, WebAuthnAuthenticator, WebAuthnPasswordlessAuthenticator, X509ClientCertificateAuthenticator
public interface Authenticator extends Provider
This interface is for users that want to add custom authenticators to an authentication flow. You must implement this interface as well as an AuthenticatorFactory.
Version:
$Revision: 1 $
Author:
Bill Burke

  • Method Details

    • authenticate

      void authenticate(AuthenticationFlowContext context)
      Initial call for the authenticator. This method should check the current HTTP request to determine if the request satisfies the Authenticator's requirements. If it doesn't, it should send back a challenge response by calling the AuthenticationFlowContext.challenge(Response). If this challenge is a authentication, the action URL of the form must point to /realms/{realm}/login-actions/authenticate?code={session-code}&execution={executionId} or /realms/{realm}/login-actions/registration?code={session-code}&execution={executionId} {session-code} pertains to the code generated from AuthenticationFlowContext.generateAccessCode(). The {executionId} pertains to the AuthenticationExecutionModel.getId() value obtained from AuthenticationFlowContext.getExecution(). The action URL will invoke the action() method described below.
      Parameters:
      context -

    • action

      void action(AuthenticationFlowContext context)
      Called from a form action invocation.
      Parameters:
      context -

    • requiresUser

      boolean requiresUser()
      Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null?
      Returns:

    • configuredFor

      boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user)
      Is this authenticator configured for this user.
      Parameters:
      session -
      realm -
      user -
      Returns:

    • setRequiredActions

      void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user)
      Set actions to configure authenticator

    • getRequiredActions

      default List<RequiredActionFactory> getRequiredActions(KeycloakSession session)
      Overwrite this if the authenticator is associated with
      Returns:

    • areRequiredActionsEnabled

      default boolean areRequiredActionsEnabled(KeycloakSession session, RealmModel realm)
      Checks if all required actions are configured in the realm and are enabled
      Returns: