public static UserCredentialModel passwordToken(String passwordToken) { UserCredentialModel model = new UserCredentialModel(); model.setType(PASSWORD_TOKEN); model.setValue(passwordToken); return model; }
public static UserCredentialModel generateSecret(ClientModel client) { UserCredentialModel secret = UserCredentialModel.generateSecret(); client.setSecret(secret.getValue()); return secret; }
public static PasswordUserCredentialModel password(String password) { return password(password, false); }
@Override public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) { if (user.getUsername().equals("test-user") && input.size() == 1) { UserCredentialModel password = input.get(0); if (password.getType().equals(UserCredentialModel.PASSWORD)) { return "secret".equals(password.getValue()); } } return false; }
public static CredentialRepresentation toRepresentation(UserCredentialModel cred) { CredentialRepresentation rep = new CredentialRepresentation(); rep.setType(CredentialRepresentation.SECRET); rep.setValue(cred.getValue()); return rep; }
private UserCredentialModel passwordAndScope(AuthenticationFlowContext context){ String password = this.retrievePassword(context); UserCredentialModel credentialModel = UserCredentialModel.password(password); Optional<String> scope = AuthenticatorUtil.readScope(context); scope.ifPresent(s -> credentialModel.setNote(Constants.CUSTOM_SCOPE_NOTE_KEY, s)); return credentialModel; } }
@Override public CredentialValidationOutput validCredentials(KeycloakSession session, RealmModel realm, UserCredentialModel... input) { List<UserFederationProviderModel> fedProviderModels = realm.getUserFederationProviders(); List<UserFederationProvider> fedProviders = new ArrayList<UserFederationProvider>(); for (UserFederationProviderModel fedProviderModel : fedProviderModels) { fedProviders.add(getFederationProvider(fedProviderModel)); } CredentialValidationOutput result = null; for (UserCredentialModel cred : input) { UserFederationProvider providerSupportingCreds = null; // Find first provider, which supports required credential type for (UserFederationProvider fedProvider : fedProviders) { if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) { providerSupportingCreds = fedProvider; break; } } if (providerSupportingCreds == null) { logger.warn("Don't have provider supporting credentials of type " + cred.getType()); return CredentialValidationOutput.failed(); } logger.debug("Found provider [" + providerSupportingCreds + "] supporting credentials of type " + cred.getType()); CredentialValidationOutput currentResult = providerSupportingCreds.validCredentials(realm, cred); result = (result == null) ? currentResult : result.merge(currentResult); } // For now, validCredentials(realm, input) is not supported for local userProviders return (result != null) ? result : CredentialValidationOutput.failed(); }
private static boolean validCredential(KeycloakSession session, RealmModel realm, UserModel user, UserCredentialModel credential) { if (credential.getType().equals(UserCredentialModel.PASSWORD)) { if (!validPassword(session, realm, user, credential.getValue())) { return false; } } else if (credential.getType().equals(UserCredentialModel.PASSWORD_TOKEN)) { if (!validPasswordToken(realm, user, credential.getValue())) { return false; } } else if (credential.getType().equals(UserCredentialModel.TOTP)) { if (!validTOTP(realm, user, credential.getValue())) { return false; } } else if (credential.getType().equals(UserCredentialModel.HOTP)) { if (!validHOTP(realm, user, credential.getValue())) { return false; } } else if (credential.getType().equals(UserCredentialModel.SECRET)) { if (!validSecret(realm, user, credential.getValue())) { return false; } } else { return false; } return true; } }
@Override public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) { String token = ((UserCredentialModel) credentialInput).getValue(); String userName = authenticateToken(token, client, httpClient); boolean authenticated = Objects.equals(userModel.getUsername(), userName); if(userName == null) { LOG.debug("User: " + userModel.getUsername() + " not authenticated for realm " + realmModel.getName()); } else if(!authenticated) { LOG.debug("Attempt to log in for user " + userModel.getUsername() + " in realm " + realmModel.getName() + " with token for " + userName); } return authenticated; }
@Override public boolean validCredentials(KeycloakSession session, RealmModel realm, UserModel user, List<UserCredentialModel> input) { UserFederationProvider link = getFederationLink(realm, user); if (link != null) { validateUser(realm, user); Set<String> supportedCredentialTypes = link.getSupportedCredentialTypes(user); if (supportedCredentialTypes.size() > 0) { List<UserCredentialModel> fedCreds = new ArrayList<UserCredentialModel>(); List<UserCredentialModel> localCreds = new ArrayList<UserCredentialModel>(); for (UserCredentialModel cred : input) { if (supportedCredentialTypes.contains(cred.getType())) { fedCreds.add(cred); } else { localCreds.add(cred); } } if (!link.validCredentials(realm, user, fedCreds)) { return false; } return session.userStorage().validCredentials(session, realm, user, localCreds); } } return session.userStorage().validCredentials(session, realm, user, input); }
public static UserCredentialModel hotp(String key) { UserCredentialModel model = new UserCredentialModel(); model.setType(HOTP); model.setValue(key); return model; }
public void updateCredential(RealmModel realm, UserModel user, UserCredentialModel credential) { if (credential.getType().equals(UserCredentialModel.PASSWORD)) { if (realm.getPasswordPolicy() != null) { PasswordPolicy.Error error = realm.getPasswordPolicy().validate(session, user, credential.getValue()); if (error != null) throw new ModelException(error.getMessage(), error.getParameters()); } } user.updateCredential(credential); }
@GET @Path("/valid-credentials") @Produces(MediaType.APPLICATION_JSON) public boolean validCredentials(@QueryParam("realmName") String realmName, @QueryParam("userName") String userName, @QueryParam("password") String password) { RealmModel realm = session.realms().getRealm(realmName); if (realm == null) return false; UserProvider userProvider = session.getProvider(UserProvider.class); UserModel user = userProvider.getUserByUsername(userName, realm); return userProvider.validCredentials(session, realm, user, UserCredentialModel.password(password)); }
@Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) { if (!(input instanceof UserCredentialModel)) return false; if (input.getType().equals(UserCredentialModel.PASSWORD) && !session.userCredentialManager().isConfiguredLocally(realm, user, UserCredentialModel.PASSWORD)) { return validPassword(user.getUsername(), ((UserCredentialModel)input).getValue()); } else { return false; // invalid cred type } }
public static UserCredentialModel hotp(String key) { UserCredentialModel model = new UserCredentialModel(); model.setType(HOTP); model.setValue(key); return model; }
@Override public CredentialValidationOutput authenticate(RealmModel realm, CredentialInput input) { if (!(input instanceof UserCredentialModel)) return null; UserCredentialModel credential = (UserCredentialModel)input; if (credential.getType().equals(UserCredentialModel.KERBEROS)) { String spnegoToken = credential.getValue(); SPNEGOAuthenticator spnegoAuthenticator = factory.createSPNEGOAuthenticator(spnegoToken, kerberosConfig); spnegoAuthenticator.authenticate(); Map<String, String> state = new HashMap<String, String>(); if (spnegoAuthenticator.isAuthenticated()) { String username = spnegoAuthenticator.getAuthenticatedUsername(); UserModel user = findOrCreateAuthenticatedUser(realm, username); if (user == null) { return CredentialValidationOutput.failed(); } else { String delegationCredential = spnegoAuthenticator.getSerializedDelegationCredential(); if (delegationCredential != null) { state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential); } return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state); } } else { state.put(KerberosConstants.RESPONSE_TOKEN, spnegoAuthenticator.getResponseToken()); return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, state); } } else { return null; } }
/** * Override the validate password so we transfer password validation result into the authentication flow context. * <p> * TODO: Discuss issue with keycloak development team and send a patch. */ @Override public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) { List<CredentialInput> credentials = new LinkedList<>(); String password = inputData.getFirst(CredentialRepresentation.PASSWORD); // Patched PasswordUserCredentialModel credentialModel = UserCredentialModel.password(password); AuthenticatorUtil.readScope(context) .ifPresent(s -> credentialModel.setNote(Constants.CUSTOM_SCOPE_NOTE_KEY, s)); credentials.add(credentialModel); if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) { AuthenticatorUtil.addMainSecretToUserSession(userSecretAdapter, context, user, credentialModel); return true; } else { context.getEvent().user(user); context.getEvent().error(Errors.INVALID_USER_CREDENTIALS); Response challengeResponse = invalidCredentials(context); context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse); context.clearUser(); return false; } } }
public static UserCredentialModel secret(String password) { UserCredentialModel model = new UserCredentialModel(); model.setType(SECRET); model.setValue(password); return model; }