public class ConditionalOtpFormAuthenticator extends OTPFormAuthenticator

An OTPFormAuthenticator that can conditionally require OTP authentication.
The decision for whether or not to require OTP authentication can be made based on multiple conditions, which are evaluated in the following order. The first matching condition determines the outcome; a condition that does not apply abstains and evaluation moves on to the next one.

1. User Attribute
2. Role
3. Request Header
4. Configured Default

The configured default (DEFAULT_OTP_OUTCOME) covers the case where none of the preceding conditions applies. If no condition matches and no default is configured, the ConditionalOtpFormAuthenticator falls back to requiring OTP authentication, i.e. it fails closed.
User Attribute

A user attribute such as otp_auth can be used to control OTP authentication at the individual user level; the attribute name is read from the OTP_CONTROL_USER_ATTRIBUTE configuration entry. The supported values are skip and force. If the value is set to skip, the OTP auth is skipped for the user; if the value is force, the OTP auth is enforced. The setting is ignored for any other value (the condition abstains). Because this attribute switches off a second factor, only administrators should be able to write it: any self-service path that lets users edit their own attributes would let them opt out of OTP.

Role

A role can be used to control OTP authentication in the same way: if the user has the role configured as SKIP_OTP_ROLE, OTP authentication is skipped for the user; if the user has the role configured as FORCE_OTP_ROLE, OTP authentication is required. The skip role is checked first.
Request Header

Request headers are matched via regex Patterns and can be specified as a whitelist (SKIP_OTP_FOR_HTTP_HEADER) and a blacklist (FORCE_OTP_FOR_HTTP_HEADER). Each header is tested as the string "Name: value", and the pattern has to match that whole string rather than a substring of it. No OTP for Header specifies the pattern for which OTP authentication is not required. This can be used to specify trusted networks, e.g. via: X-Forwarded-Host: (1.2.3.4|1.2.3.5), where the IPs 1.2.3.4 and 1.2.3.5 denote trusted machines. Force OTP for Header specifies the pattern for which OTP authentication is required. Whitelist entries take precedence over blacklist entries: if both patterns match the same request, OTP is skipped.

Two caveats apply to the trusted-network use. First, X-Forwarded-* headers are set by whoever sends the request, so the pattern only identifies a trusted network if a reverse proxy in front of Keycloak strips or overwrites these headers on every inbound request; otherwise any client can add the header itself and skip OTP. Second, an unescaped . in the pattern matches any character, so 1.2.3.4 also matches 1x2y3z4; write 1\.2\.3\.4 when exact addresses are intended.
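The evaluation order and the header matching described above, as an added stand-alone example. This is not Keycloak's code: the config keys, the Decision enum, the in-memory user-attribute, role and header maps, and the sample requests are hypothetical stand-ins for the authenticator's config map, UserModel and HttpHeaders. It needs Java 9 or later for Map.of/Set.of/List.of.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration of the documented decision order; not the Keycloak implementation.
public class ConditionalOtpDecisionDemo {

    enum Decision { SKIP_OTP, SHOW_OTP, ABSTAIN }

    // Hypothetical config keys standing in for the String constants listed on this page.
    static final String CFG_USER_ATTRIBUTE = "otpControlAttribute";
    static final String CFG_SKIP_ROLE = "skipOtpRole";
    static final String CFG_FORCE_ROLE = "forceOtpRole";
    static final String CFG_SKIP_HEADER = "noOtpForHeaderPattern";
    static final String CFG_FORCE_HEADER = "forceOtpForHeaderPattern";
    static final String CFG_DEFAULT = "defaultOtpOutcome";

    /** 1. User attribute: "skip" or "force" decides, any other value abstains. */
    static Decision voteForUserAttribute(Map<String, String> cfg, Map<String, String> userAttrs) {
        String attr = cfg.get(CFG_USER_ATTRIBUTE);
        if (attr == null) return Decision.ABSTAIN;
        String value = userAttrs.get(attr);
        if ("skip".equals(value)) return Decision.SKIP_OTP;
        if ("force".equals(value)) return Decision.SHOW_OTP;
        return Decision.ABSTAIN;
    }

    /** 2. Roles: the skip role is checked before the force role. */
    static Decision voteForRole(Map<String, String> cfg, Set<String> roles) {
        String skipRole = cfg.get(CFG_SKIP_ROLE);
        if (skipRole != null && roles.contains(skipRole)) return Decision.SKIP_OTP;
        String forceRole = cfg.get(CFG_FORCE_ROLE);
        if (forceRole != null && roles.contains(forceRole)) return Decision.SHOW_OTP;
        return Decision.ABSTAIN;
    }

    /** A header matches only when the regex matches the entire "Name: value" string. */
    static boolean headerMatches(Map<String, List<String>> headers, String regex) {
        if (regex == null) return false;
        Pattern p = Pattern.compile(regex, Pattern.DOTALL);
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            for (String v : e.getValue()) {
                if (p.matcher(e.getKey().trim() + ": " + v.trim()).matches()) return true;
            }
        }
        return false;
    }

    /** 3. Request headers: the whitelist (skip) pattern wins over the blacklist (force) pattern. */
    static Decision voteForHeader(Map<String, String> cfg, Map<String, List<String>> headers) {
        if (headerMatches(headers, cfg.get(CFG_SKIP_HEADER))) return Decision.SKIP_OTP;
        if (headerMatches(headers, cfg.get(CFG_FORCE_HEADER))) return Decision.SHOW_OTP;
        return Decision.ABSTAIN;
    }

    /** 4. Configured default; an unset or unknown default abstains. */
    static Decision voteForDefault(Map<String, String> cfg) {
        String d = cfg.get(CFG_DEFAULT);
        if ("skip".equals(d)) return Decision.SKIP_OTP;
        if ("force".equals(d)) return Decision.SHOW_OTP;
        return Decision.ABSTAIN;
    }

    /** Evaluate in the documented order; the first non-abstaining vote wins, otherwise fail closed. */
    static boolean otpRequired(Map<String, String> cfg, Map<String, String> userAttrs,
                               Set<String> roles, Map<String, List<String>> headers) {
        Decision[] votes = {
            voteForUserAttribute(cfg, userAttrs),
            voteForRole(cfg, roles),
            voteForHeader(cfg, headers),
            voteForDefault(cfg),
        };
        for (Decision d : votes) {
            if (d == Decision.SKIP_OTP) return false;
            if (d == Decision.SHOW_OTP) return true;
        }
        return true; // nothing matched and no default: require OTP
    }

    public static void main(String[] args) {
        // Hypothetical configuration; dots in the IPs are escaped so they match literally.
        Map<String, String> cfg = Map.of(
            CFG_USER_ATTRIBUTE, "otp_auth",
            CFG_SKIP_ROLE, "otp-exempt",
            CFG_FORCE_ROLE, "admin",
            CFG_SKIP_HEADER, "X-Forwarded-Host: (1\\.2\\.3\\.4|1\\.2\\.3\\.5)");

        // Constructed sample users and requests.
        Map<String, String> plainUser = Map.of();
        Map<String, String> forcedUser = Map.of("otp_auth", "force");
        Map<String, List<String>> fromTrustedHost = Map.of("X-Forwarded-Host", List.of("1.2.3.4"));
        Map<String, List<String>> spoofedByClient = Map.of("X-Forwarded-Host", List.of("1.2.3.4"));
        Map<String, List<String>> fromInternet = Map.of("Host", List.of("sso.example"));

        // Attribute "force" is evaluated first, so the trusted host does not exempt this user.
        System.out.println("forced user, trusted host: " + otpRequired(cfg, forcedUser, Set.of("admin"), fromTrustedHost));
        // Skip role is checked before force role, so OTP is skipped despite the admin role.
        System.out.println("exempt+admin roles: " + otpRequired(cfg, plainUser, Set.of("otp-exempt", "admin"), fromInternet));
        // Header whitelist skips OTP ...
        System.out.println("trusted host: " + otpRequired(cfg, plainUser, Set.of(), fromTrustedHost));
        // ... and the authenticator cannot tell a proxy-set header from a client-supplied one.
        System.out.println("client-supplied header: " + otpRequired(cfg, plainUser, Set.of(), spoofedByClient));
        // No condition matches and no default is configured: OTP is required.
        System.out.println("nothing matches: " + otpRequired(cfg, plainUser, Set.of(), fromInternet));
    }
}
```

The last two scenarios are the point of the header caveat: the skip decision is identical whether a trusted proxy set X-Forwarded-Host or the client typed it, so the pattern is only as trustworthy as the proxy that owns that header.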
Modifier and Type | Field and Description |
---|---|
static String | DEFAULT_OTP_OUTCOME |
static String | FORCE |
static String | FORCE_OTP_FOR_HTTP_HEADER |
static String | FORCE_OTP_ROLE |
static String | OTP_CONTROL_USER_ATTRIBUTE |
static String | SKIP |
static String | SKIP_OTP_FOR_HTTP_HEADER |
static String | SKIP_OTP_ROLE |
Fields inherited from class OTPFormAuthenticator: SELECTED_OTP_CREDENTIAL_ID, UNNAMED
Fields inherited from class AbstractUsernameFormAuthenticator: ATTEMPTED_USERNAME, REGISTRATION_FORM_ACTION
Constructor and Description |
---|
ConditionalOtpFormAuthenticator() |
Modifier and Type | Method and Description |
---|---|
void | authenticate(AuthenticationFlowContext context): Initial call for the authenticator. |
void | setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user): Set actions to configure authenticator |
Methods inherited from class OTPFormAuthenticator: action, close, configuredFor, createLoginForm, getCredentialProvider, getRequiredActions, requiresUser, tempDisabledError, validateOTP
Methods inherited from class AbstractUsernameFormAuthenticator: challenge, dummyHash, enabledUser, getDefaultChallengeMessage, isTemporarilyDisabledByBruteForce, runDefaultDummyHash, setDuplicateUserChallenge, testInvalidUser, validatePassword, validatePassword, validateUser, validateUserAndPassword
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface Authenticator: areRequiredActionsEnabled
Methods inherited from interface CredentialValidator: getCredentials, getType
public static final String SKIP
public static final String FORCE
public static final String OTP_CONTROL_USER_ATTRIBUTE
public static final String SKIP_OTP_ROLE
public static final String FORCE_OTP_ROLE
public static final String SKIP_OTP_FOR_HTTP_HEADER
public static final String FORCE_OTP_FOR_HTTP_HEADER
public static final String DEFAULT_OTP_OUTCOME
public void authenticate(AuthenticationFlowContext context)
Description copied from interface: Authenticator
Initial call for the authenticator.
Specified by: authenticate in interface Authenticator
Overrides: authenticate in class OTPFormAuthenticator

public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user)
Description copied from interface: Authenticator
Set actions to configure authenticator
Specified by: setRequiredActions in interface Authenticator
Overrides: setRequiredActions in class OTPFormAuthenticator
Copyright © 2020 JBoss by Red Hat. All rights reserved.