public class ScriptBasedAuthenticator extends Object implements Authenticator
An Authenticator that can execute a configured script during the authentication flow.

Scripts must provide at least one of the following functions:
- authenticate(..), which is called from Authenticator.authenticate(AuthenticationFlowContext)
- action(..), which is called from Authenticator.action(AuthenticationFlowContext)

Custom Authenticators should at least provide the authenticate(..) function.
The following script Bindings are available for convenient use within script code:
- script: the ScriptModel to access script metadata
- realm: the RealmModel
- user: the current UserModel
- session: the active KeycloakSession
- authenticationSession: the current AuthenticationSessionModel
- httpRequest: the current HttpRequest
- LOG: a Logger scoped to ScriptBasedAuthenticator

Note that the user variable is only defined when the user was identified by a preceding authentication step, e.g. by the UsernamePasswordForm authenticator.

Additional context information can be extracted from the context argument passed to the authenticate(context) or action(context) function.

An example ScriptBasedAuthenticator definition could look as follows:
```javascript
// Resolve the Keycloak enum through the script engine's Java interop.
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

function authenticate(context) {
    // user is only defined when a preceding step identified the user.
    var username = user ? user.username : "anonymous";
    LOG.info(script.name + " --> trace auth for: " + username);

    if (username === "tester"
        && user.getAttribute("someAttribute")
        && user.getAttribute("someAttribute").contains("someValue")) {
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }

    context.success();
}
```
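
A fail-closed variant of the script above, as an added example that is not part of the Keycloak Javadoc: it rejects the flow when the user binding is empty instead of continuing as "anonymous". The mockUser and runScript helpers, the demo-script name and the AuthenticationFlowError stand-in are constructed so the script body can be exercised outside Keycloak.

```javascript
// Added example. In Keycloak the script engine supplies Java.type and the
// bindings (user, LOG, script); the stand-ins here are constructed.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { INVALID_USER: "INVALID_USER" };          // constructed stand-in

// --- script body, as it would be configured on the authenticator ---
function authenticate(context) {
    // 'user' is only set when a preceding step identified the user.
    // Fail closed instead of continuing as "anonymous".
    if (typeof user === "undefined" || user === null) {
        LOG.warn(script.name + " --> no identified user, rejecting");
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    // Read the attribute once; it may be null when the attribute is unset.
    var values = user.getAttribute("someAttribute");
    if (values && values.contains("someValue")) {
        LOG.info(script.name + " --> rejected: " + user.username);
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    context.success();
}

// --- constructed harness (hypothetical helpers, not Keycloak APIs) ---
function mockUser(username, attrs) {
    return {
        username: username,
        getAttribute: function (name) {
            var list = attrs[name];
            if (!list) { return null; }
            return { contains: function (v) { return list.indexOf(v) >= 0; } };
        }
    };
}

function runScript(boundUser) {
    var outcome = null;
    globalThis.user = boundUser;                 // undefined: not identified
    globalThis.script = { name: "demo-script" };
    globalThis.LOG = { info: function () {}, warn: function () {} };
    authenticate({
        success: function () { outcome = "success"; },
        failure: function (err) { outcome = "failure:" + err; }
    });
    return outcome;
}
```

Only the script body section belongs in the authenticator configuration; the harness exists to run the same function against constructed users.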
Constructor and Description |
---|
ScriptBasedAuthenticator() |
Modifier and Type | Method and Description |
---|---|
void | action(AuthenticationFlowContext context): Called from a form action invocation. |
void | authenticate(AuthenticationFlowContext context): Initial call for the authenticator. |
void | close() |
boolean | configuredFor(KeycloakSession session, RealmModel realm, UserModel user): Is this authenticator configured for this user. |
protected AuthenticatorConfigModel | getAuthenticatorConfig(AuthenticationFlowContext context) |
boolean | requiresUser(): Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null? |
void | setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user): Set actions to configure authenticator |

Methods inherited from class Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface Authenticator: areRequiredActionsEnabled, getRequiredActions

public void authenticate(AuthenticationFlowContext context)
Specified by: authenticate in interface Authenticator

public void action(AuthenticationFlowContext context)
Specified by: action in interface Authenticator

protected AuthenticatorConfigModel getAuthenticatorConfig(AuthenticationFlowContext context)

public boolean requiresUser()
Specified by: requiresUser in interface Authenticator

public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user)
Specified by: configuredFor in interface Authenticator

public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user)
Specified by: setRequiredActions in interface Authenticator

Copyright © 2021 JBoss by Red Hat. All rights reserved.