Package org.keycloak.authentication.authenticators.browser

Class WebAuthnAuthenticator

java.lang.Object

org.keycloak.authentication.authenticators.browser.WebAuthnAuthenticator

All Implemented Interfaces:

Authenticator, CredentialValidator<WebAuthnCredentialProvider>, Provider

Direct Known Subclasses:

WebAuthnPasswordlessAuthenticator

public class WebAuthnAuthenticator
extends Object
implements Authenticator, CredentialValidator<WebAuthnCredentialProvider>

Authenticator for WebAuthn authentication, which will be typically used when WebAuthn is used as second factor.

Field Summary

Fields

Modifier and Type	Field	Description
protected final KeycloakSession	session

Constructor Summary

Constructors

Constructor	Description
WebAuthnAuthenticator(KeycloakSession session)

Method Summary

Modifier and Type	Method	Description
void	action(AuthenticationFlowContext context)	Called from a form action invocation.
void	authenticate(AuthenticationFlowContext context)	Initial call for the authenticator.
void	close()
boolean	configuredFor(KeycloakSession session, RealmModel realm, UserModel user)	Is this authenticator configured for this user.
protected jakarta.ws.rs.core.Response	createErrorResponse(AuthenticationFlowContext context, String errorCase)
LoginFormsProvider	fillContextForm(AuthenticationFlowContext context)
WebAuthnCredentialProvider	getCredentialProvider(KeycloakSession session)
protected String	getCredentialType()
List<RequiredActionFactory>	getRequiredActions(KeycloakSession session)	Overwrite this if the authenticator is associated with
protected String	getRpID(AuthenticationFlowContext context)
protected WebAuthnPolicy	getWebAuthnPolicy(AuthenticationFlowContext context)
boolean	requiresUser()	Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null?
protected void	setErrorResponse(AuthenticationFlowContext context, String errorCase, String errorMessage)
void	setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user)	Set actions to configure authenticator
protected boolean	shouldDisplayAuthenticators(AuthenticationFlowContext context)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.authentication.Authenticator

areRequiredActionsEnabled

Methods inherited from interface org.keycloak.authentication.CredentialValidator

getCredentials, getType

Field Details

session

protected final KeycloakSession session

Constructor Details

WebAuthnAuthenticator

public WebAuthnAuthenticator(KeycloakSession session)

Method Details

authenticate

public void authenticate(AuthenticationFlowContext context)

Description copied from interface: Authenticator

Initial call for the authenticator. This method should check the current HTTP request to determine if the request satisfies the Authenticator's requirements. If it doesn't, it should send back a challenge response by calling the AuthenticationFlowContext.challenge(Response). If this challenge is a authentication, the action URL of the form must point to /realms/{realm}/login-actions/authenticate?code={session-code}&execution={executionId} or /realms/{realm}/login-actions/registration?code={session-code}&execution={executionId} {session-code} pertains to the code generated from AuthenticationFlowContext.generateAccessCode(). The {executionId} pertains to the AuthenticationExecutionModel.getId() value obtained from AuthenticationFlowContext.getExecution(). The action URL will invoke the action() method described below.

Specified by:

authenticate in interface Authenticator

fillContextForm

public LoginFormsProvider fillContextForm(AuthenticationFlowContext context)

getWebAuthnPolicy

protected WebAuthnPolicy getWebAuthnPolicy(AuthenticationFlowContext context)

getRpID

protected String getRpID(AuthenticationFlowContext context)

getCredentialType

protected String getCredentialType()

shouldDisplayAuthenticators

protected boolean shouldDisplayAuthenticators(AuthenticationFlowContext context)

action

public void action(AuthenticationFlowContext context)

Description copied from interface: Authenticator

Called from a form action invocation.

Specified by:

action in interface Authenticator

requiresUser

public boolean requiresUser()

Description copied from interface: Authenticator

Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null?

Specified by:

requiresUser in interface Authenticator

Returns:

configuredFor

public boolean configuredFor(KeycloakSession session,
 RealmModel realm,
 UserModel user)

Description copied from interface: Authenticator

Is this authenticator configured for this user.

Specified by:

configuredFor in interface Authenticator

Returns:

setRequiredActions

public void setRequiredActions(KeycloakSession session,
 RealmModel realm,
 UserModel user)

Description copied from interface: Authenticator

Set actions to configure authenticator

Specified by:

setRequiredActions in interface Authenticator

getRequiredActions

public List<RequiredActionFactory> getRequiredActions(KeycloakSession session)

Description copied from interface: Authenticator

Overwrite this if the authenticator is associated with

Specified by:

getRequiredActions in interface Authenticator

Returns:

close

public void close()

Specified by:

close in interface Provider

getCredentialProvider

public WebAuthnCredentialProvider getCredentialProvider(KeycloakSession session)

Specified by:

getCredentialProvider in interface CredentialValidator<WebAuthnCredentialProvider>

setErrorResponse

protected void setErrorResponse(AuthenticationFlowContext context,
 String errorCase,
 String errorMessage)

createErrorResponse

protected jakarta.ws.rs.core.Response createErrorResponse(AuthenticationFlowContext context,
 String errorCase)