org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator の継承関係図

org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator 連携図

クラス
enum	OtpDecision

公開メンバ関数
void	authenticate (AuthenticationFlowContext context)

void	setRequiredActions (KeycloakSession session, RealmModel realm, UserModel user)

void	action (AuthenticationFlowContext context)

void	validateOTP (AuthenticationFlowContext context)

boolean	requiresUser ()

boolean	configuredFor (KeycloakSession session, RealmModel realm, UserModel user)

void	close ()

boolean	invalidUser (AuthenticationFlowContext context, UserModel user)

boolean	enabledUser (AuthenticationFlowContext context, UserModel user)

boolean	validateUserAndPassword (AuthenticationFlowContext context, MultivaluedMap< String, String > inputData)

boolean	validatePassword (AuthenticationFlowContext context, UserModel user, MultivaluedMap< String, String > inputData)

静的公開変数類
static final String	SKIP = "skip"

static final String	FORCE = "force"

static final String	OTP_CONTROL_USER_ATTRIBUTE = "otpControlAttribute"

static final String	SKIP_OTP_ROLE = "skipOtpRole"

static final String	FORCE_OTP_ROLE = "forceOtpRole"

static final String	SKIP_OTP_FOR_HTTP_HEADER = "noOtpRequiredForHeaderPattern"

static final String	FORCE_OTP_FOR_HTTP_HEADER = "forceOtpForHeaderPattern"

static final String	DEFAULT_OTP_OUTCOME = "defaultOtpOutcome"

static final String	REGISTRATION_FORM_ACTION = "registration_form"

static final String	ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME"

限定公開メンバ関数
Response	challenge (AuthenticationFlowContext context, String error)

Response	invalidUser (AuthenticationFlowContext context)

Response	disabledUser (AuthenticationFlowContext context)

Response	temporarilyDisabledUser (AuthenticationFlowContext context)

Response	invalidCredentials (AuthenticationFlowContext context)

Response	setDuplicateUserChallenge (AuthenticationFlowContext context, String eventError, String loginFormError, AuthenticationFlowError authenticatorError)

void	runDefaultDummyHash (AuthenticationFlowContext context)

void	dummyHash (AuthenticationFlowContext context)

非公開メンバ関数
OtpDecision	voteForDefaultFallback (Map< String, String > config)

boolean	tryConcludeBasedOn (OtpDecision state, AuthenticationFlowContext context)

boolean	tryConcludeBasedOn (OtpDecision state)

void	showOtpForm (AuthenticationFlowContext context)

OtpDecision	voteForUserOtpControlAttribute (UserModel user, Map< String, String > config)

OtpDecision	voteForHttpHeaderMatchesPattern (MultivaluedMap< String, String > requestHeaders, Map< String, String > config)

boolean	containsMatchingRequestHeader (MultivaluedMap< String, String > requestHeaders, String headerPattern)

OtpDecision	voteForUserRole (RealmModel realm, UserModel user, Map< String, String > config)

boolean	userHasRole (RealmModel realm, UserModel user, String roleName)

boolean	isOTPRequired (KeycloakSession session, RealmModel realm, UserModel user)

boolean	containsConditionalOtpConfig (Map config)

詳解

An OTPFormAuthenticator that can conditionally require OTP authentication.

The decision for whether or not to require OTP authentication can be made based on multiple conditions which are evaluated in the following order. The first matching condition determines the outcome.

User Attribute
Role
Request Header
Configured Default

If no condition matches, the ConditionalOtpFormAuthenticator fallback is to require OTP authentication.

User Attribute

A User Attribute like otp_auth can be used to control OTP authentication on individual user level. The supported values are skip and force. If the value is set to skip then the OTP auth is skipped for the user, otherwise if the value is force then the OTP auth is enforced. The setting is ignored for any other value.

Role

A role can be used to control the OTP authentication. If the user has the specified skip OTP role then OTP authentication is skipped for the user. If the user has the specified force OTP role, then the OTP authentication is required for the user. If not configured, e.g. if no role is selected, then this setting is ignored.

Request Header

Request Headers are matched via regex Patterns and can be specified as a whitelist and blacklist. No OTP for Header specifies the pattern for which OTP authentication is not required. This can be used to specify trusted networks, e.g. via: X-Forwarded-Host: (1.2.3.4|1.2.3.5) where The IPs 1.2.3.4, 1.2.3.5 denote trusted machines. Force OTP for Header specifies the pattern for which OTP authentication is required. Whitelist entries take precedence before blacklist entries.

Configured Default

A default fall-though behaviour can be specified to handle cases where all previous conditions did not lead to a conclusion. An OTP authentication is required in case no default is configured.

著者: Thomas Darimont

クラス詳解

◆ org::keycloak::authentication::authenticators::browser::ConditionalOtpFormAuthenticator::OtpDecision

enum org::keycloak::authentication::authenticators::browser::ConditionalOtpFormAuthenticator::OtpDecision

org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.OtpDecision 連携図

列挙値
ABSTAIN
SHOW_OTP
SKIP_OTP

関数詳解

◆ action()

void org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator.action ( AuthenticationFlowContext context )

inlineinherited

org.keycloak.authentication.Authenticatorを実装しています。

                                                           {
         validateOTP(context);
     }

◆ authenticate()

void org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.authenticate ( AuthenticationFlowContext context )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                                 {
 
         Map<String, String> config = context.getAuthenticatorConfig().getConfig();
 
         if (tryConcludeBasedOn(voteForUserOtpControlAttribute(context.getUser(), config), context)) {
             return;
         }
 
         if (tryConcludeBasedOn(voteForUserRole(context.getRealm(), context.getUser(), config), context)) {
             return;
         }
 
         if (tryConcludeBasedOn(voteForHttpHeaderMatchesPattern(context.getHttpRequest().getHttpHeaders().getRequestHeaders(), config), context)) {
             return;
         }
 
         if (tryConcludeBasedOn(voteForDefaultFallback(config), context)) {
             return;
         }
 
         showOtpForm(context);
     }

◆ challenge()

Response org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator.challenge	(	AuthenticationFlowContext	context,
		String	error
	)

inlineprotectedinherited

                                                                                   {
         LoginFormsProvider forms = context.form();
         if (error != null) forms.setError(error);
 
         return forms.createLoginTotp();
     }

◆ close()

void org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator.close ( )

inlineinherited

org.keycloak.provider.Providerを実装しています。

                         {
 
     }

◆ configuredFor()

boolean org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator.configuredFor	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inlineinherited

org.keycloak.authentication.Authenticatorを実装しています。

                                                                                             {
         return session.userCredentialManager().isConfiguredFor(realm, user, realm.getOTPPolicy().getType());
     }

◆ containsConditionalOtpConfig()

boolean org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.containsConditionalOtpConfig ( Map config )

inlineprivate

                                                              {
         return config.containsKey(OTP_CONTROL_USER_ATTRIBUTE)
             || config.containsKey(SKIP_OTP_ROLE)
             || config.containsKey(FORCE_OTP_ROLE)
             || config.containsKey(SKIP_OTP_FOR_HTTP_HEADER)
             || config.containsKey(FORCE_OTP_FOR_HTTP_HEADER)
             || config.containsKey(DEFAULT_OTP_OUTCOME);
     }

◆ containsMatchingRequestHeader()

boolean org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.containsMatchingRequestHeader	(	MultivaluedMap< String, String >	requestHeaders,
		String	headerPattern
	)

inlineprivate

                                                                                                                        {
 
         if (headerPattern == null) {
             return false;
         }
 
         //TODO cache RequestHeader Patterns
         //TODO how to deal with pattern syntax exceptions?
         Pattern pattern = Pattern.compile(headerPattern, Pattern.DOTALL);
 
         for (Map.Entry<String, List<String>> entry : requestHeaders.entrySet()) {
 
             String key = entry.getKey();
 
             for (String value : entry.getValue()) {
 
                 String headerEntry = key.trim() + ": " + value.trim();
 
                 if (pattern.matcher(headerEntry).matches()) {
                     return true;
                 }
             }
         }
 
         return false;
     }

◆ disabledUser()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.disabledUser ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                        {
         return context.form()
                 .setError(Messages.ACCOUNT_DISABLED).createLogin();
     }

◆ dummyHash()

void org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.dummyHash ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                 {
         PasswordPolicy policy = context.getRealm().getPasswordPolicy();
         if (policy == null) {
             runDefaultDummyHash(context);
             return;
         } else {
             PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, policy.getHashAlgorithm());
             if (hash == null) {
                 runDefaultDummyHash(context);
                 return;
 
             } else {
                 hash.encode("dummypassword", policy.getHashIterations());
             }
         }
 
     }

◆ enabledUser()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.enabledUser	(	AuthenticationFlowContext	context,
		UserModel	user
	)

inlineinherited

                                                                                   {
         if (!user.isEnabled()) {
             context.getEvent().user(user);
             context.getEvent().error(Errors.USER_DISABLED);
             Response challengeResponse = disabledUser(context);
             // this is not a failure so don't call failureChallenge.
             //context.failureChallenge(AuthenticationFlowError.USER_DISABLED, challengeResponse);
             context.forceChallenge(challengeResponse);
             return false;
         }
         if (isTemporarilyDisabledByBruteForce(context, user)) return false;
         return true;
     }

◆ invalidCredentials()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.invalidCredentials ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                              {
         return context.form()
                 .setError(Messages.INVALID_USER).createLogin();
     }

◆ invalidUser() [1/2]

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.invalidUser ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                       {
         return context.form()
                 .setError(Messages.INVALID_USER)
                 .createLogin();
     }

◆ invalidUser() [2/2]

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.invalidUser	(	AuthenticationFlowContext	context,
		UserModel	user
	)

inlineinherited

                                                                                   {
         if (user == null) {
             dummyHash(context);
             context.getEvent().error(Errors.USER_NOT_FOUND);
             Response challengeResponse = invalidUser(context);
             context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
             return true;
         }
         return false;
     }

◆ isOTPRequired()

boolean org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.isOTPRequired	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inlineprivate

                                                                                              {
         MultivaluedMap<String, String> requestHeaders = session.getContext().getRequestHeaders().getRequestHeaders();
         for (AuthenticatorConfigModel configModel : realm.getAuthenticatorConfigs()) {
 
             if (tryConcludeBasedOn(voteForUserOtpControlAttribute(user, configModel.getConfig()))) {
                 return true;
             }
             if (tryConcludeBasedOn(voteForUserRole(realm, user, configModel.getConfig()))) {
                 return true;
             }
             if (tryConcludeBasedOn(voteForHttpHeaderMatchesPattern(requestHeaders, configModel.getConfig()))) {
                 return true;
             }
             if (configModel.getConfig().get(DEFAULT_OTP_OUTCOME) != null
                     && configModel.getConfig().get(DEFAULT_OTP_OUTCOME).equals(FORCE)
                     && configModel.getConfig().size() <= 1) {
                 return true;
             }
             if (containsConditionalOtpConfig(configModel.getConfig())
                 && voteForUserOtpControlAttribute(user, configModel.getConfig()) == ABSTAIN
                 && voteForUserRole(realm, user, configModel.getConfig()) == ABSTAIN
                 && voteForHttpHeaderMatchesPattern(requestHeaders, configModel.getConfig()) == ABSTAIN
                 && (voteForDefaultFallback(configModel.getConfig()) == SHOW_OTP
                     || voteForDefaultFallback(configModel.getConfig()) == ABSTAIN)) {
                 return true;
             }
         }
         return false;
     }

◆ requiresUser()

boolean org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator.requiresUser ( )

inlineinherited

org.keycloak.authentication.Authenticatorを実装しています。

                                   {
         return true;
     }

◆ runDefaultDummyHash()

void org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.runDefaultDummyHash ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                           {
         PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, PasswordPolicy.HASH_ALGORITHM_DEFAULT);
         hash.encode("dummypassword", PasswordPolicy.HASH_ITERATIONS_DEFAULT);
     }

◆ setDuplicateUserChallenge()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.setDuplicateUserChallenge	(	AuthenticationFlowContext	context,
		String	eventError,
		String	loginFormError,
		AuthenticationFlowError	authenticatorError
	)

inlineprotectedinherited

                                                                                                                                                                           {
         context.getEvent().error(eventError);
         Response challengeResponse = context.form()
                 .setError(loginFormError).createLogin();
         context.failureChallenge(authenticatorError, challengeResponse);
         return challengeResponse;
     }

◆ setRequiredActions()

void org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.setRequiredActions	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                                                               {
         if (!isOTPRequired(session, realm, user)) {
             user.removeRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
         } else if (!user.getRequiredActions().contains(UserModel.RequiredAction.CONFIGURE_TOTP.name())) {
             user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP.name());
         }
     }

◆ showOtpForm()

void org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.showOtpForm ( AuthenticationFlowContext context )

inlineprivate

                                                                 {
         super.authenticate(context);
     }

◆ temporarilyDisabledUser()

Response org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.temporarilyDisabledUser ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                                   {
         return context.form()
                 .setError(Messages.INVALID_USER).createLogin();
     }

◆ tryConcludeBasedOn() [1/2]

boolean org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.tryConcludeBasedOn	(	OtpDecision	state,
		AuthenticationFlowContext	context
	)

inlineprivate

                                                                                              {
 
         switch (state) {
 
             case SHOW_OTP:
                 showOtpForm(context);
                 return true;
 
             case SKIP_OTP:
                 context.success();
                 return true;
 
             default:
                 return false;
         }
     }

◆ tryConcludeBasedOn() [2/2]

boolean org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.tryConcludeBasedOn ( OtpDecision state )

inlineprivate

                                                           {
 
         switch (state) {
 
             case SHOW_OTP:
                 return true;
 
             case SKIP_OTP:
                 return false;
 
             default:
                 return false;
         }
     }

◆ userHasRole()

boolean org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.userHasRole	(	RealmModel	realm,
		UserModel	user,
		String	roleName
	)

inlineprivate

                                                                                    {
 
         if (roleName == null) {
             return false;
         }
 
         RoleModel role = getRoleFromString(realm, roleName);
 
         return RoleUtils.hasRole(user.getRoleMappings(), role);
     }

◆ validateOTP()

void org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator.validateOTP ( AuthenticationFlowContext context )

inlineinherited

                                                                {
         MultivaluedMap<String, String> inputData = context.getHttpRequest().getDecodedFormParameters();
         if (inputData.containsKey("cancel")) {
             context.resetFlow();
             return;
         }
         String password = inputData.getFirst(CredentialRepresentation.TOTP);
         if (password == null) {
             Response challengeResponse = challenge(context, null);
             context.challenge(challengeResponse);
             return;
         }
         boolean valid = context.getSession().userCredentialManager().isValid(context.getRealm(), context.getUser(),
                 UserCredentialModel.otp(context.getRealm().getOTPPolicy().getType(), password));
         if (!valid) {
             context.getEvent().user(context.getUser())
                     .error(Errors.INVALID_USER_CREDENTIALS);
             Response challengeResponse = challenge(context, Messages.INVALID_TOTP);
             context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
             return;
         }
         context.success();
     }

◆ validatePassword()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword	(	AuthenticationFlowContext	context,
		UserModel	user,
		MultivaluedMap< String, String >	inputData
	)

inlineinherited

                                                                                                                                  {
         List<CredentialInput> credentials = new LinkedList<>();
         String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
         credentials.add(UserCredentialModel.password(password));
 
         if (isTemporarilyDisabledByBruteForce(context, user)) return false;
 
         if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
             return true;
         } else {
             context.getEvent().user(user);
             context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
             Response challengeResponse = invalidCredentials(context);
             context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
             context.clearUser();
             return false;
         }
     }

◆ validateUserAndPassword()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword	(	AuthenticationFlowContext	context,
		MultivaluedMap< String, String >	inputData
	)

inlineinherited

                                                                                                                         {
         String username = inputData.getFirst(AuthenticationManager.FORM_USERNAME);
         if (username == null) {
             context.getEvent().error(Errors.USER_NOT_FOUND);
             Response challengeResponse = invalidUser(context);
             context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
             return false;
         }
 
         // remove leading and trailing whitespace
         username = username.trim();
 
         context.getEvent().detail(Details.USERNAME, username);
         context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username);
 
         UserModel user = null;
         try {
             user = KeycloakModelUtils.findUserByNameOrEmail(context.getSession(), context.getRealm(), username);
         } catch (ModelDuplicateException mde) {
             ServicesLogger.LOGGER.modelDuplicateException(mde);
 
             // Could happen during federation import
             if (mde.getDuplicateFieldName() != null && mde.getDuplicateFieldName().equals(UserModel.EMAIL)) {
                 setDuplicateUserChallenge(context, Errors.EMAIL_IN_USE, Messages.EMAIL_EXISTS, AuthenticationFlowError.INVALID_USER);
             } else {
                 setDuplicateUserChallenge(context, Errors.USERNAME_IN_USE, Messages.USERNAME_EXISTS, AuthenticationFlowError.INVALID_USER);
             }
 
             return false;
         }
 
         if (invalidUser(context, user)) {
             return false;
         }
 
         if (!validatePassword(context, user, inputData)) {
             return false;
         }
 
         if (!enabledUser(context, user)) {
             return false;
         }
 
         String rememberMe = inputData.getFirst("rememberMe");
         boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("on");
         if (remember) {
             context.getAuthenticationSession().setAuthNote(Details.REMEMBER_ME, "true");
             context.getEvent().detail(Details.REMEMBER_ME, "true");
         } else {
             context.getAuthenticationSession().removeAuthNote(Details.REMEMBER_ME);
         }
         context.setUser(user);
         return true;
     }

◆ voteForDefaultFallback()

OtpDecision org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.voteForDefaultFallback ( Map< String, String > config )

inlineprivate

                                                                            {
 
         if (!config.containsKey(DEFAULT_OTP_OUTCOME)) {
             return ABSTAIN;
         }
 
         switch (config.get(DEFAULT_OTP_OUTCOME)) {
             case SKIP:
                 return SKIP_OTP;
             case FORCE:
                 return SHOW_OTP;
             default:
                 return ABSTAIN;
         }
     }

◆ voteForHttpHeaderMatchesPattern()

OtpDecision org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.voteForHttpHeaderMatchesPattern	(	MultivaluedMap< String, String >	requestHeaders,
		Map< String, String >	config
	)

inlineprivate

                                                                                                                                    {
 
         if (!config.containsKey(FORCE_OTP_FOR_HTTP_HEADER) && !config.containsKey(SKIP_OTP_FOR_HTTP_HEADER)) {
             return ABSTAIN;
         }
 
         //Inverted to allow white-lists, e.g. for specifying trusted remote hosts: X-Forwarded-Host: (1.2.3.4|1.2.3.5)
         if (containsMatchingRequestHeader(requestHeaders, config.get(SKIP_OTP_FOR_HTTP_HEADER))) {
             return SKIP_OTP;
         }
 
         if (containsMatchingRequestHeader(requestHeaders, config.get(FORCE_OTP_FOR_HTTP_HEADER))) {
             return SHOW_OTP;
         }
 
         return ABSTAIN;
     }

◆ voteForUserOtpControlAttribute()

OtpDecision org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.voteForUserOtpControlAttribute	(	UserModel	user,
		Map< String, String >	config
	)

inlineprivate

                                                                                                    {
 
         if (!config.containsKey(OTP_CONTROL_USER_ATTRIBUTE)) {
             return ABSTAIN;
         }
 
         String attributeName = config.get(OTP_CONTROL_USER_ATTRIBUTE);
         if (attributeName == null) {
             return ABSTAIN;
         }
 
         List<String> values = user.getAttribute(attributeName);
 
         if (values.isEmpty()) {
             return ABSTAIN;
         }
 
         String value = values.get(0).trim();
 
         switch (value) {
             case SKIP:
                 return SKIP_OTP;
             case FORCE:
                 return SHOW_OTP;
             default:
                 return ABSTAIN;
         }
     }

◆ voteForUserRole()

OtpDecision org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.voteForUserRole	(	RealmModel	realm,
		UserModel	user,
		Map< String, String >	config
	)

inlineprivate

                                                                                                       {
 
         if (!config.containsKey(SKIP_OTP_ROLE) && !config.containsKey(FORCE_OTP_ROLE)) {
             return ABSTAIN;
         }
 
         if (userHasRole(realm, user, config.get(SKIP_OTP_ROLE))) {
             return SKIP_OTP;
         }
 
         if (userHasRole(realm, user, config.get(FORCE_OTP_ROLE))) {
             return SHOW_OTP;
         }
 
         return ABSTAIN;
     }

メンバ詳解

◆ ATTEMPTED_USERNAME

final String org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME"

staticinherited

◆ DEFAULT_OTP_OUTCOME

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.DEFAULT_OTP_OUTCOME = "defaultOtpOutcome"

static

◆ FORCE

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.FORCE = "force"

static

◆ FORCE_OTP_FOR_HTTP_HEADER

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.FORCE_OTP_FOR_HTTP_HEADER = "forceOtpForHeaderPattern"

static

◆ FORCE_OTP_ROLE

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.FORCE_OTP_ROLE = "forceOtpRole"

static

◆ OTP_CONTROL_USER_ATTRIBUTE

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.OTP_CONTROL_USER_ATTRIBUTE = "otpControlAttribute"

static

◆ REGISTRATION_FORM_ACTION

final String org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.REGISTRATION_FORM_ACTION = "registration_form"

staticinherited

◆ SKIP

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.SKIP = "skip"

static

◆ SKIP_OTP_FOR_HTTP_HEADER

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.SKIP_OTP_FOR_HTTP_HEADER = "noOtpRequiredForHeaderPattern"

static

◆ SKIP_OTP_ROLE

final String org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.SKIP_OTP_ROLE = "skipOtpRole"

static

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/authentication/authenticators/browser/ConditionalOtpFormAuthenticator.java

クラス

公開メンバ関数

静的公開変数類

限定公開メンバ関数

非公開メンバ関数

詳解

User Attribute

Role

Request Header

Configured Default

クラス詳解

◆ org::keycloak::authentication::authenticators::browser::ConditionalOtpFormAuthenticator::OtpDecision

関数詳解

◆ action()

◆ authenticate()

◆ challenge()

◆ close()

◆ configuredFor()

◆ containsConditionalOtpConfig()

◆ containsMatchingRequestHeader()

◆ disabledUser()

◆ dummyHash()

◆ enabledUser()

◆ invalidCredentials()

◆ invalidUser() [1/2]

◆ invalidUser() [2/2]

◆ isOTPRequired()

◆ requiresUser()

◆ runDefaultDummyHash()

◆ setDuplicateUserChallenge()

◆ setRequiredActions()

◆ showOtpForm()

◆ temporarilyDisabledUser()

◆ tryConcludeBasedOn() [1/2]

◆ tryConcludeBasedOn() [2/2]

◆ userHasRole()

◆ validateOTP()

◆ validatePassword()

◆ validateUserAndPassword()

◆ voteForDefaultFallback()

◆ voteForHttpHeaderMatchesPattern()

◆ voteForUserOtpControlAttribute()

◆ voteForUserRole()

メンバ詳解

◆ ATTEMPTED_USERNAME

◆ DEFAULT_OTP_OUTCOME

◆ FORCE

◆ FORCE_OTP_FOR_HTTP_HEADER

◆ FORCE_OTP_ROLE

◆ OTP_CONTROL_USER_ATTRIBUTE

◆ REGISTRATION_FORM_ACTION

◆ SKIP

◆ SKIP_OTP_FOR_HTTP_HEADER

◆ SKIP_OTP_ROLE