org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator クラス

org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator の継承関係図

org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator 連携図

公開メンバ関数
void	authenticate (AuthenticationFlowContext context)
void	action (AuthenticationFlowContext context)
boolean	requiresUser ()
boolean	configuredFor (KeycloakSession session, RealmModel realm, UserModel user)
void	setRequiredActions (KeycloakSession session, RealmModel realm, UserModel user)
void	close ()

静的変数
static final String	SCRIPT_CODE = "scriptCode"
static final String	SCRIPT_NAME = "scriptName"
static final String	SCRIPT_DESCRIPTION = "scriptDescription"
static final String	ACTION_FUNCTION_NAME = "action"
static final String	AUTHENTICATE_FUNCTION_NAME = "authenticate"

非公開メンバ関数
void	tryInvoke (String functionName, AuthenticationFlowContext context)
boolean	hasAuthenticatorConfig (AuthenticationFlowContext context)
InvocableScriptAdapter	getInvocableScriptAdapter (AuthenticationFlowContext context)

静的非公開変数類
static final Logger	LOGGER = Logger.getLogger(ScriptBasedAuthenticator.class)

詳解

An Authenticator that can execute a configured script during authentication flow.

Scripts must at least provide one of the following functions:

1. authenticate(..) 

   which is called from Authenticator#authenticate(AuthenticationFlowContext)

2. action(..) 

   which is called from Authenticator#action(AuthenticationFlowContext)

Custom Authenticator's should at least provide the

authenticate(..) 

function. The following script javax.script.Bindings are available for convenient use within script code.

1. script 

   the ScriptModel to access script metadata

2. realm 

   the RealmModel

3. user 

   the current UserModel

4. session 

   the active KeycloakSession

5. authenticationSession 

   the current org.keycloak.sessions.AuthenticationSessionModel

6. httpRequest 

   the current org.jboss.resteasy.spi.HttpRequest

7. LOG 

   a org.jboss.logging.Logger scoped to ScriptBasedAuthenticator/li>

Note that the

user 

variable is only defined when the user was identified by a preceeding authentication step, e.g. by the UsernamePasswordForm authenticator.

Additional context information can be extracted from the

context 

argument passed to the

authenticate(context) 

or

action(context) 

function.

An example ScriptBasedAuthenticator definition could look as follows:

AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

function authenticate(context) {

  var username = user ? user.username : "anonymous";
  LOG.info(script.name + " --> trace auth for: " + username);

  if (   username === "tester"
      && user.getAttribute("someAttribute")
      && user.getAttribute("someAttribute").contains("someValue")) {

      context.failure(AuthenticationFlowError.INVALID_USER);
      return;
  }

  context.success();
}
 

著者

Thomas Darimont

関数詳解

action()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.action ( AuthenticationFlowContext  context )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                          {
        tryInvoke(ACTION_FUNCTION_NAME, context);
    }

authenticate()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.authenticate ( AuthenticationFlowContext  context )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                                {
        tryInvoke(AUTHENTICATE_FUNCTION_NAME, context);
    }

close()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.close ( )

inline

org.keycloak.provider.Providerを実装しています。

                        {
        //NOOP
    }

configuredFor()

boolean org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.configuredFor ( KeycloakSession  session, RealmModel  realm, UserModel  user  )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                                                            {
        return true;
    }

getInvocableScriptAdapter()

InvocableScriptAdapter org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.getInvocableScriptAdapter ( AuthenticationFlowContext  context )

inlineprivate

                                                                                                {

        Map<String, String> config = context.getAuthenticatorConfig().getConfig();

        String scriptName = config.get(SCRIPT_NAME);
        String scriptCode = config.get(SCRIPT_CODE);
        String scriptDescription = config.get(SCRIPT_DESCRIPTION);

        RealmModel realm = context.getRealm();

        ScriptingProvider scripting = context.getSession().getProvider(ScriptingProvider.class);

        //TODO lookup script by scriptId instead of creating it every time
        ScriptModel script = scripting.createScript(realm.getId(), ScriptModel.TEXT_JAVASCRIPT, scriptName, scriptCode, scriptDescription);

        //how to deal with long running scripts -> timeout?
        return scripting.prepareInvocableScript(script, bindings -> {
            bindings.put("script", script);
            bindings.put("realm", context.getRealm());
            bindings.put("user", context.getUser());
            bindings.put("session", context.getSession());
            bindings.put("httpRequest", context.getHttpRequest());
            bindings.put("authenticationSession", context.getAuthenticationSession());
            bindings.put("LOG", LOGGER);
        });
    }

hasAuthenticatorConfig()

boolean org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.hasAuthenticatorConfig ( AuthenticationFlowContext  context )

inlineprivate

                                                                              {
        return context != null
                && context.getAuthenticatorConfig() != null
                && context.getAuthenticatorConfig().getConfig() != null
                && !context.getAuthenticatorConfig().getConfig().isEmpty();
    }

requiresUser()

boolean org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.requiresUser ( )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                  {
        return false;
    }

setRequiredActions()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.setRequiredActions ( KeycloakSession  session, RealmModel  realm, UserModel  user  )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                                                              {
        //TODO make RequiredActions configurable in the script
        //NOOP
    }

tryInvoke()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.tryInvoke ( String  functionName, AuthenticationFlowContext  context  )

inlineprivate

                                                                                   {

        if (!hasAuthenticatorConfig(context)) {
            // this is an empty not yet configured script authenticator
            // we mark this execution as success to not lock out users due to incompletely configured authenticators.
            context.success();
            return;
        }

        InvocableScriptAdapter invocableScriptAdapter = getInvocableScriptAdapter(context);

        if (!invocableScriptAdapter.isDefined(functionName)) {
            return;
        }

        try {
            //should context be wrapped in a read-only wrapper?
            invocableScriptAdapter.invokeFunction(functionName, context);
        } catch (ScriptExecutionException e) {
            LOGGER.error(e);
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
        }
    }

メンバ詳解

ACTION_FUNCTION_NAME

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.ACTION_FUNCTION_NAME = "action"

staticpackage

AUTHENTICATE_FUNCTION_NAME

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.AUTHENTICATE_FUNCTION_NAME = "authenticate"

staticpackage

LOGGER

final Logger org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.LOGGER = Logger.getLogger(ScriptBasedAuthenticator.class)

staticprivate

SCRIPT_CODE

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.SCRIPT_CODE = "scriptCode"

staticpackage

SCRIPT_DESCRIPTION

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.SCRIPT_DESCRIPTION = "scriptDescription"

staticpackage

SCRIPT_NAME

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.SCRIPT_NAME = "scriptName"

staticpackage

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/oidc-service/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java