org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator の継承関係図

org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator 連携図

公開メンバ関数
void	authenticate (AuthenticationFlowContext context)

void	action (AuthenticationFlowContext context)

boolean	requiresUser ()

boolean	configuredFor (KeycloakSession session, RealmModel realm, UserModel user)

void	setRequiredActions (KeycloakSession session, RealmModel realm, UserModel user)

void	close ()

静的変数
static final String	SCRIPT_CODE = "scriptCode"

static final String	SCRIPT_NAME = "scriptName"

static final String	SCRIPT_DESCRIPTION = "scriptDescription"

static final String	ACTION_FUNCTION_NAME = "action"

static final String	AUTHENTICATE_FUNCTION_NAME = "authenticate"

非公開メンバ関数
void	tryInvoke (String functionName, AuthenticationFlowContext context)

boolean	hasAuthenticatorConfig (AuthenticationFlowContext context)

InvocableScriptAdapter	getInvocableScriptAdapter (AuthenticationFlowContext context)

静的非公開変数類
static final Logger	LOGGER = Logger.getLogger(ScriptBasedAuthenticator.class)

詳解

An Authenticator that can execute a configured script during authentication flow.

Scripts must at least provide one of the following functions:

authenticate(..)
which is called from Authenticator#authenticate(AuthenticationFlowContext)
action(..)
which is called from Authenticator#action(AuthenticationFlowContext)

Custom Authenticator's should at least provide the

authenticate(..)

function. The following script javax.script.Bindings are available for convenient use within script code.

script
the ScriptModel to access script metadata
realm
the RealmModel
user
the current UserModel
session
the active KeycloakSession
authenticationSession
the current org.keycloak.sessions.AuthenticationSessionModel
httpRequest
the current org.jboss.resteasy.spi.HttpRequest
LOG
a org.jboss.logging.Logger scoped to ScriptBasedAuthenticator/li>

Note that the

user

variable is only defined when the user was identified by a preceeding authentication step, e.g. by the UsernamePasswordForm authenticator.

Additional context information can be extracted from the

context

argument passed to the

authenticate(context)

or

action(context)

function.

An example ScriptBasedAuthenticator definition could look as follows:

AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
function authenticate(context) {
  var username = user ? user.username : "anonymous";
  LOG.info(script.name + " --> trace auth for: " + username);
  if (   username === "tester"
      && user.getAttribute("someAttribute")
      && user.getAttribute("someAttribute").contains("someValue")) {
      context.failure(AuthenticationFlowError.INVALID_USER);
      return;
  }
  context.success();
}

著者: Thomas Darimont

関数詳解

◆ action()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.action ( AuthenticationFlowContext context )

inline

                                                           {
         tryInvoke(ACTION_FUNCTION_NAME, context);
     }

◆ authenticate()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.authenticate ( AuthenticationFlowContext context )

inline

                                                                 {
         tryInvoke(AUTHENTICATE_FUNCTION_NAME, context);
     }

◆ close()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.close ( )

inline

                         {
         //NOOP
     }

◆ configuredFor()

boolean org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.configuredFor	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inline

                                                                                             {
         return true;
     }

◆ getInvocableScriptAdapter()

InvocableScriptAdapter org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.getInvocableScriptAdapter ( AuthenticationFlowContext context )

inlineprivate

                                                                                                 {
 
         Map<String, String> config = context.getAuthenticatorConfig().getConfig();
 
         String scriptName = config.get(SCRIPT_NAME);
         String scriptCode = config.get(SCRIPT_CODE);
         String scriptDescription = config.get(SCRIPT_DESCRIPTION);
 
         RealmModel realm = context.getRealm();
 
         ScriptingProvider scripting = context.getSession().getProvider(ScriptingProvider.class);
 
         //TODO lookup script by scriptId instead of creating it every time
         ScriptModel script = scripting.createScript(realm.getId(), ScriptModel.TEXT_JAVASCRIPT, scriptName, scriptCode, scriptDescription);
 
         //how to deal with long running scripts -> timeout?
         return scripting.prepareInvocableScript(script, bindings -> {
             bindings.put("script", script);
             bindings.put("realm", context.getRealm());
             bindings.put("user", context.getUser());
             bindings.put("session", context.getSession());
             bindings.put("httpRequest", context.getHttpRequest());
             bindings.put("authenticationSession", context.getAuthenticationSession());
             bindings.put("LOG", LOGGER);
         });
     }

◆ hasAuthenticatorConfig()

boolean org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.hasAuthenticatorConfig ( AuthenticationFlowContext context )

inlineprivate

                                                                               {
         return context != null
                 && context.getAuthenticatorConfig() != null
                 && context.getAuthenticatorConfig().getConfig() != null
                 && !context.getAuthenticatorConfig().getConfig().isEmpty();
     }

◆ requiresUser()

boolean org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.requiresUser ( )

inline

                                   {
         return false;
     }

◆ setRequiredActions()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.setRequiredActions	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inline

                                                                                               {
         //TODO make RequiredActions configurable in the script
         //NOOP
     }

◆ tryInvoke()

void org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.tryInvoke	(	String	functionName,
		AuthenticationFlowContext	context
	)

inlineprivate

                                                                                    {
 
         if (!hasAuthenticatorConfig(context)) {
             // this is an empty not yet configured script authenticator
             // we mark this execution as success to not lock out users due to incompletely configured authenticators.
             context.success();
             return;
         }
 
         InvocableScriptAdapter invocableScriptAdapter = getInvocableScriptAdapter(context);
 
         if (!invocableScriptAdapter.isDefined(functionName)) {
             return;
         }
 
         try {
             //should context be wrapped in a read-only wrapper?
             invocableScriptAdapter.invokeFunction(functionName, context);
         } catch (ScriptExecutionException e) {
             LOGGER.error(e);
             context.failure(AuthenticationFlowError.INTERNAL_ERROR);
         }
     }

メンバ詳解

◆ ACTION_FUNCTION_NAME

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.ACTION_FUNCTION_NAME = "action"

staticpackage

◆ AUTHENTICATE_FUNCTION_NAME

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.AUTHENTICATE_FUNCTION_NAME = "authenticate"

staticpackage

◆ LOGGER

final Logger org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.LOGGER = Logger.getLogger(ScriptBasedAuthenticator.class)

staticprivate

◆ SCRIPT_CODE

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.SCRIPT_CODE = "scriptCode"

staticpackage

◆ SCRIPT_DESCRIPTION

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.SCRIPT_DESCRIPTION = "scriptDescription"

staticpackage

◆ SCRIPT_NAME

final String org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator.SCRIPT_NAME = "scriptName"

staticpackage

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java

公開メンバ関数

静的変数

非公開メンバ関数

静的非公開変数類

詳解

関数詳解

◆ action()

◆ authenticate()

◆ close()

◆ configuredFor()

◆ getInvocableScriptAdapter()

◆ hasAuthenticatorConfig()

◆ requiresUser()

◆ setRequiredActions()

◆ tryInvoke()

メンバ詳解

◆ ACTION_FUNCTION_NAME

◆ AUTHENTICATE_FUNCTION_NAME

◆ LOGGER

◆ SCRIPT_CODE

◆ SCRIPT_DESCRIPTION

◆ SCRIPT_NAME