An Authenticator that can execute a configured script during the authentication flow.
Scripts must at least provide one of the following functions:
- authenticate(..), which is called from Authenticator#authenticate(AuthenticationFlowContext)
- action(..), which is called from Authenticator#action(AuthenticationFlowContext)
Custom Authenticators should at least provide the authenticate(..) function. The following script javax.script.Bindings are available for convenient use within script code:
- script: the ScriptModel to access script metadata
- realm: the RealmModel
- user: the current UserModel
- session: the active KeycloakSession
- authenticationSession: the current org.keycloak.sessions.AuthenticationSessionModel
- httpRequest: the current org.jboss.resteasy.spi.HttpRequest
- LOG: a org.jboss.logging.Logger scoped to ScriptBasedAuthenticator
Note that the user variable is only defined when the user was identified by a preceding authentication step, e.g. by the UsernamePasswordForm authenticator. A script must therefore not dereference user before checking that it is set.
Additional context information can be extracted from the context argument (an AuthenticationFlowContext) passed to the authenticate(..) or action(..) function.
An example ScriptBasedAuthenticator definition could look as follows:

// Resolve the Java enum used to report a failure reason to the flow.
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

// Invoked by Authenticator#authenticate(AuthenticationFlowContext); the `user`,
// `LOG` and `script` bindings are supplied by Keycloak.
function authenticate(context) {
  var username = user ? user.username : "anonymous";
  LOG.info(script.name + " --> trace auth for: " + username);
  if (   username === "tester"
      && user.getAttribute("someAttribute")
      && user.getAttribute("someAttribute").contains("someValue")) {
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}
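Building on the example above, the following added example (not Keycloak's own code) shows a script that fails closed when the user binding is missing, as happens when no preceding step identified the user, and rejects disabled accounts. The simulate() harness, the stub user objects and the plain-map fallback for the enum are assumptions made so the block runs under Node without Keycloak; inside Keycloak only the enum lookup and authenticate() would be deployed.

```javascript
// Constructed stand-in: inside Keycloak Java.type() resolves the real enum; under
// Node there is no Java object, so a plain map with the same constant names is used.
var AuthenticationFlowError = (typeof Java !== "undefined")
  ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
  : { INVALID_USER: "INVALID_USER", USER_DISABLED: "USER_DISABLED" };

// Script part. `user`, `LOG`, `script` and `realm` are the bindings Keycloak supplies.
// `user` is null or undefined when no earlier step identified the user, so the
// script reports a failure instead of dereferencing it.
function authenticate(context) {
  if (typeof user === "undefined" || user === null) {
    LOG.warn(script.name + ": no user identified by a preceding step, failing closed");
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  if (!user.isEnabled()) {
    LOG.warn(script.name + ": user " + user.getUsername() + " is disabled");
    context.failure(AuthenticationFlowError.USER_DISABLED);
    return;
  }
  LOG.info(script.name + ": " + user.getUsername() + " accepted in realm " + realm.getName());
  context.success();
}

// Constructed harness (not part of the script): installs stand-in bindings the way
// Keycloak would and returns the outcome the script reported on the context.
function simulate(stubUser) {
  var outcome = null;
  globalThis.user = stubUser;
  globalThis.LOG = { info: function () {}, warn: function () {} };
  globalThis.script = { name: "fail-closed-example" };
  globalThis.realm = { getName: function () { return "demo"; } };
  authenticate({
    success: function () { outcome = "success"; },
    failure: function (err) { outcome = "failure:" + err; }
  });
  return outcome;
}

// Constructed minimal UserModel stand-in exposing only what the script calls.
function stubUser(name, enabled) {
  return {
    getUsername: function () { return name; },
    isEnabled: function () { return enabled; }
  };
}
```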
- Author: Thomas Darimont