org.keycloak.authentication.authenticators.challenge.BasicAuthOTPAuthenticator クラス

org.keycloak.authentication.authenticators.challenge.BasicAuthOTPAuthenticator の継承関係図

org.keycloak.authentication.authenticators.challenge.BasicAuthOTPAuthenticator 連携図

公開メンバ関数
boolean	configuredFor (KeycloakSession session, RealmModel realm, UserModel user)
boolean	requiresUser ()
void	authenticate (AuthenticationFlowContext context)
boolean	invalidUser (AuthenticationFlowContext context, UserModel user)
void	action (AuthenticationFlowContext context)
void	setRequiredActions (KeycloakSession session, RealmModel realm, UserModel user)
void	close ()
boolean	enabledUser (AuthenticationFlowContext context, UserModel user)
boolean	validateUserAndPassword (AuthenticationFlowContext context, MultivaluedMap< String, String > inputData)
boolean	validatePassword (AuthenticationFlowContext context, UserModel user, MultivaluedMap< String, String > inputData)

静的公開変数類
static final String	REGISTRATION_FORM_ACTION = "registration_form"
static final String	ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME"

限定公開メンバ関数
boolean	onAuthenticate (AuthenticationFlowContext context, String[] challenge)
String	getAuthorizationHeader (AuthenticationFlowContext context)
boolean	checkUsernameAndPassword (AuthenticationFlowContext context, String username, String password)
String []	getChallenge (String authorizationHeader)
Response	invalidUser (AuthenticationFlowContext context)
Response	disabledUser (AuthenticationFlowContext context)
Response	temporarilyDisabledUser (AuthenticationFlowContext context)
Response	invalidCredentials (AuthenticationFlowContext context)
Response	setDuplicateUserChallenge (AuthenticationFlowContext context, String eventError, String loginFormError, AuthenticationFlowError authenticatorError)
void	runDefaultDummyHash (AuthenticationFlowContext context)
void	dummyHash (AuthenticationFlowContext context)

非公開メンバ関数
boolean	checkOtp (AuthenticationFlowContext context, String otp)

詳解

著者

Bill Burke

バージョン

Revision

1

関数詳解

action()

void org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.action ( AuthenticationFlowContext  context )

inlineinherited

                                                          {

    }

authenticate()

void org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.authenticate ( AuthenticationFlowContext  context )

inlineinherited

                                                                {
        String authorizationHeader = getAuthorizationHeader(context);

        if (authorizationHeader == null) {
            context.challenge(challengeResponse(context));
            return;
        }

        String[] challenge = getChallenge(authorizationHeader);

        if (challenge == null) {
            context.challenge(challengeResponse(context));
            return;
        }

        if (onAuthenticate(context, challenge)) {
            context.success();
            return;
        }

        context.setUser(null);
        context.challenge(challengeResponse(context));
    }

checkOtp()

boolean org.keycloak.authentication.authenticators.challenge.BasicAuthOTPAuthenticator.checkOtp ( AuthenticationFlowContext  context, String  otp  )

inlineprivate

                                                                            {
        return context.getSession().userCredentialManager().isValid(context.getRealm(), context.getUser(),
                UserCredentialModel.otp(context.getRealm().getOTPPolicy().getType(), otp));
    }

checkUsernameAndPassword()

boolean org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.checkUsernameAndPassword ( AuthenticationFlowContext  context, String  username, String  password  )

inlineprotectedinherited

                                                                                                                    {
        MultivaluedMap<String, String> map = new MultivaluedHashMap<>();

        map.putSingle(AuthenticationManager.FORM_USERNAME, username);
        map.putSingle(CredentialRepresentation.PASSWORD, password);

        if (validateUserAndPassword(context, map)) {
            return true;
        }

        return false;
    }

close()

void org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.close ( )

inlineinherited

                        {

    }

configuredFor()

boolean org.keycloak.authentication.authenticators.challenge.BasicAuthOTPAuthenticator.configuredFor ( KeycloakSession  session, RealmModel  realm, UserModel  user  )

inline

                                                                                            {
        return session.userCredentialManager().isConfiguredFor(realm, user, realm.getOTPPolicy().getType());
    }

disabledUser()

Response org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.disabledUser ( AuthenticationFlowContext  context )

inlineprotectedinherited

                                                                       {
        return challengeResponse(context);
    }

dummyHash()

void org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.dummyHash ( AuthenticationFlowContext  context )

inlineprotectedinherited

                                                                {
        PasswordPolicy policy = context.getRealm().getPasswordPolicy();
        if (policy == null) {
            runDefaultDummyHash(context);
            return;
        } else {
            PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, policy.getHashAlgorithm());
            if (hash == null) {
                runDefaultDummyHash(context);
                return;

            } else {
                hash.encode("dummypassword", policy.getHashIterations());
            }
        }

    }

enabledUser()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.enabledUser ( AuthenticationFlowContext  context, UserModel  user  )

inlineinherited

                                                                                  {
        if (!user.isEnabled()) {
            context.getEvent().user(user);
            context.getEvent().error(Errors.USER_DISABLED);
            Response challengeResponse = disabledUser(context);
            // this is not a failure so don't call failureChallenge.
            //context.failureChallenge(AuthenticationFlowError.USER_DISABLED, challengeResponse);
            context.forceChallenge(challengeResponse);
            return false;
        }
        if (isTemporarilyDisabledByBruteForce(context, user)) return false;
        return true;
    }

getAuthorizationHeader()

String org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.getAuthorizationHeader ( AuthenticationFlowContext  context )

inlineprotectedinherited

                                                                               {
        return context.getHttpRequest().getHttpHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
    }

getChallenge()

String [] org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.getChallenge ( String  authorizationHeader )

inlineprotectedinherited

                                                                {
        String[] challenge = BasicAuthHelper.parseHeader(authorizationHeader);

        if (challenge.length < 2) {
            return null;
        }

        return challenge;
    }

invalidCredentials()

Response org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.invalidCredentials ( AuthenticationFlowContext  context )

inlineprotectedinherited

                                                                             {
        return challengeResponse(context);
    }

invalidUser() [1/2]

Response org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.invalidUser ( AuthenticationFlowContext  context )

inlineprotectedinherited

                                                                      {
        return challengeResponse(context);
    }

invalidUser() [2/2]

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.invalidUser ( AuthenticationFlowContext  context, UserModel  user  )

inlineinherited

                                                                                  {
        if (user == null) {
            dummyHash(context);
            context.getEvent().error(Errors.USER_NOT_FOUND);
            Response challengeResponse = invalidUser(context);
            context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
            return true;
        }
        return false;
    }

onAuthenticate()

boolean org.keycloak.authentication.authenticators.challenge.BasicAuthOTPAuthenticator.onAuthenticate ( AuthenticationFlowContext  context, String []  challenge  )

inlineprotected

                                                                                            {
        String username = challenge[0];
        String password = challenge[1];
        OTPPolicy otpPolicy = context.getRealm().getOTPPolicy();
        int otpLength = otpPolicy.getDigits();

        if (password.length() < otpLength) {
            return false;
        }

        password = password.substring(0, password.length() - otpLength);

        if (checkUsernameAndPassword(context, username, password)) {
            String otp = password.substring(password.length() - otpLength);

            if (checkOtp(context, otp)) {
                return true;
            }
        }

        return false;
    }

requiresUser()

boolean org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.requiresUser ( )

inlineinherited

                                  {
        return false;
    }

runDefaultDummyHash()

void org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.runDefaultDummyHash ( AuthenticationFlowContext  context )

inlineprotectedinherited

                                                                          {
        PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, PasswordPolicy.HASH_ALGORITHM_DEFAULT);
        hash.encode("dummypassword", PasswordPolicy.HASH_ITERATIONS_DEFAULT);
    }

setDuplicateUserChallenge()

Response org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.setDuplicateUserChallenge ( AuthenticationFlowContext  context, String  eventError, String  loginFormError, AuthenticationFlowError  authenticatorError  )

inlineprotectedinherited

                                                                                                                                                                          {
        return challengeResponse(context);
    }

setRequiredActions()

void org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.setRequiredActions ( KeycloakSession  session, RealmModel  realm, UserModel  user  )

inlineinherited

                                                                                              {
    }

temporarilyDisabledUser()

Response org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator.temporarilyDisabledUser ( AuthenticationFlowContext  context )

inlineprotectedinherited

                                                                                  {
        return challengeResponse(context);
    }

validatePassword()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword ( AuthenticationFlowContext  context, UserModel  user, MultivaluedMap< String, String >  inputData  )

inlineinherited

                                                                                                                                 {
        List<CredentialInput> credentials = new LinkedList<>();
        String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
        credentials.add(UserCredentialModel.password(password));

        if (isTemporarilyDisabledByBruteForce(context, user)) return false;

        if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
            return true;
        } else {
            context.getEvent().user(user);
            context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
            Response challengeResponse = invalidCredentials(context);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
            context.clearUser();
            return false;
        }
    }

validateUserAndPassword()

boolean org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword ( AuthenticationFlowContext  context, MultivaluedMap< String, String >  inputData  )

inlineinherited

                                                                                                                        {
        String username = inputData.getFirst(AuthenticationManager.FORM_USERNAME);
        if (username == null) {
            context.getEvent().error(Errors.USER_NOT_FOUND);
            Response challengeResponse = invalidUser(context);
            context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
            return false;
        }

        // remove leading and trailing whitespace
        username = username.trim();

        context.getEvent().detail(Details.USERNAME, username);
        context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username);

        UserModel user = null;
        try {
            user = KeycloakModelUtils.findUserByNameOrEmail(context.getSession(), context.getRealm(), username);
        } catch (ModelDuplicateException mde) {
            ServicesLogger.LOGGER.modelDuplicateException(mde);

            // Could happen during federation import
            if (mde.getDuplicateFieldName() != null && mde.getDuplicateFieldName().equals(UserModel.EMAIL)) {
                setDuplicateUserChallenge(context, Errors.EMAIL_IN_USE, Messages.EMAIL_EXISTS, AuthenticationFlowError.INVALID_USER);
            } else {
                setDuplicateUserChallenge(context, Errors.USERNAME_IN_USE, Messages.USERNAME_EXISTS, AuthenticationFlowError.INVALID_USER);
            }

            return false;
        }

        if (invalidUser(context, user)) {
            return false;
        }

        if (!validatePassword(context, user, inputData)) {
            return false;
        }

        if (!enabledUser(context, user)) {
            return false;
        }

        String rememberMe = inputData.getFirst("rememberMe");
        boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("on");
        if (remember) {
            context.getAuthenticationSession().setAuthNote(Details.REMEMBER_ME, "true");
            context.getEvent().detail(Details.REMEMBER_ME, "true");
        } else {
            context.getAuthenticationSession().removeAuthNote(Details.REMEMBER_ME);
        }
        context.setUser(user);
        return true;
    }

メンバ詳解

ATTEMPTED_USERNAME

final String org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME"

staticinherited

REGISTRATION_FORM_ACTION

final String org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.REGISTRATION_FORM_ACTION = "registration_form"

staticinherited

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/authentication/authenticators/challenge/BasicAuthOTPAuthenticator.java