Class ScriptBasedAuthenticator

java.lang.Object
org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator
All Implemented Interfaces:
Authenticator, Provider

public class ScriptBasedAuthenticator extends Object implements Authenticator
An Authenticator that can execute a configured script during authentication flow.

Scripts must at least provide one of the following functions:

  1. authenticate(..) which is called from Authenticator.authenticate(AuthenticationFlowContext)
  2. action(..) which is called from Authenticator.action(AuthenticationFlowContext)

Custom Authenticators should at least provide the authenticate(..) function. The following script bindings are available for convenient use within script code:

  1. script the ScriptModel to access script metadata
  2. realm the RealmModel
  3. user the current UserModel
  4. session the active KeycloakSession
  5. authenticationSession the current AuthenticationSessionModel
  6. httpRequest the current HttpRequest
  7. LOG a Logger scoped to ScriptBasedAuthenticator

Note that the user variable is only defined when the user was identified by a preceding authentication step, e.g. by the UsernamePasswordForm authenticator. A script that is placed before such a step must therefore guard against user being null.

Additional context information can be extracted from the context argument passed to the authenticate(context) or action(context) function. Because the script runs inside the server process and the session binding gives it full access to the realm model, it must be treated as trusted server-side code: keep it small, avoid logging credentials or tokens, and fail closed (context.failure(..)) rather than calling context.success() on an unexpected state.

An example ScriptBasedAuthenticator definition could look as follows:

   // Resolve the Java enum once; the script engine exposes Java classes via Java.type(..).
   AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

   function authenticate(context) {

     // user is null unless an earlier step (e.g. UsernamePasswordForm) identified the user.
     var username = user ? user.username : "anonymous";
     LOG.info(script.name + " --> trace auth for: " + username);

     // getAttribute(..) returns a java.util.List<String>; contains(..) is the Java List method.
     // The username check guarantees user is non-null before it is dereferenced.
     if (   username === "tester"
         && user.getAttribute("someAttribute")
         && user.getAttribute("someAttribute").contains("someValue")) {

         context.failure(AuthenticationFlowError.INVALID_USER);
         return;
     }

     context.success();
   }

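A second, added example (not part of this javadoc or of the Keycloak code base) that uses several of the bindings above to restrict users carrying the attribute trusted_network_only = "true" to allow-listed IPv4 ranges. The attribute name, the auth note name "network-check" and the TRUSTED_NETWORKS list are assumptions chosen for illustration; the Keycloak calls used (Java.type, user.getFirstAttribute, user.getUsername, context.getConnection().getRemoteAddr(), context.attempted(), context.failure(AuthenticationFlowError.ACCESS_DENIED), authenticationSession.setAuthNote, script.getName) are existing API. All Keycloak-specific lookups are deferred into authenticate(context) so that the decision helpers can be unit-tested outside the server with a stub context:

```javascript
// Added example: Keycloak script authenticator restricting flagged users to trusted IPv4 ranges.
// Not Keycloak project code. The bindings script, user, authenticationSession and LOG, and the
// global Java, are provided by ScriptBasedAuthenticator at runtime.

// Hypothetical allow-list; in a real deployment read it from realm or authenticator config.
var TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24"];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number; -1 on anything else
// (IPv6, hostnames, empty strings), which callers treat as untrusted.
function ipv4ToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True if ip lies inside the CIDR block; malformed input on either side yields false (fail closed).
function inCidr(ip, cidr) {
  var split = cidr.split("/");
  var base = ipv4ToInt(split[0]);
  var addr = ipv4ToInt(ip);
  var bits = parseInt(split[1], 10);
  if (base < 0 || addr < 0 || isNaN(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;                // /0 matches every address
  var shift = 32 - bits;                      // compare only the network prefix
  return (base >>> shift) === (addr >>> shift);
}

// Pure decision logic: users without the flag are always allowed, flagged users
// only from one of the allow-listed networks.
function decide(requiresTrustedNetwork, remoteAddr, networks) {
  if (!requiresTrustedNetwork) return "allow";
  for (var i = 0; i < networks.length; i++) {
    if (inCidr(remoteAddr, networks[i])) return "allow";
  }
  return "deny";
}

// Entry point invoked from Authenticator.authenticate(AuthenticationFlowContext).
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

  // user is only bound once an earlier step identified the user; with nothing to check,
  // mark the execution as attempted instead of failing or succeeding.
  if (typeof user === "undefined" || user === null) {
    context.attempted();
    return;
  }

  var flag = user.getFirstAttribute("trusted_network_only");    // assumed attribute name
  var remoteAddr = context.getConnection().getRemoteAddr();
  var verdict = decide(flag === "true", remoteAddr, TRUSTED_NETWORKS);

  // Log the decision, never credentials or tokens.
  LOG.info(script.getName() + ": user=" + user.getUsername() + " from " + remoteAddr + " -> " + verdict);

  if (verdict === "deny") {
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
    return;
  }

  // Record the outcome for later steps in the same authentication session (assumed note name).
  authenticationSession.setAuthNote("network-check", verdict);
  context.success();
}
```

Two caveats for deploying something like this: the script has to be placed after the step that identifies the user (otherwise every execution ends in attempted()), and context.getConnection().getRemoteAddr() is only meaningful when Keycloak is configured to trust the forwarded-for headers of the reverse proxy in front of it; without that, every login appears to originate from the proxy and the allow-list either blocks all flagged users or, if the proxy address is allow-listed, none of them. Addresses that do not parse as IPv4 (including IPv6 clients) are deliberately treated as untrusted.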
Author:
Thomas Darimont