keycloak-scim/services/src/main/java/org/keycloak/authentication/ClientAuthenticationFlow.java

package org.keycloak.authentication;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;

import javax.ws.rs.core.Response;

import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/**
 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
 */
public class ClientAuthenticationFlow implements AuthenticationFlow {

    Response alternativeChallenge = null;
    AuthenticationProcessor processor;
    AuthenticationFlowModel flow;

    public ClientAuthenticationFlow(AuthenticationProcessor processor, AuthenticationFlowModel flow) {
        this.processor = processor;
        this.flow = flow;
    }

    @Override
    public Response processAction(String actionExecution) {
        throw new IllegalStateException("Not supposed to be invoked");
    }

    @Override
    public Response processFlow() {
        List<AuthenticationExecutionModel> executions = findExecutionsToRun();

        for (AuthenticationExecutionModel model : executions) {
            ClientAuthenticatorFactory factory = (ClientAuthenticatorFactory) processor.getSession().getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, model.getAuthenticator());
            if (factory == null) {
                throw new AuthenticationFlowException("Could not find ClientAuthenticatorFactory for: " + model.getAuthenticator(), AuthenticationFlowError.INTERNAL_ERROR);
            }
            ClientAuthenticator authenticator = factory.create();
            AuthenticationProcessor.logger.debugv("client authenticator: {0}", factory.getId());

            AuthenticationProcessor.Result context = processor.createClientAuthenticatorContext(model, authenticator, executions);
            authenticator.authenticateClient(context);

            ClientModel client = processor.getClient();
            if (client != null) {
                String expectedClientAuthType = client.getClientAuthenticatorType();

                // Fallback to secret just in case (for backwards compatibility)
                if (expectedClientAuthType == null) {
                    expectedClientAuthType = KeycloakModelUtils.getDefaultClientAuthenticatorType();
                    AuthenticationProcessor.logger.warnv("Client {0} doesn't have have authentication method configured. Fallback to {1}", client.getClientId(), expectedClientAuthType);
                }

                // Check if client authentication matches
                if (factory.getId().equals(expectedClientAuthType)) {
                    Response response = processResult(context);
                    if (response != null) return response;

                    if (!context.getStatus().equals(FlowStatus.SUCCESS)) {
                        throw new AuthenticationFlowException("Expected success, but for an unknown reason the status was " + context.getStatus(), AuthenticationFlowError.INTERNAL_ERROR);
                    }

                    AuthenticationProcessor.logger.debugv("Client {0} authenticated by {1}", client.getClientId(), factory.getId());
                    processor.getEvent().detail(Details.CLIENT_AUTH_METHOD, factory.getId());
                    return null;
                }
            }
        }

        // Check if any alternative challenge was identified
        if (alternativeChallenge != null) {
            processor.getEvent().error(Errors.INVALID_CLIENT);
            return alternativeChallenge;
        }
        throw new AuthenticationFlowException("Client was not identified by any client authenticator", AuthenticationFlowError.UNKNOWN_CLIENT);
    }

    protected List<AuthenticationExecutionModel> findExecutionsToRun() {
        List<AuthenticationExecutionModel> executions = processor.getRealm().getAuthenticationExecutions(flow.getId());
        List<AuthenticationExecutionModel> executionsToRun = new ArrayList<>();

        for (AuthenticationExecutionModel execution : executions) {
            if (execution.isRequired()) {
                executionsToRun = Arrays.asList(execution);
                break;
            }

            if (execution.isAlternative()) {
                executionsToRun.add(execution);
            }
        }

        if (AuthenticationProcessor.logger.isTraceEnabled()) {
            List<String> exIds = new ArrayList<>();
            for (AuthenticationExecutionModel execution : executionsToRun) {
                exIds.add(execution.getId());
            }
            AuthenticationProcessor.logger.tracef("Using executions for client authentication: %s", exIds.toString());
        }

        return executionsToRun;
    }

    protected Response processResult(AuthenticationProcessor.Result result) {
        AuthenticationExecutionModel execution = result.getExecution();
        FlowStatus status = result.getStatus();

        AuthenticationProcessor.logger.debugv("client authenticator {0}: {1}", status.toString(), execution.getAuthenticator());

        if (status == FlowStatus.SUCCESS) {
            return null;
        }

        if (status == FlowStatus.FAILED) {
            if (result.getChallenge() != null) {
                return sendChallenge(result, execution);
            } else {
                throw new AuthenticationFlowException(result.getError());
            }
        } else if (status == FlowStatus.FORCE_CHALLENGE) {
            return sendChallenge(result, execution);
        } else if (status == FlowStatus.CHALLENGE) {

            // Make sure the first priority alternative challenge is used
            if (alternativeChallenge == null) {
                alternativeChallenge = result.getChallenge();
            }
            return sendChallenge(result, execution);
        } else if (status == FlowStatus.FAILURE_CHALLENGE) {
            return sendChallenge(result, execution);
        } else {
            AuthenticationProcessor.logger.error("Unknown result status");
            throw new AuthenticationFlowException(AuthenticationFlowError.INTERNAL_ERROR);
        }
    }

    public Response sendChallenge(AuthenticationProcessor.Result result, AuthenticationExecutionModel execution) {
        AuthenticationProcessor.logger.debugv("client authenticator: sending challenge for authentication execution {0}", execution.getAuthenticator());

        if (result.getError() != null) {
            String errorAsString = result.getError().toString().toLowerCase();
            result.getEvent().error(errorAsString);
        } else {
            if (result.getClient() == null) {
                result.getEvent().error(Errors.INVALID_CLIENT);
            } else {
                result.getEvent().error(Errors.INVALID_CLIENT_CREDENTIALS);
            }
        }

        return result.getChallenge();
    }
}
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`package org.keycloak.authentication;`

KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`import java.util.ArrayList;`
			`import java.util.Arrays;`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`import java.util.Iterator;`
			`import java.util.LinkedList;`
			`import java.util.List;`

			`import javax.ws.rs.core.Response;`

			`import org.keycloak.events.Details;`
			`import org.keycloak.events.Errors;`
			`import org.keycloak.models.AuthenticationExecutionModel;`
			`import org.keycloak.models.AuthenticationFlowModel;`
			`import org.keycloak.models.ClientModel;`
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`import org.keycloak.models.utils.KeycloakModelUtils;`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00
			`/**`
			`* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>`
			`*/`
			`public class ClientAuthenticationFlow implements AuthenticationFlow {`

			`Response alternativeChallenge = null;`
			`AuthenticationProcessor processor;`
			`AuthenticationFlowModel flow;`

			`public ClientAuthenticationFlow(AuthenticationProcessor processor, AuthenticationFlowModel flow) {`
			`this.processor = processor;`
			`this.flow = flow;`
			`}`

			`@Override`
			`public Response processAction(String actionExecution) {`
			`throw new IllegalStateException("Not supposed to be invoked");`
			`}`

			`@Override`
			`public Response processFlow() {`
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`List<AuthenticationExecutionModel> executions = findExecutionsToRun();`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`for (AuthenticationExecutionModel model : executions) {`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`ClientAuthenticatorFactory factory = (ClientAuthenticatorFactory) processor.getSession().getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, model.getAuthenticator());`
			`if (factory == null) {`
			`throw new AuthenticationFlowException("Could not find ClientAuthenticatorFactory for: " + model.getAuthenticator(), AuthenticationFlowError.INTERNAL_ERROR);`
			`}`
			`ClientAuthenticator authenticator = factory.create();`
			`AuthenticationProcessor.logger.debugv("client authenticator: {0}", factory.getId());`

KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`AuthenticationProcessor.Result context = processor.createClientAuthenticatorContext(model, authenticator, executions);`
			`authenticator.authenticateClient(context);`

			`ClientModel client = processor.getClient();`
			`if (client != null) {`
			`String expectedClientAuthType = client.getClientAuthenticatorType();`

			`// Fallback to secret just in case (for backwards compatibility)`
			`if (expectedClientAuthType == null) {`
			`expectedClientAuthType = KeycloakModelUtils.getDefaultClientAuthenticatorType();`
			`AuthenticationProcessor.logger.warnv("Client {0} doesn't have have authentication method configured. Fallback to {1}", client.getClientId(), expectedClientAuthType);`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`}`

KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`// Check if client authentication matches`
			`if (factory.getId().equals(expectedClientAuthType)) {`
KEYCLOAK-1947 Add tests without client secret 2015-10-12 07:38:13 +00:00			`Response response = processResult(context);`
			`if (response != null) return response;`

			`if (!context.getStatus().equals(FlowStatus.SUCCESS)) {`
			`throw new AuthenticationFlowException("Expected success, but for an unknown reason the status was " + context.getStatus(), AuthenticationFlowError.INTERNAL_ERROR);`
			`}`

KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`AuthenticationProcessor.logger.debugv("Client {0} authenticated by {1}", client.getClientId(), factory.getId());`
			`processor.getEvent().detail(Details.CLIENT_AUTH_METHOD, factory.getId());`
			`return null;`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`}`
			`}`
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`}`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`// Check if any alternative challenge was identified`
			`if (alternativeChallenge != null) {`
			`processor.getEvent().error(Errors.INVALID_CLIENT);`
			`return alternativeChallenge;`
			`}`
			`throw new AuthenticationFlowException("Client was not identified by any client authenticator", AuthenticationFlowError.UNKNOWN_CLIENT);`
			`}`

			`protected List<AuthenticationExecutionModel> findExecutionsToRun() {`
			`List<AuthenticationExecutionModel> executions = processor.getRealm().getAuthenticationExecutions(flow.getId());`
			`List<AuthenticationExecutionModel> executionsToRun = new ArrayList<>();`

			`for (AuthenticationExecutionModel execution : executions) {`
			`if (execution.isRequired()) {`
			`executionsToRun = Arrays.asList(execution);`
			`break;`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`}`

KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`if (execution.isAlternative()) {`
			`executionsToRun.add(execution);`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`}`
			`}`

KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`if (AuthenticationProcessor.logger.isTraceEnabled()) {`
			`List<String> exIds = new ArrayList<>();`
			`for (AuthenticationExecutionModel execution : executionsToRun) {`
			`exIds.add(execution.getId());`
			`}`
			`AuthenticationProcessor.logger.tracef("Using executions for client authentication: %s", exIds.toString());`
			`}`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`return executionsToRun;`
			`}`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`protected Response processResult(AuthenticationProcessor.Result result) {`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`AuthenticationExecutionModel execution = result.getExecution();`
			`FlowStatus status = result.getStatus();`
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00
			`AuthenticationProcessor.logger.debugv("client authenticator {0}: {1}", status.toString(), execution.getAuthenticator());`

KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`if (status == FlowStatus.SUCCESS) {`
			`return null;`
KEYCLOAK-1947 Add tests without client secret 2015-10-12 07:38:13 +00:00			`}`

			`if (status == FlowStatus.FAILED) {`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`if (result.getChallenge() != null) {`
			`return sendChallenge(result, execution);`
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`} else {`
			`throw new AuthenticationFlowException(result.getError());`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`}`
			`} else if (status == FlowStatus.FORCE_CHALLENGE) {`
			`return sendChallenge(result, execution);`
			`} else if (status == FlowStatus.CHALLENGE) {`
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`// Make sure the first priority alternative challenge is used`
KEYCLOAK-1795 Add just one clientAuthenticatorType per client 2015-09-03 22:09:54 +00:00			`if (alternativeChallenge == null) {`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`alternativeChallenge = result.getChallenge();`
			`}`
KEYCLOAK-1947 Add tests without client secret 2015-10-12 07:38:13 +00:00			`return sendChallenge(result, execution);`
KEYCLOAK-1295 pluggable client authentication. Support authenticate clients with signed JWT 2015-08-12 16:52:13 +00:00			`} else if (status == FlowStatus.FAILURE_CHALLENGE) {`
			`return sendChallenge(result, execution);`
			`} else {`
			`AuthenticationProcessor.logger.error("Unknown result status");`
			`throw new AuthenticationFlowException(AuthenticationFlowError.INTERNAL_ERROR);`
			`}`
			`}`

			`public Response sendChallenge(AuthenticationProcessor.Result result, AuthenticationExecutionModel execution) {`
			`AuthenticationProcessor.logger.debugv("client authenticator: sending challenge for authentication execution {0}", execution.getAuthenticator());`

			`if (result.getError() != null) {`
			`String errorAsString = result.getError().toString().toLowerCase();`
			`result.getEvent().error(errorAsString);`
			`} else {`
			`if (result.getClient() == null) {`
			`result.getEvent().error(Errors.INVALID_CLIENT);`
			`} else {`
			`result.getEvent().error(Errors.INVALID_CLIENT_CREDENTIALS);`
			`}`
			`}`

			`return result.getChallenge();`
			`}`
			`}`