This commit is contained in:
Bill Burke 2015-08-05 20:39:47 -04:00
parent eff0054b4a
commit 07efba364e
53 changed files with 1113 additions and 231 deletions

View file

@ -10,5 +10,34 @@
<delete tableName="USER_SESSION"/>
<dropColumn tableName="AUTHENTICATION_EXECUTION" columnName="USER_SETUP_ALLOWED"/>
<addColumn tableName="CREDENTIAL">
<column name="COUNTER" type="INT" defaultValueNumeric="0">
<constraints nullable="true"/>
</column>
<column name="DIGITS" type="INT" defaultValueNumeric="6">
<constraints nullable="true"/>
</column>
<column name="ALGORITHM" type="VARCHAR(36)" defaultValue="HmacSHA1">
<constraints nullable="true"/>
</column>
</addColumn>
<addColumn tableName="REALM">
<column name="OTP_POLICY_COUNTER" type="INT" defaultValueNumeric="0">
<constraints nullable="true"/>
</column>
<column name="OTP_POLICY_WINDOW" type="INT" defaultValueNumeric="1">
<constraints nullable="true"/>
</column>
<column name="OTP_POLICY_DIGITS" type="INT" defaultValueNumeric="6">
<constraints nullable="true"/>
</column>
<column name="OTP_POLICY_ALG" type="VARCHAR(36)" defaultValue="HmacSHA1">
<constraints nullable="true"/>
</column>
<column name="OTP_POLICY_TYPE" type="VARCHAR(36)" defaultValue="totp">
<constraints nullable="true"/>
</column>
</addColumn>
</changeSet>
</databaseChangeLog>

View file

@ -9,6 +9,7 @@ public class CredentialRepresentation {
public static final String PASSWORD = "password";
public static final String PASSWORD_TOKEN = "password-token";
public static final String TOTP = "totp";
public static final String HOTP = "hotp";
public static final String CLIENT_CERT = "cert";
public static final String KERBEROS = "kerberos";
@ -22,6 +23,10 @@ public class CredentialRepresentation {
protected String hashedSaltedValue;
protected String salt;
protected Integer hashIterations;
protected Integer counter;
private String algorithm;
private Integer digits;
// only used when updating a credential. Might set required action
protected boolean temporary;
@ -80,4 +85,28 @@ public class CredentialRepresentation {
public void setTemporary(boolean temporary) {
this.temporary = temporary;
}
public Integer getCounter() {
return counter;
}
public void setCounter(Integer counter) {
this.counter = counter;
}
public String getAlgorithm() {
return algorithm;
}
public void setAlgorithm(String algorithm) {
this.algorithm = algorithm;
}
public Integer getDigits() {
return digits;
}
public void setDigits(Integer digits) {
this.digits = digits;
}
}

View file

@ -49,6 +49,12 @@ public class RealmRepresentation {
@Deprecated
protected Set<String> requiredCredentials;
protected String passwordPolicy;
protected String otpPolicyType;
protected String otpPolicyAlgorithm;
protected Integer otpPolicyInitialCounter;
protected Integer otpPolicyDigits;
protected Integer otpPolicyLookAheadWindow;
protected List<UserRepresentation> users;
protected List<ScopeMappingRepresentation> scopeMappings;
protected Map<String, List<ScopeMappingRepresentation>> clientScopeMappings;
@ -653,4 +659,44 @@ public class RealmRepresentation {
public void setRequiredActions(List<RequiredActionProviderRepresentation> requiredActions) {
this.requiredActions = requiredActions;
}
public String getOtpPolicyType() {
return otpPolicyType;
}
public void setOtpPolicyType(String otpPolicyType) {
this.otpPolicyType = otpPolicyType;
}
public String getOtpPolicyAlgorithm() {
return otpPolicyAlgorithm;
}
public void setOtpPolicyAlgorithm(String otpPolicyAlgorithm) {
this.otpPolicyAlgorithm = otpPolicyAlgorithm;
}
public Integer getOtpPolicyInitialCounter() {
return otpPolicyInitialCounter;
}
public void setOtpPolicyInitialCounter(Integer otpPolicyInitialCounter) {
this.otpPolicyInitialCounter = otpPolicyInitialCounter;
}
public Integer getOtpPolicyDigits() {
return otpPolicyDigits;
}
public void setOtpPolicyDigits(Integer otpPolicyDigits) {
this.otpPolicyDigits = otpPolicyDigits;
}
public Integer getOtpPolicyLookAheadWindow() {
return otpPolicyLookAheadWindow;
}
public void setOtpPolicyLookAheadWindow(Integer otpPolicyLookAheadWindow) {
this.otpPolicyLookAheadWindow = otpPolicyLookAheadWindow;
}
}

View file

@ -150,15 +150,6 @@ public class UserRepresentation {
this.credentials = credentials;
}
public UserRepresentation credential(String type, String value) {
if (this.credentials == null) credentials = new ArrayList<CredentialRepresentation>();
CredentialRepresentation cred = new CredentialRepresentation();
cred.setType(type);
cred.setValue(value);
credentials.add(cred);
return this;
}
public List<String> getRequiredActions() {
return requiredActions;
}

View file

@ -313,6 +313,9 @@ public class ExportUtils {
credRep.setHashedSaltedValue(userCred.getValue());
if (userCred.getSalt() != null) credRep.setSalt(Base64.encodeBytes(userCred.getSalt()));
credRep.setHashIterations(userCred.getHashIterations());
credRep.setCounter(userCred.getCounter());
credRep.setAlgorithm(userCred.getAlgorithm());
credRep.setDigits(userCred.getDigits());
return credRep;
}

View file

@ -174,7 +174,7 @@ public class FreeMarkerAccountProvider implements AccountProvider {
switch (page) {
case TOTP:
attributes.put("totp", new TotpBean(realm, user, baseUri));
attributes.put("totp", new TotpBean(session, realm, user, baseUri));
break;
case FEDERATED_IDENTITY:
attributes.put("federatedIdentity", new AccountFederatedIdentityBean(session, realm, user, uriInfo.getBaseUri(), stateChecker));

View file

@ -21,6 +21,7 @@
*/
package org.keycloak.account.freemarker.model;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.Base32;
@ -41,14 +42,16 @@ public class TotpBean {
private final boolean enabled;
private final String contextUrl;
private final String realmName;
private final String keyUri;
public TotpBean(RealmModel realm, UserModel user, URI baseUri) {
public TotpBean(KeycloakSession session, RealmModel realm, UserModel user, URI baseUri) {
this.realmName = realm.getName();
this.enabled = user.isTotp();
this.enabled = session.users().configuredForCredentialType(realm.getOTPPolicy().getType(), realm, user);
this.contextUrl = baseUri.getPath();
this.totpSecret = randomString(20);
this.totpSecretEncoded = Base32.encode(totpSecret.getBytes());
this.keyUri = realm.getOTPPolicy().getKeyURI(realm, this.totpSecret);
}
private static String randomString(int length) {
@ -89,7 +92,7 @@ public class TotpBean {
}
public String getTotpSecretQrCodeUrl() throws UnsupportedEncodingException {
String contents = URLEncoder.encode("otpauth://totp/" + realmName + "?secret=" + totpSecretEncoded, "utf-8");
String contents = URLEncoder.encode(keyUri, "utf-8");
return contextUrl + "qrcode" + "?size=246x246&contents=" + contents;
}

View file

@ -1162,6 +1162,18 @@ module.config([ '$routeProvider', function($routeProvider) {
},
controller : 'RealmPasswordPolicyCtrl'
})
.when('/realms/:realm/authentication/otp-policy', {
templateUrl : resourceUrl + '/partials/otp-policy.html',
resolve : {
realm : function(RealmLoader) {
return RealmLoader();
},
serverInfo : function(ServerInfo) {
return ServerInfo.delay;
}
},
controller : 'RealmOtpPolicyCtrl'
})
.when('/realms/:realm/authentication/config/:provider/:config', {
templateUrl : resourceUrl + '/partials/authenticator-config.html',
resolve : {

View file

@ -372,6 +372,10 @@ module.controller('RealmLoginSettingsCtrl', function($scope, Current, Realm, rea
genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/login-settings");
});
module.controller('RealmOtpPolicyCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications) {
genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/authentication/otp-policy");
});
module.controller('RealmThemeCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications) {
genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/theme-settings");

View file

@ -0,0 +1,73 @@
<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
<h1>Authentication</h1>
<kc-tabs-authentication></kc-tabs-authentication>
<form class="form-horizontal" name="realmForm" novalidate kc-read-only="!access.manageRealm">
<div class="form-group">
<label for="type" class="col-md-2 control-label">OTP Type</label>
<div class="col-md-2">
<div>
<select id="type" ng-model="realm.otpPolicyType" class="form-control">
<option value="totp">Time Based</option>
<option value="hotp">Counter Based</option>
</select>
</div>
</div>
<kc-tooltip>totp is Time-Based One Time Password. 'hotp' is a counter base one time password in which the server keeps a counter to hash against.</kc-tooltip>
</div>
<div class="form-group">
<label for="alg" class="col-md-2 control-label">OTP Hash Algorithm</label>
<div class="col-md-2">
<div>
<select id="alg" ng-model="realm.otpPolicyAlgorithm" class="form-control">
<option value="HmacSHA1">SHA1</option>
<option value="HmacSHA256">SHA256</option>
<option value="HmacSHA512">SHA512</option>
</select>
</div>
</div>
<kc-tooltip>What hashing algorithm should be used to generate the OTP.</kc-tooltip>
</div>
<div class="form-group">
<label class="col-md-2 control-label" for="digits">Number of Digits</label>
<div class="col-md-2">
<div>
<select id="digits" ng-model="realm.otpPolicyDigits" class="form-control">
<option value="6">6</option>
<option value="8">8</option>
</select>
</div>
</div>
<kc-tooltip>How many digits should the OTP have?</kc-tooltip>
</div>
<div class="form-group">
<label class="col-md-2 control-label" for="lookAhead">Look ahead window</label>
<div class="col-md-6">
<input class="form-control" type="text" id="lookAhead" name="lookAhead" data-ng-model="realm.otpPolicyLookAheadWindow" autofocus>
</div>
<kc-tooltip>How far ahead should the server look just in case the token generator and server are out of time sync or counter sync?</kc-tooltip>
</div>
<div class="form-group" data-ng-show="realm.otpPolicyType == 'hotp'">
<label class="col-md-2 control-label" for="counter">Initial Counter</label>
<div class="col-md-6">
<input class="form-control" type="text" id="counter" name="counter" data-ng-model="realm.otpPolicyInitialCounter" autofocus>
</div>
<kc-tooltip>What should the initial counter value be?</kc-tooltip>
</div>
<div class="form-group" data-ng-show="access.manageRealm">
<div class="col-md-12">
<button kc-save data-ng-disabled="!changed">Save</button>
<button kc-reset data-ng-disabled="!changed">Cancel</button>
</div>
</div>
</form>
</div>
<kc-menu></kc-menu>

View file

@ -2,4 +2,5 @@
<li ng-class="{active: path[3] == 'flows'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/authentication/flows">Flows</a></li>
<li ng-class="{active: path[3] == 'required-actions'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/authentication/required-actions">Required Actions</a></li>
<li ng-class="{active: path[3] == 'password-policy'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/authentication/password-policy">Password Policy</a></li>
<li ng-class="{active: path[3] == 'otp-policy'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/authentication/otp-policy">OTP Policy</a></li>
</ul>

View file

@ -24,11 +24,11 @@ package org.keycloak.login.freemarker.model;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.Base32;
import org.keycloak.models.utils.HmacOTP;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.util.Random;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -40,25 +40,16 @@ public class TotpBean {
private final boolean enabled;
private final String contextUrl;
private final String realmName;
private final String keyUri;
public TotpBean(RealmModel realm, UserModel user, URI baseUri) {
this.realmName = realm.getName();
this.enabled = user.isTotp();
this.enabled = user.isOtpEnabled();
this.contextUrl = baseUri.getPath();
this.totpSecret = randomString(20);
this.totpSecret = HmacOTP.generateSecret(20);
this.totpSecretEncoded = Base32.encode(totpSecret.getBytes());
}
private static String randomString(int length) {
String chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW1234567890";
Random r = new Random();
StringBuilder sb = new StringBuilder();
for (int i = 0; i < length; i++) {
char c = chars.charAt(r.nextInt(chars.length()));
sb.append(c);
}
return sb.toString();
this.keyUri = realm.getOTPPolicy().getKeyURI(realm, this.totpSecret);
}
public boolean isEnabled() {
@ -81,7 +72,7 @@ public class TotpBean {
}
public String getTotpSecretQrCodeUrl() throws UnsupportedEncodingException {
String contents = URLEncoder.encode("otpauth://totp/" + realmName + "?secret=" + totpSecretEncoded, "utf-8");
String contents = URLEncoder.encode(keyUri, "utf-8");
return contextUrl + "qrcode" + "?size=246x246&contents=" + contents;
}

View file

@ -11,7 +11,7 @@ public interface MigrationModel {
/**
* Must have the form of major.minor.micro as the version is parsed and numbers are compared
*/
public static final String LATEST_VERSION = "1.4.0";
public static final String LATEST_VERSION = "1.5.0";
String getStoredVersion();
void setStoredVersion(String version);

View file

@ -3,6 +3,7 @@ package org.keycloak.migration;
import org.jboss.logging.Logger;
import org.keycloak.migration.migrators.MigrateTo1_3_0;
import org.keycloak.migration.migrators.MigrateTo1_4_0;
import org.keycloak.migration.migrators.MigrateTo1_5_0;
import org.keycloak.migration.migrators.MigrationTo1_2_0_CR1;
import org.keycloak.models.KeycloakSession;
@ -40,6 +41,12 @@ public class MigrationModelManager {
}
new MigrateTo1_4_0().migrate(session);
}
if (stored == null || stored.lessThan(MigrateTo1_5_0.VERSION)) {
if (stored != null) {
logger.debug("Migrating older model to 1.5.0 updates");
}
new MigrateTo1_4_0().migrate(session);
}
model.setStoredVersion(MigrationModel.LATEST_VERSION);
}

View file

@ -0,0 +1,31 @@
package org.keycloak.migration.migrators;
import org.keycloak.migration.ModelVersion;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.DefaultAuthenticationFlows;
import org.keycloak.models.utils.DefaultRequiredActions;
import org.keycloak.models.utils.KeycloakModelUtils;
import java.util.Arrays;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class MigrateTo1_5_0 {
public static final ModelVersion VERSION = new ModelVersion("1.5.0");
public void migrate(KeycloakSession session) {
List<RealmModel> realms = session.realms().getRealms();
for (RealmModel realm : realms) {
realm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
}
}
}

View file

@ -0,0 +1,92 @@
package org.keycloak.models;
import org.keycloak.models.utils.Base32;
import org.keycloak.models.utils.HmacOTP;
import java.util.HashMap;
import java.util.Map;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class OTPPolicy {
protected String type;
protected String algorithm;
protected int initialCounter;
protected int digits;
protected int lookAheadWindow;
private static final Map<String, String> algToKeyUriAlg = new HashMap<>();
static {
algToKeyUriAlg.put(HmacOTP.HMAC_SHA1, "SHA1");
algToKeyUriAlg.put(HmacOTP.HMAC_SHA256, "SHA256");
algToKeyUriAlg.put(HmacOTP.HMAC_SHA512, "SHA512");
}
public OTPPolicy() {
}
public OTPPolicy(String type, String algorithm, int initialCounter, int digits, int lookAheadWindow) {
this.type = type;
this.algorithm = algorithm;
this.initialCounter = initialCounter;
this.digits = digits;
this.lookAheadWindow = lookAheadWindow;
}
public static OTPPolicy DEFAULT_POLICY = new OTPPolicy(UserCredentialModel.TOTP, HmacOTP.HMAC_SHA1, 0, 6, 1);
public String getType() {
return type;
}
public void setType(String type) {
this.type = type;
}
public String getAlgorithm() {
return algorithm;
}
public void setAlgorithm(String algorithm) {
this.algorithm = algorithm;
}
public int getInitialCounter() {
return initialCounter;
}
public void setInitialCounter(int initialCounter) {
this.initialCounter = initialCounter;
}
public int getDigits() {
return digits;
}
public void setDigits(int digits) {
this.digits = digits;
}
public int getLookAheadWindow() {
return lookAheadWindow;
}
public void setLookAheadWindow(int lookAheadWindow) {
this.lookAheadWindow = lookAheadWindow;
}
public String getKeyURI(RealmModel realm, String secret) {
String uri = "otpauth://" + type + "/" + realm.getName() + "?secret=" + Base32.encode(secret.getBytes()) + "&digits=" + digits + "&algorithm=" + algToKeyUriAlg.get(algorithm);
if (type.equals(UserCredentialModel.HOTP)) {
uri += "&counter=" + initialCounter;
}
return uri;
}
}

View file

@ -148,6 +148,9 @@ public interface RealmModel extends RoleContainerModel {
void setPasswordPolicy(PasswordPolicy policy);
OTPPolicy getOTPPolicy();
void setOTPPolicy(OTPPolicy policy);
RoleModel getRoleById(String id);
List<String> getDefaultRoles();

View file

@ -14,6 +14,7 @@ public class UserCredentialModel {
// Secret is same as password but it is not hashed
public static final String SECRET = "secret";
public static final String TOTP = "totp";
public static final String HOTP = "hotp";
public static final String CLIENT_CERT = "cert";
public static final String KERBEROS = "kerberos";
@ -44,6 +45,12 @@ public class UserCredentialModel {
return model;
}
public static UserCredentialModel otp(String type, String key) {
if (type.equals(HOTP)) return hotp(key);
if (type.equals(TOTP)) return totp(key);
throw new RuntimeException("Unknown OTP type");
}
public static UserCredentialModel totp(String key) {
UserCredentialModel model = new UserCredentialModel();
model.setType(TOTP);
@ -51,6 +58,13 @@ public class UserCredentialModel {
return model;
}
public static UserCredentialModel hotp(String key) {
UserCredentialModel model = new UserCredentialModel();
model.setType(HOTP);
model.setValue(key);
return model;
}
public static UserCredentialModel kerberos(String token) {
UserCredentialModel model = new UserCredentialModel();
model.setType(KERBEROS);
@ -65,6 +79,10 @@ public class UserCredentialModel {
return model;
}
public static boolean isOtp(String type) {
return TOTP.equals(type) || HOTP.equals(type);
}
public String getType() {
return type;

View file

@ -16,6 +16,12 @@ public class UserCredentialValueModel implements Serializable {
private int hashIterations;
private Long createdDate;
// otp stuff
private int counter;
private String algorithm;
private int digits;
public String getType() {
return type;
}
@ -64,4 +70,27 @@ public class UserCredentialValueModel implements Serializable {
this.createdDate = createdDate;
}
public int getCounter() {
return counter;
}
public void setCounter(int counter) {
this.counter = counter;
}
public String getAlgorithm() {
return algorithm;
}
public void setAlgorithm(String algorithm) {
this.algorithm = algorithm;
}
public int getDigits() {
return digits;
}
public void setDigits(int digits) {
this.digits = digits;
}
}

View file

@ -411,9 +411,23 @@ public class UserFederationManager implements UserProvider {
Set<String> supportedCredentialTypes = link.getSupportedCredentialTypes(user);
if (supportedCredentialTypes.contains(type)) return true;
}
if (UserCredentialModel.isOtp(type)) {
if (!user.isOtpEnabled()) return false;
}
List<UserCredentialValueModel> creds = user.getCredentialsDirectly();
for (UserCredentialValueModel cred : creds) {
if (cred.getType().equals(type)) return true;
if (cred.getType().equals(type)) {
if (UserCredentialModel.isOtp(type)) {
OTPPolicy otpPolicy = realm.getOTPPolicy();
if (!cred.getAlgorithm().equals(otpPolicy.getAlgorithm())
|| cred.getDigits() != otpPolicy.getDigits()) {
return false;
}
}
return true;
}
}
return false;
}

View file

@ -30,7 +30,7 @@ public interface UserModel {
boolean isEnabled();
boolean isTotp();
boolean isOtpEnabled();
void setEnabled(boolean enabled);
@ -86,7 +86,7 @@ public interface UserModel {
void setEmailVerified(boolean verified);
void setTotp(boolean totp);
void setOtpEnabled(boolean totp);
void updateCredential(UserCredentialModel cred);

View file

@ -13,6 +13,9 @@ public class CredentialEntity {
private int hashIterations;
private Long createdDate;
private UserEntity user;
private int counter;
private String algorithm;
private int digits;
public String getId() {
@ -79,4 +82,27 @@ public class CredentialEntity {
this.user = user;
}
public int getCounter() {
return counter;
}
public void setCounter(int counter) {
this.counter = counter;
}
public String getAlgorithm() {
return algorithm;
}
public void setAlgorithm(String algorithm) {
this.algorithm = algorithm;
}
public int getDigits() {
return digits;
}
public void setDigits(int digits) {
this.digits = digits;
}
}

View file

@ -19,6 +19,14 @@ public class RealmEntity extends AbstractIdentifiableEntity {
private boolean verifyEmail;
private boolean resetPasswordAllowed;
private String passwordPolicy;
protected String otpPolicyType;
protected String otpPolicyAlgorithm;
protected int otpPolicyInitialCounter;
protected int otpPolicyDigits;
protected int otpPolicyLookAheadWindow;
private boolean editUsernameAllowed;
//--- brute force settings
private boolean bruteForceProtected;
@ -509,6 +517,46 @@ public class RealmEntity extends AbstractIdentifiableEntity {
public void setRequiredActionProviders(List<RequiredActionProviderEntity> requiredActionProviders) {
this.requiredActionProviders = requiredActionProviders;
}
public String getOtpPolicyType() {
return otpPolicyType;
}
public void setOtpPolicyType(String otpPolicyType) {
this.otpPolicyType = otpPolicyType;
}
public String getOtpPolicyAlgorithm() {
return otpPolicyAlgorithm;
}
public void setOtpPolicyAlgorithm(String otpPolicyAlgorithm) {
this.otpPolicyAlgorithm = otpPolicyAlgorithm;
}
public int getOtpPolicyInitialCounter() {
return otpPolicyInitialCounter;
}
public void setOtpPolicyInitialCounter(int otpPolicyInitialCounter) {
this.otpPolicyInitialCounter = otpPolicyInitialCounter;
}
public int getOtpPolicyDigits() {
return otpPolicyDigits;
}
public void setOtpPolicyDigits(int otpPolicyDigits) {
this.otpPolicyDigits = otpPolicyDigits;
}
public int getOtpPolicyLookAheadWindow() {
return otpPolicyLookAheadWindow;
}
public void setOtpPolicyLookAheadWindow(int otpPolicyLookAheadWindow) {
this.otpPolicyLookAheadWindow = otpPolicyLookAheadWindow;
}
}

View file

@ -2,6 +2,7 @@ package org.keycloak.models.utils;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
@ -84,11 +85,43 @@ public class CredentialValidation {
}
}
public static boolean validHOTP(RealmModel realm, UserModel user, String otp) {
UserCredentialValueModel passwordCred = null;
OTPPolicy policy = realm.getOTPPolicy();
HmacOTP validator = new HmacOTP(policy.getDigits(), policy.getAlgorithm(), policy.getLookAheadWindow());
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.HOTP)) {
int counter = validator.validateHOTP(otp, cred.getValue(), cred.getCounter());
if (counter < 0) return false;
cred.setCounter(counter);
user.updateCredentialDirectly(cred);
return true;
}
}
return false;
}
public static boolean validOTP(RealmModel realm, String token, String secret) {
OTPPolicy policy = realm.getOTPPolicy();
if (policy.getType().equals(UserCredentialModel.TOTP)) {
TimeBasedOTP validator = new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(), 30, policy.getLookAheadWindow());
return validator.validateTOTP(token, secret.getBytes());
} else {
HmacOTP validator = new HmacOTP(policy.getDigits(), policy.getAlgorithm(), policy.getLookAheadWindow());
int c = validator.validateHOTP(token, secret, policy.getInitialCounter());
return c > -1;
}
}
public static boolean validTOTP(RealmModel realm, UserModel user, String otp) {
UserCredentialValueModel passwordCred = null;
OTPPolicy policy = realm.getOTPPolicy();
TimeBasedOTP validator = new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(), 30, policy.getLookAheadWindow());
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.TOTP)) {
if (new TimeBasedOTP().validate(otp, cred.getValue().getBytes())) {
if (validator.validateTOTP(otp, cred.getValue().getBytes())) {
return true;
}
}
@ -149,6 +182,10 @@ public class CredentialValidation {
if (!validTOTP(realm, user, credential.getValue())) {
return false;
}
} else if (credential.getType().equals(UserCredentialModel.HOTP)) {
if (!validHOTP(realm, user, credential.getValue())) {
return false;
}
} else if (credential.getType().equals(UserCredentialModel.SECRET)) {
if (!validSecret(realm, user, credential.getValue())) {
return false;

View file

@ -0,0 +1,164 @@
package org.keycloak.models.utils;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.util.Random;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class HmacOTP {
public static final String HMAC_SHA1 = "HmacSHA1";
public static final String HMAC_SHA256 = "HmacSHA256";
public static final String HMAC_SHA512 = "HmacSHA512";
public static final String DEFAULT_ALGORITHM = HMAC_SHA1;
public static final int DEFAULT_NUMBER_DIGITS = 6;
// 0 1 2 3 4 5 6 7 8
private static final int[] DIGITS_POWER = {1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000};
protected final String algorithm;
protected final int numberDigits;
protected final int lookAheadWindow;
public HmacOTP(int numberDigits, String algorithm, int delayWindow) {
this.numberDigits = numberDigits;
this.algorithm = algorithm;
this.lookAheadWindow = delayWindow;
}
public static String generateSecret(int length) {
String chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW1234567890";
Random r = new Random();
StringBuilder sb = new StringBuilder();
for (int i = 0; i < length; i++) {
char c = chars.charAt(r.nextInt(chars.length()));
sb.append(c);
}
return sb.toString();
}
public String generateHOTP(String key, int counter) {
String steps = Integer.toHexString(counter).toUpperCase();
// Just get a 16 digit string
while (steps.length() < 16)
steps = "0" + steps;
return generateOTP(key, steps, numberDigits, algorithm);
}
/**
*
* @param token
* @param key
* @param counter
* @return -1 if not a match. A positive number means successful validation. This positive number is also the new value of the counter
*/
public int validateHOTP(String token, String key, int counter) {
int newCounter = counter;
for (newCounter = counter; newCounter < counter + lookAheadWindow; newCounter++) {
String candidate = generateHOTP(key, counter);
if (candidate.equals(token)) {
return newCounter + 1;
}
}
return -1;
}
/**
* This method generates an OTP value for the given set of parameters.
*
* @param key the shared secret, HEX encoded
* @param counter a value that reflects a time
* @param returnDigits number of digits to return
* @param crypto the crypto function to use
* @return A numeric String in base 10 that includes return digits
* @throws java.security.GeneralSecurityException
*
*/
public String generateOTP(String key, String counter, int returnDigits, String crypto) {
String result = null;
byte[] hash;
// Using the counter
// First 8 bytes are for the movingFactor
// Complaint with base RFC 4226 (HOTP)
while (counter.length() < 16)
counter = "0" + counter;
// Get the HEX in a Byte[]
byte[] msg = hexStr2Bytes(counter);
// Adding one byte to get the right conversion
// byte[] k = hexStr2Bytes(key);
byte[] k = key.getBytes();
hash = hmac_sha1(crypto, k, msg);
// put selected bytes into result int
int offset = hash[hash.length - 1] & 0xf;
int binary = ((hash[offset] & 0x7f) << 24) | ((hash[offset + 1] & 0xff) << 16) | ((hash[offset + 2] & 0xff) << 8)
| (hash[offset + 3] & 0xff);
int otp = binary % DIGITS_POWER[returnDigits];
result = Integer.toString(otp);
while (result.length() < returnDigits) {
result = "0" + result;
}
return result;
}
/**
* This method uses the JCE to provide the crypto algorithm. HMAC computes a Hashed Message Authentication Code with the
* crypto hash algorithm as a parameter.
*
* @param crypto the crypto algorithm (HmacSHA1, HmacSHA256, HmacSHA512)
* @param keyBytes the bytes to use for the HMAC key
* @param text the message or text to be authenticated.
* @throws java.security.NoSuchAlgorithmException
*
* @throws java.security.InvalidKeyException
*
*/
private byte[] hmac_sha1(String crypto, byte[] keyBytes, byte[] text) {
byte[] value;
try {
Mac hmac = Mac.getInstance(crypto);
SecretKeySpec macKey = new SecretKeySpec(keyBytes, "RAW");
hmac.init(macKey);
value = hmac.doFinal(text);
} catch (Exception e) {
throw new RuntimeException(e);
}
return value;
}
/**
* This method converts HEX string to Byte[]
*
* @param hex the HEX string
* @return A byte array
*/
private byte[] hexStr2Bytes(String hex) {
// Adding one byte to get the right conversion
// values starting with "0" can be converted
byte[] bArray = new BigInteger("10" + hex, 16).toByteArray();
// Copy all the REAL bytes, not the "first"
byte[] ret = new byte[bArray.length - 1];
for (int i = 0; i < ret.length; i++)
ret[i] = bArray[i + 1];
return ret;
}
}

View file

@ -9,6 +9,7 @@ import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.ModelException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
@ -64,7 +65,7 @@ public class ModelToRepresentation {
rep.setEmail(user.getEmail());
rep.setEnabled(user.isEnabled());
rep.setEmailVerified(user.isEmailVerified());
rep.setTotp(user.isTotp());
rep.setTotp(user.isOtpEnabled());
rep.setFederationLink(user.getFederationLink());
List<String> reqActions = new ArrayList<String>();
@ -152,6 +153,12 @@ public class ModelToRepresentation {
if (realm.getPasswordPolicy() != null) {
rep.setPasswordPolicy(realm.getPasswordPolicy().toString());
}
OTPPolicy otpPolicy = realm.getOTPPolicy();
rep.setOtpPolicyAlgorithm(otpPolicy.getAlgorithm());
rep.setOtpPolicyDigits(otpPolicy.getDigits());
rep.setOtpPolicyInitialCounter(otpPolicy.getInitialCounter());
rep.setOtpPolicyType(otpPolicy.getType());
rep.setOtpPolicyLookAheadWindow(otpPolicy.getLookAheadWindow());
List<String> defaultRoles = realm.getDefaultRoles();
if (!defaultRoles.isEmpty()) {

View file

@ -15,6 +15,7 @@ import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
@ -63,7 +64,16 @@ import java.util.TreeSet;
public class RepresentationToModel {
private static Logger logger = Logger.getLogger(RepresentationToModel.class);
public static OTPPolicy toPolicy(RealmRepresentation rep) {
OTPPolicy policy = new OTPPolicy();
policy.setType(rep.getOtpPolicyType());
policy.setLookAheadWindow(rep.getOtpPolicyLookAheadWindow());
policy.setInitialCounter(rep.getOtpPolicyInitialCounter());
policy.setAlgorithm(rep.getOtpPolicyAlgorithm());
policy.setDigits(rep.getOtpPolicyDigits());
return policy;
}
public static void importRealm(KeycloakSession session, RealmRepresentation rep, RealmModel newRealm) {
convertDeprecatedSocialProviders(rep);
convertDeprecatedApplications(session, rep);
@ -144,6 +154,8 @@ public class RepresentationToModel {
}
if (rep.getPasswordPolicy() != null) newRealm.setPasswordPolicy(new PasswordPolicy(rep.getPasswordPolicy()));
if (rep.getOtpPolicyType() != null) newRealm.setOTPPolicy(toPolicy(rep));
else newRealm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
importIdentityProviders(rep, newRealm);
importIdentityProviderMappers(rep, newRealm);
@ -497,6 +509,7 @@ public class RepresentationToModel {
if (rep.getPasswordPolicy() != null) realm.setPasswordPolicy(new PasswordPolicy(rep.getPasswordPolicy()));
if (rep.getOtpPolicyType() != null) realm.setOTPPolicy(toPolicy(rep));
if (rep.getDefaultRoles() != null) {
realm.updateDefaultRoles(rep.getDefaultRoles().toArray(new String[rep.getDefaultRoles().size()]));
@ -847,7 +860,7 @@ public class RepresentationToModel {
user.setFirstName(userRep.getFirstName());
user.setLastName(userRep.getLastName());
user.setFederationLink(userRep.getFederationLink());
user.setTotp(userRep.isTotp());
user.setOtpEnabled(userRep.isTotp());
if (userRep.getAttributes() != null) {
for (Map.Entry<String, Object> entry : userRep.getAttributes().entrySet()) {
Object value = entry.getValue();
@ -922,13 +935,22 @@ public class RepresentationToModel {
UserCredentialValueModel hashedCred = new UserCredentialValueModel();
hashedCred.setType(cred.getType());
hashedCred.setDevice(cred.getDevice());
hashedCred.setHashIterations(cred.getHashIterations());
if (cred.getHashIterations() != null) hashedCred.setHashIterations(cred.getHashIterations());
try {
if (cred.getSalt() != null) hashedCred.setSalt(Base64.decode(cred.getSalt()));
} catch (IOException ioe) {
throw new RuntimeException(ioe);
}
hashedCred.setValue(cred.getHashedSaltedValue());
if (cred.getCounter() != null) hashedCred.setCounter(cred.getCounter());
if (cred.getDigits() != null) hashedCred.setDigits(cred.getDigits());
if (cred.getAlgorithm() != null) hashedCred.setAlgorithm(cred.getAlgorithm());
if (cred.getDigits() == null && UserCredentialModel.isOtp(cred.getType())) {
hashedCred.setDigits(6);
}
if (cred.getAlgorithm() == null && UserCredentialModel.isOtp(cred.getType())) {
hashedCred.setAlgorithm(HmacOTP.HMAC_SHA1);
}
user.updateCredentialDirectly(hashedCred);
}
}

View file

@ -1,8 +1,5 @@
package org.keycloak.models.utils;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.TimeZone;
@ -13,24 +10,12 @@ import java.util.TimeZone;
* @author anil saldhana
* @since Sep 20, 2010
*/
public class TimeBasedOTP {
public class TimeBasedOTP extends HmacOTP {
public static final String HMAC_SHA1 = "HmacSHA1";
public static final String HMAC_SHA256 = "HmacSHA256";
public static final String HMAC_SHA512 = "HmacSHA512";
public static final String DEFAULT_ALGORITHM = HMAC_SHA1;
public static final int DEFAULT_NUMBER_DIGITS = 6;
public static final int DEFAULT_INTERVAL_SECONDS = 30;
public static final int DEFAULT_DELAY_WINDOW = 1;
// 0 1 2 3 4 5 6 7 8
private static final int[] DIGITS_POWER = {1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000};
private Clock clock;
private final String algorithm;
private final int numberDigits;
private final int delayWindow;
public TimeBasedOTP() {
this(DEFAULT_ALGORITHM, DEFAULT_NUMBER_DIGITS, DEFAULT_INTERVAL_SECONDS, DEFAULT_DELAY_WINDOW);
@ -40,13 +25,11 @@ public class TimeBasedOTP {
* @param algorithm the encryption algorithm
* @param numberDigits the number of digits for tokens
* @param timeIntervalInSeconds the number of seconds a token is valid
* @param delayWindow the number of previous intervals that should be used to validate tokens.
* @param lookAheadWindow the number of previous intervals that should be used to validate tokens.
*/
public TimeBasedOTP(String algorithm, int numberDigits, int timeIntervalInSeconds, int delayWindow) {
this.algorithm = algorithm;
this.numberDigits = numberDigits;
public TimeBasedOTP(String algorithm, int numberDigits, int timeIntervalInSeconds, int lookAheadWindow) {
super(numberDigits, algorithm, lookAheadWindow);
this.clock = new Clock(timeIntervalInSeconds);
this.delayWindow = delayWindow;
}
/**
@ -54,7 +37,7 @@ public class TimeBasedOTP {
*
* @param secretKey the secret key to derive the token from.
*/
public String generate(String secretKey) {
public String generateTOTP(String secretKey) {
long T = this.clock.getCurrentInterval();
String steps = Long.toHexString(T).toUpperCase();
@ -63,53 +46,7 @@ public class TimeBasedOTP {
while (steps.length() < 16)
steps = "0" + steps;
return generateTOTP(secretKey, steps, this.numberDigits, this.algorithm);
}
/**
* This method generates an TOTP value for the given set of parameters.
*
* @param key the shared secret, HEX encoded
* @param time a value that reflects a time
* @param returnDigits number of digits to return
* @param crypto the crypto function to use
* @return A numeric String in base 10 that includes {@link truncationDigits} digits
* @throws java.security.GeneralSecurityException
*
*/
public String generateTOTP(String key, String time, int returnDigits, String crypto) {
String result = null;
byte[] hash;
// Using the counter
// First 8 bytes are for the movingFactor
// Complaint with base RFC 4226 (HOTP)
while (time.length() < 16)
time = "0" + time;
// Get the HEX in a Byte[]
byte[] msg = hexStr2Bytes(time);
// Adding one byte to get the right conversion
// byte[] k = hexStr2Bytes(key);
byte[] k = key.getBytes();
hash = hmac_sha1(crypto, k, msg);
// put selected bytes into result int
int offset = hash[hash.length - 1] & 0xf;
int binary = ((hash[offset] & 0x7f) << 24) | ((hash[offset + 1] & 0xff) << 16) | ((hash[offset + 2] & 0xff) << 8)
| (hash[offset + 3] & 0xff);
int otp = binary % DIGITS_POWER[returnDigits];
result = Integer.toString(otp);
while (result.length() < returnDigits) {
result = "0" + result;
}
return result;
return generateOTP(secretKey, steps, this.numberDigits, this.algorithm);
}
/**
@ -119,17 +56,17 @@ public class TimeBasedOTP {
* @param secret Shared secret
* @return
*/
public boolean validate(String token, byte[] secret) {
public boolean validateTOTP(String token, byte[] secret) {
long currentInterval = this.clock.getCurrentInterval();
for (int i = this.delayWindow; i >= 0; --i) {
for (int i = this.lookAheadWindow; i >= 0; --i) {
String steps = Long.toHexString(currentInterval - i).toUpperCase();
// Just get a 16 digit string
while (steps.length() < 16)
steps = "0" + steps;
String candidate = generateTOTP(new String(secret), steps, this.numberDigits, this.algorithm);
String candidate = generateOTP(new String(secret), steps, this.numberDigits, this.algorithm);
if (candidate.equals(token)) {
return true;
@ -143,53 +80,6 @@ public class TimeBasedOTP {
this.clock.setCalendar(calendar);
}
/**
* This method uses the JCE to provide the crypto algorithm. HMAC computes a Hashed Message Authentication Code with the
* crypto hash algorithm as a parameter.
*
* @param crypto the crypto algorithm (HmacSHA1, HmacSHA256, HmacSHA512)
* @param keyBytes the bytes to use for the HMAC key
* @param text the message or text to be authenticated.
* @throws java.security.NoSuchAlgorithmException
*
* @throws java.security.InvalidKeyException
*
*/
private byte[] hmac_sha1(String crypto, byte[] keyBytes, byte[] text) {
byte[] value;
try {
Mac hmac = Mac.getInstance(crypto);
SecretKeySpec macKey = new SecretKeySpec(keyBytes, "RAW");
hmac.init(macKey);
value = hmac.doFinal(text);
} catch (Exception e) {
throw new RuntimeException(e);
}
return value;
}
/**
* This method converts HEX string to Byte[]
*
* @param hex the HEX string
* @return A byte array
*/
private byte[] hexStr2Bytes(String hex) {
// Adding one byte to get the right conversion
// values starting with "0" can be converted
byte[] bArray = new BigInteger("10" + hex, 16).toByteArray();
// Copy all the REAL bytes, not the "first"
byte[] ret = new byte[bArray.length - 1];
for (int i = 0; i < ret.length; i++)
ret[i] = bArray[i + 1];
return ret;
}
private class Clock {
private final int interval;

View file

@ -43,8 +43,8 @@ public class UserModelDelegate implements UserModel {
}
@Override
public boolean isTotp() {
return delegate.isTotp();
public boolean isOtpEnabled() {
return delegate.isOtpEnabled();
}
@Override
@ -148,8 +148,8 @@ public class UserModelDelegate implements UserModel {
}
@Override
public void setTotp(boolean totp) {
delegate.setTotp(totp);
public void setOtpEnabled(boolean totp) {
delegate.setOtpEnabled(totp);
}
@Override

View file

@ -0,0 +1,32 @@
package org.keycloak.models;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.models.utils.Base32;
import org.keycloak.models.utils.HmacOTP;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.BufferedReader;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Scanner;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class HmacTest {
@Test
public void testHmac() throws Exception {
HmacOTP hmacOTP = new HmacOTP(6, HmacOTP.HMAC_SHA1, 10);
String secret = "JNSVMMTEKZCUGSKJIVGHMNSQOZBDA5JT";
String decoded = new String(Base32.decode(secret));
System.out.println(hmacOTP.generateHOTP(decoded, 0));
System.out.println(hmacOTP.validateHOTP("550233", decoded, 0));
Assert.assertEquals(1, hmacOTP.validateHOTP("550233", decoded, 0));
}
}

View file

@ -26,6 +26,7 @@ import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
@ -81,6 +82,7 @@ public class RealmAdapter implements RealmModel {
protected volatile transient Key codeSecretKey;
private volatile transient PasswordPolicy passwordPolicy;
private volatile transient OTPPolicy otpPolicy;
private volatile transient KeycloakSession session;
private final Map<String, ClientModel> allApps = new HashMap<String, ClientModel>();
@ -287,6 +289,29 @@ public class RealmAdapter implements RealmModel {
realm.setPasswordPolicy(policy.toString());
}
@Override
public OTPPolicy getOTPPolicy() {
if (otpPolicy == null) {
otpPolicy = new OTPPolicy();
otpPolicy.setDigits(realm.getOtpPolicyDigits());
otpPolicy.setAlgorithm(realm.getOtpPolicyAlgorithm());
otpPolicy.setInitialCounter(realm.getOtpPolicyInitialCounter());
otpPolicy.setLookAheadWindow(realm.getOtpPolicyLookAheadWindow());
otpPolicy.setType(realm.getOtpPolicyType());
}
return otpPolicy;
}
@Override
public void setOTPPolicy(OTPPolicy policy) {
realm.setOtpPolicyAlgorithm(policy.getAlgorithm());
realm.setOtpPolicyDigits(policy.getDigits());
realm.setOtpPolicyInitialCounter(policy.getInitialCounter());
realm.setOtpPolicyLookAheadWindow(policy.getLookAheadWindow());
realm.setOtpPolicyType(policy.getType());
}
@Override
public int getNotBefore() {
return realm.getNotBefore();

View file

@ -22,6 +22,7 @@ import org.keycloak.models.ClientModel;
import static org.keycloak.models.utils.Pbkdf2PasswordEncoder.getSalt;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
@ -256,12 +257,12 @@ public class UserAdapter implements UserModel, Comparable {
}
@Override
public boolean isTotp() {
public boolean isOtpEnabled() {
return user.isTotp();
}
@Override
public void setTotp(boolean totp) {
public void setOtpEnabled(boolean totp) {
user.setTotp(totp);
}
@ -270,7 +271,10 @@ public class UserAdapter implements UserModel, Comparable {
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
updatePasswordCredential(cred);
} else {
} else if (UserCredentialModel.isOtp(cred.getType())){
updateOtpCredential(cred);
}else {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
if (credentialEntity == null) {
@ -283,6 +287,27 @@ public class UserAdapter implements UserModel, Comparable {
}
}
private void updateOtpCredential(UserCredentialModel cred) {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
if (credentialEntity == null) {
credentialEntity = setCredentials(user, cred);
credentialEntity.setValue(cred.getValue());
OTPPolicy otpPolicy = realm.getOTPPolicy();
credentialEntity.setAlgorithm(otpPolicy.getAlgorithm());
credentialEntity.setDigits(otpPolicy.getDigits());
credentialEntity.setCounter(otpPolicy.getInitialCounter());
user.getCredentials().add(credentialEntity);
} else {
credentialEntity.setValue(cred.getValue());
OTPPolicy policy = realm.getOTPPolicy();
credentialEntity.setDigits(policy.getDigits());
credentialEntity.setCounter(policy.getInitialCounter());
credentialEntity.setAlgorithm(policy.getAlgorithm());
}
}
private void updatePasswordCredential(UserCredentialModel cred) {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
@ -390,6 +415,9 @@ public class UserAdapter implements UserModel, Comparable {
credModel.setValue(credEntity.getValue());
credModel.setSalt(credEntity.getSalt());
credModel.setHashIterations(credEntity.getHashIterations());
credModel.setCounter(credEntity.getCounter());
credModel.setAlgorithm(credEntity.getAlgorithm());
credModel.setDigits(credEntity.getDigits());
result.add(credModel);
}
@ -414,6 +442,9 @@ public class UserAdapter implements UserModel, Comparable {
credentialEntity.setSalt(credModel.getSalt());
credentialEntity.setDevice(credModel.getDevice());
credentialEntity.setHashIterations(credModel.getHashIterations());
credentialEntity.setCounter(credModel.getCounter());
credentialEntity.setAlgorithm(credModel.getAlgorithm());
credentialEntity.setDigits(credModel.getDigits());
}
@Override

View file

@ -8,6 +8,7 @@ import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
@ -452,6 +453,19 @@ public class RealmAdapter implements RealmModel {
updated.setPasswordPolicy(policy);
}
@Override
public OTPPolicy getOTPPolicy() {
if (updated != null) return updated.getOTPPolicy();
return cached.getOtpPolicy();
}
@Override
public void setOTPPolicy(OTPPolicy policy) {
getDelegateForUpdate();
updated.setOTPPolicy(policy);
}
@Override
public RoleModel getRoleById(String id) {
if (updated != null) return updated.getRoleById(id);

View file

@ -80,8 +80,8 @@ public class UserAdapter implements UserModel {
}
@Override
public boolean isTotp() {
if (updated != null) return updated.isTotp();
public boolean isOtpEnabled() {
if (updated != null) return updated.isOtpEnabled();
return cached.isTotp();
}
@ -208,9 +208,9 @@ public class UserAdapter implements UserModel {
}
@Override
public void setTotp(boolean totp) {
public void setOtpEnabled(boolean totp) {
getDelegateForUpdate();
updated.setTotp(totp);
updated.setOtpEnabled(totp);
}
@Override

View file

@ -7,6 +7,7 @@ import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RealmProvider;
@ -63,6 +64,7 @@ public class CachedRealm implements Serializable {
private int accessCodeLifespanLogin;
private int notBefore;
private PasswordPolicy passwordPolicy;
private OTPPolicy otpPolicy;
private String publicKeyPem;
private String privateKeyPem;
@ -137,6 +139,7 @@ public class CachedRealm implements Serializable {
accessCodeLifespanLogin = model.getAccessCodeLifespanLogin();
notBefore = model.getNotBefore();
passwordPolicy = model.getPasswordPolicy();
otpPolicy = model.getOTPPolicy();
publicKeyPem = model.getPublicKeyPem();
privateKeyPem = model.getPrivateKeyPem();
@ -456,4 +459,8 @@ public class CachedRealm implements Serializable {
public Map<String, RequiredActionProviderModel> getRequiredActionProvidersByAlias() {
return requiredActionProvidersByAlias;
}
public OTPPolicy getOtpPolicy() {
return otpPolicy;
}
}

View file

@ -7,11 +7,9 @@ import org.keycloak.models.UserModel;
import org.keycloak.util.MultivaluedHashMap;
import java.io.Serializable;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
@ -48,7 +46,7 @@ public class CachedUser implements Serializable {
this.emailVerified = user.isEmailVerified();
this.credentials.addAll(user.getCredentialsDirectly());
this.enabled = user.isEnabled();
this.totp = user.isTotp();
this.totp = user.isOtpEnabled();
this.federationLink = user.getFederationLink();
this.serviceAccountClientLink = user.getServiceAccountClientLink();
this.requiredActions.addAll(user.getRequiredActions());

View file

@ -9,6 +9,7 @@ import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
@ -65,6 +66,7 @@ public class RealmAdapter implements RealmModel {
protected volatile transient Key codeSecretKey;
protected KeycloakSession session;
private PasswordPolicy passwordPolicy;
private OTPPolicy otpPolicy;
public RealmAdapter(KeycloakSession session, EntityManager em, RealmEntity realm) {
this.session = session;
@ -1017,6 +1019,30 @@ public class RealmAdapter implements RealmModel {
em.flush();
}
@Override
public OTPPolicy getOTPPolicy() {
if (otpPolicy == null) {
otpPolicy = new OTPPolicy();
otpPolicy.setDigits(realm.getOtpPolicyDigits());
otpPolicy.setAlgorithm(realm.getOtpPolicyAlgorithm());
otpPolicy.setInitialCounter(realm.getOtpPolicyInitialCounter());
otpPolicy.setLookAheadWindow(realm.getOtpPolicyLookAheadWindow());
otpPolicy.setType(realm.getOtpPolicyType());
}
return otpPolicy;
}
@Override
public void setOTPPolicy(OTPPolicy policy) {
realm.setOtpPolicyAlgorithm(policy.getAlgorithm());
realm.setOtpPolicyDigits(policy.getDigits());
realm.setOtpPolicyInitialCounter(policy.getInitialCounter());
realm.setOtpPolicyLookAheadWindow(policy.getLookAheadWindow());
realm.setOtpPolicyType(policy.getType());
em.flush();
}
@Override
public boolean equals(Object o) {
if (this == o) return true;

View file

@ -1,6 +1,7 @@
package org.keycloak.models.jpa;
import org.keycloak.models.ClientModel;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.ModelDuplicateException;
@ -94,7 +95,7 @@ public class UserAdapter implements UserModel {
}
@Override
public boolean isTotp() {
public boolean isOtpEnabled() {
return user.isTotp();
}
@ -282,7 +283,7 @@ public class UserAdapter implements UserModel {
}
@Override
public void setTotp(boolean totp) {
public void setOtpEnabled(boolean totp) {
user.setTotp(totp);
}
@ -291,6 +292,9 @@ public class UserAdapter implements UserModel {
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
updatePasswordCredential(cred);
} else if (UserCredentialModel.isOtp(cred.getType())){
updateOtpCredential(cred);
} else {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
@ -306,6 +310,31 @@ public class UserAdapter implements UserModel {
em.flush();
}
private void updateOtpCredential(UserCredentialModel cred) {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
if (credentialEntity == null) {
credentialEntity = setCredentials(user, cred);
credentialEntity.setValue(cred.getValue());
OTPPolicy otpPolicy = realm.getOTPPolicy();
credentialEntity.setAlgorithm(otpPolicy.getAlgorithm());
credentialEntity.setDigits(otpPolicy.getDigits());
credentialEntity.setCounter(otpPolicy.getInitialCounter());
em.persist(credentialEntity);
user.getCredentials().add(credentialEntity);
} else {
OTPPolicy policy = realm.getOTPPolicy();
credentialEntity.setDigits(policy.getDigits());
credentialEntity.setCounter(policy.getInitialCounter());
credentialEntity.setAlgorithm(policy.getAlgorithm());
credentialEntity.setValue(cred.getValue());
}
}
private void updatePasswordCredential(UserCredentialModel cred) {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
@ -418,6 +447,9 @@ public class UserAdapter implements UserModel {
credModel.setCreatedDate(credEntity.getCreatedDate());
credModel.setSalt(credEntity.getSalt());
credModel.setHashIterations(credEntity.getHashIterations());
credModel.setCounter(credEntity.getCounter());
credModel.setAlgorithm(credEntity.getAlgorithm());
credModel.setDigits(credEntity.getDigits());
result.add(credModel);
}
@ -444,6 +476,9 @@ public class UserAdapter implements UserModel {
credentialEntity.setSalt(credModel.getSalt());
credentialEntity.setDevice(credModel.getDevice());
credentialEntity.setHashIterations(credModel.getHashIterations());
credentialEntity.setCounter(credModel.getCounter());
credentialEntity.setAlgorithm(credModel.getAlgorithm());
credentialEntity.setDigits(credModel.getDigits());
em.flush();
}

View file

@ -44,6 +44,15 @@ public class CredentialEntity {
@JoinColumn(name="USER_ID")
protected UserEntity user;
@Column(name="COUNTER")
protected int counter;
@Column(name="ALGORITHM")
protected String algorithm;
@Column(name="DIGITS")
protected int digits;
public String getId() {
return id;
}
@ -108,4 +117,27 @@ public class CredentialEntity {
this.createdDate = createdDate;
}
public int getCounter() {
return counter;
}
public void setCounter(int counter) {
this.counter = counter;
}
public String getAlgorithm() {
return algorithm;
}
public void setAlgorithm(String algorithm) {
this.algorithm = algorithm;
}
public int getDigits() {
return digits;
}
public void setDigits(int digits) {
this.digits = digits;
}
}

View file

@ -55,8 +55,22 @@ public class RealmEntity {
protected boolean resetPasswordAllowed;
@Column(name="REMEMBER_ME")
protected boolean rememberMe;
@Column(name="PASSWORD_POLICY")
protected String passwordPolicy;
@Column(name="OTP_POLICY_TYPE")
protected String otpPolicyType;
@Column(name="OTP_POLICY_ALG")
protected String otpPolicyAlgorithm;
@Column(name="OTP_POLICY_COUNTER")
protected int otpPolicyInitialCounter;
@Column(name="OTP_POLICY_DIGITS")
protected int otpPolicyDigits;
@Column(name="OTP_POLICY_WINDOW")
protected int otpPolicyLookAheadWindow;
@Column(name="EDIT_USERNAME_ALLOWED")
protected boolean editUsernameAllowed;
@ -580,5 +594,44 @@ public class RealmEntity {
this.authenticationFlows = authenticationFlows;
}
public String getOtpPolicyType() {
return otpPolicyType;
}
public void setOtpPolicyType(String otpPolicyType) {
this.otpPolicyType = otpPolicyType;
}
public String getOtpPolicyAlgorithm() {
return otpPolicyAlgorithm;
}
public void setOtpPolicyAlgorithm(String otpPolicyAlgorithm) {
this.otpPolicyAlgorithm = otpPolicyAlgorithm;
}
public int getOtpPolicyInitialCounter() {
return otpPolicyInitialCounter;
}
public void setOtpPolicyInitialCounter(int otpPolicyInitialCounter) {
this.otpPolicyInitialCounter = otpPolicyInitialCounter;
}
public int getOtpPolicyDigits() {
return otpPolicyDigits;
}
public void setOtpPolicyDigits(int otpPolicyDigits) {
this.otpPolicyDigits = otpPolicyDigits;
}
public int getOtpPolicyLookAheadWindow() {
return otpPolicyLookAheadWindow;
}
public void setOtpPolicyLookAheadWindow(int otpPolicyLookAheadWindow) {
this.otpPolicyLookAheadWindow = otpPolicyLookAheadWindow;
}
}

View file

@ -13,6 +13,7 @@ import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RealmProvider;
@ -66,6 +67,7 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
protected volatile transient X509Certificate certificate;
protected volatile transient Key codeSecretKey;
private volatile transient OTPPolicy otpPolicy;
private volatile transient PasswordPolicy passwordPolicy;
private volatile transient KeycloakSession session;
@ -272,6 +274,30 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
updateRealm();
}
@Override
public OTPPolicy getOTPPolicy() {
if (otpPolicy == null) {
otpPolicy = new OTPPolicy();
otpPolicy.setDigits(realm.getOtpPolicyDigits());
otpPolicy.setAlgorithm(realm.getOtpPolicyAlgorithm());
otpPolicy.setInitialCounter(realm.getOtpPolicyInitialCounter());
otpPolicy.setLookAheadWindow(realm.getOtpPolicyLookAheadWindow());
otpPolicy.setType(realm.getOtpPolicyType());
}
return otpPolicy;
}
@Override
public void setOTPPolicy(OTPPolicy policy) {
realm.setOtpPolicyAlgorithm(policy.getAlgorithm());
realm.setOtpPolicyDigits(policy.getDigits());
realm.setOtpPolicyInitialCounter(policy.getInitialCounter());
realm.setOtpPolicyLookAheadWindow(policy.getLookAheadWindow());
realm.setOtpPolicyType(policy.getType());
updateRealm();
}
@Override
public int getNotBefore() {
return realm.getNotBefore();

View file

@ -7,6 +7,7 @@ import com.mongodb.QueryBuilder;
import org.keycloak.connections.mongo.api.context.MongoStoreInvocationContext;
import org.keycloak.models.ClientModel;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.KeycloakSession;
@ -227,12 +228,12 @@ public class UserAdapter extends AbstractMongoAdapter<MongoUserEntity> implement
}
@Override
public boolean isTotp() {
public boolean isOtpEnabled() {
return user.isTotp();
}
@Override
public void setTotp(boolean totp) {
public void setOtpEnabled(boolean totp) {
user.setTotp(totp);
updateUser();
}
@ -242,6 +243,8 @@ public class UserAdapter extends AbstractMongoAdapter<MongoUserEntity> implement
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
updatePasswordCredential(cred);
} else if (UserCredentialModel.isOtp(cred.getType())){
updateOtpCredential(cred);
} else {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
@ -256,6 +259,27 @@ public class UserAdapter extends AbstractMongoAdapter<MongoUserEntity> implement
getMongoStore().updateEntity(user, invocationContext);
}
private void updateOtpCredential(UserCredentialModel cred) {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
if (credentialEntity == null) {
credentialEntity = setCredentials(user, cred);
credentialEntity.setValue(cred.getValue());
OTPPolicy otpPolicy = realm.getOTPPolicy();
credentialEntity.setAlgorithm(otpPolicy.getAlgorithm());
credentialEntity.setDigits(otpPolicy.getDigits());
credentialEntity.setCounter(otpPolicy.getInitialCounter());
user.getCredentials().add(credentialEntity);
} else {
credentialEntity.setValue(cred.getValue());
OTPPolicy policy = realm.getOTPPolicy();
credentialEntity.setDigits(policy.getDigits());
credentialEntity.setCounter(policy.getInitialCounter());
credentialEntity.setAlgorithm(policy.getAlgorithm());
}
}
private void updatePasswordCredential(UserCredentialModel cred) {
CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());
@ -362,6 +386,9 @@ public class UserAdapter extends AbstractMongoAdapter<MongoUserEntity> implement
credModel.setValue(credEntity.getValue());
credModel.setSalt(credEntity.getSalt());
credModel.setHashIterations(credEntity.getHashIterations());
credModel.setCounter(credEntity.getCounter());
credModel.setAlgorithm(credEntity.getAlgorithm());
credModel.setDigits(credEntity.getDigits());
result.add(credModel);
}
@ -384,6 +411,9 @@ public class UserAdapter extends AbstractMongoAdapter<MongoUserEntity> implement
credentialEntity.setSalt(credModel.getSalt());
credentialEntity.setDevice(credModel.getDevice());
credentialEntity.setHashIterations(credModel.getHashIterations());
credentialEntity.setCounter(credModel.getCounter());
credentialEntity.setAlgorithm(credModel.getAlgorithm());
credentialEntity.setDigits(credModel.getDigits());
getMongoStore().updateEntity(user, invocationContext);

View file

@ -45,7 +45,7 @@ public class OTPFormAuthenticator extends AbstractFormAuthenticator implements A
context.challenge(challengeResponse);
return;
}
credentials.add(UserCredentialModel.totp(password));
credentials.add(UserCredentialModel.otp(context.getRealm().getOTPPolicy().getType(), password));
boolean valid = context.getSession().users().validCredentials(context.getRealm(), context.getUser(), credentials);
if (!valid) {
context.getEvent().user(context.getUser())
@ -75,7 +75,7 @@ public class OTPFormAuthenticator extends AbstractFormAuthenticator implements A
@Override
public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
return session.users().configuredForCredentialType(UserCredentialModel.TOTP, realm, user) && user.isTotp();
return session.users().configuredForCredentialType(realm.getOTPPolicy().getType(), realm, user);
}
@Override

View file

@ -50,7 +50,7 @@ public class ValidateOTP extends AbstractDirectGrantAuthenticator {
context.failure(AuthenticationProcessor.Error.INVALID_USER, challengeResponse);
return;
}
credentials.add(UserCredentialModel.totp(otp));
credentials.add(UserCredentialModel.otp(context.getRealm().getOTPPolicy().getType(), otp));
boolean valid = context.getSession().users().validCredentials(context.getRealm(), context.getUser(), credentials);
if (!valid) {
context.getEvent().user(context.getUser());
@ -74,7 +74,7 @@ public class ValidateOTP extends AbstractDirectGrantAuthenticator {
}
private boolean isConfigured(KeycloakSession session, RealmModel realm, UserModel user) {
return session.users().configuredForCredentialType(UserCredentialModel.TOTP, realm, user) && user.isTotp();
return session.users().configuredForCredentialType(realm.getOTPPolicy().getType(), realm, user);
}
@Override

View file

@ -11,6 +11,7 @@ import org.keycloak.models.BrowserSecurityHeaders;
import org.keycloak.models.Constants;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RealmProvider;
import org.keycloak.models.RoleModel;
@ -150,6 +151,7 @@ public class RealmManager {
realm.setMaxDeltaTimeSeconds(60 * 60 * 12); // 12 hours
realm.setFailureFactor(30);
realm.setSslRequired(SslRequired.EXTERNAL);
realm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
realm.setEventsListeners(Collections.singleton("jboss-logging"));
}

View file

@ -22,11 +22,6 @@
package org.keycloak.services.resources;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.BadRequestException;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.AbstractOAuthClient;
import org.keycloak.ClientConnection;
import org.keycloak.OAuth2Constants;
import org.keycloak.account.AccountPages;
import org.keycloak.account.AccountProvider;
import org.keycloak.events.Details;
@ -38,10 +33,8 @@ import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.Constants;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.ModelReadOnlyException;
@ -50,11 +43,11 @@ import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
@ -65,7 +58,6 @@ import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CookieHelper;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.services.validation.Validation;
import org.keycloak.util.UriUtils;
@ -76,12 +68,8 @@ import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
@ -441,7 +429,7 @@ public class AccountService extends AbstractSecuredLocalService {
csrfCheck(stateChecker);
UserModel user = auth.getUser();
user.setTotp(false);
user.setOtpEnabled(false);
event.event(EventType.REMOVE_TOTP).client(auth.getClient()).user(auth.getUser()).success();
@ -552,17 +540,23 @@ public class AccountService extends AbstractSecuredLocalService {
if (Validation.isBlank(totp)) {
setReferrerOnPage();
return account.setError(Messages.MISSING_TOTP).createResponse(AccountPages.TOTP);
} else if (!new TimeBasedOTP().validate(totp, totpSecret.getBytes())) {
} else if (!CredentialValidation.validOTP(realm, totp, totpSecret)) {
setReferrerOnPage();
return account.setError(Messages.INVALID_TOTP).createResponse(AccountPages.TOTP);
}
UserCredentialModel credentials = new UserCredentialModel();
credentials.setType(CredentialRepresentation.TOTP);
credentials.setType(realm.getOTPPolicy().getType());
credentials.setValue(totpSecret);
session.users().updateCredential(realm, user, credentials);
user.setTotp(true);
user.setOtpEnabled(true);
// to update counter
UserCredentialModel cred = new UserCredentialModel();
cred.setType(realm.getOTPPolicy().getType());
cred.setValue(totp);
session.users().validCredentials(realm, user, cred);
event.event(EventType.UPDATE_TOTP).client(auth.getClient()).user(auth.getUser()).success();

View file

@ -47,6 +47,7 @@ import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.RequiredAction;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.utils.DefaultAuthenticationFlows;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.TimeBasedOTP;
@ -563,18 +564,25 @@ public class LoginActionsService {
return loginForms.setError(Messages.MISSING_TOTP)
.setClientSessionCode(accessCode.getCode())
.createResponse(RequiredAction.CONFIGURE_TOTP);
} else if (!new TimeBasedOTP().validate(totp, totpSecret.getBytes())) {
} else if (!CredentialValidation.validOTP(realm, totp, totpSecret)) {
return loginForms.setError(Messages.INVALID_TOTP)
.setClientSessionCode(accessCode.getCode())
.createResponse(RequiredAction.CONFIGURE_TOTP);
}
UserCredentialModel credentials = new UserCredentialModel();
credentials.setType(CredentialRepresentation.TOTP);
credentials.setType(realm.getOTPPolicy().getType());
credentials.setValue(totpSecret);
session.users().updateCredential(realm, user, credentials);
user.setTotp(true);
// if type is HOTP, to update counter we execute validation based on supplied token
UserCredentialModel cred = new UserCredentialModel();
cred.setType(realm.getOTPPolicy().getType());
cred.setValue(totp);
session.users().validCredentials(realm, user, cred);
user.setOtpEnabled(true);
user.removeRequiredAction(RequiredAction.CONFIGURE_TOTP);

View file

@ -69,7 +69,6 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
@ -213,7 +212,7 @@ public class UsersResource {
user.setLastName(rep.getLastName());
user.setEnabled(rep.isEnabled());
user.setTotp(rep.isTotp());
user.setOtpEnabled(rep.isTotp());
user.setEmailVerified(rep.isEmailVerified());
List<String> reqActions = rep.getRequiredActions();
@ -821,7 +820,7 @@ public class UsersResource {
throw new NotFoundException("User not found");
}
user.setTotp(false);
user.setOtpEnabled(false);
adminEvent.operation(OperationType.ACTION).resourcePath(uriInfo).success();
}

View file

@ -43,7 +43,7 @@ public class TotpGenerator {
public void run() {
String google = new String(Base32.decode(secret));
TimeBasedOTP otp = new TimeBasedOTP();
System.out.println(otp.generate(google));
System.out.println(otp.generateTOTP(google));
}
}

View file

@ -167,7 +167,7 @@ public class AccountTest {
});
}
//@Test
@Test
public void ideTesting() throws Exception {
Thread.sleep(100000000);
}
@ -517,11 +517,11 @@ public class AccountTest {
Assert.assertFalse(driver.getPageSource().contains("Remove Google"));
// Error with false code
totpPage.configure(totp.generate(totpPage.getTotpSecret() + "123"));
totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret() + "123"));
Assert.assertEquals("Invalid authenticator code.", profilePage.getError());
totpPage.configure(totp.generate(totpPage.getTotpSecret()));
totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret()));
Assert.assertEquals("Mobile authenticator configured.", profilePage.getSuccess());

View file

@ -25,7 +25,6 @@ import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.authentication.requiredactions.UpdateTotp;
import org.keycloak.events.Details;
import org.keycloak.events.Event;
import org.keycloak.events.EventType;
@ -113,7 +112,7 @@ public class RequiredActionTotpSetupTest {
totpPage.assertCurrent();
totpPage.configure(totp.generate(totpPage.getTotpSecret()));
totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret()));
String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).user(userId).detail(Details.USERNAME, "setuptotp").assertEvent().getSessionId();
@ -131,7 +130,7 @@ public class RequiredActionTotpSetupTest {
String totpSecret = totpPage.getTotpSecret();
totpPage.configure(totp.generate(totpSecret));
totpPage.configure(totp.generateTOTP(totpSecret));
String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).assertEvent().getSessionId();
@ -146,7 +145,7 @@ public class RequiredActionTotpSetupTest {
loginPage.open();
loginPage.login("test-user@localhost", "password");
String src = driver.getPageSource();
loginTotpPage.login(totp.generate(totpSecret));
loginTotpPage.login(totp.generateTOTP(totpSecret));
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
@ -166,7 +165,7 @@ public class RequiredActionTotpSetupTest {
totpPage.assertCurrent();
String totpCode = totpPage.getTotpSecret();
totpPage.configure(totp.generate(totpCode));
totpPage.configure(totp.generateTOTP(totpCode));
// After totp config, user should be on the app page
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
@ -184,11 +183,13 @@ public class RequiredActionTotpSetupTest {
loginPage.login("setupTotp2", "password2");
// Totp is already configured, thus one-time password is needed, login page should be loaded
String uri = driver.getCurrentUrl();
String src = driver.getPageSource();
Assert.assertTrue(loginPage.isCurrent());
Assert.assertFalse(totpPage.isCurrent());
// Login with one-time password
loginTotpPage.login(totp.generate(totpCode));
loginTotpPage.login(totp.generateTOTP(totpCode));
loginEvent = events.expectLogin().user(userId).detail(Details.USERNAME, "setuptotp2").assertEvent();
@ -211,7 +212,7 @@ public class RequiredActionTotpSetupTest {
// Since the authentificator was removed, it has to be set up again
totpPage.assertCurrent();
totpPage.configure(totp.generate(totpPage.getTotpSecret()));
totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret()));
String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).user(userId).detail(Details.USERNAME, "setuptotp2").assertEvent().getSessionId();

View file

@ -72,7 +72,7 @@ public class BruteForceTest {
credentials.setValue("totpSecret");
user.updateCredential(credentials);
user.setTotp(true);
user.setOtpEnabled(true);
appRealm.setEventsListeners(Collections.singleton("dummy"));
appRealm.setBruteForceProtected(true);
@ -158,14 +158,14 @@ public class BruteForceTest {
@Test
public void testGrantInvalidPassword() throws Exception {
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNotNull(response.getAccessToken());
Assert.assertNull(response.getError());
events.clear();
}
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("invalid", totpSecret);
Assert.assertNull(response.getAccessToken());
Assert.assertEquals(response.getError(), "invalid_grant");
@ -173,7 +173,7 @@ public class BruteForceTest {
events.clear();
}
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("invalid", totpSecret);
Assert.assertNull(response.getAccessToken());
Assert.assertEquals(response.getError(), "invalid_grant");
@ -181,7 +181,7 @@ public class BruteForceTest {
events.clear();
}
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNull(response.getAccessToken());
Assert.assertNotNull(response.getError());
@ -191,7 +191,7 @@ public class BruteForceTest {
}
clearUserFailures();
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNotNull(response.getAccessToken());
Assert.assertNull(response.getError());
@ -203,7 +203,7 @@ public class BruteForceTest {
@Test
public void testGrantInvalidOtp() throws Exception {
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNotNull(response.getAccessToken());
Assert.assertNull(response.getError());
@ -224,7 +224,7 @@ public class BruteForceTest {
events.clear();
}
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNull(response.getAccessToken());
Assert.assertNotNull(response.getError());
@ -234,7 +234,7 @@ public class BruteForceTest {
}
clearUserFailures();
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNotNull(response.getAccessToken());
Assert.assertNull(response.getError());
@ -244,7 +244,7 @@ public class BruteForceTest {
} @Test
public void testGrantMissingOtp() throws Exception {
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNotNull(response.getAccessToken());
Assert.assertNull(response.getError());
@ -265,7 +265,7 @@ public class BruteForceTest {
events.clear();
}
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNull(response.getAccessToken());
Assert.assertNotNull(response.getError());
@ -275,7 +275,7 @@ public class BruteForceTest {
}
clearUserFailures();
{
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
Assert.assertNotNull(response.getAccessToken());
Assert.assertNull(response.getError());
@ -353,7 +353,7 @@ public class BruteForceTest {
loginTotpPage.assertCurrent();
String totpSecret = totp.generate("totpSecret");
String totpSecret = totp.generateTOTP("totpSecret");
loginTotpPage.login(totpSecret);
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());

View file

@ -43,7 +43,6 @@ import org.keycloak.testsuite.rule.KeycloakRule;
import org.keycloak.testsuite.rule.KeycloakRule.KeycloakSetup;
import org.keycloak.testsuite.rule.WebResource;
import org.keycloak.testsuite.rule.WebRule;
import org.keycloak.util.Time;
import org.openqa.selenium.WebDriver;
import java.net.MalformedURLException;
@ -66,7 +65,7 @@ public class LoginTotpTest {
credentials.setValue("totpSecret");
user.updateCredential(credentials);
user.setTotp(true);
user.setOtpEnabled(true);
appRealm.setEventsListeners(Collections.singleton("dummy"));
}
@ -147,7 +146,7 @@ public class LoginTotpTest {
loginTotpPage.assertCurrent();
loginTotpPage.login(totp.generate("totpSecret"));
loginTotpPage.login(totp.generateTOTP("totpSecret"));
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());