From 17c1b853e0d43cff54d301d5da87bca774148b21 Mon Sep 17 00:00:00 2001
From: mposolda
Date: Fri, 31 Mar 2023 15:41:11 +0200
Subject: [PATCH] Custom implemention of OIDC Login Protocol doesn't get executed closes #19335
---
 .../browser/SpnegoAuthenticatorFactory.java | 22 +++++--
 .../SpnegoDisabledAuthenticatorFactory.java | 65 -------------------
 ...ycloak.authentication.AuthenticatorFactory | 1 -
 3 files changed, 15 insertions(+), 73 deletions(-)
 delete mode 100644 services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoDisabledAuthenticatorFactory.java
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticatorFactory.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticatorFactory.java
index 80d01b7da2..73ffbb533e 100755
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticatorFactory.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticatorFactory.java
@@ -18,6 +18,7 @@
 package org.keycloak.authentication.authenticators.browser;
 import org.keycloak.Config;
+import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.Authenticator;
 import org.keycloak.authentication.AuthenticatorFactory;
 import org.keycloak.common.Profile;
@@ -25,7 +26,6 @@ import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.UserCredentialModel;
-import org.keycloak.provider.EnvironmentDependentProviderFactory;
 import org.keycloak.provider.ProviderConfigProperty;
 import java.util.List;
@@ -34,14 +34,21 @@ import java.util.List;
 * @author Bill Burke
 * @version $Revision: 1 $
 */
-public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, EnvironmentDependentProviderFactory {
+public class SpnegoAuthenticatorFactory implements AuthenticatorFactory {
 public static final String PROVIDER_ID = "auth-spnego";
 public static final SpnegoAuthenticator SINGLETON = new SpnegoAuthenticator();
+ public static final SpnegoAuthenticator SINGLETON_DISABLED = new SpnegoAuthenticator() {
+
+ @Override
+ public void authenticate(AuthenticationFlowContext context) {
+ throw new IllegalStateException("Not possible to authenticate as Kerberos feature is disabled");
+ }
+ };
 @Override
 public Authenticator create(KeycloakSession session) {
- return SINGLETON;
+ return isKerberosFeatureEnabled() ? SINGLETON : SINGLETON_DISABLED;
 }
 @Override
@@ -71,7 +78,7 @@ public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, Environ
 @Override
 public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
- return REQUIREMENT_CHOICES;
+ return isKerberosFeatureEnabled() ? REQUIREMENT_CHOICES : new AuthenticationExecutionModel.Requirement[]{ AuthenticationExecutionModel.Requirement.DISABLED };
 }
@@ -87,7 +94,9 @@ public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, Environ
 @Override
 public String getHelpText() {
- return "Initiates the SPNEGO protocol. Most often used with Kerberos.";
+ return isKerberosFeatureEnabled()
+ ? "Initiates the SPNEGO protocol. Most often used with Kerberos."
+ : "DISABLED. Please enable Kerberos feature and make sure Kerberos available in your platform. Initiates the SPNEGO protocol. Most often used with Kerberos.";
 }
 @Override
@@ -100,8 +109,7 @@ public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, Environ
 return false;
 }
- @Override
- public boolean isSupported() {
+ private boolean isKerberosFeatureEnabled() {
 return Profile.isFeatureEnabled(Profile.Feature.KERBEROS);
 }
 }
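Review bot: `SINGLETON_DISABLED` is added as a public field with no comment, while the explanation of why a throwing authenticator exists at all is deleted together with SpnegoDisabledAuthenticatorFactory in this same commit. That Javadoc said the Kerberos authenticator is added to the realm browser flow by default, so the provider has to keep resolving even with the KERBEROS feature off; I would carry it over above the field, e.g. `// Returned when the KERBEROS feature is off: auth-spnego is in the default browser flow, so it must resolve but never authenticate.` Within the visible lines only `create()` reads the field, so `private static final` would keep the fail-closed instance out of the public surface unless code outside this file needs it. The anonymous class overrides only `authenticate`; the other methods it inherits from SpnegoAuthenticator are not visible here, so it is worth confirming that none of them does Kerberos work when the feature is disabled.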
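Review bot: Returning only `DISABLED` from `getRequirementChoices()` narrows what can be selected from now on, but nothing in this hunk touches a requirement that was stored while the feature was still enabled. If such an execution is left as ALTERNATIVE or REQUIRED (presumably possible; the stored flow is not visible here), `create()` hands out `SINGLETON_DISABLED` and the login attempt ends in its IllegalStateException, and how the flow processor reports that exception cannot be seen from this patch. That fails closed, which is the safe direction, but the method deserves a comment such as `// Only limits the selectable choices; an execution saved with another requirement still reaches the throwing authenticator.`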
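Review bot: Dropping `isSupported()` moves the KERBEROS gate from provider registration to individual call sites, and the new private helper carries no comment saying so. In the visible hunks only `create()`, `getRequirementChoices()` and `getHelpText()` consult `isKerberosFeatureEnabled()`, so a method added to this factory later stays ungated unless its author knows to call the helper. A short Javadoc on the helper would record that, for example `/** The factory is registered even when KERBEROS is off; every feature-dependent method must check this. */`. The helper reads no instance state, so it could also be declared `private static boolean`.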
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoDisabledAuthenticatorFactory.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoDisabledAuthenticatorFactory.java
deleted file mode 100644
index 2011df910c..0000000000
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoDisabledAuthenticatorFactory.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright 2023 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-package org.keycloak.authentication.authenticators.browser;
-
-
-import org.keycloak.authentication.AuthenticationFlowContext;
-import org.keycloak.authentication.Authenticator;
-import org.keycloak.authentication.AuthenticatorFactory;
-import org.keycloak.common.Profile;
-import org.keycloak.models.AuthenticationExecutionModel;
-import org.keycloak.models.KeycloakSession;
-
-/**
- * Factory used only when KERBEROS feature is disabled. This exists due the KERBEROS authenticator is added by default to realm browser flow (even if DISABLED by default)
- *
- * @author Marek Posolda
- */
-public class SpnegoDisabledAuthenticatorFactory extends SpnegoAuthenticatorFactory implements AuthenticatorFactory {
-
- @Override
- public Authenticator create(KeycloakSession session) {
- return new SpnegoDisabledAuthenticator();
- }
-
- @Override
- public String getHelpText() {
- return "DISABLED. Please enable Kerberos feature and make sure Kerberos available in your platform. Initiates the SPNEGO protocol. Most often used with Kerberos.";
- }
-
- @Override
- public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
- return new AuthenticationExecutionModel.Requirement[]{ AuthenticationExecutionModel.Requirement.DISABLED };
- }
-
- @Override
- public boolean isSupported() {
- return !Profile.isFeatureEnabled(Profile.Feature.KERBEROS);
- }
-
- public static class SpnegoDisabledAuthenticator extends SpnegoAuthenticator {
-
- @Override
- public void authenticate(AuthenticationFlowContext context) {
- throw new IllegalStateException("Not possible to authenticate as Kerberos feature is disabled");
- }
- }
-
-}
diff --git a/services/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory b/services/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
index c18d1e01fe..999a7696b6 100755
--- a/services/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
+++ b/services/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
@@ -21,7 +21,6 @@ org.keycloak.authentication.authenticators.browser.UsernameFormFactory
 org.keycloak.authentication.authenticators.browser.PasswordFormFactory
 org.keycloak.authentication.authenticators.browser.OTPFormAuthenticatorFactory
 org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory
-org.keycloak.authentication.authenticators.browser.SpnegoDisabledAuthenticatorFactory
 org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticatorFactory
 org.keycloak.authentication.authenticators.conditional.ConditionalRoleAuthenticatorFactory
 org.keycloak.authentication.authenticators.conditional.ConditionalUserConfiguredAuthenticatorFactory