Custom implemention of OIDC Login Protocol doesn't get executed

closes #19335
mposolda 2023-03-31 15:41:11 +02:00 committed by Pedro Igor
parent c6a1820a47
commit 17c1b853e0
3 changed files with 15 additions and 73 deletions


@ -18,6 +18,7 @@
package org.keycloak.authentication.authenticators.browser; package org.keycloak.authentication.authenticators.browser;
import org.keycloak.Config; import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator; import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory; import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.common.Profile; import org.keycloak.common.Profile;
@ -25,7 +26,6 @@ import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserCredentialModel;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.provider.ProviderConfigProperty;
import java.util.List; import java.util.List;
@ -34,14 +34,21 @@ import java.util.List;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, EnvironmentDependentProviderFactory { public class SpnegoAuthenticatorFactory implements AuthenticatorFactory {
public static final String PROVIDER_ID = "auth-spnego"; public static final String PROVIDER_ID = "auth-spnego";
public static final SpnegoAuthenticator SINGLETON = new SpnegoAuthenticator(); public static final SpnegoAuthenticator SINGLETON = new SpnegoAuthenticator();
public static final SpnegoAuthenticator SINGLETON_DISABLED = new SpnegoAuthenticator() {
@Override
public void authenticate(AuthenticationFlowContext context) {
throw new IllegalStateException("Not possible to authenticate as Kerberos feature is disabled");
}
};
@Override @Override
public Authenticator create(KeycloakSession session) { public Authenticator create(KeycloakSession session) {
return SINGLETON; return isKerberosFeatureEnabled() ? SINGLETON : SINGLETON_DISABLED;
} }
@Override @Override
@ -71,7 +78,7 @@ public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, Environ
@Override @Override
public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
return REQUIREMENT_CHOICES; return isKerberosFeatureEnabled() ? REQUIREMENT_CHOICES : new AuthenticationExecutionModel.Requirement[]{ AuthenticationExecutionModel.Requirement.DISABLED };
} }
@ -87,7 +94,9 @@ public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, Environ
@Override @Override
public String getHelpText() { public String getHelpText() {
return "Initiates the SPNEGO protocol. Most often used with Kerberos."; return isKerberosFeatureEnabled()
? "Initiates the SPNEGO protocol. Most often used with Kerberos."
: "DISABLED. Please enable Kerberos feature and make sure Kerberos available in your platform. Initiates the SPNEGO protocol. Most often used with Kerberos.";
} }
@Override @Override
@ -100,8 +109,7 @@ public class SpnegoAuthenticatorFactory implements AuthenticatorFactory, Environ
return false; return false;
} }
@Override private boolean isKerberosFeatureEnabled() {
public boolean isSupported() {
return Profile.isFeatureEnabled(Profile.Feature.KERBEROS); return Profile.isFeatureEnabled(Profile.Feature.KERBEROS);
} }
} }
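Review bot: `SINGLETON_DISABLED` overrides only `authenticate`, so with the Kerberos feature off every other method inherited from `SpnegoAuthenticator` (not visible on this page) keeps its enabled behaviour. Because the factory no longer implements `EnvironmentDependentProviderFactory`, the provider stays registered and the `isKerberosFeatureEnabled()` checks are the only gate. It is worth confirming that no inherited entry point can complete or advance a flow for an execution that was stored with a non-DISABLED requirement before the feature was turned off, since `getRequirementChoices()` appears to limit only what can be selected, not what is already saved. The rationale from the deleted `SpnegoDisabledAuthenticatorFactory` Javadoc is also lost; I would carry it onto the field, e.g. `/** Returned when the KERBEROS feature is disabled; kept because the SPNEGO execution is added to the realm browser flow by default. */`.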


@ -1,65 +0,0 @@
/*
* Copyright 2023 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.keycloak.authentication.authenticators.browser;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.common.Profile;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
/**
* Factory used only when KERBEROS feature is disabled. This exists due the KERBEROS authenticator is added by default to realm browser flow (even if DISABLED by default)
*
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class SpnegoDisabledAuthenticatorFactory extends SpnegoAuthenticatorFactory implements AuthenticatorFactory {
@Override
public Authenticator create(KeycloakSession session) {
return new SpnegoDisabledAuthenticator();
}
@Override
public String getHelpText() {
return "DISABLED. Please enable Kerberos feature and make sure Kerberos available in your platform. Initiates the SPNEGO protocol. Most often used with Kerberos.";
}
@Override
public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
return new AuthenticationExecutionModel.Requirement[]{ AuthenticationExecutionModel.Requirement.DISABLED };
}
@Override
public boolean isSupported() {
return !Profile.isFeatureEnabled(Profile.Feature.KERBEROS);
}
public static class SpnegoDisabledAuthenticator extends SpnegoAuthenticator {
@Override
public void authenticate(AuthenticationFlowContext context) {
throw new IllegalStateException("Not possible to authenticate as Kerberos feature is disabled");
}
}
}


@ -21,7 +21,6 @@ org.keycloak.authentication.authenticators.browser.UsernameFormFactory
org.keycloak.authentication.authenticators.browser.PasswordFormFactory org.keycloak.authentication.authenticators.browser.PasswordFormFactory
org.keycloak.authentication.authenticators.browser.OTPFormAuthenticatorFactory org.keycloak.authentication.authenticators.browser.OTPFormAuthenticatorFactory
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory
org.keycloak.authentication.authenticators.browser.SpnegoDisabledAuthenticatorFactory
org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticatorFactory org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticatorFactory
org.keycloak.authentication.authenticators.conditional.ConditionalRoleAuthenticatorFactory org.keycloak.authentication.authenticators.conditional.ConditionalRoleAuthenticatorFactory
org.keycloak.authentication.authenticators.conditional.ConditionalUserConfiguredAuthenticatorFactory org.keycloak.authentication.authenticators.conditional.ConditionalUserConfiguredAuthenticatorFactory