Move organization authenticator into conditional subflows in the default browser and first broker login flows
Closes #29446 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
This commit is contained in:
parent
bb1284704d
commit
37f85937a7
4 changed files with 96 additions and 18 deletions
|
@ -17,6 +17,7 @@
|
|||
|
||||
package org.keycloak.organization.jpa;
|
||||
|
||||
import org.keycloak.Config;
|
||||
import org.keycloak.Config.Scope;
|
||||
import org.keycloak.models.GroupModel;
|
||||
import org.keycloak.models.GroupModel.GroupEvent;
|
||||
|
@ -88,8 +89,8 @@ public class JpaOrganizationProviderFactory implements OrganizationProviderFacto
|
|||
}
|
||||
|
||||
private void addOrganizationFirstBrokerFlowStep(RealmModel realm) {
|
||||
AuthenticationFlowModel firstBrokerLoginFlow = realm.getFirstBrokerLoginFlow();
|
||||
|
||||
AuthenticationFlowModel firstBrokerLoginFlow = realm.getFirstBrokerLoginFlow();
|
||||
if (firstBrokerLoginFlow == null) {
|
||||
return;
|
||||
}
|
||||
|
@ -100,18 +101,44 @@ public class JpaOrganizationProviderFactory implements OrganizationProviderFacto
|
|||
return;
|
||||
}
|
||||
|
||||
if (!Config.getAdminRealm().equals(realm.getName())) {
|
||||
// do not add the org flows to the master realm for now.
|
||||
AuthenticationFlowModel conditionalOrg = new AuthenticationFlowModel();
|
||||
conditionalOrg.setTopLevel(false);
|
||||
conditionalOrg.setBuiltIn(true);
|
||||
conditionalOrg.setAlias("First Broker Login - Conditional Organization");
|
||||
conditionalOrg.setDescription("Flow to determine if the authenticator that adds organization members is to be used");
|
||||
conditionalOrg.setProviderId("basic-flow");
|
||||
conditionalOrg = realm.addAuthenticationFlow(conditionalOrg);
|
||||
AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
|
||||
execution.setParentFlow(firstBrokerLoginFlow.getId());
|
||||
execution.setRequirement(AuthenticationExecutionModel.Requirement.CONDITIONAL);
|
||||
execution.setFlowId(conditionalOrg.getId());
|
||||
execution.setPriority(50);
|
||||
execution.setAuthenticatorFlow(true);
|
||||
realm.addAuthenticatorExecution(execution);
|
||||
|
||||
execution = new AuthenticationExecutionModel();
|
||||
execution.setParentFlow(conditionalOrg.getId());
|
||||
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
|
||||
execution.setAuthenticator("conditional-user-configured");
|
||||
execution.setPriority(10);
|
||||
execution.setAuthenticatorFlow(false);
|
||||
realm.addAuthenticatorExecution(execution);
|
||||
|
||||
execution = new AuthenticationExecutionModel();
|
||||
execution.setParentFlow(conditionalOrg.getId());
|
||||
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
|
||||
execution.setAuthenticator(IdpOrganizationAuthenticatorFactory.ID);
|
||||
execution.setPriority(50);
|
||||
execution.setPriority(20);
|
||||
execution.setAuthenticatorFlow(false);
|
||||
realm.addAuthenticatorExecution(execution);
|
||||
}
|
||||
}
|
||||
|
||||
public void addOrganizationBrowserFlowStep(RealmModel realm) {
|
||||
AuthenticationFlowModel browserFlow = realm.getBrowserFlow();
|
||||
|
||||
AuthenticationFlowModel browserFlow = realm.getBrowserFlow();
|
||||
if (browserFlow == null) {
|
||||
return;
|
||||
}
|
||||
|
@ -122,14 +149,52 @@ public class JpaOrganizationProviderFactory implements OrganizationProviderFacto
|
|||
return;
|
||||
}
|
||||
|
||||
if (!Config.getAdminRealm().equals(realm.getName())) {
|
||||
// do not add the org flows to the master realm for now.
|
||||
AuthenticationFlowModel organizations = new AuthenticationFlowModel();
|
||||
organizations.setTopLevel(false);
|
||||
organizations.setBuiltIn(true);
|
||||
organizations.setAlias("Organization");
|
||||
organizations.setProviderId("basic-flow");
|
||||
organizations = realm.addAuthenticationFlow(organizations);
|
||||
AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
|
||||
|
||||
execution.setParentFlow(browserFlow.getId());
|
||||
execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
|
||||
execution.setAuthenticator(OrganizationAuthenticatorFactory.ID);
|
||||
execution.setFlowId(organizations.getId());
|
||||
execution.setPriority(26);
|
||||
execution.setAuthenticatorFlow(false);
|
||||
execution.setAuthenticatorFlow(true);
|
||||
realm.addAuthenticatorExecution(execution);
|
||||
|
||||
AuthenticationFlowModel conditionalOrg = new AuthenticationFlowModel();
|
||||
conditionalOrg.setTopLevel(false);
|
||||
conditionalOrg.setBuiltIn(true);
|
||||
conditionalOrg.setAlias("Browser - Conditional Organization");
|
||||
conditionalOrg.setDescription("Flow to determine if the organization identity-first login is to be used");
|
||||
conditionalOrg.setProviderId("basic-flow");
|
||||
conditionalOrg = realm.addAuthenticationFlow(conditionalOrg);
|
||||
execution = new AuthenticationExecutionModel();
|
||||
execution.setParentFlow(organizations.getId());
|
||||
execution.setRequirement(AuthenticationExecutionModel.Requirement.CONDITIONAL);
|
||||
execution.setFlowId(conditionalOrg.getId());
|
||||
execution.setPriority(10);
|
||||
execution.setAuthenticatorFlow(true);
|
||||
realm.addAuthenticatorExecution(execution);
|
||||
|
||||
execution = new AuthenticationExecutionModel();
|
||||
execution.setParentFlow(conditionalOrg.getId());
|
||||
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
|
||||
execution.setAuthenticator("conditional-user-configured");
|
||||
execution.setPriority(10);
|
||||
execution.setAuthenticatorFlow(false);
|
||||
realm.addAuthenticatorExecution(execution);
|
||||
|
||||
execution = new AuthenticationExecutionModel();
|
||||
execution.setParentFlow(conditionalOrg.getId());
|
||||
execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
|
||||
execution.setAuthenticator(OrganizationAuthenticatorFactory.ID);
|
||||
execution.setPriority(20);
|
||||
execution.setAuthenticatorFlow(false);
|
||||
realm.addAuthenticatorExecution(execution);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -77,7 +77,7 @@ public class IdpOrganizationAuthenticatorFactory implements AuthenticatorFactory
|
|||
|
||||
@Override
|
||||
public String getDisplayType() {
|
||||
return "Organization";
|
||||
return "Organization Member Onboard";
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -190,4 +190,9 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
|
|||
|
||||
return email.substring(domainSeparator + 1);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
|
||||
return realm.isOrganizationsEnabled();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,6 +17,8 @@
|
|||
|
||||
package org.keycloak.organization.authentication.authenticators.browser;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.keycloak.Config.Scope;
|
||||
import org.keycloak.authentication.Authenticator;
|
||||
import org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticatorFactory;
|
||||
|
@ -24,6 +26,7 @@ import org.keycloak.common.Profile;
|
|||
import org.keycloak.common.Profile.Feature;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.provider.EnvironmentDependentProviderFactory;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
|
@ -39,7 +42,7 @@ public class OrganizationAuthenticatorFactory extends IdentityProviderAuthentica
|
|||
|
||||
@Override
|
||||
public String getDisplayType() {
|
||||
return "Organization Identity Provider Redirector";
|
||||
return "Organization Identity-First Login";
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -56,4 +59,9 @@ public class OrganizationAuthenticatorFactory extends IdentityProviderAuthentica
|
|||
public boolean isSupported(Scope config) {
|
||||
return Profile.isFeatureEnabled(Feature.ORGANIZATION);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<ProviderConfigProperty> getConfigProperties() { // org identity-first login
|
||||
return List.of();
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue