KEYCLOAK-12900 NullPointerException during WebAuthn Registration (#6732)

This commit is contained in:
Martin Bartoš 2020-02-05 17:01:36 +01:00 committed by GitHub
parent 9b2e7f6e2c
commit 7dec314ed0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 17 additions and 12 deletions

View file

@ -44,6 +44,7 @@ public interface WebAuthnConstants {
final String ALLOWED_AUTHENTICATORS = "authenticators"; final String ALLOWED_AUTHENTICATORS = "authenticators";
final String IS_USER_IDENTIFIED = "isUserIdentified"; final String IS_USER_IDENTIFIED = "isUserIdentified";
final String USER_VERIFICATION = "userVerification"; final String USER_VERIFICATION = "userVerification";
final String IS_SET_RETRY = "isSetRetry";
// Event key for credential id generated by navigator.credentials.create() // Event key for credential id generated by navigator.credentials.create()

View file

@ -61,7 +61,6 @@ public class WebAuthnAuthenticator implements Authenticator, CredentialValidator
private static final Logger logger = Logger.getLogger(WebAuthnAuthenticator.class); private static final Logger logger = Logger.getLogger(WebAuthnAuthenticator.class);
private KeycloakSession session; private KeycloakSession session;
private WebAuthnAuthenticatorsBean authenticators;
public WebAuthnAuthenticator(KeycloakSession session) { public WebAuthnAuthenticator(KeycloakSession session) {
this.session = session; this.session = session;
@ -84,7 +83,7 @@ public class WebAuthnAuthenticator implements Authenticator, CredentialValidator
boolean isUserIdentified = false; boolean isUserIdentified = false;
if (user != null) { if (user != null) {
// in 2 Factor Scenario where the user has already been identified // in 2 Factor Scenario where the user has already been identified
authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, getCredentialType()); WebAuthnAuthenticatorsBean authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, getCredentialType());
if (authenticators.getAuthenticators().isEmpty()) { if (authenticators.getAuthenticators().isEmpty()) {
// require the user to register webauthn authenticator // require the user to register webauthn authenticator
return; return;
@ -287,8 +286,12 @@ public class WebAuthnAuthenticator implements Authenticator, CredentialValidator
private Response createErrorResponse(AuthenticationFlowContext context, final String errorCase) { private Response createErrorResponse(AuthenticationFlowContext context, final String errorCase) {
LoginFormsProvider provider = context.form().setError(errorCase); LoginFormsProvider provider = context.form().setError(errorCase);
if (authenticators != null && authenticators.getAuthenticators() != null) { UserModel user = context.getUser();
provider.setAttribute(WebAuthnConstants.ALLOWED_AUTHENTICATORS, authenticators); if (user != null) {
WebAuthnAuthenticatorsBean authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, getCredentialType());
if (authenticators.getAuthenticators() != null) {
provider.setAttribute(WebAuthnConstants.ALLOWED_AUTHENTICATORS, authenticators);
}
} }
return provider.createWebAuthnErrorPage(); return provider.createWebAuthnErrorPage();
} }

View file

@ -165,6 +165,12 @@ public class WebAuthnRegister implements RequiredActionProvider, CredentialRegis
MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters(); MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
String isSetRetry = params.getFirst(WebAuthnConstants.IS_SET_RETRY);
if (isSetRetry != null && !isSetRetry.isEmpty()) {
requiredActionChallenge(context);
return;
}
context.getEvent().detail(Details.CREDENTIAL_TYPE, getCredentialType()); context.getEvent().detail(Details.CREDENTIAL_TYPE, getCredentialType());
// receive error from navigator.credentials.create() // receive error from navigator.credentials.create()
@ -329,7 +335,6 @@ public class WebAuthnRegister implements RequiredActionProvider, CredentialRegis
private static final String ERR_LABEL = "web_authn_registration_error"; private static final String ERR_LABEL = "web_authn_registration_error";
private static final String ERR_DETAIL_LABEL = "web_authn_registration_error_detail"; private static final String ERR_DETAIL_LABEL = "web_authn_registration_error_detail";
private static final String REGISTRATION_ATTR = "webAuthnRegistration";
private void setErrorResponse(RequiredActionContext context, final String errorCase, final String errorMessage) { private void setErrorResponse(RequiredActionContext context, final String errorCase, final String errorMessage) {
Response errorResponse = null; Response errorResponse = null;
@ -343,7 +348,6 @@ public class WebAuthnRegister implements RequiredActionProvider, CredentialRegis
errorResponse = context.form() errorResponse = context.form()
.setError(errorCase) .setError(errorCase)
.setAttribute(WEB_AUTHN_TITLE_ATTR, WEBAUTHN_REGISTER_TITLE) .setAttribute(WEB_AUTHN_TITLE_ATTR, WEBAUTHN_REGISTER_TITLE)
.setAttribute(REGISTRATION_ATTR,true)
.createWebAuthnErrorPage(); .createWebAuthnErrorPage();
context.challenge(errorResponse); context.challenge(errorResponse);
break; break;
@ -356,7 +360,6 @@ public class WebAuthnRegister implements RequiredActionProvider, CredentialRegis
errorResponse = context.form() errorResponse = context.form()
.setError(errorCase) .setError(errorCase)
.setAttribute(WEB_AUTHN_TITLE_ATTR, WEBAUTHN_REGISTER_TITLE) .setAttribute(WEB_AUTHN_TITLE_ATTR, WEBAUTHN_REGISTER_TITLE)
.setAttribute(REGISTRATION_ATTR,true)
.createWebAuthnErrorPage(); .createWebAuthnErrorPage();
context.challenge(errorResponse); context.challenge(errorResponse);
break; break;

View file

@ -6,10 +6,7 @@
<script type="text/javascript"> <script type="text/javascript">
refreshPage = () => { refreshPage = () => {
if ('${execution}' === "webauthn-register") { document.getElementById('isSetRetry').value = 'retry';
location.reload();
return false;
}
document.getElementById('executionValue').value = '${execution}'; document.getElementById('executionValue').value = '${execution}';
document.getElementById('kc-error-credential-form').submit(); document.getElementById('kc-error-credential-form').submit();
} }
@ -18,13 +15,14 @@
<form id="kc-error-credential-form" class="${properties.kcFormClass!}" action="${url.loginAction}" <form id="kc-error-credential-form" class="${properties.kcFormClass!}" action="${url.loginAction}"
method="post"> method="post">
<input type="hidden" id="executionValue" name="authenticationExecution"/> <input type="hidden" id="executionValue" name="authenticationExecution"/>
<input type="hidden" id="isSetRetry" name="isSetRetry"/>
</form> </form>
<#if authenticators??> <#if authenticators??>
<table class="table"> <table class="table">
<thead> <thead>
<tr> <tr>
<th>${kcSanitize(msg("webauthn-available-authenticators")?no_esc)}</th> <th>${kcSanitize(msg("webauthn-available-authenticators"))?no_esc}</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>