libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

reset password refactor/flow

Browse source
This commit is contained in:
Bill Burke 2015-08-16 12:23:15 -04:00
parent d6983e829a
commit c0f3d851db
46 changed files with 906 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.5.0.xml
View file

@ -52,6 +52,9 @@
<column name="DIRECT_GRANT_FLOW" type="VARCHAR(36)">
<constraints nullable="true"/>
</column>
<column name="RESET_CREDENTIALS_FLOW" type="VARCHAR(36)">
<constraints nullable="true"/>
</column>
</addColumn>
</changeSet>

5
core/src/test/java/org/keycloak/jose/HmacTest.java
View file

@ -19,9 +19,12 @@ public class HmacTest {
@Test
public void testHmacSignatures() throws Exception {
SecretKey secret = new SecretKeySpec(UUID.randomUUID().toString().getBytes(), "HmacSHA256");
String encoded = new JWSBuilder().content("hello world".getBytes())
String encoded = new JWSBuilder().content("12345678901234567890".getBytes())
.hmac256(secret);
System.out.println("length: " + encoded.length());
JWSInput input = new JWSInput(encoded);
Assert.assertTrue(HMACProvider.verify(input, secret));
}
}

2
forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js
View file

@ -363,7 +363,7 @@ module.controller('UserDetailCtrl', function($scope, realm, user, BruteForceUser
}
}
// ID - Name map for required actions. IDs are enum names.
RequiredActions.query({id: realm.realm}, function(data) {
RequiredActions.query({realm: realm.realm}, function(data) {
$scope.userReqActionList = [];
for (var i = 0; i < data.length; i++) {
console.log("listed required action: " + data[i].name);

11
forms/common-themes/src/main/resources/theme/base/admin/resources/partials/authentication-flow-bindings.html
View file

@ -35,6 +35,17 @@
<kc-tooltip>Select the flow you want to use for direct grant authentication.</kc-tooltip>
</div>
<div class="form-group">
<label for="resetCredentials" class="col-md-2 control-label">Reset Credentials</label>
<div class="col-md-2">
<div>
<select id="resetCredentials" ng-model="realm.resetCredentialsFlow" class="form-control" ng-options="flow.alias as flow.alias for flow in flows">
</select>
</div>
</div>
<kc-tooltip>Select the flow you want to use when the user has forgotten their credentials.</kc-tooltip>
</div>
<div class="form-group" data-ng-show="access.manageRealm">
<div class="col-md-12">
<button kc-save data-ng-disabled="!changed">Save</button>

2
forms/common-themes/src/main/resources/theme/base/login/login-reset-password.ftl
View file

@ -5,7 +5,7 @@
<#elseif section = "header">
${msg("emailForgotTitle")}
<#elseif section = "form">
<form id="kc-reset-password-form" class="${properties.kcFormClass!}" action="${url.loginPasswordResetUrl}" method="post">
<form id="kc-reset-password-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
<div class="${properties.kcFormGroupClass!}">
<div class="${properties.kcLabelWrapperClass!}">
<label for="username" class="${properties.kcLabelClass!}">${msg("usernameOrEmail")}</label>

2
forms/common-themes/src/main/resources/theme/base/login/login.ftl
View file

@ -42,7 +42,7 @@
</#if>
<div class="${properties.kcFormOptionsWrapperClass!}">
<#if realm.resetPasswordAllowed>
<span><a href="${url.loginPasswordResetUrl}">${msg("doForgotPassword")}</a></span>
<span><a href="${url.loginResetCredentialsUrl}">${msg("doForgotPassword")}</a></span>
</#if>
</div>
</div>

2
forms/common-themes/src/main/resources/theme/base/login/messages/messages_de.properties
View file

@ -80,7 +80,9 @@ emailVerifyInstruction3=um ein neues E-Mail zu verschicken.
backToLogin=&laquo; Zur\u00FCck zur Anmeldung
backToApplication=&laquo; Zur\u00FCck zur Applikation
temporaryEmailCode=Temporary Email Code
emailInstruction=Geben Sie ihren Benutzernamen oder E-Mail Adresse ein und klicken Sie auf Absenden. Danach werden wir ihnen ein E-Mail mit weiteren Instruktionen zusenden.
validateResetEmailInstruction=You have just been sent an email. Clicking on the URL in the email will allow you to reset credentials and log in. Alternatively, you can manually enter in the temporary code provided in the email in the textbox to the left and hit submit.
copyCodeInstruction=Bitte kopieren sie den folgenden Code und f\u00FCgen ihn in die Applikation ein\:

2
forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties
View file

@ -81,7 +81,9 @@ emailVerifyInstruction3=to re-send the email.
backToLogin=&laquo; Back to Login
temporaryEmailCode=Temporary Email Code
emailInstruction=Enter your username or email address and we will send you instructions on how to create a new password.
validateResetEmailInstruction=You have just been sent an email. Clicking on the URL in the email will allow you to reset credentials and log in. Alternatively, you can manually enter in the temporary code provided in the email in the textbox to the left and hit submit.
copyCodeInstruction=Please copy this code and paste it into your application:

2
forms/common-themes/src/main/resources/theme/base/login/messages/messages_it.properties
View file

@ -77,7 +77,9 @@ emailVerifyInstruction3=per reinviare la mail.
backToLogin=&laquo; Torna al Login
temporaryEmailCode=Temporary Email Code
emailInstruction=Scrivi il tuo username o indirizzo email e noi ti invieremo le istruzioni per creare una nuova password.
validateResetEmailInstruction=You have just been sent an email. Clicking on the URL in the email will allow you to reset credentials and log in. Alternatively, you can manually enter in the temporary code provided in the email in the textbox to the left and hit submit.
copyCodeInstruction=Copiaquesto codice e incollalo nella tua applicazione:

2
forms/common-themes/src/main/resources/theme/base/login/messages/messages_pt_BR.properties
View file

@ -77,7 +77,9 @@ emailVerifyInstruction3=para reenviar o e-mail.
backToLogin=&laquo; Voltar
temporaryEmailCode=Temporary Email Code
emailInstruction=Digite seu nome de usu\u00E1rio ou endere\u00E7o de email e n\u00F3s lhe enviaremos instru\u00E7\u00F5es sobre como criar uma nova senha.
validateResetEmailInstruction=You have just been sent an email. Clicking on the URL in the email will allow you to reset credentials and log in. Alternatively, you can manually enter in the temporary code provided in the email in the textbox to the left and hit submit.
copyCodeInstruction=Por favor, copie o c\u00F3digo e cole-o em sua aplica\u00E7\u00E3o:

33
forms/common-themes/src/main/resources/theme/base/login/validate-reset-email.ftl Executable file
View file

@ -0,0 +1,33 @@
<#import "template.ftl" as layout>
<@layout.registrationLayout displayInfo=true; section>
<#if section = "title">
${msg("emailForgotTitle")}
<#elseif section = "header">
${msg("emailForgotTitle")}
<#elseif section = "form">
<form id="kc-reset-password-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
<div class="${properties.kcFormGroupClass!}">
<div class="${properties.kcLabelWrapperClass!}">
<label for="otp" class="${properties.kcLabelClass!}">${msg("temporaryEmailCode")}</label>
</div>
<div class="${properties.kcInputWrapperClass!}">
<input type="text" id="key" name="key" class="${properties.kcInputClass!}" />
</div>
</div>
<div class="${properties.kcFormGroupClass!}">
<div id="kc-form-options" class="${properties.kcFormOptionsClass!}">
<div class="${properties.kcFormOptionsWrapperClass!}">
<span><a href="${url.loginUrl}">${msg("backToLogin")}</a></span>
</div>
</div>
<div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
<input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("doSubmit")}"/>
</div>
</div>
</form>
<#elseif section = "info" >
${msg("validateResetEmailInstruction")}
</#if>
</@layout.registrationLayout>

5
forms/common-themes/src/main/resources/theme/keycloak/email/html/changePassword.ftl Executable file
View file

@ -0,0 +1,5 @@
<html>
<body>
${msg("changePasswordBodyHtml",link, linkExpiration, realmName)}
</body>
</html>

2
forms/common-themes/src/main/resources/theme/keycloak/email/html/password-reset.ftl Normal file → Executable file
View file

@ -1,5 +1,5 @@
<html>
<body>
${msg("passwordResetBodyHtml",link, linkExpiration, realmName)}
${msg("passwordResetBodyHtml",link, linkExpiration, realmName, code)}
</body>
</html>

7
forms/common-themes/src/main/resources/theme/keycloak/email/messages/messages_de.properties Normal file → Executable file
View file

@ -1,7 +1,10 @@
emailVerificationSubject=E-Mail verifizieren
passwordResetSubject=Passwort zur\u00FCckzusetzen
passwordResetBody=Jemand hat angefordert Ihr {2} Passwort zur\u00FCckzusetzen. Falls das Sie waren, dann klicken Sie auf den folgenden Link um das Passwort zur\u00FCckzusetzen.\n\n{0}\n\nDieser Link wird in {1} Minuten ablaufen.\n\nFalls Sie das Passwort nicht zur\u00FCcksetzen m\u00F6chten, dann k\u00F6nnen Sie diese E-Mail ignorieren.
passwordResetBodyHtml=<p>Jemand hat angefordert Ihr {2} Passwort zur\u00FCckzusetzen. Falls das Sie waren, dann klicken Sie auf den folgenden Link um das Passwort zur\u00FCckzusetzen.</p><p><a href="{0}">{0}</a></p><p>Dieser Link wird in {1} Minuten ablaufen.</p><p>Falls Sie das Passwort nicht zur\u00FCcksetzen m\u00F6chten, dann k\u00F6nnen Sie diese E-Mail ignorieren.</p>
passwordResetBody=Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password or cut and paste the temporary code to the forgot password form.\n\n{0}\n\nTemporary Code: {3}\n\nThis link and code will expire within {1} minutes.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
passwordResetBodyHtml=<p>Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password or cut and paste the temporary code to the forgot password form</p><p><a href="{0}">{0}</a></p><p>Temporary code: {3}<p>This link will expire within {1} minutes.</p><p>If you don''t want to reset your password, just ignore this message and nothing will be changed.</p>
changePasswordSubject=Change password
changePasswordBody=Your adminstrator has just requested that you change your {2} account''s password. Click on the link below to set a new password\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
changePasswordBodyHtml=<p>Your adminstrator has just requested that you change your {2} account''s password. Click on the link below to set a new password</p><p><a href="{0}">{0}</a></p><p>This link will expire within {1} minutes.</p><p>If you don''t want to reset your password, just ignore this message and nothing will be changed.</p>
emailVerificationBody=Jemand hat ein {2} Konto mit dieser E-Mail Adresse erstellt. Fall das Sie waren, dann klicken Sie auf den Link um die E-Mail Adresse zu verifizieren.\n\n{0}\n\nDieser Link wird in {1} Minuten ablaufen.\n\nFalls Sie dieses Konto nicht erstellt haben, dann k\u00F6nnen sie diese Nachricht ignorieren.
emailVerificationBodyHtml=<p>Jemand hat ein {2} Konto mit dieser E-Mail Adresse erstellt. Fall das Sie waren, dann klicken Sie auf den Link um die E-Mail Adresse zu verifizieren.</p><p><a href="{0}">{0}</a></p><p>Dieser Link wird in {1} Minuten ablaufen.</p><p>Falls Sie dieses Konto nicht erstellt haben, dann k\u00F6nnen sie diese Nachricht ignorieren.</p>
eventLoginErrorSubject=Fehlgeschlagene Anmeldung

7
forms/common-themes/src/main/resources/theme/keycloak/email/messages/messages_en.properties
View file

@ -2,8 +2,11 @@ emailVerificationSubject=Verify email
emailVerificationBody=Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you didn''t create this account, just ignore this message.
emailVerificationBodyHtml=<p>Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address</p><p><a href="{0}">{0}</a></p><p>This link will expire within {1} minutes.</p><p>If you didn''t create this account, just ignore this message.</p>
passwordResetSubject=Reset password
passwordResetBody=Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
passwordResetBodyHtml=<p>Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password</p><p><a href="{0}">{0}</a></p><p>This link will expire within {1} minutes.</p><p>If you don''t want to reset your password, just ignore this message and nothing will be changed.</p>
passwordResetBody=Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password or cut and paste the temporary code to the forgot password form.\n\n{0}\n\nTemporary Code: {3}\n\nThis link and code will expire within {1} minutes.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
passwordResetBodyHtml=<p>Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password or cut and paste the temporary code to the forgot password form</p><p><a href="{0}">{0}</a></p><p>Temporary code: {3}<p>This link will expire within {1} minutes.</p><p>If you don''t want to reset your password, just ignore this message and nothing will be changed.</p>
changePasswordSubject=Change password
changePasswordBody=Your adminstrator has just requested that you change your {2} account''s password. Click on the link below to set a new password\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
changePasswordBodyHtml=<p>Your adminstrator has just requested that you change your {2} account''s password. Click on the link below to set a new password</p><p><a href="{0}">{0}</a></p><p>This link will expire within {1} minutes.</p><p>If you don''t want to reset your password, just ignore this message and nothing will be changed.</p>
eventLoginErrorSubject=Login error
eventLoginErrorBody=A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an admin.
eventLoginErrorBodyHtml=<p>A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an admin.</p>

7
forms/common-themes/src/main/resources/theme/keycloak/email/messages/messages_pt_BR.properties Normal file → Executable file
View file

@ -2,8 +2,11 @@ emailVerificationSubject=Verifica\u00E7\u00E3o de e-mail
emailVerificationBody=Algu\u00E9m criou uma conta {2} com este endere\u00E7o de e-mail. Se foi voc\u00EA, clique no link abaixo para verificar o seu endere\u00E7o de email\n\n{0}\n\nEste link ir\u00E1 expirar dentro de {1} minutos.\n\nSe n\u00E3o foi voc\u00EA que criou esta conta, basta ignorar esta mensagem.
emailVerificationBodyHtml=<p>Algu\u00E9m criou uma conta {2} com este endere\u00E7o de e-mail. Se foi voc\u00EA, clique no link abaixo para verificar o seu endere\u00E7o de email</p><p><a href="{0}">{0}</a></p><p>Este link ir\u00E1 expirar dentro de {1} minutos.</p><p>Se n\u00E3o foi voc\u00EA que criou esta conta, basta ignorar esta mensagem.</p>
passwordResetSubject=Redefini\u00E7\u00E3o de senha
passwordResetBody=Algu\u00E9m pediu para mudar a senha de sua conta {2}. Se foi voc\u00EA, clique no link abaixo para definir uma nova senha\n\n{0}\n\nEste link ir\u00E1 expirar dentro de {1} minutos.\n\nSe voc\u00EA n\u00E3o deseja redefinir sua senha, basta ignorar esta mensagem e nada ser\u00E1 mudado.
passwordResetBodyHtml=<p>Algu\u00E9m pediu para mudar a senha de sua conta {2}. Se foi voc\u00EA, clique no link abaixo para definir uma nova senha</p><p><a href="{0}">{0}</a></p><p>Este link ir\u00E1 expirar dentro de {1} minutos.</p><p>Se voc\u00EA n\u00E3o deseja redefinir sua senha, basta ignorar esta mensagem e nada ser\u00E1 mudado.</p>
passwordResetBody=Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password or cut and paste the temporary code to the forgot password form.\n\n{0}\n\nTemporary Code: {3}\n\nThis link and code will expire within {1} minutes.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
passwordResetBodyHtml=<p>Someone just requested to change your {2} account''s password. If this was you, click on the link below to set a new password or cut and paste the temporary code to the forgot password form</p><p><a href="{0}">{0}</a></p><p>Temporary code: {3}<p>This link will expire within {1} minutes.</p><p>If you don''t want to reset your password, just ignore this message and nothing will be changed.</p>
changePasswordSubject=Change password
changePasswordBody=Your adminstrator has just requested that you change your {2} account''s password. Click on the link below to set a new password\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
changePasswordBodyHtml=<p>Your adminstrator has just requested that you change your {2} account''s password. Click on the link below to set a new password</p><p><a href="{0}">{0}</a></p><p>This link will expire within {1} minutes.</p><p>If you don''t want to reset your password, just ignore this message and nothing will be changed.</p>
eventLoginErrorSubject=Erro de login
eventLoginErrorBody=Uma tentativa de login mal sucedida para a sua conta foi detectada em {0} de {1}. Se n\u00E3o foi voc\u00EA, por favor, entre em contato com um administrador.
eventLoginErrorBodyHtml=<p>Uma tentativa de login mal sucedida para a sua conta foi detectada em {0} de {1}. Se n\u00E3o foi voc\u00EA, por favor, entre em contato com um administrador.</p>

1
forms/common-themes/src/main/resources/theme/keycloak/email/text/changePassword.ftl Executable file
View file

@ -0,0 +1 @@
${msg("changePasswordBody",link, linkExpiration, realmName)}

2
forms/common-themes/src/main/resources/theme/keycloak/email/text/password-reset.ftl Normal file → Executable file
View file

@ -1 +1 @@
${msg("passwordResetBody",link, linkExpiration, realmName)}
${msg("passwordResetBody",link, linkExpiration, realmName, code)}

19
forms/email-api/src/main/java/org/keycloak/email/EmailProvider.java Normal file → Executable file
View file

@ -16,7 +16,24 @@ public interface EmailProvider extends Provider {
public void sendEvent(Event event) throws EmailException;
public void sendPasswordReset(String link, long expirationInMinutes) throws EmailException;
/**
* Reset password sent from forgot password link on login
*
* @param code
* @param link
* @param expirationInMinutes
* @throws EmailException
*/
public void sendPasswordReset(String code, String link, long expirationInMinutes) throws EmailException;
/**
* Change password email requested by admin
*
* @param link
* @param expirationInMinutes
* @throws EmailException
*/
public void sendChangePassword(String link, long expirationInMinutes) throws EmailException;
public void sendVerifyEmail(String link, long expirationInMinutes) throws EmailException;

18
forms/email-freemarker/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailProvider.java
View file

@ -70,7 +70,20 @@ public class FreeMarkerEmailProvider implements EmailProvider {
}
@Override
public void sendPasswordReset(String link, long expirationInMinutes) throws EmailException {
public void sendPasswordReset(String code, String link, long expirationInMinutes) throws EmailException {
Map<String, Object> attributes = new HashMap<String, Object>();
attributes.put("link", link);
attributes.put("linkExpiration", expirationInMinutes);
attributes.put("code", code);
String realmName = realm.getName().substring(0, 1).toUpperCase() + realm.getName().substring(1);
attributes.put("realmName", realmName);
send("passwordResetSubject", "password-reset.ftl", attributes);
}
@Override
public void sendChangePassword(String link, long expirationInMinutes) throws EmailException {
Map<String, Object> attributes = new HashMap<String, Object>();
attributes.put("link", link);
attributes.put("linkExpiration", expirationInMinutes);
@ -78,7 +91,8 @@ public class FreeMarkerEmailProvider implements EmailProvider {
String realmName = realm.getName().substring(0, 1).toUpperCase() + realm.getName().substring(1);
attributes.put("realmName", realmName);
send("passwordResetSubject", "password-reset.ftl", attributes);
send("changePasswordSubject", "changePassword.ftl", attributes);
}
@Override

4
forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/UrlBean.java
View file

@ -78,8 +78,8 @@ public class UrlBean {
return Urls.loginActionUpdateProfile(baseURI, realm).toString();
}
public String getLoginPasswordResetUrl() {
return Urls.loginPasswordReset(baseURI, realm).toString();
public String getLoginResetCredentialsUrl() {
return Urls.loginResetCredentials(baseURI, realm).toString();
}
public String getLoginUsernameReminderUrl() {

2
model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java
View file

@ -45,7 +45,7 @@ public class MigrationModelManager {
if (stored != null) {
logger.debug("Migrating older model to 1.5.0 updates");
}
new MigrateTo1_4_0().migrate(session);
new MigrateTo1_5_0().migrate(session);
}
model.setStoredVersion(MigrationModel.LATEST_VERSION);

2
model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_5_0.java
View file

@ -24,10 +24,12 @@ public class MigrateTo1_5_0 {
public void migrate(KeycloakSession session) {
List<RealmModel> realms = session.realms().getRealms();
for (RealmModel realm : realms) {
DefaultAuthenticationFlows.migrateFlows(realm); // add reset credentials flo
realm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
realm.setBrowserFlow(realm.getFlowByAlias(DefaultAuthenticationFlows.BROWSER_FLOW));
realm.setRegistrationFlow(realm.getFlowByAlias(DefaultAuthenticationFlows.REGISTRATION_FLOW));
realm.setDirectGrantFlow(realm.getFlowByAlias(DefaultAuthenticationFlows.DIRECT_GRANT_FLOW));
realm.setResetCredentialsFlow(realm.getFlowByAlias(DefaultAuthenticationFlows.RESET_CREDENTIALS_FLOW));
}
}

3
model/api/src/main/java/org/keycloak/models/RealmModel.java
View file

@ -191,6 +191,9 @@ public interface RealmModel extends RoleContainerModel {
AuthenticationFlowModel getDirectGrantFlow();
void setDirectGrantFlow(AuthenticationFlowModel flow);
AuthenticationFlowModel getResetCredentialsFlow();
void setResetCredentialsFlow(AuthenticationFlowModel flow);
List<AuthenticationFlowModel> getAuthenticationFlows();
AuthenticationFlowModel getFlowByAlias(String alias);
AuthenticationFlowModel addAuthenticationFlow(AuthenticationFlowModel model);

9
model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java
View file

@ -89,6 +89,7 @@ public class RealmEntity extends AbstractIdentifiableEntity {
private String browserFlow;
private String registrationFlow;
private String directGrantFlow;
private String resetCredentialsFlow;
public String getName() {
@ -593,6 +594,14 @@ public class RealmEntity extends AbstractIdentifiableEntity {
public void setDirectGrantFlow(String directGrantFlow) {
this.directGrantFlow = directGrantFlow;
}
public String getResetCredentialsFlow() {
return resetCredentialsFlow;
}
public void setResetCredentialsFlow(String resetCredentialsFlow) {
this.resetCredentialsFlow = resetCredentialsFlow;
}
}

60
model/api/src/main/java/org/keycloak/models/utils/DefaultAuthenticationFlows.java
View file

@ -15,22 +15,22 @@ public class DefaultAuthenticationFlows {
public static final String REGISTRATION_FORM_FLOW = "registration form";
public static final String BROWSER_FLOW = "browser";
public static final String DIRECT_GRANT_FLOW = "direct grant";
public static final String RESET_CREDENTIALS_FLOW = "reset credentials";
public static final String LOGIN_FORMS_FLOW = "forms";
public static void addFlows(RealmModel realm) {
if (realm.getFlowByAlias(BROWSER_FLOW) == null) browserFlow(realm);
if (realm.getFlowByAlias(DIRECT_GRANT_FLOW) == null) directGrantFlow(realm, false);
if (realm.getFlowByAlias(REGISTRATION_FLOW) == null) registrationFlow(realm);
if (realm.getFlowByAlias(RESET_CREDENTIALS_FLOW) == null) resetCredentialsFlow(realm);
}
public static void migrateFlows(RealmModel realm) {
browserFlow(realm, true);
directGrantFlow(realm, true);
if (realm.getFlowByAlias(BROWSER_FLOW) == null) browserFlow(realm, true);
if (realm.getFlowByAlias(DIRECT_GRANT_FLOW) == null) directGrantFlow(realm, true);
if (realm.getFlowByAlias(REGISTRATION_FLOW) == null) registrationFlow(realm);
if (realm.getFlowByAlias(RESET_CREDENTIALS_FLOW) == null) resetCredentialsFlow(realm);
}
public static void registrationFlow(RealmModel realm) {
AuthenticationFlowModel registrationFlow = new AuthenticationFlowModel();
registrationFlow.setAlias(REGISTRATION_FLOW);
@ -118,6 +118,53 @@ public class DefaultAuthenticationFlows {
return false;
}
public static void resetCredentialsFlow(RealmModel realm) {
AuthenticationFlowModel grant = new AuthenticationFlowModel();
grant.setAlias(RESET_CREDENTIALS_FLOW);
grant.setDescription("Reset credentials for a user if they forgot their password or something");
grant.setProviderId("basic-flow");
grant.setTopLevel(true);
grant.setBuiltIn(true);
grant = realm.addAuthenticationFlow(grant);
realm.setResetCredentialsFlow(grant);
// username
AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
execution.setParentFlow(grant.getId());
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
execution.setAuthenticator("reset-credentials-choose-user");
execution.setPriority(10);
execution.setAuthenticatorFlow(false);
realm.addAuthenticatorExecution(execution);
// send email
execution = new AuthenticationExecutionModel();
execution.setParentFlow(grant.getId());
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
execution.setAuthenticator("reset-credential-email");
execution.setPriority(20);
execution.setAuthenticatorFlow(false);
realm.addAuthenticatorExecution(execution);
// password
execution = new AuthenticationExecutionModel();
execution.setParentFlow(grant.getId());
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
execution.setAuthenticator("reset-password");
execution.setPriority(30);
execution.setAuthenticatorFlow(false);
realm.addAuthenticatorExecution(execution);
// otp
execution = new AuthenticationExecutionModel();
execution.setParentFlow(grant.getId());
execution.setRequirement(AuthenticationExecutionModel.Requirement.OPTIONAL);
execution.setAuthenticator("reset-otp");
execution.setPriority(40);
execution.setAuthenticatorFlow(false);
realm.addAuthenticatorExecution(execution);
}
public static void directGrantFlow(RealmModel realm, boolean migrate) {
AuthenticationFlowModel grant = new AuthenticationFlowModel();
grant.setAlias(DIRECT_GRANT_FLOW);
@ -160,9 +207,6 @@ public class DefaultAuthenticationFlows {
execution.setPriority(30);
execution.setAuthenticatorFlow(false);
realm.addAuthenticatorExecution(execution);
}
public static void browserFlow(RealmModel realm, boolean migrate) {

13
model/file/src/main/java/org/keycloak/models/file/adapter/RealmAdapter.java
View file

@ -1269,6 +1269,19 @@ public class RealmAdapter implements RealmModel {
}
@Override
public AuthenticationFlowModel getResetCredentialsFlow() {
String flowId = realm.getResetCredentialsFlow();
if (flowId == null) return null;
return getAuthenticationFlowById(flowId);
}
@Override
public void setResetCredentialsFlow(AuthenticationFlowModel flow) {
realm.setResetCredentialsFlow(flow.getId());
}
@Override
public List<AuthenticationFlowModel> getAuthenticationFlows() {

12
model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java vendored
View file

@ -1051,6 +1051,18 @@ public class RealmAdapter implements RealmModel {
getDelegateForUpdate();
updated.setDirectGrantFlow(flow);
}
@Override
public AuthenticationFlowModel getResetCredentialsFlow() {
if (updated != null) return updated.getResetCredentialsFlow();
return cached.getResetCredentialsFlow();
}
@Override
public void setResetCredentialsFlow(AuthenticationFlowModel flow) {
getDelegateForUpdate();
updated.setResetCredentialsFlow(flow);
}
@Override

6
model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java vendored
View file

@ -94,6 +94,7 @@ public class CachedRealm implements Serializable {
private AuthenticationFlowModel browserFlow;
private AuthenticationFlowModel registrationFlow;
private AuthenticationFlowModel directGrantFlow;
private AuthenticationFlowModel resetCredentialsFlow;
private boolean eventsEnabled;
private long eventsExpiration;
@ -221,6 +222,7 @@ public class CachedRealm implements Serializable {
browserFlow = model.getBrowserFlow();
registrationFlow = model.getRegistrationFlow();
directGrantFlow = model.getDirectGrantFlow();
resetCredentialsFlow = model.getResetCredentialsFlow();
}
@ -483,4 +485,8 @@ public class CachedRealm implements Serializable {
public AuthenticationFlowModel getDirectGrantFlow() {
return directGrantFlow;
}
public AuthenticationFlowModel getResetCredentialsFlow() {
return resetCredentialsFlow;
}
}

12
model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
View file

@ -1580,6 +1580,18 @@ public class RealmAdapter implements RealmModel {
}
@Override
public AuthenticationFlowModel getResetCredentialsFlow() {
String flowId = realm.getResetCredentialsFlow();
if (flowId == null) return null;
return getAuthenticationFlowById(flowId);
}
@Override
public void setResetCredentialsFlow(AuthenticationFlowModel flow) {
realm.setResetCredentialsFlow(flow.getId());
}
@Override
public List<AuthenticationFlowModel> getAuthenticationFlows() {
TypedQuery<AuthenticationFlowEntity> query = em.createNamedQuery("getAuthenticationFlowsByRealm", AuthenticationFlowEntity.class);

10
model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
View file

@ -188,6 +188,8 @@ public class RealmEntity {
@Column(name="DIRECT_GRANT_FLOW")
protected String directGrantFlow;
@Column(name="RESET_CREDENTIALS_FLOW")
protected String resetCredentialsFlow;
@ -678,5 +680,13 @@ public class RealmEntity {
public void setDirectGrantFlow(String directGrantFlow) {
this.directGrantFlow = directGrantFlow;
}
public String getResetCredentialsFlow() {
return resetCredentialsFlow;
}
public void setResetCredentialsFlow(String resetCredentialsFlow) {
this.resetCredentialsFlow = resetCredentialsFlow;
}
}

14
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
View file

@ -1351,6 +1351,20 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
}
@Override
public AuthenticationFlowModel getResetCredentialsFlow() {
String flowId = realm.getResetCredentialsFlow();
if (flowId == null) return null;
return getAuthenticationFlowById(flowId);
}
@Override
public void setResetCredentialsFlow(AuthenticationFlowModel flow) {
realm.setResetCredentialsFlow(flow.getId());
updateRealm();
}
@Override
public List<AuthenticationFlowModel> getAuthenticationFlows() {

2
saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
View file

@ -36,6 +36,7 @@ import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.util.StreamUtil;
@ -505,6 +506,7 @@ public class SamlService {
String flowId = flow.getId();
AuthenticationProcessor processor = new AuthenticationProcessor();
processor.setClientSession(clientSession)
.setFlowPath(LoginActionsService.AUTHENTICATE_PATH)
.setFlowId(flowId)
.setConnection(clientConnection)
.setEventBuilder(event)

16
services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java
View file

@ -49,6 +49,7 @@ public class AuthenticationProcessor {
protected EventBuilder event;
protected HttpRequest request;
protected String flowId;
protected String flowPath;
/**
* This could be an error message forwarded from brokering when the broker failed authentication
* and we want to continue authentication locally. forwardedErrorMessage can then be displayed by
@ -131,6 +132,16 @@ public class AuthenticationProcessor {
return this;
}
/**
* This is the path segment to append when generating an action URL.
*
* @param flowPath
*/
public AuthenticationProcessor setFlowPath(String flowPath) {
this.flowPath = flowPath;
return this;
}
public AuthenticationProcessor setForwardedErrorMessage(String forwardedErrorMessage) {
this.forwardedErrorMessage = forwardedErrorMessage;
return this;
@ -358,7 +369,8 @@ public class AuthenticationProcessor {
@Override
public URI getActionUrl(String code) {
return LoginActionsService.authenticationFormProcessor(getUriInfo())
return LoginActionsService.loginActionsBaseUrl(getUriInfo())
.path(AuthenticationProcessor.this.flowPath)
.queryParam(OAuth2Constants.CODE, code)
.queryParam("execution", getExecution().getId())
.build(getRealm().getName());
@ -490,6 +502,8 @@ public class AuthenticationProcessor {
resetFlow(clientSession);
return authenticate();
}
UserModel authUser = clientSession.getAuthenticatedUser();
validateUser(authUser);
AuthenticationExecutionModel model = realm.getAuthenticationExecutionById(execution);
if (model == null) {
logger.debug("Cannot find execution, reseting flow");

92
services/src/main/java/org/keycloak/authentication/authenticators/resetcred/AbstractSetRequiredActionAuthenticator.java Executable file
View file

@ -0,0 +1,92 @@
package org.keycloak.authentication.authenticators.resetcred;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public abstract class AbstractSetRequiredActionAuthenticator implements Authenticator, AuthenticatorFactory {
public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
AuthenticationExecutionModel.Requirement.REQUIRED,
AuthenticationExecutionModel.Requirement.OPTIONAL,
AuthenticationExecutionModel.Requirement.DISABLED
};
@Override
public void action(AuthenticationFlowContext context) {
}
@Override
public boolean requiresUser() {
return true;
}
@Override
public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
}
@Override
public String getReferenceCategory() {
return null;
}
@Override
public boolean isConfigurable() {
return false;
}
@Override
public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
return REQUIREMENT_CHOICES;
}
@Override
public boolean isUserSetupAllowed() {
return false;
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return null;
}
@Override
public void close() {
}
@Override
public Authenticator create(KeycloakSession session) {
return this;
}
@Override
public void init(Config.Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
return true;
}
}

174
services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java Executable file
View file

@ -0,0 +1,174 @@
package org.keycloak.authentication.authenticators.resetcred;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.Urls;
import org.keycloak.services.messages.Messages;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import java.util.List;
import java.util.concurrent.TimeUnit;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class ResetCredentialChooseUser implements Authenticator, AuthenticatorFactory {
public static final String PROVIDER_ID = "reset-credentials-choose-user";
@Override
public void authenticate(AuthenticationFlowContext context) {
Response challenge = context.form().createPasswordReset();
context.challenge(challenge);
}
@Override
public void action(AuthenticationFlowContext context) {
EventBuilder event = context.getEvent();
MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
String username = formData.getFirst("username");
if (username == null || username.isEmpty()) {
event.error(Errors.USERNAME_MISSING);
Response challenge = context.form()
.setError(Messages.MISSING_USERNAME)
.createPasswordReset();
context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
return;
}
UserModel user = context.getSession().users().getUserByUsername(username, context.getRealm());
if (user == null && username.contains("@")) {
user = context.getSession().users().getUserByEmail(username, context.getRealm());
}
if (user == null) {
event.error(Errors.INVALID_USER_CREDENTIALS);
Response challenge = context.form()
.setError(Messages.INVALID_USER)
.createPasswordReset();
context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
return;
}
if (!user.isEnabled()) {
event.user(user).error(Errors.USER_DISABLED);
Response challenge = context.form()
.setError(Messages.ACCOUNT_DISABLED)
.createPasswordReset();
context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
return;
}
if (user.getEmail() == null || user.getEmail().trim().length() == 0) {
event.user(user).error(Errors.INVALID_EMAIL);
Response challenge = context.form()
.setError(Messages.INVALID_EMAIL)
.createPasswordReset();
context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
return;
}
context.setUser(user);
context.success();
}
@Override
public boolean requiresUser() {
return false;
}
@Override
public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
return true;
}
@Override
public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
}
@Override
public String getDisplayType() {
return "Choose User";
}
@Override
public String getReferenceCategory() {
return null;
}
@Override
public boolean isConfigurable() {
return false;
}
public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
AuthenticationExecutionModel.Requirement.REQUIRED
};
@Override
public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
return REQUIREMENT_CHOICES;
}
@Override
public boolean isUserSetupAllowed() {
return false;
}
@Override
public String getHelpText() {
return "Choose a user to reset credentials for";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return null;
}
@Override
public void close() {
}
@Override
public Authenticator create(KeycloakSession session) {
return this;
}
@Override
public void init(Config.Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public String getId() {
return PROVIDER_ID;
}
}

189
services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java Executable file
View file

@ -0,0 +1,189 @@
package org.keycloak.authentication.authenticators.resetcred;
import org.jboss.logging.Logger;
import org.keycloak.ClientConnection;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.HmacOTP;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.Urls;
import org.keycloak.services.messages.Messages;
import javax.crypto.SecretKey;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import java.util.List;
import java.util.concurrent.TimeUnit;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory {
public static final String RESET_CREDENTIAL_SECRET = "RESET_CREDENTIAL_SECRET";
public static final String KEY = "key";
protected static Logger logger = Logger.getLogger(ResetCredentialEmail.class);
public static final String PROVIDER_ID = "reset-credential-email";
@Override
public void authenticate(AuthenticationFlowContext context) {
UserModel user = context.getUser();
EventBuilder event = context.getEvent();
if (user.getEmail() == null || user.getEmail().trim().length() == 0) {
event.user(user).error(Errors.INVALID_EMAIL);
Response challenge = context.form()
.setError(Messages.INVALID_EMAIL)
.createPasswordReset();
context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
return;
}
// We send the secret in the email in a link as a query param. We don't need to sign it or anything because
// it can only be guessed once, and it must match watch is stored in the client session.
String secret = HmacOTP.generateSecret(10);
context.getClientSession().setNote(RESET_CREDENTIAL_SECRET, secret);
String link = UriBuilder.fromUri(context.getActionUrl()).queryParam(KEY, secret).build().toString();
long expiration = TimeUnit.SECONDS.toMinutes(context.getRealm().getAccessCodeLifespanUserAction());
try {
context.getSession().getProvider(EmailProvider.class).setRealm(context.getRealm()).setUser(user).sendPasswordReset(secret, link, expiration);
event.detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, context.getClientSession().getId()).success();
Response challenge = context.form()
.setSuccess(Messages.EMAIL_SENT)
.createForm("validate-reset-email.ftl");
context.challenge(challenge);
} catch (EmailException e) {
event.error(Errors.EMAIL_SEND_FAILED);
logger.error("Failed to send password reset email", e);
Response challenge = context.form()
.setError(Messages.EMAIL_SENT_ERROR)
.createErrorPage();
context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge);
}
}
@Override
public void action(AuthenticationFlowContext context) {
String secret = context.getClientSession().getNote(RESET_CREDENTIAL_SECRET);
String key = null;
if (context.getHttpRequest().getHttpMethod().equalsIgnoreCase("GET")) {
key =context.getUriInfo().getQueryParameters().getFirst(KEY);
} else if (context.getHttpRequest().getHttpMethod().equalsIgnoreCase("POST")) {
key = context.getHttpRequest().getDecodedFormParameters().getFirst(KEY);
}
// Can only guess once! We remove the note so another guess can't happen
context.getClientSession().removeNote(RESET_CREDENTIAL_SECRET);
if (secret == null || key == null || !secret.equals(key)) {
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
Response challenge = context.form()
.setError(Messages.INVALID_ACCESS_CODE)
.createErrorPage();
context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge);
return;
}
context.success();
}
@Override
public boolean requiresUser() {
return true;
}
@Override
public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
return true;
}
@Override
public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
}
@Override
public String getDisplayType() {
return "Reset Via Email";
}
@Override
public String getReferenceCategory() {
return null;
}
@Override
public boolean isConfigurable() {
return false;
}
public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
AuthenticationExecutionModel.Requirement.REQUIRED
};
@Override
public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
return REQUIREMENT_CHOICES;
}
@Override
public boolean isUserSetupAllowed() {
return false;
}
@Override
public String getHelpText() {
return "Send email to user and wait for response.";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return null;
}
@Override
public void close() {
}
@Override
public Authenticator create(KeycloakSession session) {
return this;
}
@Override
public void init(Config.Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public String getId() {
return PROVIDER_ID;
}
}

45
services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java Executable file
View file

@ -0,0 +1,45 @@
package org.keycloak.authentication.authenticators.resetcred;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class ResetOTP extends AbstractSetRequiredActionAuthenticator {
public static final String PROVIDER_ID = "reset-otp";
@Override
public void authenticate(AuthenticationFlowContext context) {
if (context.getExecution().isRequired() ||
(context.getExecution().isOptional() &&
configuredFor(context))) {
context.getUser().addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
}
context.success();
}
protected boolean configuredFor(AuthenticationFlowContext context) {
return context.getSession().users().configuredForCredentialType(context.getRealm().getOTPPolicy().getType(), context.getRealm(), context.getUser());
}
@Override
public String getDisplayType() {
return "Reset OTP";
}
@Override
public String getHelpText() {
return "Sets the Configure OTP required action if execution is REQUIRED. Will also set it if execution is OPTIONAL and the OTP is currently configured for it.";
}
@Override
public String getId() {
return PROVIDER_ID;
}
}

53
services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java Executable file
View file

@ -0,0 +1,53 @@
package org.keycloak.authentication.authenticators.resetcred;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class ResetPassword extends AbstractSetRequiredActionAuthenticator {
public static final String PROVIDER_ID = "reset-password";
@Override
public void authenticate(AuthenticationFlowContext context) {
if (context.getExecution().isRequired() ||
(context.getExecution().isOptional() &&
configuredFor(context))) {
context.getUser().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
}
context.success();
}
protected boolean configuredFor(AuthenticationFlowContext context) {
return context.getSession().users().configuredForCredentialType(UserCredentialModel.PASSWORD, context.getRealm(), context.getUser());
}
@Override
public String getDisplayType() {
return "Reset Password";
}
@Override
public String getHelpText() {
return "Sets the Update Password required action if execution is REQUIRED. Will also set it if execution is OPTIONAL and the password is currently configured for it.";
}
@Override
public String getId() {
return PROVIDER_ID;
}
}

2
services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
View file

@ -27,6 +27,7 @@ import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.Urls;
import org.keycloak.services.resources.LoginActionsService;
import javax.ws.rs.GET;
import javax.ws.rs.core.Context;
@ -267,6 +268,7 @@ public class AuthorizationEndpoint {
String flowId = flow.getId();
AuthenticationProcessor processor = new AuthenticationProcessor();
processor.setClientSession(clientSession)
.setFlowPath(LoginActionsService.AUTHENTICATE_PATH)
.setFlowId(flowId)
.setConnection(clientConnection)
.setEventBuilder(event)

12
services/src/main/java/org/keycloak/services/Urls.java
View file

@ -152,12 +152,16 @@ public class Urls {
return loginActionsBase(baseUri).path(LoginActionsService.class, "emailVerification");
}
public static URI loginPasswordReset(URI baseUri, String realmId) {
return loginPasswordResetBuilder(baseUri).build(realmId);
public static URI loginResetCredentials(URI baseUri, String realmId) {
return loginResetCredentialsBuilder(baseUri).build(realmId);
}
public static UriBuilder loginPasswordResetBuilder(URI baseUri) {
return loginActionsBase(baseUri).path(LoginActionsService.class, "passwordReset");
public static UriBuilder recoverPasswordBuilder(URI baseUri) {
return loginActionsBase(baseUri).path(LoginActionsService.class, "recoverPassword");
}
public static UriBuilder loginResetCredentialsBuilder(URI baseUri) {
return loginActionsBase(baseUri).path(LoginActionsService.RESET_CREDENTIALS_PATH);
}
public static URI loginUsernameReminder(URI baseUri, String realmId) {

1
services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
View file

@ -473,6 +473,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
String flowId = flow.getId();
AuthenticationProcessor processor = new AuthenticationProcessor();
processor.setClientSession(clientSession)
.setFlowPath(LoginActionsService.AUTHENTICATE_PATH)
.setFlowId(flowId)
.setConnection(clientConnection)
.setEventBuilder(event)

101
services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
View file

@ -50,13 +50,10 @@ import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.RequiredAction;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.utils.DefaultAuthenticationFlows;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
@ -70,7 +67,6 @@ import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
@ -93,6 +89,9 @@ public class LoginActionsService {
protected static final Logger logger = Logger.getLogger(LoginActionsService.class);
public static final String ACTION_COOKIE = "KEYCLOAK_ACTION";
public static final String AUTHENTICATE_PATH = "authenticate";
public static final String REGISTRATION_PATH = "registration";
public static final String RESET_CREDENTIALS_PATH = "reset-credentials";
private RealmModel realm;
@ -226,7 +225,7 @@ public class LoginActionsService {
ClientSessionModel clientSession = RestartLoginCookie.restartSession(session, realm, code);
if (clientSession != null) {
event.clone().detail(Details.RESTART_AFTER_TIMEOUT, "true").error(Errors.EXPIRED_CODE);
response = processFlow(null, clientSession, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT);
response = processFlow(null, clientSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT);
return false;
}
} catch (Exception e) {
@ -268,7 +267,7 @@ public class LoginActionsService {
* @param code
* @return
*/
@Path("authenticate")
@Path(AUTHENTICATE_PATH)
@GET
public Response authenticate(@QueryParam("code") String code,
@QueryParam("execution") String execution) {
@ -290,12 +289,13 @@ public class LoginActionsService {
}
protected Response processAuthentication(String execution, ClientSessionModel clientSession, String errorMessage) {
return processFlow(execution, clientSession, realm.getBrowserFlow(), errorMessage);
return processFlow(execution, clientSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), errorMessage);
}
protected Response processFlow(String execution, ClientSessionModel clientSession, AuthenticationFlowModel flow, String errorMessage) {
protected Response processFlow(String execution, ClientSessionModel clientSession, String flowPath, AuthenticationFlowModel flow, String errorMessage) {
AuthenticationProcessor processor = new AuthenticationProcessor();
processor.setClientSession(clientSession)
.setFlowPath(flowPath)
.setFlowId(flow.getId())
.setConnection(clientConnection)
.setEventBuilder(event)
@ -323,7 +323,7 @@ public class LoginActionsService {
* @param code
* @return
*/
@Path("authenticate")
@Path(AUTHENTICATE_PATH)
@POST
public Response authenticateForm(@QueryParam("code") String code,
@QueryParam("execution") String execution) {
@ -338,8 +338,39 @@ public class LoginActionsService {
return processAuthentication(execution, clientSession, null);
}
@Path(RESET_CREDENTIALS_PATH)
@POST
public Response resetCredentialsPOST(@QueryParam("code") String code,
@QueryParam("execution") String execution) {
return resetCredentials(code, execution);
}
@Path(RESET_CREDENTIALS_PATH)
@GET
public Response resetCredentialsGET(@QueryParam("code") String code,
@QueryParam("execution") String execution) {
return resetCredentials(code, execution);
}
protected Response resetCredentials(String code, String execution) {
event.event(EventType.RESET_PASSWORD);
Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) {
return checks.response;
}
final ClientSessionCode clientCode = checks.clientCode;
final ClientSessionModel clientSession = clientCode.getClientSession();
return processResetCredentials(execution, clientSession, null);
}
protected Response processResetCredentials(String execution, ClientSessionModel clientSession, String errorMessage) {
return processFlow(execution, clientSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), errorMessage);
}
protected Response processRegistration(String execution, ClientSessionModel clientSession, String errorMessage) {
return processFlow(execution, clientSession, realm.getRegistrationFlow(), errorMessage);
return processFlow(execution, clientSession, REGISTRATION_PATH, realm.getRegistrationFlow(), errorMessage);
}
@ -349,7 +380,7 @@ public class LoginActionsService {
* @param code
* @return
*/
@Path("registration")
@Path(REGISTRATION_PATH)
@GET
public Response registerPage(@QueryParam("code") String code,
@QueryParam("execution") String execution) {
@ -380,7 +411,7 @@ public class LoginActionsService {
* @param code
* @return
*/
@Path("registration")
@Path(REGISTRATION_PATH)
@POST
public Response processRegister(@QueryParam("code") String code,
@QueryParam("execution") String execution) {
@ -393,10 +424,6 @@ public class LoginActionsService {
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) {
return checks.response;
}
if (!realm.isRegistrationAllowed()) {
event.error(Errors.REGISTRATION_DISABLED);
return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED);
}
ClientSessionCode clientCode = checks.clientCode;
ClientSessionModel clientSession = clientCode.getClientSession();
@ -647,13 +674,10 @@ public class LoginActionsService {
event.event(EventType.UPDATE_PASSWORD).success();
if (clientSession.getAction().equals(ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
String actionCookieValue = getActionCookie();
if (actionCookieValue == null || !actionCookieValue.equals(userSession.getId())) {
session.sessions().removeClientSession(realm, clientSession);
return session.getProvider(LoginFormsProvider.class)
.setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED)
.createInfoPage();
}
session.sessions().removeClientSession(realm, clientSession);
return session.getProvider(LoginFormsProvider.class)
.setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED)
.createInfoPage();
}
event = event.clone().event(EventType.LOGIN);
@ -712,34 +736,33 @@ public class LoginActionsService {
}
}
@Path("password-reset")
/**
* Initiated by admin, not the user on login
*
* @param key
* @return
*/
@Path("recover-password")
@GET
public Response passwordReset(@QueryParam("code") String code, @QueryParam("key") String key) {
public Response recoverPassword(@QueryParam("key") String key) {
event.event(EventType.RESET_PASSWORD);
if (!realm.isResetPasswordAllowed()) {
event.error(Errors.RESET_CREDENTIAL_DISABLED);
return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
}
if (key != null) {
Checks checks = new Checks();
if (!checks.verifyCode(key, ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
return checks.response;
event.error(Errors.RESET_CREDENTIAL_DISABLED);
return ErrorPage.error(session, Messages.INVALID_CODE);
}
ClientSessionCode accessCode = checks.clientCode;
return session.getProvider(LoginFormsProvider.class)
.setClientSessionCode(accessCode.getCode())
.createResponse(RequiredAction.UPDATE_PASSWORD);
} else {
return session.getProvider(LoginFormsProvider.class)
.setClientSessionCode(code)
.createPasswordReset();
event.error(Errors.RESET_CREDENTIAL_DISABLED);
return ErrorPage.error(session, Messages.INVALID_CODE);
}
}
@Path("password-reset")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response sendPasswordReset(@QueryParam("code") String code,
private Response sendPasswordReset(@QueryParam("code") String code,
final MultivaluedMap<String, String> formData) {
event.event(EventType.SEND_RESET_PASSWORD);
if (!realm.isResetPasswordAllowed()) {
@ -791,13 +814,13 @@ public class LoginActionsService {
accessCode.setAction(ClientSessionModel.Action.RECOVER_PASSWORD.name());
try {
UriBuilder builder = Urls.loginPasswordResetBuilder(uriInfo.getBaseUri());
UriBuilder builder = Urls.loginResetCredentialsBuilder(uriInfo.getBaseUri());
builder.queryParam("key", accessCode.getCode());
String link = builder.build(realm.getName()).toString();
long expiration = TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction());
this.session.getProvider(EmailProvider.class).setRealm(realm).setUser(user).sendPasswordReset(link, expiration);
this.session.getProvider(EmailProvider.class).setRealm(realm).setUser(user).sendChangePassword(link, expiration);
event.detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, clientSession.getId()).success();
} catch (EmailException e) {

4
services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
View file

@ -854,13 +854,13 @@ public class UsersResource {
accessCode.setAction(ClientSessionModel.Action.RECOVER_PASSWORD.name());
try {
UriBuilder builder = Urls.loginPasswordResetBuilder(uriInfo.getBaseUri());
UriBuilder builder = Urls.recoverPasswordBuilder(uriInfo.getBaseUri());
builder.queryParam("key", accessCode.getCode());
String link = builder.build(realm.getName()).toString();
long expiration = TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction());
this.session.getProvider(EmailProvider.class).setRealm(realm).setUser(user).sendPasswordReset(link, expiration);
this.session.getProvider(EmailProvider.class).setRealm(realm).setUser(user).sendChangePassword(link, expiration);
//audit.user(user).detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, accessCode.getCodeId()).success();

6
services/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
View file

@ -4,4 +4,8 @@ org.keycloak.authentication.authenticators.browser.OTPFormAuthenticatorFactory
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory
org.keycloak.authentication.authenticators.directgrant.ValidateOTP
org.keycloak.authentication.authenticators.directgrant.ValidatePassword
org.keycloak.authentication.authenticators.directgrant.ValidateUsername
org.keycloak.authentication.authenticators.directgrant.ValidateUsername
org.keycloak.authentication.authenticators.resetcred.ResetCredentialChooseUser
org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail
org.keycloak.authentication.authenticators.resetcred.ResetOTP
org.keycloak.authentication.authenticators.resetcred.ResetPassword

2
testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java
View file

@ -167,7 +167,7 @@ public class AccountTest {
});
}
//@Test
@Test
public void ideTesting() throws Exception {
Thread.sleep(100000000);
}