KEYCLOAK-9711 REQUIRED authentictor in ALTERNATIVE subflow throws AuthenticationFlowException when the authentictor returns ATTEMPTED.
This commit is contained in:
parent
9af4276310
commit
d593ac3e6f
2 changed files with 225 additions and 1 deletions
|
@ -94,7 +94,18 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow {
|
||||||
}
|
}
|
||||||
if (model.isAuthenticatorFlow()) {
|
if (model.isAuthenticatorFlow()) {
|
||||||
AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model);
|
AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model);
|
||||||
Response flowChallenge = authenticationFlow.processAction(actionExecution);
|
Response flowChallenge = null;
|
||||||
|
try {
|
||||||
|
flowChallenge = authenticationFlow.processAction(actionExecution);
|
||||||
|
} catch (AuthenticationFlowException afe) {
|
||||||
|
if (model.isAlternative()) {
|
||||||
|
logger.debug("Thrown exception in alternative Subflow. Ignoring Subflow");
|
||||||
|
processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.ATTEMPTED);
|
||||||
|
return processFlow();
|
||||||
|
} else {
|
||||||
|
throw afe;
|
||||||
|
}
|
||||||
|
}
|
||||||
if (flowChallenge == null) {
|
if (flowChallenge == null) {
|
||||||
processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SUCCESS);
|
processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SUCCESS);
|
||||||
if (model.isAlternative()) alternativeSuccessful = true;
|
if (model.isAlternative()) alternativeSuccessful = true;
|
||||||
|
|
|
@ -0,0 +1,213 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2019 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.testsuite.forms;
|
||||||
|
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.jboss.arquillian.container.test.api.Deployment;
|
||||||
|
import org.jboss.arquillian.graphene.page.Page;
|
||||||
|
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||||
|
import org.junit.Assert;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Rule;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.keycloak.admin.client.resource.UserResource;
|
||||||
|
import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
|
||||||
|
import org.keycloak.events.Details;
|
||||||
|
import org.keycloak.models.AuthenticationExecutionModel;
|
||||||
|
import org.keycloak.models.AuthenticationFlowModel;
|
||||||
|
import org.keycloak.models.AuthenticatorConfigModel;
|
||||||
|
import org.keycloak.models.RealmModel;
|
||||||
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
|
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
||||||
|
import org.keycloak.testsuite.AssertEvents;
|
||||||
|
import org.keycloak.testsuite.authentication.ExpectedParamAuthenticator;
|
||||||
|
import org.keycloak.testsuite.authentication.ExpectedParamAuthenticatorFactory;
|
||||||
|
import org.keycloak.testsuite.authentication.PushButtonAuthenticatorFactory;
|
||||||
|
import org.keycloak.testsuite.pages.AppPage;
|
||||||
|
import org.keycloak.testsuite.pages.ErrorPage;
|
||||||
|
import org.keycloak.testsuite.pages.LoginPage;
|
||||||
|
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
|
||||||
|
import org.openqa.selenium.By;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:n1330@me.com">Tomohiro Nagai</a>
|
||||||
|
*/
|
||||||
|
public class AuthenticatorSubflowsTest2 extends AbstractTestRealmKeycloakTest {
|
||||||
|
|
||||||
|
@Rule
|
||||||
|
public AssertEvents events = new AssertEvents(this);
|
||||||
|
|
||||||
|
@Page
|
||||||
|
protected AppPage appPage;
|
||||||
|
|
||||||
|
@Page
|
||||||
|
protected LoginPage loginPage;
|
||||||
|
|
||||||
|
@Page
|
||||||
|
protected ErrorPage errorPage;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Deployment
|
||||||
|
public static WebArchive deploy() {
|
||||||
|
return RunOnServerDeployment.create(UserResource.class)
|
||||||
|
.addPackages(true, "org.keycloak.testsuite");
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Before
|
||||||
|
public void setupFlows() {
|
||||||
|
testingClient.server().run(session -> {
|
||||||
|
RealmModel realm = session.realms().getRealmByName("test");
|
||||||
|
|
||||||
|
if (realm.getBrowserFlow().getAlias().equals("parent-flow")) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parent flow
|
||||||
|
AuthenticationFlowModel browser = new AuthenticationFlowModel();
|
||||||
|
browser.setAlias("parent-flow");
|
||||||
|
browser.setDescription("browser based authentication");
|
||||||
|
browser.setProviderId("basic-flow");
|
||||||
|
browser.setTopLevel(true);
|
||||||
|
browser.setBuiltIn(true);
|
||||||
|
browser = realm.addAuthenticationFlow(browser);
|
||||||
|
realm.setBrowserFlow(browser);
|
||||||
|
|
||||||
|
|
||||||
|
// Subflow1
|
||||||
|
AuthenticationFlowModel subflow1 = new AuthenticationFlowModel();
|
||||||
|
subflow1.setTopLevel(false);
|
||||||
|
subflow1.setBuiltIn(true);
|
||||||
|
subflow1.setAlias("subflow-1");
|
||||||
|
subflow1.setDescription("Parameter 'foo=bar1' AND username+password");
|
||||||
|
subflow1.setProviderId("basic-flow");
|
||||||
|
subflow1 = realm.addAuthenticationFlow(subflow1);
|
||||||
|
|
||||||
|
AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
|
||||||
|
execution.setParentFlow(browser.getId());
|
||||||
|
execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
|
||||||
|
execution.setFlowId(subflow1.getId());
|
||||||
|
execution.setPriority(10);
|
||||||
|
execution.setAuthenticatorFlow(true);
|
||||||
|
realm.addAuthenticatorExecution(execution);
|
||||||
|
|
||||||
|
// Subflow1 - username password
|
||||||
|
execution = new AuthenticationExecutionModel();
|
||||||
|
execution.setParentFlow(subflow1.getId());
|
||||||
|
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
|
||||||
|
execution.setAuthenticator(UsernamePasswordFormFactory.PROVIDER_ID);
|
||||||
|
execution.setPriority(10);
|
||||||
|
execution.setAuthenticatorFlow(false);
|
||||||
|
|
||||||
|
realm.addAuthenticatorExecution(execution);
|
||||||
|
|
||||||
|
// Subflow1 - foo=bar1
|
||||||
|
execution = new AuthenticationExecutionModel();
|
||||||
|
execution.setParentFlow(subflow1.getId());
|
||||||
|
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
|
||||||
|
execution.setAuthenticator(ExpectedParamAuthenticatorFactory.PROVIDER_ID);
|
||||||
|
execution.setPriority(20);
|
||||||
|
execution.setAuthenticatorFlow(false);
|
||||||
|
|
||||||
|
AuthenticatorConfigModel configModel = new AuthenticatorConfigModel();
|
||||||
|
configModel.setAlias("bar1");
|
||||||
|
Map<String, String> config = new HashMap<>();
|
||||||
|
config.put(ExpectedParamAuthenticator.EXPECTED_VALUE, "bar1");
|
||||||
|
configModel.setConfig(config);
|
||||||
|
configModel = realm.addAuthenticatorConfig(configModel);
|
||||||
|
execution.setAuthenticatorConfig(configModel.getId());
|
||||||
|
|
||||||
|
realm.addAuthenticatorExecution(execution);
|
||||||
|
|
||||||
|
|
||||||
|
// Subflow2
|
||||||
|
AuthenticationFlowModel subflow2 = new AuthenticationFlowModel();
|
||||||
|
subflow2.setTopLevel(false);
|
||||||
|
subflow2.setBuiltIn(true);
|
||||||
|
subflow2.setAlias("subflow-2");
|
||||||
|
subflow2.setDescription("username+password AND pushButton");
|
||||||
|
subflow2.setProviderId("basic-flow");
|
||||||
|
subflow2 = realm.addAuthenticationFlow(subflow2);
|
||||||
|
|
||||||
|
execution = new AuthenticationExecutionModel();
|
||||||
|
execution.setParentFlow(browser.getId());
|
||||||
|
execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
|
||||||
|
execution.setFlowId(subflow2.getId());
|
||||||
|
execution.setPriority(20);
|
||||||
|
execution.setAuthenticatorFlow(true);
|
||||||
|
realm.addAuthenticatorExecution(execution);
|
||||||
|
|
||||||
|
// Subflow2 - push the button
|
||||||
|
execution = new AuthenticationExecutionModel();
|
||||||
|
execution.setParentFlow(subflow2.getId());
|
||||||
|
execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
|
||||||
|
execution.setAuthenticator(PushButtonAuthenticatorFactory.PROVIDER_ID);
|
||||||
|
execution.setPriority(10);
|
||||||
|
execution.setAuthenticatorFlow(false);
|
||||||
|
|
||||||
|
realm.addAuthenticatorExecution(execution);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSubflow1() throws Exception {
|
||||||
|
// Add foo=bar1. I am redirected to subflow1 - username+password form.
|
||||||
|
String loginFormUrl = oauth.getLoginFormUrl();
|
||||||
|
loginFormUrl = loginFormUrl + "&foo=bar1";
|
||||||
|
log.info("loginFormUrl: " + loginFormUrl);
|
||||||
|
|
||||||
|
driver.navigate().to(loginFormUrl);
|
||||||
|
|
||||||
|
loginPage.assertCurrent();
|
||||||
|
|
||||||
|
// Fill username+password. I am successfully authenticated.
|
||||||
|
oauth.fillLoginForm("test-user@localhost", "password");
|
||||||
|
appPage.assertCurrent();
|
||||||
|
|
||||||
|
events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSubflow2() throws Exception {
|
||||||
|
// Don't add 'foo' parameter. I am redirected to subflow1 - username+password form, then move to subflow2.
|
||||||
|
String loginFormUrl = oauth.getLoginFormUrl();
|
||||||
|
log.info("loginFormUrl: " + loginFormUrl);
|
||||||
|
|
||||||
|
driver.navigate().to(loginFormUrl);
|
||||||
|
|
||||||
|
loginPage.assertCurrent();
|
||||||
|
|
||||||
|
// Fill username+password. I am redirected push the button.
|
||||||
|
oauth.fillLoginForm("test-user@localhost", "password");
|
||||||
|
Assert.assertEquals("PushTheButton", driver.getTitle());
|
||||||
|
|
||||||
|
// Push the button. I am successfully authenticated.
|
||||||
|
driver.findElement(By.name("submit1")).click();
|
||||||
|
appPage.assertCurrent();
|
||||||
|
|
||||||
|
events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in a new issue