From 8610a02d72e5cb84c0ecd142716ff9a5288fe469 Mon Sep 17 00:00:00 2001 From: Thomas Darimont Date: Sun, 4 Dec 2016 23:15:53 +0100 Subject: [PATCH] KEYCLOAK-3969 Allow use of ScriptAuthenticator without user Previously ScriptAuthenticator required a user to be authenticated before it could be used as an additional authentication step which limited the scenarios the authenticator could be used. We now allow ScriptAuthenticators to be used without requiring an user to be authenticated before. Adapted the authenticator-template.js with a null safe username check. Note that existing custom ScriptAuthenticators might need some additional null checks since the user can now be undefined.
---
.../browser/ScriptBasedAuthenticator.java | 11 ++++++++--- .../main/resources/scripts/authenticator-template.js | 3 ++- 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java
index 9bff3f9998..6ab290791b 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java
@@ -52,6 +52,10 @@ import java.util.Map;
*
*

*

+ * Note that the {@code user} variable is only defined when the user was identified by a preceeding
+ * authentication step, e.g. by the {@link UsernamePasswordForm} authenticator.
+ *

+ *

* Additional context information can be extracted from the {@code context} argument passed to the {@code authenticate(context)}
* or {@code action(context)} function.
*
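Review bot: The added Javadoc says `user` is "only defined" after a preceding step, but it does not tell a script author what to do when it is missing, and that is the case that now decides whether an unidentified request passes this step. I would add one sentence such as `* Scripts must check {@code user} before reading attributes or calling {@code context.success()}.` Whether the variable is left unbound or bound to null is not visible in this hunk, so the wording should match the binding code. `preceeding` should read `preceding`.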

@@ -63,9 +67,10 @@ import java.util.Map;
*
* function authenticate(context) {
*
- * LOG.info(script.name + " --> trace auth for: " + user.username);
+ * var username = user ? user.username : "anonymous";
+ * LOG.info(script.name + " --> trace auth for: " + username);
*
- * if ( user.username === "tester"
+ * if ( username === "tester"
* && user.getAttribute("someAttribute")
* && user.getAttribute("someAttribute").contains("someValue")) {
*
@@ -160,7 +165,7 @@ public class ScriptBasedAuthenticator implements Authenticator {
@Override
public boolean requiresUser() {
- return true;
+ return false;
}
@Override
diff --git a/services/src/main/resources/scripts/authenticator-template.js b/services/src/main/resources/scripts/authenticator-template.js
index 73bb12475f..20de702721 100644
--- a/services/src/main/resources/scripts/authenticator-template.js
+++ b/services/src/main/resources/scripts/authenticator-template.js
@@ -24,7 +24,8 @@ AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationF
*/
function authenticate(context) {
- LOG.info(script.name + " trace auth for: " + user.username);
+ var username = user ? user.username : "anonymous";
+ LOG.info(script.name + " trace auth for: " + username);
var authShouldFail = false;
if (authShouldFail) {
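Review bot: The Javadoc example folds the missing-user case into the string `"anonymous"` and then branches on `username === "tester"`, so the following `user.getAttribute(...)` calls are only safe because the sentinel happens not to equal the name under test. Someone who copies the example and compares against another value loses that protection, and if a realm has a real account named `anonymous` the trace line cannot tell it apart from an unidentified request. I would make the decision depend on the object itself, `if ( user && user.username === "tester"`, and keep the sentinel for logging only. The same sentinel appears in the authenticator-template.js hunk at the end of this patch, where it only feeds the log line.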
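Review bot: Returning `false` from `requiresUser()` changes the contract for every script authenticator that is already configured, not only for new ones, so a script written when `user` was guaranteed can now run in a flow where it is unset. What happens when such a script dereferences `user` and throws is decided outside this hunk (the class body continues beyond it), so it is worth confirming that this path fails the execution rather than letting the flow continue, and covering it with a test. The method also needs a comment stating the new contract, e.g. `// Scripts may run before a user is identified; they must check user before deciding.` If existing deployments matter, a per-execution config option would be safer than a hard-coded `false`.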