/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authentication;
import org.jboss.logging.Logger;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.services.ServicesLogger;
import jakarta.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
/**
* @author Marek Posolda
*/
public class ClientAuthenticationFlow implements AuthenticationFlow {
private static final Logger logger = Logger.getLogger(ClientAuthenticationFlow.class);
Response alternativeChallenge = null;
AuthenticationProcessor processor;
AuthenticationFlowModel flow;
private boolean success;
public ClientAuthenticationFlow(AuthenticationProcessor processor, AuthenticationFlowModel flow) {
this.processor = processor;
this.flow = flow;
}
@Override
public Response processAction(String actionExecution) {
throw new IllegalStateException("Not supposed to be invoked");
}
@Override
public Response processFlow() {
List executions = findExecutionsToRun();
for (AuthenticationExecutionModel model : executions) {
ClientAuthenticatorFactory factory = (ClientAuthenticatorFactory) processor.getSession().getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, model.getAuthenticator());
if (factory == null) {
throw new AuthenticationFlowException("Could not find ClientAuthenticatorFactory for: " + model.getAuthenticator(), AuthenticationFlowError.INTERNAL_ERROR);
}
ClientAuthenticator authenticator = factory.create();
logger.debugv("client authenticator: {0}", factory.getId());
AuthenticationProcessor.Result context = processor.createClientAuthenticatorContext(model, authenticator, executions);
authenticator.authenticateClient(context);
ClientModel client = processor.getClient();
if (client != null) {
String expectedClientAuthType = client.getClientAuthenticatorType();
// Fallback to secret just in case (for backwards compatibility). Also for public clients, ignore the "clientAuthenticatorType", which is set to them and stick to the
// default, which set the client just based on "client_id" parameter
if (expectedClientAuthType == null || client.isPublicClient()) {
if (expectedClientAuthType == null) {
ServicesLogger.LOGGER.authMethodFallback(client.getClientId(), expectedClientAuthType);
}
expectedClientAuthType = KeycloakModelUtils.getDefaultClientAuthenticatorType();
}
// Check if client authentication matches
if (factory.getId().equals(expectedClientAuthType)) {
Response response = processResult(context);
if (response != null) return response;
if (!context.getStatus().equals(FlowStatus.SUCCESS)) {
throw new AuthenticationFlowException("Expected success, but for an unknown reason the status was " + context.getStatus(), AuthenticationFlowError.INTERNAL_ERROR);
} else {
success = true;
}
logger.debugv("Client {0} authenticated by {1}", client.getClientId(), factory.getId());
processor.getEvent().detail(Details.CLIENT_AUTH_METHOD, factory.getId());
return null;
}
}
}
// Check if any alternative challenge was identified
if (alternativeChallenge != null) {
processor.getEvent().error(Errors.INVALID_CLIENT);
return alternativeChallenge;
}
throw new AuthenticationFlowException("Invalid client or Invalid client credentials", AuthenticationFlowError.CLIENT_NOT_FOUND);
}
protected List findExecutionsToRun() {
List executionsToRun = new LinkedList<>();
List finalExecutionsToRun = executionsToRun;
Optional first = processor.getRealm().getAuthenticationExecutionsStream(flow.getId())
.filter(e -> {
if (e.isRequired()) {
return true;
} else if (e.isAlternative()){
finalExecutionsToRun.add(e);
return false;
}
return false;
}).findFirst();
if (first.isPresent())
executionsToRun = Arrays.asList(first.get());
else
executionsToRun.addAll(finalExecutionsToRun);
if (logger.isTraceEnabled()) {
List exIds = new ArrayList<>();
for (AuthenticationExecutionModel execution : executionsToRun) {
exIds.add(execution.getId());
}
logger.tracef("Using executions for client authentication: %s", exIds.toString());
}
return executionsToRun;
}
protected Response processResult(AuthenticationProcessor.Result result) {
AuthenticationExecutionModel execution = result.getExecution();
FlowStatus status = result.getStatus();
logger.debugv("client authenticator {0}: {1}", status.toString(), execution.getAuthenticator());
if (status == FlowStatus.SUCCESS) {
return null;
}
if (status == FlowStatus.FAILED) {
if (result.getChallenge() != null) {
return sendChallenge(result, execution);
} else {
throw new AuthenticationFlowException(result.getError());
}
} else if (status == FlowStatus.FORCE_CHALLENGE) {
return sendChallenge(result, execution);
} else if (status == FlowStatus.CHALLENGE) {
// Make sure the first priority alternative challenge is used
if (alternativeChallenge == null) {
alternativeChallenge = result.getChallenge();
}
return sendChallenge(result, execution);
} else if (status == FlowStatus.FAILURE_CHALLENGE) {
return sendChallenge(result, execution);
} else {
ServicesLogger.LOGGER.unknownResultStatus();
throw new AuthenticationFlowException(AuthenticationFlowError.INTERNAL_ERROR);
}
}
public Response sendChallenge(AuthenticationProcessor.Result result, AuthenticationExecutionModel execution) {
logger.debugv("client authenticator: sending challenge for authentication execution {0}", execution.getAuthenticator());
if (result.getError() != null) {
String errorAsString = result.getError().toString().toLowerCase();
result.getEvent().error(errorAsString);
} else {
if (result.getClient() == null) {
result.getEvent().error(Errors.INVALID_CLIENT);
} else {
result.getEvent().error(Errors.INVALID_CLIENT_CREDENTIALS);
}
}
return result.getChallenge();
}
@Override
public boolean isSuccessful() {
return success;
}
}