Package org.keycloak.authentication.authenticators.browser

Class ScriptBasedAuthenticator

  • All Implemented Interfaces:
    org.keycloak.authentication.Authenticator, org.keycloak.provider.Provider
    public class ScriptBasedAuthenticator
extends Object
implements org.keycloak.authentication.Authenticator
    An Authenticator that can execute a configured script during authentication flow.

    Scripts must at least provide one of the following functions:

    1. authenticate(..) which is called from Authenticator.authenticate(AuthenticationFlowContext)
    2. action(..) which is called from Authenticator.action(AuthenticationFlowContext)

    Custom Authenticator's should at least provide the authenticate(..) function. The following script Bindings are available for convenient use within script code.

    1. script the ScriptModel to access script metadata
    2. realm the RealmModel
    3. user the current UserModel
    4. session the active KeycloakSession
    5. authenticationSession the current AuthenticationSessionModel
    6. httpRequest the current HttpRequest
    7. LOG a Logger scoped to ScriptBasedAuthenticator

    Note that the user variable is only defined when the user was identified by a preceeding authentication step, e.g. by the UsernamePasswordForm authenticator.

    Additional context information can be extracted from the context argument passed to the authenticate(context) or action(context) function.

    An example ScriptBasedAuthenticator definition could look as follows: 

     

   AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

   function authenticate(context) {

     var username = user ? user.username : "anonymous";
     LOG.info(script.name + " --> trace auth for: " + username);

     if (   username === "tester"
         && user.getAttribute("someAttribute")
         && user.getAttribute("someAttribute").contains("someValue")) {

         context.failure(AuthenticationFlowError.INVALID_USER);
         return;
     }

     context.success();
   }
    Author:
    Thomas Darimont

    • Constructor Detail

      • ScriptBasedAuthenticator

        public ScriptBasedAuthenticator()

    • Method Detail

      • authenticate

        public void authenticate​(org.keycloak.authentication.AuthenticationFlowContext context)
        Specified by:
        authenticate in interface org.keycloak.authentication.Authenticator

      • action

        public void action​(org.keycloak.authentication.AuthenticationFlowContext context)
        Specified by:
        action in interface org.keycloak.authentication.Authenticator

      • getAuthenticatorConfig

        protected org.keycloak.models.AuthenticatorConfigModel getAuthenticatorConfig​(org.keycloak.authentication.AuthenticationFlowContext context)

      • requiresUser

        public boolean requiresUser()
        Specified by:
        requiresUser in interface org.keycloak.authentication.Authenticator

      • configuredFor

        public boolean configuredFor​(org.keycloak.models.KeycloakSession session,
                             org.keycloak.models.RealmModel realm,
                             org.keycloak.models.UserModel user)
        Specified by:
        configuredFor in interface org.keycloak.authentication.Authenticator

      • setRequiredActions

        public void setRequiredActions​(org.keycloak.models.KeycloakSession session,
                               org.keycloak.models.RealmModel realm,
                               org.keycloak.models.UserModel user)
        Specified by:
        setRequiredActions in interface org.keycloak.authentication.Authenticator

      • close

        public void close()
        Specified by:
        close in interface org.keycloak.provider.Provider