Class ConditionalOtpFormAuthenticator
- java.lang.Object
-
- org.keycloak.authentication.AbstractFormAuthenticator
-
- org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
-
- org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator
-
- org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator
-
- All Implemented Interfaces:
org.keycloak.authentication.Authenticator,org.keycloak.authentication.CredentialValidator<OTPCredentialProvider>,org.keycloak.provider.Provider
public class ConditionalOtpFormAuthenticator extends OTPFormAuthenticator
AnOTPFormAuthenticatorthat can conditionally require OTP authentication.The decision for whether or not to require OTP authentication can be made based on multiple conditions which are evaluated in the following order. The first matching condition determines the outcome.
- User Attribute
- Role
- Request Header
- Configured Default
If no condition matches, the
ConditionalOtpFormAuthenticatorfallback is to require OTP authentication.User Attribute
A User Attribute likeotp_authcan be used to control OTP authentication on individual user level. The supported values are skip and force. If the value is set to skip then the OTP auth is skipped for the user, otherwise if the value is force then the OTP auth is enforced. The setting is ignored for any other value.Role
A role can be used to control the OTP authentication. If the user has the specified skip OTP role then OTP authentication is skipped for the user. If the user has the specified force OTP role, then the OTP authentication is required for the user. If not configured, e.g. if no role is selected, then this setting is ignored.Request Header
Request Headers are matched via regex
Patterns and can be specified as a whitelist and blacklist. No OTP for Header specifies the pattern for which OTP authentication is not required. This can be used to specify trusted networks, e.g. via:X-Forwarded-Host: (1.2.3.4|1.2.3.5)where The IPs 1.2.3.4, 1.2.3.5 denote trusted machines. Force OTP for Header specifies the pattern for which OTP authentication is required. Whitelist entries take precedence before blacklist entries.Configured Default
A default fall-though behaviour can be specified to handle cases where all previous conditions did not lead to a conclusion. An OTP authentication is required in case no default is configured.- Author:
- Thomas Darimont
-
-
Field Summary
Fields Modifier and Type Field Description static StringDEFAULT_OTP_OUTCOMEstatic StringFORCEstatic StringFORCE_OTP_FOR_HTTP_HEADERstatic StringFORCE_OTP_ROLEstatic StringOTP_CONTROL_USER_ATTRIBUTEstatic StringSKIPstatic StringSKIP_OTP_FOR_HTTP_HEADERstatic StringSKIP_OTP_ROLE-
Fields inherited from class org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator
SELECTED_OTP_CREDENTIAL_ID, UNNAMED
-
Fields inherited from class org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
ATTEMPTED_USERNAME, REGISTRATION_FORM_ACTION, USER_SET_BEFORE_USERNAME_PASSWORD_AUTH
-
-
Constructor Summary
Constructors Constructor Description ConditionalOtpFormAuthenticator()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description voidauthenticate(org.keycloak.authentication.AuthenticationFlowContext context)voidsetRequiredActions(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.UserModel user)-
Methods inherited from class org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator
action, close, configuredFor, createLoginForm, disabledByBruteForceError, disabledByBruteForceFieldError, getCredentialProvider, getRequiredActions, requiresUser, validateOTP
-
Methods inherited from class org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
challenge, challenge, dummyHash, enabledUser, getDefaultChallengeMessage, isDisabledByBruteForce, isUserAlreadySetBeforeUsernamePasswordAuth, runDefaultDummyHash, setDuplicateUserChallenge, testInvalidUser, validatePassword, validateUser, validateUserAndPassword
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
-
-
-
Field Detail
-
SKIP
public static final String SKIP
- See Also:
- Constant Field Values
-
FORCE
public static final String FORCE
- See Also:
- Constant Field Values
-
OTP_CONTROL_USER_ATTRIBUTE
public static final String OTP_CONTROL_USER_ATTRIBUTE
- See Also:
- Constant Field Values
-
SKIP_OTP_ROLE
public static final String SKIP_OTP_ROLE
- See Also:
- Constant Field Values
-
FORCE_OTP_ROLE
public static final String FORCE_OTP_ROLE
- See Also:
- Constant Field Values
-
SKIP_OTP_FOR_HTTP_HEADER
public static final String SKIP_OTP_FOR_HTTP_HEADER
- See Also:
- Constant Field Values
-
FORCE_OTP_FOR_HTTP_HEADER
public static final String FORCE_OTP_FOR_HTTP_HEADER
- See Also:
- Constant Field Values
-
DEFAULT_OTP_OUTCOME
public static final String DEFAULT_OTP_OUTCOME
- See Also:
- Constant Field Values
-
-
Method Detail
-
authenticate
public void authenticate(org.keycloak.authentication.AuthenticationFlowContext context)
- Specified by:
authenticatein interfaceorg.keycloak.authentication.Authenticator- Overrides:
authenticatein classOTPFormAuthenticator
-
setRequiredActions
public void setRequiredActions(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.models.UserModel user)- Specified by:
setRequiredActionsin interfaceorg.keycloak.authentication.Authenticator- Overrides:
setRequiredActionsin classOTPFormAuthenticator
-
-