Hi All,
The GuardianKey extension for KeyCloak is almost complete! Thank you for
the given directions.
We have to get the user client IP and the status of the authentication
attempt (failed/success). For this, we implemented the code below. However,
we are facing Null Pointer exceptions.

    public class GuardianKeyAuthenticator implements Authenticator {
        // ...
        public void authenticate(AuthenticationFlowContext context) {
            // ...
            // Trying to get the client IP address
            clientIP = context.getSession().sessions()
                    .getUserSession(context.getAuthenticationSession().getClient().getRealm(),
                            context.getAuthenticationSession().getClient().getId())
                    .getIpAddress(); /* getting null pointer exception */

            // Trying to get the status for the auth attempt (failed/success);
            // this Authenticator should be the last in the flow
            failed = context.getStatus().equals(FlowStatus.SUCCESS); /* getting null pointer exception */
            // ...
        }
    }

Any clue about how we can do this?
Thank you in advance.
Paulo Angelo
On Sun, Feb 3, 2019 at 10:21 PM Paulo Angelo <pa(a)pauloangelo.com> wrote:
Dmitry and Aléxis,
Thank you very much for the directions. We are going to work on it.
regards,
Paulo Angelo
On Sun, Feb 3, 2019 at 8:06 PM Dmitry Telegin <dt(a)acutus.pro> wrote:
> Hello Paulo,
>
> To add to Alexis's reply, you can use Script authenticator [1]. It's
> especially good for prototyping since you don't have to create and deploy
> the whole provider module.
>
> Also, you'll need an HttpClient instance to be able to perform external
> HTTP requests, see [2] for that.
>
> [1] https://www.keycloak.org/docs/latest/server_admin/#executions
> [2] http://lists.jboss.org/pipermail/keycloak-user/2018-November/016456.html
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Sun, 2019-02-03 at 17:46 -0200, Alexis Almeida wrote:
> > Hi Paulo,
> >
> > IMO the simplest way to do this is with an Authenticator Provider. Please
> > see here:
> >
> > https://www.keycloak.org/docs/latest/server_development/index.html#implem...
> >
> > In the authenticate method you can call the GuardianKey and, depending on
> > the result, you call a context.success() or context.failure().
> >
> > Like this:
> >
> >     public void authenticate(AuthenticationFlowContext context) {
> >         ...
> >         if (!GuardianKeyValidation) {
> >             Response challenge = context.form()
> >                     .setError("something")
> >                     .createForm("error_page.ftl");
> >
> >             context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
> >             return;
> >         }
> >         ...
> >         context.success();
> >     }
> >
> > Aléxis
> >
> >
> > On Sun, Feb 3, 2019 at 15:38, Paulo Angelo <pa(a)pauloangelo.com> wrote:
> >
> > > Hi all,
> > >
> > > We are trying to integrate KeyCloak with GuardianKey. However, we have
> > > doubts related to the best way to do this and the best point in the
> > > KeyCloak’s code for this integration.
> > >
> > > GuardianKey is a service to protect systems against authentication attacks.
> > > It uses Machine Learning and analyses the user's behavior, threat
> > > intelligence and psychometrics (or behavioral biometrics). The protected
> > > system (in the concrete case, KeyCloak) must send an event via REST for the
> > > GuardianKey on each login attempt. More info at https://guardiankey.io .
> > >
> > > The best way to integrate would be by having a hook in the procedure that
> > > processes the user credentials submission in KeyCloak (the script that
> > > receives the POST), something such as:
> > >
> > >     if (<POST IN AUTH FORM>) {
> > >         boolean loginFailed = checkLoginInKeyCloak();
> > >         GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed);
> > >         boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
> > >         if (GuardianKeyValidation) {
> > >             // Allow access
> > >         } else {
> > >             // Deny access
> > >         }
> > >     }
> > >
> > > Where is the best place to create this integration? Is there a way to
> > > create a hook for this purpose? Should we create an extension?
> > >
> > > Any help is welcome.
> > >
> > > Thank you in advance.
> > >
> > > Best regards,
> > >
> > > Paulo Angelo
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Att,
Paulo Angelo
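
One way to capture the client IP and the outcome of each login attempt, as an added example that is not code from this thread or from the Keycloak or GuardianKey projects: a Keycloak event listener that reads both from LOGIN and LOGIN_ERROR events instead of looking up a user session or the flow status inside the authenticator. `LoginAttemptListener` and `AttemptSink` are hypothetical names, and the sink stands in for the REST call to GuardianKey.

```java
import org.keycloak.events.Details;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;

import java.util.Map;

// Added example: hypothetical listener, not GuardianKey or Keycloak project code.
public class LoginAttemptListener implements EventListenerProvider {

    /** Hypothetical sink standing in for the REST call to GuardianKey. */
    public interface AttemptSink {
        void send(String username, String clientIp, boolean failed, String error);
    }

    private final AttemptSink sink;

    public LoginAttemptListener(AttemptSink sink) {
        this.sink = sink;
    }

    @Override
    public void onEvent(Event event) {
        EventType type = event.getType();
        if (type != EventType.LOGIN && type != EventType.LOGIN_ERROR) {
            return; // only login attempts are reported
        }
        boolean failed = (type == EventType.LOGIN_ERROR);

        // Details may be absent; fall back to the internal user id, which may also be null.
        Map<String, String> details = event.getDetails();
        String username = (details != null) ? details.get(Details.USERNAME) : null;
        if (username == null) {
            username = event.getUserId();
        }

        // Behind a reverse proxy this is the proxy's address unless
        // forwarded headers are configured on the server.
        sink.send(username, event.getIpAddress(), failed, event.getError());
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // Admin console events are not login attempts; nothing to report.
    }

    @Override
    public void close() {
        // No resources held by this listener.
    }
}
```

Deploying it also needs an EventListenerProviderFactory and the listener enabled in the realm's event settings. A listener only observes attempts, so allowing or denying access still belongs in an authenticator.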