[keycloak-user] Possibility to set new Provider in authentication flow for non-unique usernames
Dominik Guhr
pinguwien at gmail.com
Wed Jan 24 06:52:58 EST 2018
p.s. one provider uses Kerberos for Authentication, other does not.
On 24.01.18 at 12:51, Dominik Guhr wrote:
> So, further investigation notes:
>
> I think I should call the Provider like it's done here:
> https://github.com/keycloak/keycloak/blob/master/examples/providers/user-storage-jpa/src/main/java/org/keycloak/examples/storage/user/EjbExampleUserStorageProviderFactory.java
> in the create method, which allows me to call the corresponding
> isValid(...) method of the required providers and only set the boolean
> return value of validatePassword to false if the credentials don't
> match in any of the providers.
>
> But to call this for ldap-providers set by admin interface, I need two
> things:
>
> a) a ComponentModel.
> Concrete Question: Anyone knows how to get the right ComponentModel
> instance to use from my AuthenticationFlowContext of
> AbstractUsernameFormAuthenticator.java? I've seen that it's possible to
> get a List of ComponentModels by calling
> context.getRealm().getComponents(), or by getComponent(String s), but I
> don't know which String would be the valid parameter or which Model I
> should take out of the List.
>
> b) the lookup path.
> Concrete question 2: Anyone knows how to get it from the internally used
> Factories or something similar?
>
> My Providers are 2 ldap directories which I want to iterate over for the
> username.
>
> Thanks in advance!
>
> Best regards,
> Dominik
>
> On 24.01.18 at 09:27, Dominik Guhr wrote:
>> Hi everyone,
>>
>> I'm implementing an authentication SPI execution on top of the
>> "normal" username/password form of kc 3.4.3.Final. ->
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java
>>
>>
>> Sadly, usernames are not unique atm, so I need to change the
>> execution, so that it doesn't stop with "invalid credentials" for a
>> user who was found in one Provider.
>>
>> Instead of giving the "invalid credentials"-error, I want my execution
>> to first check all other providers for the same username, and then
>> check the credentials against all matches. And just in case of no
>> credentials matching, it should fail, or login a new session for this
>> user when one is found in any of my (3) Providers, which are added by
>> user federation feature (2 ADs, one by a custom user storage SPI).
>>
>> So I drilled it down to the method validatePassword(...) in
>> AbstractUsernameFormAuthenticator.java ->
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
>> line 191, which I want to change accordingly. Sadly, I can't find a
>> method to get all Providers of the realm and check accordingly. The
>> code I want to change is:
>>
>> if (password != null && !password.isEmpty() &&
>>         context.getSession().userCredentialManager().isValid(context.getRealm(),
>>                 user, credentials)) {
>>     return true;
>> } else {...}
>>
>> Instead of just checking isValid() for one provider, which is what
>> this does atm, I want to check all Providers. Like this pseudocode:
>>
>> if (password != null && !password.isEmpty()) {
>>     boolean isValid = false;
>>     List<Provider> realmProviders = context.getAllProviders();
>>     for (Provider provider : realmProviders) {
>>         // accept as soon as any provider validates the credentials
>>         isValid = isValid || provider.isValid(...);
>>     }
>>     return isValid;
>> } else {...}
>> Could anyone perhaps give me a hint on how to achieve this? I haven't
>> found a method yet to get all Providers and check for isValid in any
>> of the given ones.
>>
>> Best regards,
>> Dominik
>>
>> p.s. I created a stackoverflow question here:
>> https://stackoverflow.com/questions/48399622/keycloak-check-password-in-more-than-one-identity-provider
>> feel free to comment/answer there :)
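One way to answer both questions in the quoted messages (which ComponentModels to take, and how to get a provider instance from them) is sketched below. This is an added example, not code from the thread or from Keycloak itself; it assumes the Keycloak 3.4-era SPI types named in the imports, and the helper names findCredentialMatches and instantiate are hypothetical.

```java
// Added example (not from the thread or Keycloak): assumes Keycloak 3.4-era SPI types;
// the helper names findCredentialMatches and instantiate are hypothetical.
import java.util.ArrayList;
import java.util.List;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;
import org.keycloak.storage.user.UserLookupProvider;

public final class MultiProviderCredentialCheck {
    // Every user found under this username in any user storage component of the realm
    // whose store also accepts the password. Zero matches -> invalid credentials;
    // more than one -> ambiguous, the caller must not silently pick one.
    public static List<UserModel> findCredentialMatches(KeycloakSession session, RealmModel realm,
                                                        String username, String password) {
        List<UserModel> matches = new ArrayList<>();
        // The ComponentModels asked about in the thread: all "User Federation" entries
        // (LDAP/AD ones created in the admin console and custom storage SPIs alike).
        for (ComponentModel model : realm.getComponents(realm.getId(), UserStorageProvider.class.getName())) {
            UserStorageProvider provider = instantiate(session, model);
            session.enlistForClose(provider); // closed with the session, as UserStorageManager does
            if (!(provider instanceof UserLookupProvider) || !(provider instanceof CredentialInputValidator)) {
                continue; // store cannot look up by username or cannot validate passwords
            }
            UserModel user = ((UserLookupProvider) provider).getUserByUsername(username, realm);
            if (user == null) {
                continue; // username not present in this store
            }
            CredentialInputValidator validator = (CredentialInputValidator) provider;
            if (validator.supportsCredentialType(UserCredentialModel.PASSWORD)
                    && validator.isValid(realm, user, UserCredentialModel.password(password))) {
                matches.add(user);
            }
        }
        return matches;
    }

    // Provider instance for a ComponentModel: its factory is registered under the model's providerId.
    private static UserStorageProvider instantiate(KeycloakSession session, ComponentModel model) {
        UserStorageProviderFactory<?> factory = (UserStorageProviderFactory<?>)
                session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, model.getProviderId());
        return factory.create(session, model);
    }
}
```

Each matched UserModel carries its federation link, so the authenticator can bind the new session to exactly the account whose store accepted the password rather than to whichever user the single getUserByUsername call returned first. Keep in mind that the LDAP provider's lookup imports the entry into Keycloak's local store, so iterating all providers on every login attempt is not a read-only operation.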