feat: Draft to support access restrictions in credential reset flow

see #121

docker-compose.yml

@@ -16,3 +16,8 @@ services:
  volumes:
  - ./target/keycloak-restrict-client-auth.jar:/opt/keycloak/providers/keycloak-restrict-client-auth.jar
  - ./src/test/resources/:/tmp/import
+ mail:
+ container_name: mail
+ image: maildev/maildev
+ ports:
+ - 1080:1080

src/main/java/de/sventorben/keycloak/authorization/client/RestrictClientAuthAuthenticator.java

@@ -1,6 +1,7 @@
 package de.sventorben.keycloak.authorization.client;
 
 import de.sventorben.keycloak.authorization.client.access.AccessProvider;
+import de.sventorben.keycloak.authorization.client.access.AccessProviderResolver;
 import de.sventorben.keycloak.authorization.client.access.role.ClientRoleBasedAccessProviderFactory;
 import org.jboss.logging.Logger;
 import org.keycloak.authentication.AuthenticationFlowContext;
@@ -31,7 +32,7 @@ public void authenticate(final AuthenticationFlowContext context) {
  final ClientModel client = context.getSession().getContext().getClient();
  final RestrictClientAuthConfig config = new RestrictClientAuthConfig(context.getAuthenticatorConfig());
 
- final AccessProvider access = getAccessProvider(context, config);
+ final AccessProvider access = new AccessProviderResolver(config).resolve(context);
 
  if (!access.isRestricted(client)) {
  context.success();
@@ -51,37 +52,6 @@ public void authenticate(final AuthenticationFlowContext context) {
  }
  }
 
- private AccessProvider getAccessProvider(AuthenticationFlowContext context, RestrictClientAuthConfig config) {
- final String accessProviderId = config.getAccessProviderId();
-
- if (accessProviderId != null) {
- AccessProvider accessProvider = context.getSession().getProvider(AccessProvider.class, accessProviderId);
- if (accessProvider == null) {
- LOG.warnf(
- "Configured access provider '%s' in authenticator config '%s' does not exist.",
- accessProviderId, config.getAuthenticatorConfigAlias());
- } else {
- LOG.tracef(
- "Using access provider '%s' in authenticator config '%s'.",
- accessProviderId, config.getAuthenticatorConfigAlias());
- return accessProvider;
- }
- }
-
- final AccessProvider defaultProvider = context.getSession().getProvider(AccessProvider.class);
- if (defaultProvider != null) {
- LOG.debugf(
- "No access provider is configured in authenticator config '%s'. Using server-wide default provider '%s'",
- config.getAuthenticatorConfigAlias(), defaultProvider);
- return defaultProvider;
- }
-
- LOG.infof(
- "Neither an access provider is configured in authenticator config '%s' nor has a server-wide default provider been set. Using '%s' as a fallback.",
- config.getAuthenticatorConfigAlias(), ClientRoleBasedAccessProviderFactory.PROVIDER_ID);
- return context.getSession().getProvider(AccessProvider.class, ClientRoleBasedAccessProviderFactory.PROVIDER_ID);
- }
-
  private Response errorResponse(AuthenticationFlowContext context, RestrictClientAuthConfig config) {
  Response response;
  if (MediaTypeMatcher.isHtmlRequest(context.getHttpRequest().getHttpHeaders())) {

src/main/java/de/sventorben/keycloak/authorization/client/RestrictClientAuthAuthenticatorFactory.java

@@ -32,7 +32,7 @@ public final class RestrictClientAuthAuthenticatorFactory implements Authenticat
 
  @Override
  public String getDisplayType() {
- return "Restrict user authentication on clients";
+ return "Restrict user authentication on clients (via Authenticator)";
  }
 
  @Override
@@ -57,7 +57,7 @@ public boolean isUserSetupAllowed() {
 
  @Override
  public String getHelpText() {
- return "Restricts user authentication on clients based on an access provider";
+ return "Restricts user authentication on clients based on an access provider. Access will be denied during authenticator execution.";
  }
 
  @Override

src/main/java/de/sventorben/keycloak/authorization/client/RestrictClientAuthConfig.java

@@ -13,7 +13,7 @@ public final class RestrictClientAuthConfig {
 
  private final AuthenticatorConfigModel authenticatorConfigModel;
 
- RestrictClientAuthConfig(AuthenticatorConfigModel configModel) {
+ public RestrictClientAuthConfig(AuthenticatorConfigModel configModel) {
  this.authenticatorConfigModel = configModel;
  }
 
@@ -31,7 +31,7 @@ public String getAccessProviderId() {
  .orElse(ClientRoleBasedAccessProviderFactory.PROVIDER_ID);
  }
 
- String getAuthenticatorConfigAlias() {
+ public String getAuthenticatorConfigAlias() {
  return Optional.ofNullable(authenticatorConfigModel)
  .map(AuthenticatorConfigModel::getAlias)
  .orElse(null);

src/main/java/de/sventorben/keycloak/authorization/client/access/AccessProviderResolver.java

@@ -0,0 +1,48 @@
+package de.sventorben.keycloak.authorization.client.access;
+
+import de.sventorben.keycloak.authorization.client.RestrictClientAuthConfig;
+import de.sventorben.keycloak.authorization.client.access.role.ClientRoleBasedAccessProviderFactory;
+import org.jboss.logging.Logger;
+import org.keycloak.authentication.AuthenticationFlowContext;
+
+public final class AccessProviderResolver {
+
+ private static final Logger LOG = Logger.getLogger(AccessProviderResolver.class);
+
+ private final RestrictClientAuthConfig config;
+
+ public AccessProviderResolver(RestrictClientAuthConfig config) {
+ this.config = config;
+ }
+
+ public AccessProvider resolve(AuthenticationFlowContext context) {
+ final String accessProviderId = config.getAccessProviderId();
+
+ if (accessProviderId != null) {
+ AccessProvider accessProvider = context.getSession().getProvider(AccessProvider.class, accessProviderId);
+ if (accessProvider == null) {
+ LOG.warnf(
+ "Configured access provider '%s' in authenticator config '%s' does not exist.",
+ accessProviderId, config.getAuthenticatorConfigAlias());
+ } else {
+ LOG.tracef(
+ "Using access provider '%s' in authenticator config '%s'.",
+ accessProviderId, config.getAuthenticatorConfigAlias());
+ return accessProvider;
+ }
+ }
+
+ final AccessProvider defaultProvider = context.getSession().getProvider(AccessProvider.class);
+ if (defaultProvider != null) {
+ LOG.debugf(
+ "No access provider is configured in authenticator config '%s'. Using server-wide default provider '%s'",
+ config.getAuthenticatorConfigAlias(), defaultProvider);
+ return defaultProvider;
+ }
+
+ LOG.infof(
+ "Neither an access provider is configured in authenticator config '%s' nor has a server-wide default provider been set. Using '%s' as a fallback.",
+ config.getAuthenticatorConfigAlias(), ClientRoleBasedAccessProviderFactory.PROVIDER_ID);
+ return context.getSession().getProvider(AccessProvider.class, ClientRoleBasedAccessProviderFactory.PROVIDER_ID);
+ }
+}

src/main/java/de/sventorben/keycloak/authorization/client/requiredactions/RestrictAccessRequiredAction.java

@@ -0,0 +1,43 @@
+package de.sventorben.keycloak.authorization.client.requiredactions;
+
+import org.keycloak.authentication.InitiatedActionSupport;
+import org.keycloak.authentication.RequiredActionContext;
+import org.keycloak.authentication.RequiredActionProvider;
+import org.keycloak.services.messages.Messages;
+import org.keycloak.sessions.AuthenticationSessionModel;
+
+import javax.ws.rs.core.Response;
+
+public class RestrictAccessRequiredAction implements RequiredActionProvider {
+
+ @Override
+ public InitiatedActionSupport initiatedActionSupport() {
+ return InitiatedActionSupport.SUPPORTED;
+ }
+
+ @Override
+ public void evaluateTriggers(RequiredActionContext requiredActionContext) {
+ }
+
+ @Override
+ public void requiredActionChallenge(RequiredActionContext requiredActionContext) {
+ requiredActionContext.challenge(htmlErrorResponse(requiredActionContext));
+ }
+
+ @Override
+ public void processAction(RequiredActionContext requiredActionContext) {
+ }
+
+ private Response htmlErrorResponse(RequiredActionContext context) {
+ AuthenticationSessionModel authSession = context.getAuthenticationSession();
+ return context.form()
+ .setError(Messages.ACCESS_DENIED, authSession.getAuthenticatedUser().getUsername(),
+ authSession.getClient().getClientId())
+ .createErrorPage(Response.Status.FORBIDDEN);
+ }
+
+ @Override
+ public void close() {
+
+ }
+}

src/main/java/de/sventorben/keycloak/authorization/client/requiredactions/RestrictAccessRequiredActionFactory.java

@@ -0,0 +1,56 @@
+package de.sventorben.keycloak.authorization.client.requiredactions;
+
+import de.sventorben.keycloak.authorization.client.common.OperationalInfo;
+import org.keycloak.Config;
+import org.keycloak.authentication.InitiatedActionSupport;
+import org.keycloak.authentication.RequiredActionContext;
+import org.keycloak.authentication.RequiredActionFactory;
+import org.keycloak.authentication.RequiredActionProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ServerInfoAwareProviderFactory;
+import org.keycloak.services.messages.Messages;
+import org.keycloak.sessions.AuthenticationSessionModel;
+
+import javax.ws.rs.core.Response;
+import java.util.Map;
+
+public class RestrictAccessRequiredActionFactory implements RequiredActionFactory, ServerInfoAwareProviderFactory {
+
+ static final String PROVIDER_ID = "RESTRICT_CLIENT_AUTH_DENY_ACCESS";
+
+ @Override
+ public String getDisplayText() {
+ return "Restrict user authentication on clients";
+ }
+
+ @Override
+ public RequiredActionProvider create(KeycloakSession keycloakSession) {
+ return new RestrictAccessRequiredAction();
+ }
+
+ @Override
+ public void init(Config.Scope scope) {
+
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
+
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+
+ @Override
+ public Map<String, String> getOperationalInfo() {
+ return OperationalInfo.get();
+ }
+}

src/main/java/de/sventorben/keycloak/authorization/client/requiredactions/RestrictClientAuthRequiredActionAuthenticator.java

@@ -0,0 +1,98 @@
+package de.sventorben.keycloak.authorization.client.requiredactions;
+
+import de.sventorben.keycloak.authorization.client.RestrictClientAuthConfig;
+import de.sventorben.keycloak.authorization.client.access.AccessProvider;
+import de.sventorben.keycloak.authorization.client.access.AccessProviderResolver;
+import de.sventorben.keycloak.authorization.client.common.OperationalInfo;
+import org.jboss.logging.Logger;
+import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.authentication.AuthenticationFlowError;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.authentication.authenticators.resetcred.AbstractSetRequiredActionAuthenticator;
+import org.keycloak.events.Errors;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.credential.PasswordCredentialModel;
+import org.keycloak.provider.ServerInfoAwareProviderFactory;
+import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
+import org.keycloak.services.messages.Messages;
+import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.utils.MediaTypeMatcher;
+
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.Map;
+
+public final class RestrictClientAuthRequiredActionAuthenticator extends AbstractSetRequiredActionAuthenticator implements ServerInfoAwareProviderFactory {
+
+ private static final Logger LOG = Logger.getLogger(RestrictClientAuthRequiredActionAuthenticator.class);
+
+ private static final String PROVIDER_ID = "restrict-client-auth-action-auth";
+
+ public RestrictClientAuthRequiredActionAuthenticator() {}
+
+ @Override
+ public void authenticate(final AuthenticationFlowContext context) {
+
+ if (context.getExecution().isRequired()) {
+
+ final ClientModel client = context.getSession().getContext().getClient();
+ final RestrictClientAuthConfig config = new RestrictClientAuthConfig(context.getAuthenticatorConfig());
+
+ final AccessProvider access = new AccessProviderResolver(config).resolve(context);
+
+ final UserModel user = context.getUser();
+ if (access.isRestricted(client) && !access.isPermitted(client, user)) {
+ context.getAuthenticationSession().addRequiredAction(RestrictAccessRequiredActionFactory.PROVIDER_ID);
+ }
+ }
+
+ context.success();
+ }
+
+ @Override
+ public void action(AuthenticationFlowContext context) {
+ LOG.warn("Action called!");
+ context.failure(AuthenticationFlowError.ACCESS_DENIED);
+ }
+
+ @Override
+ public boolean requiresUser() {
+ return true;
+ }
+
+ @Override
+ public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
+ return true;
+ }
+
+ @Override
+ public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
+ }
+
+ @Override
+ public void close() {
+ }
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+
+ @Override
+ public Map<String, String> getOperationalInfo() {
+ return OperationalInfo.get();
+ }
+
+ @Override
+ public String getDisplayType() {
+ return "Restrict user authentication on clients (via required action)";
+ }
+
+ @Override
+ public String getHelpText() {
+ return "Restricts user authentication on clients based on an access provider. Should be used in reset credentials flow. Access will be denied during required action evaluation.";
+ }
+}

src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory

@@ -1 +1,2 @@
 de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticatorFactory
+de.sventorben.keycloak.authorization.client.requiredactions.RestrictClientAuthRequiredActionAuthenticator

src/main/resources/META-INF/services/org.keycloak.authentication.RequiredActionFactory

@@ -0,0 +1 @@
+de.sventorben.keycloak.authorization.client.requiredactions.RestrictAccessRequiredActionFactory