@Override public boolean validCredentials( RealmModel realm, UserModel user, List<UserCredentialModel> input) { UserFederationProvider link = getFederationLink(realm, user); if (link != null) { validateUser(realm, user); Set<String> supportedCredentialTypes = link.getSupportedCredentialTypes(user); if (supportedCredentialTypes.size() > 0) { List<UserCredentialModel> fedCreds = new ArrayList<UserCredentialModel>(); List<UserCredentialModel> localCreds = new ArrayList<UserCredentialModel>(); for (UserCredentialModel cred : input) { if (supportedCredentialTypes.contains(cred.getType())) { fedCreds.add(cred); } else { localCreds.add(cred); } } if (!link.validCredentials(realm, user, fedCreds)) { return false; } return session.userStorage().validCredentials(realm, user, localCreds); } } return session.userStorage().validCredentials(realm, user, input); }
/** * Is the user configured to use this credential type * * @return */ public boolean configuredForCredentialType(String type, RealmModel realm, UserModel user) { UserFederationProvider link = getFederationLink(realm, user); if (link != null) { Set<String> supportedCredentialTypes = link.getSupportedCredentialTypes(user); if (supportedCredentialTypes.contains(type)) return true; } if (UserCredentialModel.isOtp(type)) { if (!user.isOtpEnabled()) return false; } List<UserCredentialValueModel> creds = user.getCredentialsDirectly(); for (UserCredentialValueModel cred : creds) { if (cred.getType().equals(type)) { if (UserCredentialModel.isOtp(type)) { OTPPolicy otpPolicy = realm.getOTPPolicy(); if (!cred.getAlgorithm().equals(otpPolicy.getAlgorithm()) || cred.getDigits() != otpPolicy.getDigits()) { return false; } if (type.equals(UserCredentialModel.TOTP) && cred.getPeriod() != otpPolicy.getPeriod()) { return false; } } return true; } } return false; }
public void updateCredential(RealmModel realm, UserModel user, UserCredentialModel credential) { if (credential.getType().equals(UserCredentialModel.PASSWORD)) { if (realm.getPasswordPolicy() != null) { PasswordPolicy.Error error = realm.getPasswordPolicy().validate(user, credential.getValue()); if (error != null) throw new ModelException(error.getMessage(), error.getParameters()); } } user.updateCredential(credential); }
@Override public void config( RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { UserModel user = appRealm.getUser("test-user@localhost"); ApplicationModel accountApp = appRealm .getApplicationNameMap() .get(org.keycloak.models.Constants.ACCOUNT_APPLICATION); for (String r : accountApp.getDefaultRoles()) { accountApp.grantRole(user, accountApp.getRole(r)); } UserModel user2 = appRealm.addUser("test-user-no-access@localhost"); user2.setEnabled(true); UserCredentialModel creds = new UserCredentialModel(); creds.setType(CredentialRepresentation.PASSWORD); creds.setValue("password"); appRealm.updateCredential(user2, creds); }
@Override public CredentialValidationOutput validCredentials( RealmModel realm, UserCredentialModel... input) { List<UserFederationProviderModel> fedProviderModels = realm.getUserFederationProviders(); List<UserFederationProvider> fedProviders = new ArrayList<UserFederationProvider>(); for (UserFederationProviderModel fedProviderModel : fedProviderModels) { fedProviders.add(getFederationProvider(fedProviderModel)); } CredentialValidationOutput result = null; for (UserCredentialModel cred : input) { UserFederationProvider providerSupportingCreds = null; // Find first provider, which supports required credential type for (UserFederationProvider fedProvider : fedProviders) { if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) { providerSupportingCreds = fedProvider; break; } } if (providerSupportingCreds == null) { logger.warn("Don't have provider supporting credentials of type " + cred.getType()); return CredentialValidationOutput.failed(); } logger.debug( "Found provider [" + providerSupportingCreds + "] supporting credentials of type " + cred.getType()); CredentialValidationOutput currentResult = providerSupportingCreds.validCredentials(realm, cred); result = (result == null) ? currentResult : result.merge(currentResult); } // For now, validCredentials(realm, input) is not supported for local userProviders return (result != null) ? result : CredentialValidationOutput.failed(); }