Keycloak: only allow existing users to log in through an identity provider (see https://github.com/keycloak/keycloak/pull/7540)
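// Java classes this authenticator needs, resolved through Nashorn's Java.type.
// Declared with `var` (as IdpUserMustExists already is) so the script does not
// rely on implicit-global assignment, which fails under strict mode.
var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
var ServicesLogger = Java.type("org.keycloak.services.ServicesLogger");
var AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
var IdpCreateUserIfUniqueAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator");
// Nashorn adapter type for the built-in "create user if unique" authenticator.
// Instances are created with the `new IdpUserMustExists() { ... }` anonymous
// subclass form so that Java.super() can reach the parent implementation.
var IdpUserMustExists = Java.extend(IdpCreateUserIfUniqueAuthenticator);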
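/**
 * Entry point called by Keycloak's script authenticator for a brokered login.
 *
 * Follows the same steps as IdpCreateUserIfUniqueAuthenticator (already
 * resolved user -> attempted; no username -> reset flow and enforce profile
 * update; existing local account -> record it and mark attempted), but where
 * the parent would create a new local account this version fails the flow
 * with INVALID_USER. Net effect: an identity-provider login only succeeds for
 * a user that already exists in the realm; no account is auto-provisioned.
 *
 * @param {AuthenticationFlowContext} context - flow context supplied by Keycloak
 */
function authenticate(context) {
  // Nashorn anonymous-subclass syntax: the object literal after the constructor
  // call overrides authenticateImpl, and Java.super(auth) exposes the parent's
  // own implementation of the helpers used below.
  var auth = new IdpUserMustExists() {
    authenticateImpl: function(context, serializedCtx, brokerContext) {
      var parent = Java.super(auth);
      var realm = context.getRealm();
      var authSession = context.getAuthenticationSession();

      // EXISTING_USER_INFO is already recorded in the auth session: the
      // matching user has been resolved, so there is nothing left to do here.
      if (authSession.getAuthNote(AbstractIdpAuthenticator.EXISTING_USER_INFO) != null) {
        context.attempted();
        return;
      }

      // Same handling as the parent: without a username the flow is reset and
      // the profile-update requirement is flagged.
      var username = parent.getUsername(context, serializedCtx, brokerContext);
      if (username == null) {
        ServicesLogger.LOGGER.resetFlow(realm.isRegistrationEmailAsUsername() ? "Email" : "Username");
        authSession.setAuthNote(AbstractIdpAuthenticator.ENFORCE_UPDATE_PROFILE, "true");
        context.resetFlow();
        return;
      }

      // Parent's lookup of an existing local account for this brokered
      // identity; null means no match was found.
      var duplication = parent.checkExistingUser(context, username, serializedCtx, brokerContext);
      if (duplication == null) {
        // Deviation from the parent: no account is created, the login fails.
        // The username logged here is the one derived from the brokered
        // identity (getUsername above), i.e. data originating from the
        // external identity provider.
        // NOTE(review): LOG is assumed to be the logger binding Keycloak
        // provides to script authenticators - confirm for the deployment.
        LOG.info("user not found " + username);
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
      }

      authSession.setAuthNote(AbstractIdpAuthenticator.EXISTING_USER_INFO, duplication.serialize());
      context.attempted();
    }
  };
  auth.authenticate(context);
}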
{ | |
"authenticators": [ | |
{ | |
"name": "User must exists", | |
"fileName": "auth-user-must-exists.js", | |
"description": "User must exists" | |
} | |
] | |
} |
I'm trying to add your script to Keycloak, but I'm wondering how it works, since this is not valid JavaScript:
var auth = new IdpUserMustExists() { authenticateImpl: function(context, serializedCtx, brokerContext) { var parent = Java.super(auth)
The colon after `authenticateImpl` doesn't seem to be allowed at this location. How could this work? What am I missing here?
I can't explain it in detail, but see the reference here: https://stackoverflow.com/questions/24136339/get-extended-java-class-from-nashorn
It is a Nashorn "feature".