keycloak-uncached

KEYCLOAK-3969 Allow use of ScriptAuthenticator without user Previously …

12/4/2016 8:15:53 PM

ScriptAuthenticator required a user to be authenticated
before it could be used as an additional authentication step which
limited the scenarios the authenticator could be used.

We now allow ScriptAuthenticators to be used without requiring an
user to be authenticated before.
Adapted the authenticator-template.js with a null safe username check.

Note that existing custom ScriptAuthenticators might need some additional
null checks since the user can now be undefined.

Thomas Darimont

Commit: 8610a02

Tree: 2b982c3

Parents: d7df86d

Changes

services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java 11(+8 -3)

services/src/main/resources/scripts/authenticator-template.js 3(+2 -1)

Details

services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java 11(+8 -3)

diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java
index 9bff3f9..6ab2907 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java
@@ -52,6 +52,10 @@ import java.util.Map;
  * </ol>
  * </p>
  * <p>
+ * Note that the {@code user} variable is only defined when the user was identified by a preceeding
+ * authentication step, e.g. by the {@link UsernamePasswordForm} authenticator.
+ * </p>
+ * <p>
  * Additional context information can be extracted from the {@code context} argument passed to the {@code authenticate(context)}
  * or {@code action(context)} function.
  * <p>
@@ -63,9 +67,10 @@ import java.util.Map;
  *
  *   function authenticate(context) {
  *
- *     LOG.info(script.name + " --> trace auth for: " + user.username);
+ *     var username = user ? user.username : "anonymous";
+ *     LOG.info(script.name + " --> trace auth for: " + username);
  *
- *     if (   user.username === "tester"
+ *     if (   username === "tester"
  *         && user.getAttribute("someAttribute")
  *         && user.getAttribute("someAttribute").contains("someValue")) {
  *
@@ -160,7 +165,7 @@ public class ScriptBasedAuthenticator implements Authenticator {
 
     @Override
     public boolean requiresUser() {
-        return true;
+        return false;
     }
 
     @Override

services/src/main/resources/scripts/authenticator-template.js 3(+2 -1)

diff --git a/services/src/main/resources/scripts/authenticator-template.js b/services/src/main/resources/scripts/authenticator-template.js
index 73bb124..20de702 100644
--- a/services/src/main/resources/scripts/authenticator-template.js
+++ b/services/src/main/resources/scripts/authenticator-template.js
@@ -24,7 +24,8 @@ AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationF
  */
 function authenticate(context) {
 
-    LOG.info(script.name + " trace auth for: " + user.username);
+    var username = user ? user.username : "anonymous";
+    LOG.info(script.name + " trace auth for: " + username);
 
     var authShouldFail = false;
     if (authShouldFail) {