Commit c05413fb authored by Johaney-s's avatar Johaney-s

IdP check in custom authenticator

We can set override option for first broker login per IdP in Keycloak
but as VO membership can expire anytime, we need to check for entitlements
also in other flows (browser, etc.), which cannot be overridden in the IdP's configuration
directly. Therefore this check needs to be in the code.
parent 2d379072
...@@ -17,7 +17,6 @@ import org.slf4j.LoggerFactory; ...@@ -17,7 +17,6 @@ import org.slf4j.LoggerFactory;
import jakarta.ws.rs.core.Response; import jakarta.ws.rs.core.Response;
import java.util.List;
import java.util.Map; import java.util.Map;
import static org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE; import static org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE;
...@@ -30,6 +29,7 @@ public class CustomAuthenticator implements Authenticator { ...@@ -30,6 +29,7 @@ public class CustomAuthenticator implements Authenticator {
private final static String EDU_PERSON_ENTITLEMENT = "eduperson_entitlement"; private final static String EDU_PERSON_ENTITLEMENT = "eduperson_entitlement";
private final static String REQUIRED_ENTITLEMENT = "urn:mace:egi.eu:group:eval.c-scale.eu:role=member#aai.egi.eu"; private final static String REQUIRED_ENTITLEMENT = "urn:mace:egi.eu:group:eval.c-scale.eu:role=member#aai.egi.eu";
private final static String REDIRECT_URL = "https://perun.egi.eu/egi/registrar/?vo=eval.c-scale.eu"; private final static String REDIRECT_URL = "https://perun.egi.eu/egi/registrar/?vo=eval.c-scale.eu";
private final static String IDP_ALIAS = "egicheckin";
private final KeycloakSession session; private final KeycloakSession session;
...@@ -54,6 +54,13 @@ public class CustomAuthenticator implements Authenticator { ...@@ -54,6 +54,13 @@ public class CustomAuthenticator implements Authenticator {
} }
BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), authSession); BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), authSession);
String idpAlias = brokerContext.getIdp().getConfig().getAlias();
if (!IDP_ALIAS.equals(idpAlias)) {
context.success();
return;
}
Map<String, Object> contextData = brokerContext.getContextData(); Map<String, Object> contextData = brokerContext.getContextData();
if (contextData != null && contextData.containsKey(USER_INFO) && contextData.get(USER_INFO) != null) { if (contextData != null && contextData.containsKey(USER_INFO) && contextData.get(USER_INFO) != null) {
Object userInfo = contextData.get(USER_INFO); Object userInfo = contextData.get(USER_INFO);
...@@ -62,6 +69,7 @@ public class CustomAuthenticator implements Authenticator { ...@@ -62,6 +69,7 @@ public class CustomAuthenticator implements Authenticator {
JsonNode entitlementsNode = userInfoNode.get(EDU_PERSON_ENTITLEMENT); JsonNode entitlementsNode = userInfoNode.get(EDU_PERSON_ENTITLEMENT);
if (entitlementsNode != null && entitlementsNode.isArray()) { if (entitlementsNode != null && entitlementsNode.isArray()) {
for (JsonNode entitlement : entitlementsNode) { for (JsonNode entitlement : entitlementsNode) {
log.warn("EGI custom - entitlement: " + entitlement.asText());
if (entitlement.asText().equals(REQUIRED_ENTITLEMENT)) { if (entitlement.asText().equals(REQUIRED_ENTITLEMENT)) {
log.debug("EGI custom authenticator - entitlement found, user authenticated."); log.debug("EGI custom authenticator - entitlement found, user authenticated.");
context.success(); context.success();
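Review bot: The alias gate added at the top of the third hunk is fail-open: any brokered login whose IdP alias differs from the hard-coded `egicheckin` goes straight to `context.success()` and never has its entitlements inspected, so renaming the EGI Check-in provider or adding a second provider to the realm silently removes the VO-membership requirement this commit is meant to enforce in every flow. Because the alias is realm configuration rather than a property of the code, I'd read it from the authenticator's config with `IDP_ALIAS` as the fallback, and at minimum record the bypass before the early return, e.g. `log.debug("EGI custom authenticator - IdP '{}' is not '{}', skipping entitlement check", idpAlias, IDP_ALIAS);`. Separately, the new `log.warn("EGI custom - entitlement: " + entitlement.asText())` in the last hunk writes every group membership of every user to the log at WARN — that is personal data and is inconsistent with the adjacent `log.debug` on success — so change it to `log.debug("EGI custom authenticator - entitlement: {}", entitlement.asText());` or drop it. The method these hunks modify begins before the first visible hunk line, so I cannot see how the path without a brokered context is handled.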