6.4. JavaScript Providers
Red Hat Single Sign-On has the ability to execute scripts during runtime in order to allow administrators to customize specific functionalities:
- Authenticator
- JavaScript Policy
- OpenID Connect Protocol Mapper
6.4.1. Authenticator
Authentication scripts must provide at least one of the following functions: authenticate(..), which is called from Authenticator#authenticate(AuthenticationFlowContext)action(..), which is called from Authenticator#action(AuthenticationFlowContext)
Custom Authenticator should at least provide the authenticate(..) function. You can use the javax.script.Bindings script within the code.
script-
the
ScriptModelto access script metadata realm-
the
RealmModel user-
the current
UserModel session-
the active
KeycloakSession authenticationSession-
the current
AuthenticationSessionModel httpRequest-
the current
org.jboss.resteasy.spi.HttpRequest LOG-
a
org.jboss.logging.Loggerscoped toScriptBasedAuthenticator
注記
You can extract additional context information from the context argument passed to the authenticate(context) action(context) function.
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
function authenticate(context) {
LOG.info(script.name + " --> trace auth for: " + user.username);
if ( user.username === "tester"
&& user.getAttribute("someAttribute")
&& user.getAttribute("someAttribute").contains("someValue")) {
context.failure(AuthenticationFlowError.INVALID_USER);
return;
}
context.success();
}