Keycloak / KEYCLOAK-12854

Authenticated user in Script Authenticator is null

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 8.0.1
    • Fix Version/s: 8.0.2
    • Component/s: Authentication
    • Labels:
      None
    • Steps to Reproduce:
      Create a new Web flow and deploy the above Script Authenticator.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      The authenticated user in the Script Authenticator is no longer available (it is null). Trying to access the authenticated user through the authenticationSession also returns null.

      As a result, e.g. the following Script Authenticator that blocks access in Web Flow based on role membership, fails when upgrading from Keycloak 7.0.0 to 8.0.1:

        // import enum for error lookup
        AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
      
        /**
         * The following variables are available for convenience:
         * user - current user {@see org.keycloak.models.UserModel}
         * realm - current realm {@see org.keycloak.models.RealmModel}
         * session - current KeycloakSession {@see org.keycloak.models.KeycloakSession}
         * httpRequest - current HttpRequest {@see org.jboss.resteasy.spi.HttpRequest}
         * script - current script {@see org.keycloak.models.ScriptModel}
         * authenticationSession - current authentication session {@see org.keycloak.sessions.AuthenticationSessionModel}
         * LOG - current logger {@see org.jboss.logging.Logger}
         *
         * One can extract current http request headers via:
         * httpRequest.getHttpHeaders().getHeaderString("Forwarded")
         */
        function authenticate(context) {
            var authSuccess = user.hasRole(realm.getRole("WEB_LOGIN"));
            if (!authSuccess) {
                context.failure(AuthenticationFlowError.INVALID_USER);
                return;
            }
      
            context.success();
        }
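
Added example, not part of the original issue or Keycloak's own code: the same role gate written to fail closed when no user is available, reading the user through `context.getUser()` instead of the injected `user` binding. The mock context and the helper names (`mockContext`, `mockUser`, `outcomeFor`) are constructed so the script runs outside Keycloak; whether `context.getUser()` is populated on an affected 8.0.1 flow is an assumption the issue does not confirm.

```javascript
// Inside Keycloak the enum comes from Java.type; outside it a constructed stand-in is used.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { INVALID_USER: "INVALID_USER", UNKNOWN_USER: "UNKNOWN_USER", INTERNAL_ERROR: "INTERNAL_ERROR" };
var REQUIRED_ROLE = "WEB_LOGIN"; // role name taken from the issue's script

function authenticate(context) {
    var currentUser = context.getUser();
    if (currentUser == null) {
        // No user identified by an earlier step: deny instead of throwing on null.
        context.failure(AuthenticationFlowError.UNKNOWN_USER);
        return;
    }
    var role = context.getRealm().getRole(REQUIRED_ROLE);
    if (role == null) {
        // Role deleted or renamed in the realm: deny, never treat as "no restriction".
        context.failure(AuthenticationFlowError.INTERNAL_ERROR);
        return;
    }
    if (!currentUser.hasRole(role)) {
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    context.success();
}

// Constructed stand-ins for AuthenticationFlowContext and UserModel (hypothetical helpers).
function mockContext(user, realmRoles) {
    var ctx = {
        outcome: null,
        getUser: function () { return user; },
        getRealm: function () {
            return { getRole: function (n) { return realmRoles.indexOf(n) >= 0 ? n : null; } };
        },
        failure: function (err) { ctx.outcome = "failure:" + err; },
        success: function () { ctx.outcome = "success"; }
    };
    return ctx;
}
function mockUser(roles) {
    return { hasRole: function (r) { return roles.indexOf(r) >= 0; } };
}
function outcomeFor(user, realmRoles) {
    var ctx = mockContext(user, realmRoles);
    authenticate(ctx);
    return ctx.outcome;
}
```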
      

              People

              Assignee:
              mposolda Marek Posolda
              Reporter:
              jbgeorgiadis John Georgiadis (Inactive)
              Votes:
              0
              Watchers:
              3
