Add conditional http request header to close #14604 #14605
Conversation
@stianst can you explain how to add tests to this feature? I can't find any example for that.
@kreativmonkey take a look at this: org.keycloak.testsuite.forms.AllowDenyAuthenticatorTest#testDenyAccessWithNegateUserAttributeCondition ... however, there seems to be no way currently to use a custom HTTP header with the webdriver. Take a look at org.keycloak.testsuite.forms.DirectGrantFlowTest and create a custom direct grant flow with your conditional authenticator, then use an HTTP client to call the token endpoint with
Thanks for your answer, I need to figure out how to do the tests. It's much more work than writing the condition ;-)
4497e92 to 46c7662
@stianst I have finished the implementation of the tests. At this point I would like to explain the condition again in more detail. With this authenticator it is possible to check the HTTP headers for certain entries using regex patterns. This allows, for example, checking whether a login request comes from the company network or from outside. This can be used, for example, to control whether 2FA is requested. The authenticator is a bit more flexible than just checking for IP ranges (#16453). However, the user interface is not as comfortable and the operation is not as easy. As an example, to match a specific IP range
This change will add a condition to check the HTTP request header to match on a regex string. It is inspired by the ConditionalOTPFormAuthenticator but not limited to the OTP form.
Is there still something missing?
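As an added illustration of the condition described above (this is not the code from this PR, nor from the separately published extension mentioned later in the thread), here is a minimal Keycloak ConditionalAuthenticator that matches one request header against a configured regex. The config keys `header-name`, `header-pattern` and `negate` are hypothetical, and the ConditionalAuthenticatorFactory plus its META-INF/services registration that Keycloak needs to load it are not shown. The JAX-RS import is `jakarta.ws.rs` on current Keycloak and `javax.ws.rs` on releases before the Jakarta migration.

```java
package example.authenticators; // hypothetical package

import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import jakarta.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class ConditionalHttpHeaderAuthenticator implements ConditionalAuthenticator {

    // Hypothetical config keys, set on the execution in the admin console.
    public static final String HEADER_NAME = "header-name";
    public static final String HEADER_PATTERN = "header-pattern";
    public static final String NEGATE = "negate";

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        if (cfg == null || cfg.getConfig() == null) {
            // Unconfigured condition never matches, so the guarded sub-flow is skipped.
            return false;
        }
        Map<String, String> config = cfg.getConfig();
        MultivaluedMap<String, String> headers =
                context.getHttpRequest().getHttpHeaders().getRequestHeaders();
        boolean matched = headerMatches(headers, config.get(HEADER_NAME), config.get(HEADER_PATTERN));
        boolean negate = Boolean.parseBoolean(config.get(NEGATE));
        // negate flips the outcome, mirroring the "negate" option of the built-in conditions.
        return negate != matched;
    }

    // Pure function, separated from the flow context so it can be unit-tested directly.
    static boolean headerMatches(Map<String, List<String>> headers, String name, String regex) {
        if (name == null || regex == null || regex.isEmpty()) {
            return false;
        }
        Pattern pattern = Pattern.compile(regex);
        for (Map.Entry<String, List<String>> entry : headers.entrySet()) {
            // Header names are case-insensitive; do not rely on the map implementation for that.
            if (!entry.getKey().equalsIgnoreCase(name)) {
                continue;
            }
            for (String value : entry.getValue()) {
                // matches() anchors the regex to the whole value; find() would also accept
                // "x10.0.0.1" for the pattern "10\..*", which is rarely what the admin intended.
                if (pattern.matcher(value).matches()) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Conditions have no user interaction.
    }

    @Override
    public boolean requiresUser() {
        return false;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

The design point that matters for the internal-versus-external use case in this thread: a request header is supplied by whoever sends the request, so the condition is only meaningful when a trusted reverse proxy in front of Keycloak sets the header for internal traffic and strips any copy of it that arrives from outside. Without that, the header is just a string any client can add. Anchoring the regex with `matches()` also keeps loose patterns from accepting values they were not written for.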
I have the following scenario: both internal and external network. If the request originates from the internal network, I add the HTTP header. Now if a login request originates from the external network (header is missing), I only want to allow it IF the user has already configured their credentials including the 2FA. That is, initial password change and 2FA setup should NOT be possible when connecting from the external network. So I guess in the Condition that User Configured is not the case, I would need a sub-flow with this conditional to check.
Thank you for your PR - as I needed this functionality, I took the liberty of creating it as a separate repository to build as a keycloak-extension in https://github.com/elexis/keycloak-conditional-http-header-authenticator.
I'm also using this condition and it would be great if it could be merged into main. Thank you for your effort.
This change will close #14604
I added a condition to check the HTTP request header to match on a regex string.
It is inspired by the ConditionalOTPFormAuthenticator but not limited to the OTP form.