/**
 * Validates every credential in {@code credentials}; all of them must pass.
 * Validation stops at the first failing credential. As a side effect, a stored password hash
 * may be re-encoded and written back when the realm's hash password policy has changed.
 *
 * @param session     the current Keycloak session
 * @param realm       realm whose password policy applies
 * @param user        user the credentials belong to
 * @param credentials credentials to check, in order
 * @return {@code true} if every credential validated (vacuously {@code true} for an empty list),
 *         {@code false} at the first credential that does not
 */
public static boolean validCredentials(KeycloakSession session, RealmModel realm, UserModel user, List<UserCredentialModel> credentials) {
    Iterator<UserCredentialModel> remaining = credentials.iterator();
    while (remaining.hasNext()) {
        UserCredentialModel next = remaining.next();
        boolean accepted = validCredential(session, realm, user, next);
        if (!accepted) {
            return false;
        }
    }
    return true;
}
/**
 * Dispatches a single credential to the validator for its type.
 * Unknown credential types are rejected rather than ignored, so an unrecognised type can
 * never make a credential set pass.
 *
 * @param session    the current Keycloak session
 * @param realm      realm whose policies apply
 * @param user       user the credential belongs to
 * @param credential credential to check; its type selects the validator
 * @return {@code true} only if the type is known and its validator accepts the value
 */
private static boolean validCredential(KeycloakSession session, RealmModel realm, UserModel user, UserCredentialModel credential) {
    String type = credential.getType();
    if (type.equals(UserCredentialModel.PASSWORD)) {
        return validPassword(session, realm, user, credential.getValue());
    }
    if (type.equals(UserCredentialModel.PASSWORD_TOKEN)) {
        return validPasswordToken(realm, user, credential.getValue());
    }
    if (type.equals(UserCredentialModel.TOTP)) {
        return validTOTP(realm, user, credential.getValue());
    }
    if (type.equals(UserCredentialModel.HOTP)) {
        return validHOTP(realm, user, credential.getValue());
    }
    if (type.equals(UserCredentialModel.SECRET)) {
        return validSecret(realm, user, credential.getValue());
    }
    // fail closed: any credential type without a validator is invalid
    return false;
}
}
/**
 * Checks a clear-text password against the user's stored password credential.
 * If the user has several credentials of type {@code PASSWORD}, the last one returned by
 * {@code getCredentialsDirectly()} is used. A successful check may re-encode the stored hash
 * when the realm's hash iteration policy has changed (see {@link #validateHashedCredential}).
 *
 * @param session  the current Keycloak session
 * @param realm    realm whose password policy applies
 * @param user     user whose stored password is compared
 * @param password clear-text password to verify
 * @return {@code false} if the user has no stored password credential, otherwise the result
 *         of the hash verification
 */
public static boolean validPassword(KeycloakSession session, RealmModel realm, UserModel user, String password) {
    UserCredentialValueModel stored = null;
    for (UserCredentialValueModel candidate : user.getCredentialsDirectly()) {
        if (!candidate.getType().equals(UserCredentialModel.PASSWORD)) {
            continue;
        }
        // keep overwriting so the last PASSWORD entry wins, as before
        stored = candidate;
    }
    return stored != null && validateHashedCredential(session, realm, user, password, stored);
}
/**
 * Verifies a clear-text value against a stored hashed credential and, on success, upgrades
 * the stored hash when the realm's iteration policy no longer matches it.
 * The re-encode happens only after a successful verification, so an attacker cannot trigger a
 * credential rewrite with a wrong value. A {@code null} value is always rejected.
 *
 * @param session          the current Keycloak session
 * @param realm            realm whose hash iteration policy is consulted
 * @param user             user whose stored credential may be rewritten
 * @param unhashedCredValue clear-text value to verify; {@code null} yields {@code false}
 * @param credential       stored hashed credential to compare against
 * @return whether {@code unhashedCredValue} matches {@code credential}
 */
public static boolean validateHashedCredential(KeycloakSession session, RealmModel realm, UserModel user, String unhashedCredValue, UserCredentialValueModel credential) {
    if (unhashedCredValue == null) {
        return false;
    }
    boolean matches = PasswordHashManager.verify(session, realm, unhashedCredValue, credential);
    if (!matches) {
        return false;
    }
    // hashIterations(realm) below -1 is treated as "no policy"; presumably -1 means unset — confirm
    int policyIterations = hashIterations(realm);
    boolean policyChanged = policyIterations > -1 && policyIterations != credential.getHashIterations();
    if (policyChanged) {
        UserCredentialValueModel upgraded = PasswordHashManager.encode(session, realm, unhashedCredValue);
        user.updateCredentialDirectly(upgraded);
    }
    return true;
}
/**
 * Varargs form of {@code validCredentials}: every supplied credential must validate.
 * Checking stops at the first failure. A stored password hash may be re-encoded and
 * written back during validation when the realm's hash password policy has changed.
 *
 * @param session     the current Keycloak session
 * @param realm       realm whose password policy applies
 * @param user        user the credentials belong to
 * @param credentials credentials to check, in order
 * @return {@code true} if all credentials validated (vacuously {@code true} when none are
 *         given), {@code false} at the first credential that does not
 */
public static boolean validCredentials(KeycloakSession session, RealmModel realm, UserModel user, UserCredentialModel... credentials) {
    for (int i = 0; i < credentials.length; i++) {
        boolean accepted = validCredential(session, realm, user, credentials[i]);
        if (!accepted) {
            return false;
        }
    }
    return true;
}