-
Notifications
You must be signed in to change notification settings - Fork 0
/
authz-authenticator.js
34 lines (31 loc) · 1.24 KB
/
authz-authenticator.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
function authenticate(context) {
if (!authenticationSession.getClient()) {
context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND);
return;
}
var client = authenticationSession.getClient().getClientId();
LOG.info(script.name + " evalute authorization for user=" + user.username + " client=" + client);
/*
Use employeeStatus verification for service-now which allows some disabled
states to still authenticate.
Also allow class-dev for testing purposes.
*/
if (client && (client.contains("service-now") || client.contains("class-dev"))) {
var allowed = /(REQAPPROVAL|ACTIVE|WEBONLY|RESTRICTED)/;
var employeeStatus = user.getFirstAttribute("employeeStatus");
if (employeeStatus && !allowed.test(employeeStatus)) {
context.failure(AuthenticationFlowError.USER_DISABLED);
return;
}
} else {
/*
All other clients will authorize if the user account is not disabled or locked
*/
if (user.getFirstAttribute("nsAccountLock") == "TRUE" || user.getFirstAttribute("loginDisabled") == "TRUE") {
context.failure(AuthenticationFlowError.USER_DISABLED);
return;
}
}
context.success();
}