Allow more extensive overriding of BackchannelAuthenticationCallbackEndpoint #24993
Conversation
There was a problem hiding this comment.
@patrick-primesign - while I leave the final comment for the core team, here is something I noticed:
You make this protected so a derived class can access it. At the same time you're passing it in to some methods. Can we be consistent to only pass it to methods, as I would assume it would make the code simpler to follow?
As you've been adding protected methods / making methods protected, it might be good to add some Javadoc to them explaining how they are intended to be used.
There was a problem hiding this comment.
@ahus1 yeah, I agree, we needed it in our implementation for getRawBearerToken(), which normally would use the http headers.
I will add response and headers as parameters getRawBearerToken, to make it more readable or consistent.
Javadoc I will also add.
There was a problem hiding this comment.
I pushed some changes to the commit.
44bca59 to
4a28f6c
Compare
There was a problem hiding this comment.
Looking at the code, the changes still look a bit too much. From the Javadocs it is still hard to see the intent when to override which method.
It would be good if you would share more information about your usecase / the class you extend, plus maybe a configuration hint how you're configuring Keycloak to use the other endpoint instead.
There was a problem hiding this comment.
The logic is hard to understand as denyRequest() might have already been called.
There was a problem hiding this comment.
Actually we don't use this, so I will remove it, as the only reason it is there is that we possibly could use it. :)
There was a problem hiding this comment.
Instead of wrapping this here, I'd suggest only to change the line above:
Status status = extractStatusFromResponse(response);
... and then someone can override the one method extractStatusFromResponse.
Or thinking one step further, add the status to the BackchannelAuthCallbackContext, and it can be part of the extendable verifyAuthenticationRequest(). If doing that, the rest of the code can be left as is.
There was a problem hiding this comment.
For our use case this unfortunately doesn't make sense. We don't verify the request itself, we have to check other things (from the database), e.g. our own timeout and other factors which will turn the status to UNAUTHORIZED if they are not met.
There was a problem hiding this comment.
Seems legit. The method extractStatusFromResponse should extract some kind of status from the response. But Keycloak might have a saying as well, without checking on any status from the response.
4a28f6c to
8989417
Compare
|
@patrick-primesign @mschallar Could you please rebase this PR? I hope we can possibly merge it once it is rebased and all the tests are OK. |
…uthenticationCallbackEndpoint to allow developers easier customization when overriding. Two new methods added when approving device code, one before and one after approving, to allow additional checks. Closes keycloak#24992 Signed-off-by: Patrick Weiner <patrick.weiner@prime-sign.com>
8989417 to
03997fe
Compare
|
@mposolda Done. Thanks for merging. |
Add functions and set existing functions to protected in BackchannelAuthenticationCallbackEndpoint to allow developers easier customization when overriding.
Two new methods added when approving device code, one before and one after approving, to allow additional checks.
These changes doesn't change the default behaviour if the class is not overridden.
Closes #24992