Authenticate operation

The authenticate operation authenticates an object on the target system, based on two parameters, usually a unique identifier (username) and a password. If possible, your connector should try to authenticate these credentials natively.

If authentication fails, the connector should throw a runtime exception. The exception must be an IllegalArgumentException or, if a native exception is available and is of type RuntimeException, that native runtime exception. If the native exception is not a RuntimeException, it should be wrapped in a RuntimeException, and then thrown.

The exception should provide as much detail as possible for logging problems and failed authentication attempts. Several exceptions are provided in the exceptions package, for this purpose. For example, one of the most common authentication exceptions is the InvalidPasswordException.

For more information about the common exceptions provided in the OpenICF framework, refer to Common exceptions.

Use the ICF authenticate operation

This section shows how your application can use the framework’s authentication operation, and how to write a unit test for this operation, when you are developing your connector.

The authentication operation throws a RuntimeException if the credentials do not pass authentication, otherwise returns the UID.

Sample Unit Test for the Authentication Operation (Java)
public void authenticateTest() {
    logger.info("Running Authentication Test");
    final ConnectorFacade facade = createConnectorFacade(BasicConnector.class, null);
    final OperationOptionsBuilder builder = new OperationOptionsBuilder();
    Uid uid =
        facade.authenticate(ObjectClass.ACCOUNT, "username", new GuardedString("Passw0rd"
        .toCharArray()), builder.build());
    Assert.assertEquals(uid.getUidValue(), "username");

Implement the authenticate operation

To implement the authenticate operation in your connector, add the AuthenticateOp interface to your connector class, for example:

    displayNameKey = "Sample.connector.display",
    configurationClass = SampleConfiguration.class)
public class SampleConnector implements Connector, AuthenticateOp...

For more information, refer to the AuthenticateOp JavaDoc.

The SPI provides the following detailed exceptions:

  • UnknownUidException - the UID does not exist on the resource.


  • ConnectorSecurityException - base exception for all security-related exceptions.


  • InvalidCredentialException - generic invalid credential exception that should be used if the specific error cannot be obtained.


  • InvalidPasswordException - the password provided is incorrect.


  • PasswordExpiredException - the password is correct, but has expired.


  • PermissionDeniedException - the user can be identified but does not have permission to authenticate.


Implementation of the Authentication Operation, at the SPI Level
public Uid authenticate(final ObjectClass objectClass, final String userName,
        final GuardedString password, final OperationOptions options) {
    if (ObjectClass.ACCOUNT.equals(objectClass)) {
        return new Uid(userName);
    } else {
        logger.warn("Authenticate of type {0} is not supported", configuration
        throw new UnsupportedOperationException("Authenticate of type"
                + objectClass.getObjectClassValue() + " is not supported");
Copyright © 2010-2024 ForgeRock, all rights reserved.