[keycloak-dev] User Profile Extension

Stian Thorgersen sthorger at redhat.com
Mon Oct 22 03:00:08 EDT 2018 

We would be open to that. It would be great if you could start with
describing it in more detail first though. It's pretty simple to implement
something like that, but making it user friendly and a generic feature is
more complicated. See
https://github.com/stianst/keycloak-experimental/tree/master/magic-link for
instance. It does passwordless, but it's not very nice for those setting up
Keycloak or the end user.

I presume you are talking about a SMS with the one time password?

On Fri, 19 Oct 2018 at 08:29, <marco.scheuermann at daimler.com> wrote:

> Thats very good. Would you support a full implementation for passwordless
> login in keykloak?
>
> User has to enter email address, presses login and then he gets a One Time
> Password to login.
>
>
>
> If that`s fine for you, I would discuss with my colleagues if we create a
> PR.
>
>
>
> Ok?
>
> Marco
>
>
>
> *Von: *Stian Thorgersen <sthorger at redhat.com>
> *Antworten an: *"stian at redhat.com" <stian at redhat.com>
> *Datum: *Freitag, 19. Oktober 2018 um 08:26
> *An: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>, "
> fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>, "Scollo,
> Carmelo (059)" <carmelo.scollo at daimler.com>, "Herrmann, David Christian
> (059)" <david_christian.herrmann at daimler.com>, "Schmitt, Lukas (059)" <
> lukas.schmitt at daimler.com>
> *Betreff: *Re: [keycloak-dev] User Profile Extension
>
>
>
> I'd rather you consider contributing a fully functional feature in
> Keycloak itself, rather than extracting most of it into a separate service
> and only contributing a part of the feature to the rest of the community.
>
>
>
> On Fri, 19 Oct 2018 at 08:21, <marco.scheuermann at daimler.com> wrote:
>
> Thank you Stian,
>
>
>
> I understand your point. I will create a longer description of our
> requirement and why it has a benefit for the community.
>
> Is that ok for you?
>
>
>
> Thank you,
>
> Marco
>
>
>
> *Von: *Stian Thorgersen <sthorger at redhat.com>
> *Antworten an: *"stian at redhat.com" <stian at redhat.com>
> *Datum: *Freitag, 19. Oktober 2018 um 08:14
> *An: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>, "
> fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>, "Scollo,
> Carmelo (059)" <carmelo.scollo at daimler.com>, "Herrmann, David Christian
> (059)" <david_christian.herrmann at daimler.com>, "Schmitt, Lukas (059)" <
> lukas.schmitt at daimler.com>
> *Betreff: *Re: [keycloak-dev] User Profile Extension
>
>
>
> I understand that you don't need it, but that's past the point. When
> adding new features and capabilities in Keycloak we need to consider the
> bigger picture and add things in a way that has wider use. We do not add
> solutions for one person.
>
>
>
> On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann at daimler.com> wrote:
>
> Hi Stian,
>
>
>
> thank you for your answer.
>
> We already implemented login with phone number. For that we created a
> microservice that communicates with keykloak. The service does a ROPC with
> keykloak, so from keykloak perspective we DO NOT NEED support for login with
>
> phone number.
>
> Our only requirement was to extend the existing user profile by phone
> number, NOT to allow login via phone number.
>
>
>
> Greetings,
>
> Marco
>
>
>
> *Von: *Stian Thorgersen <sthorger at redhat.com>
> *Antworten an: *"stian at redhat.com" <stian at redhat.com>
> *Datum: *Donnerstag, 18. Oktober 2018 um 11:33
> *An: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>, "
> fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>, "Scollo,
> Carmelo (059)" <carmelo.scollo at daimler.com>, "Herrmann, David Christian
> (059)" <david_christian.herrmann at daimler.com>, "Schmitt, Lukas (059)" <
> lukas.schmitt at daimler.com>
> *Betreff: *Re: [keycloak-dev] User Profile Extension
>
>
>
> Adding support for login with phone number isn't as trivial as simply
> adding another user attribute. The user storage spi also have implications
> here since it's a supported API we can't break backwards compatibility.
>
>
>
> To do this right we should discuss the correct approach. This would
> involve some configuration option for a realm to allow specifying what
> attributes can be used to authenticate the user. Some strategy for when
> there is more than one user with the same phone number. That could be
> unique, allowing user to select from users with the phone number, or simply
> returning an error stating username has to be used.
>
>
>
> Then there's indexing to consider. For the phone number to be useful for a
> login it has to be indexed in the db. Caches should be able to lookup user
> based on phone number.
>
>
>
> Finally, and this is something we have problems with for email today. For
> email we had a limitation that email had to be unique. One email per user
> basically. This doesn't really work all that well and we had a rather hacky
> approach to allowing multiple users with the same email address. To extend
> to phone numbers we would need to address this properly and not introduce
> additional problems.
>
>
>
> On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann at daimler.com> wrote:
>
> Hi keykloak developers,
>
> my Name is Marco and I am currently working on a keykloak based
> usermanagement solution for our company and have the following requirement:
> We implemented a native One Time Password (OTP) login for our app. That
> means a user can login using email or mobile number.
> After that he gets a PIN via SMS/email which he can enter into the app to
> trigger the authentication flow.
> During login we check if the user already exists. If not we guide him to a
> registration page. This check is implemented by using keykloaks admin rest
> API.
> We search for a user by email. It must also be possible to search by phone
> number because this attribute could also be used for login as already
> mentioned.
> We added a custom attribute “mobile” to the user but the REST API does not
> allow to search for custom attributes.
>
> Our Requirement:
> The user should be able to use email OR phone number for login. For that
> it should be possible to enter both attributes while registering a new user.
> Currently keykloak only offers a custom field for email, but no phone
> number.
> Therefore we want to extend the User Profile by phone number. Would you
> accept such a Pull Request?
>
> Thank you,
> Marco
>
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
>
>
>
>
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
>
>
>
>
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
>
>

More information about the keycloak-dev mailing list