[keycloak-user] Securing Application which is exposed to Guest Users

Stian Thorgersen sthorger at redhat.com
Mon Jan 18 04:43:24 EST 2016


What Thomas said. Just remove the account role from the webinar user and
they can't use account management.

You can use authentication flows to customize the authentication flow. As a
first execution in the flow you check if the app is the webinar app, if it
is then don't include the cookie authenticator, but add a custom one that
asks for webinar id + secret. If it's not the webinar app then just
continue the default flow.
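Stian's design above, sketched as an added example (not code from the thread or from the Keycloak project): a custom Authenticator for Keycloak's authentication SPI that passes through for every client except the webinar app, and for the webinar app challenges for webinar id + secret and validates them against a per-webinar Keycloak user in the model Thomas describes. The client id, form template name and field names are assumptions, and the SPI signatures shown are those of later 2.x/3.x-era releases, which differ from the January 2016 API (for instance getClientSession() instead of getAuthenticationSession()).

```java
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
public class WebinarSecretAuthenticator implements Authenticator {
    // Hypothetical client id of the webinar app; in practice read it from the execution's config.
    static final String WEBINAR_CLIENT_ID = "webinar-app";
    static final String FORM = "webinar-login.ftl"; // assumed theme template with webinarId/webinarSecret fields
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        if (!WEBINAR_CLIENT_ID.equals(clientId)) {
            // Not the webinar app: mark this execution as attempted so the default flow continues.
            context.attempted();
            return;
        }
        // Webinar app: skip the cookie path and ask for webinar id + secret instead.
        context.challenge(context.form().createForm(FORM));
    }
    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String webinarId = form.getFirst("webinarId");
        String secret = form.getFirst("webinarSecret");
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        // Thomas's model: one Keycloak user per webinar, username = webinar id, password = secret.
        UserModel user = webinarId == null ? null : session.users().getUserByUsername(webinarId, realm);
        // Validate through the credential manager so the secret is checked against the stored hash.
        boolean valid = user != null && user.isEnabled() && secret != null
                && session.userCredentialManager().isValid(realm, user, UserCredentialModel.password(secret));
        if (!valid) {
            Response retry = context.form().setError("invalidWebinarCredentials").createForm(FORM);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, retry);
            return;
        }
        context.setUser(user);
        context.success();
    }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The class still needs an AuthenticatorFactory registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory, and the execution must sit in a copy of the browser flow with a requirement (ALTERNATIVE, or inside a sub-flow) that lets attempted() hand over to the remaining steps.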

On 18 January 2016 at 10:02, Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hello,
>
> you could just create a new keycloak user per webinar with:
>   webinar id = username
>   webinar secret = password
> ?
>
> Your real users would then just authenticate with those credentials -
> though you'd probably need to disable account management for them (and some
> other self-service operations).
> If you add a user-individual code to the login URL that you send to your
> users then you can associate the login with the actual user (e.g. the email
> address this link was generated for, etc.).
>
> Another option would be to generate a bunch of keycloak users with a
> limited lifetime, e.g. for the duration of the webinar + x.
> When the time is up you could deactivate the users.
> In that model you would simply store the email address for each user with
> the actual keycloak user.
> This would enable you to send a concluding "thank you email" and perform
> some analytics on which individual user did what during the webinar.
> Once you're done with your analysis you could delete the users.
>
> Cheers,
> Thomas
>
> 2016-01-18 9:34 GMT+01:00 Naresh Kumar Reddy <pnreddy.svu at gmail.com>:
>
>> Let me clarify the work flow.
>>
>> The organizer is a Keycloak user. He schedules a webinar and an invitation
>> mail will be sent to all participants (guest users). The mail will have
>> the webinar id/webinar secret. When participants (guest users) visit the webinar
>> portal it should ask for the webinar id/secret to authenticate.
>>
>> How do I achieve this with Keycloak, assuming two kinds of applications
>> under the same realm?
>>
>> Thanks
>>
>> On Mon, Jan 18, 2016 at 1:58 PM, Naresh Kumar Reddy <
>> pnreddy.svu at gmail.com> wrote:
>>
>>> login is required but with custom fields like webinarId/webinar secret
>>> which are common for all guest users.
>>>
>>> On Mon, Jan 18, 2016 at 1:45 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> Assuming by guest users you mean that no login is required then why
>>>> does it need securing at all?
>>>>
>>>> On 16 January 2016 at 02:53, Naresh Kumar Reddy <pnreddy.svu at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We have two applications which provide webinar functionality.
>>>>>
>>>>> 1) Provisioning app -- Organizers provision webinars and manage their
>>>>> accounts. Since organizers are Keycloak users, I can secure the provisioning app
>>>>> out of the box.
>>>>>
>>>>> 2) Webinar app -- The users of this app are organizers and
>>>>> participants. Participants are not provisioned as Keycloak users.
>>>>> Those are guest users.
>>>>>
>>>>> My question is: how do we secure the second app with Keycloak?
>>>>>
>>>>> *Note*: Both apps will be under the same realm.
>>>>>
>>>>> Is there any way to secure it with a custom field like webinarId which is
>>>>> passed as a parameter?
>>>>>
>>>>> Or is there a better solution?
>>>>>
>>>>> Under the same realm, securing one app with Keycloak users and the other app
>>>>> with custom authentication?
>>>>>
>>>>> Thanks for the great work.
>>>>>
>>>>>
>>>>> Thanks & Regards
>>>>> Naresh
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>>
>
>