[keycloak-user] [UMA] Access a protected resource by using a link

Fernando Mayoral fernando.mayoral at practiv.com
Sun Nov 17 21:16:51 EST 2019


*What type of application are we talking about? A single monolithic or
separated apps for frontend and backend? Asking because you could just
resume the workflow after the user authenticates again and is redirected
back to your app ...*

We are talking about separated frontend/backend; in fact, it's a
microservices and micro-frontend architecture.
Correct, authentication & redirect would work, and I've just realised I
missed an important aspect of this:
Our users don't have a username and password with Keycloak (not that they
know of, at least); there's a third-party authentication provider they can
use through OIDC.
Alternatively, if they don't have an account with that third party and
can't be bothered setting one up, we have a custom authenticator that
essentially allows "anonymous authentication", i.e. you don't have an
account, yet you want to use the application, so you get an anonymous
session. We use that user to store protected data (such data expires after
some time in the system and is erased).
Now we want to provide a way for such anonymous users to recover their
order and be authorised without having them set a password for the account
and so on, as the intention of the anonymous user mechanism is mostly
tracking and authorisation, which we erase after some time, and not so much
having a permanent user in the system.

*AFAIK, there is nothing you could use OOTB but maybe implementing some
custom authenticator. Even with a custom authenticator, the fact that you
are automatically re-authenticating the user based on some form of code
sent to an email may be risky ...*

Agreed on the risky side; it's neither desirable nor recommended from a
security point of view, yet since users in our system are ephemeral, the
attack vector is narrow enough to make it acceptable to sacrifice that in
order to get a smoother UX. Probably long-lived cookies can help here too,
but we are assuming users can use a different device, so that doesn't work
for all scenarios.
-
Thanks for your comments. I was thinking of a custom authenticator but
wanted to confirm whether support existed OOTB. I take your points on the
risk and will discuss them with our team.

Regards,
- Fernando
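Added example, not Keycloak's code and not part of this thread: a self-contained Python sketch of the token handling a custom authenticator behind such an email link would need in order to narrow the risk Pedro raises. The link carries a high-entropy random token, only its hash is stored, the token is single-use, it expires after a short TTL, and the return URL is checked against an allowlist before a link is issued. The host name and the 15-minute TTL are assumed values.

```python
import hashlib
import secrets
import time
from urllib.parse import urlparse

# Assumed values for this example (not from the thread): hosts the link may
# send the user back to, and how long a link stays valid.
ALLOWED_RETURN_HOSTS = {"app.example.test"}
TOKEN_TTL_SECONDS = 15 * 60


def token_digest(token: str) -> str:
    # Store only a hash: a leaked store then cannot be replayed as links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def return_url_allowed(url: str) -> bool:
    # The mail redirects to "an arbitrary url"; pin it to known hosts over
    # HTTPS so the link cannot become an open redirect.
    parts = urlparse(url)
    return parts.scheme == "https" and parts.netloc in ALLOWED_RETURN_HOSTS


class MagicLinkStore:
    """In-memory stand-in for whatever a custom authenticator would persist."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token hash -> (user_id, return_url, expires_at)

    def issue(self, user_id: str, return_url: str) -> str:
        """Create a single-use token for user_id; returns the raw token to mail."""
        if not return_url_allowed(return_url):
            raise ValueError("return URL not in allowlist")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[token_digest(token)] = (user_id, return_url, expires_at)
        return token

    def redeem(self, token: str):
        """Return (user_id, return_url) once, or None if unknown, used or expired."""
        # pop() makes the token single-use: a replayed link is rejected.
        entry = self._pending.pop(token_digest(token), None)
        if entry is None:
            return None
        user_id, return_url, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id, return_url
```

Whatever the authenticator does after `redeem` succeeds (creating the Keycloak session for the anonymous user and redirecting to `return_url`) is outside this sketch.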



On Sat, Nov 16, 2019 at 1:44 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> What type of application are we talking about? A single monolithic or
> separated apps for frontend and backend? Asking because you could just
> resume the workflow after the user authenticates again and is redirected
> back to your app ...
>
> AFAIK, there is nothing you could use OOTB but maybe implementing some
> custom authenticator. Even with a custom authenticator, the fact that you
> are automatically re-authenticating the user based on some form of code
> sent to an email may be risky ...
>
>
> On Thu, Nov 14, 2019 at 6:37 PM Fernando Mayoral <fernando.mayoral at practiv.com> wrote:
>
>> Yes, they leave the application and their keycloak session expires.
>> So then we want to send them a link for them to get a new session with
>> their user and get redirected to the order they didn't complete.
>> For example, one product is a bank account application:
>> They start filling in the forms and early on they are asked for their email.
>> But they never finish and submit the form, or maybe they leave the tab
>> open and forget, so the session expires; so we send them an email to remind
>> them, with a link to get authenticated and redirected back to an arbitrary
>> URL.
>>
>> On Fri, Nov 15, 2019 at 2:47 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> When the user "drops" from the system you mean a logout (ending the user
>>> session in Keycloak) ?
>>>
>>> On Thu, Nov 14, 2019 at 1:53 AM Fernando Mayoral <fernando.mayoral at practiv.com> wrote:
>>>
>>>> Hello!
>>>>
>>>> We have a product on which we create a protected resource (called
>>>> orders) in keycloak and we secure access to it by using UMA as described
>>>> by the UMA authorization process
>>>> <https://www.keycloak.org/docs/7.0/authorization_services/#_service_uma_authorization_process>.
>>>>
>>>> When the user drops from the system before they submit their order (i.e.
>>>> the order is incomplete) we want to be able to send them an email with a
>>>> link so they'll be able to get automatically authenticated and
>>>> authorized, so they can continue working on this protected resource.
>>>>
>>>> Does keycloak provide this kind of functionality out of the box?
>>>> (i.e. given a link with some sort of long-lived token, get authenticated
>>>> with keycloak and redirected to some arbitrary URL)
>>>> Is there any recommended way to approach this?
>>>>
>>>> Any hints would be greatly appreciated.

