id_token_hint
by Michael Gerber
Hi,
Do you have any plans to include the id_token_hint in the near future?
id_token_hint
OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.
If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.
Best
Michael
9 years, 3 months
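A minimal model of the OP-side decision that the quoted spec text describes (hint present or absent, prompt=none or interactive, hinted user logged in or not), added here as an example; it is not code from the thread or from Keycloak. The issuer, session shape and the unsigned demo token are constructed for the example, and signature verification of a real id_token_hint is assumed to have happened before hinted_subject() is called.

```python
import base64
import json

LOGIN_REQUIRED = "login_required"
INVALID_REQUEST = "invalid_request"
ISSUER = "https://op.example"  # constructed issuer for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_demo_id_token(claims: dict) -> str:
    # Constructed, unsigned token for the example; a real hint carries a
    # signature that must be verified before its claims are trusted.
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def hinted_subject(id_token_hint: str) -> str:
    # The hint need not list this server in 'aud', but it must have been
    # issued here, so 'iss' is checked.
    _header, payload, _sig = id_token_hint.split(".")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("hint not issued by this server")
    return claims["sub"]


def authorize(params: dict, session) -> dict:
    # session: the browser's current login at the OP ({"sub": ...}) or None
    prompt_none = params.get("prompt") == "none"
    hint = params.get("id_token_hint")
    if hint is None:
        # prompt=none without a hint MAY be invalid_request, but the spec
        # prefers success when possible, so fall back to the live session.
        if prompt_none and session is None:
            return {"error": LOGIN_REQUIRED}
        return {"ok": True}
    try:
        sub = hinted_subject(hint)
    except (ValueError, KeyError):
        return {"error": INVALID_REQUEST}
    if session is not None and session.get("sub") == sub:
        return {"ok": True, "sub": sub}
    if prompt_none:
        return {"error": LOGIN_REQUIRED}  # hinted user is not logged in
    return {"ok": True, "login_as": sub}  # interactive: log the hinted user in
```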
Direct link to registration/forgot-credentials
by Sebastian Rose
Hi all,
I have a requirement to provide an external link for register account and forgot-credentials.
I learned from KEYCLOAK-1904 that using .../openid-connect/registrations?client_id=.... instead of /openid-connect/auth?client_id=... works for the register account part. KEYCLOAK-1904 brought this to the js-adapter and provided it as an example to js-console. While testing that, KEYCLOAK-1910 was created due to a problem with the bean-initialization.
For having the same with forgot-credentials I added similar code to make .../openid-connect/forgot-credentials?client_id=... work. This change is described in KEYCLOAK-1927.
My first approach was not considering the Authorization SPI (thanks Stian). The second approach uses the class AuthenticationProcessor, which is already used for .../openid-connect/auth, to make KEYCLOAK-1910 and KEYCLOAK-1927 work. I am not sure if I understood completely and any hint/help is appreciated. With some manual tests it worked fine (please see https://github.com/keycloak/keycloak/pull/1686).
Please let me know what you think:
1) .../openid-connect/forgot-credentials is something you can live with/find useful
2) Is using class AuthenticationProcessor the correct approach? Anything there to consider after the call of .authenticate? There is a lot more code in place for the auth-case, which deals with variants. They don't seem to be useful for the two other cases.
3) I would like to add .../openid-connect/forgot-credentials to the js-adapter and js-console as well.
Best Regards,
Sebastian
9 years, 3 months
Added 'keycloak.jsonPrettyPrint' system property
by Stian Thorgersen
I fixed an issue where lists of json representations included null values
(basically the configuration was just included for packages that started
'org.keycloak' which java.util.List isn't). At the same time I added a
system property 'keycloak.jsonPrettyPrint' if enabled Keycloak will return
pretty printed json which is nice for development/debug.
9 years, 3 months
Does PicketLink Service provider supports ECP ?
by Arulkumar Ponnusamy
Hi All,
We are using PicketLink as service provider. Our application supports
different interfaces for authentication such as web browser, CLI, API.
I could not find any document on PicketLink SP support for ECP clients. Can
someone clarify on this?
Thanks,
Arulkumar Ponnusamy.
9 years, 3 months
Introduce option to select username mode for a realm
by Stian Thorgersen
We have someone from the community that wants to use mobile number as
the username, as well as verify mobile number by sending a code via SMS.
See "Login by mobile number" thread in user mailing list for more details.
They are also willing to contribute this back to the community.
That made me think it may be nice to be able to configure the behavior of
the username "field" for a realm. We could have a simple drop-down in the
admin console to configure username mode, with the following options:
* Username/email - default behavior where a user provides both a username
and email, and the user can login with either. In this mode email has to be
unique.
* Username - a user can only login with a username. In this mode we could
relax the requirement that email has to be unique (that may be difficult
though as it would require not using a database constraint, which may make
it rather difficult to guarantee uniqueness in other modes)
* Email - in this mode only email can be used to login. In this mode
username field would not be displayed on the registration form or account
management console. In the token the username would be set to email. In
this mode verify email address should be enabled by default.
* Mobile - user logs in with a mobile number. We can either just add mobile
number to the username field or add a new mobile field and require
uniqueness on that field. In this mode verify mobile number should be
enabled by default.
With regards to implementation I think it would be easier to make the
existing username/password authenticator, registration form and account
management adapt to the mode rather than have separate authenticators,
etc.. for each mode.
9 years, 3 months
Support multiple 2nd factor types
by Stian Thorgersen
At least for now we should add support for multiple types of OTP:
* Software tokens
* Hardware tokens
* U2F
It should be possible for an administrator to select what mechanisms are
available for a realm. We need the option to enforce that a user has at
least one 2nd factor authentication associated with the account. Then it
should be possible for administrators to provision tokens on behalf of
users, but also for users themselves to provision their own. For hardware
tokens a lot of them use the same algorithm as the software token, but one
caveat is that you need to be able to exchange a device-id for the token
secret. This could be a rest endpoint or a lookup in a database, but I
don't think there's a generic approach available so maybe we need to
introduce an SPI for this.
Are we able to do the above with the current Authenticator SPI? We also
need:
* Account management - users should be able to choose which mechanism to
use if there's more than one enabled for a realm
* Required action to enable OTP - same as above
* Admin console - administrators should be able to provision on behalf of
users
* We need to refer to it as 2nd factor or multi-factor as OTP is just one
possible mechanism. Other simple examples could be sending a code to email
or sms which has to be copy/pasted back to the login forms.
Looks like we have a community member that is willing to contribute U2F and
another that could contribute hardware tokens.
9 years, 3 months
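An added example (not code from the thread or from Keycloak) of the point about hardware tokens sharing the software-token algorithm: one HOTP/TOTP verifier behind a pluggable secret resolver, where the software-token store holds a per-user secret and the hardware-token provider exchanges an enrolled device id for the seed, which is the "SPI" shape the post suggests. Class names, the credential dict and the seed table are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    # truncation to a 31-bit integer and reduction to `digits` decimal digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, period: int = 30, digits: int = 6) -> str:
    # RFC 6238: the counter is the number of `period`-second steps since epoch.
    return hotp(secret, at_time // period, digits)


class SoftwareTokenStore:
    # Software tokens: the secret is generated at enrolment and stored per user.
    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def resolve(self, user: str, credential: dict) -> Optional[bytes]:
        return self._secrets.get(user)


class HardwareTokenProvider:
    # Hardware tokens: only a device id is enrolled; the secret comes from a
    # vendor seed source (a REST call or database lookup behind this "SPI").
    def __init__(self, seeds: Dict[str, bytes]) -> None:
        self._seeds = seeds

    def resolve(self, user: str, credential: dict) -> Optional[bytes]:
        return self._seeds.get(credential.get("device_id", ""))


def verify_second_factor(user: str, credential: dict, code: str,
                         provider, now: int, window: int = 1) -> bool:
    # Accept codes from `window` steps either side of now to tolerate clock
    # skew. A production verifier must also remember the last accepted step
    # per credential so the same code cannot be replayed within the window.
    secret = provider.resolve(user, credential)
    if secret is None:
        return False
    return any(hmac.compare_digest(totp(secret, now + 30 * skew), code)
               for skew in range(-window, window + 1))
```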
Hacking Tips
by Stan Silvert
In talking with Marko, I shared some of my hacking tips to aid with
i18n/l10n development. But they are generally handy for easing all
Keycloak development. Others might have other ways to improve on this
stuff and make our lives easier?
Here are mine:
Build server-dist without artifacts
I think Bill gets the credit for making this possible in WildFly. You
can build it such that jars are not copied to the server. Instead, they
are retrieved from your local maven repo. For Keycloak, you go to
/distribution/server-dist/server-provisioning.xml and set
copy-module-artifacts="false".
Now when you compile any of Keycloak's java modules you just restart the
server and see your changes.
It would be nice if we could use a system property for this, but it
looks like server-provisioning.xml doesn't support props for that
attribute. Some day I'll fix it and submit a patch.
Anyway, doing that and running mvn compile instead of mvn install brings
the build time from 3 minutes to about 6 seconds. Only 6 seconds to
build the whole server!
I use Windows and Cygwin to do this automatically in a batch file:
cd c:\GitHub\keycloak\distribution\server-dist
call mvn clean
sed -i 's/copy-module-artifacts="true"/copy-module-artifacts="false"/' server-provisioning.xml
call mvn compile
sed -i 's/copy-module-artifacts="false"/copy-module-artifacts="true"/' server-provisioning.xml
Let the default theme point to your maven clone instead of
/standalone/configuration/themes
You can tell Keycloak to load the default theme from your development
environment. This is especially handy when you are working on HTML or
JS files for Keycloak Admin Console. To do this, edit
keycloak-server.json. Here is the batch file code I use to automate it:
cd c:\GitHub\keycloak\distribution\server-dist\target\keycloak*\standalone\configuration
sed -i 's,"dir": "${jboss.server.config.dir}/themes","dir": "/GitHub/keycloak/forms/common-themes/src/main/resources/theme",' keycloak-server.json
Note: I had to use a comma for my sed delimiter instead of forward slash /
Turn off caching in your browser.
You need to turn off caching to see your HTML and JS changes as soon as
you edit them. But it can be a pain to turn caching on and off. I
found a nifty Firefox extension called "Cache Disabler" that puts a
little button in my toolbar to enable/disable all caching.
9 years, 3 months
Using a custom Protocol Mapper to store granular permissions in a token
by Scott Artman
I’m considering migrating a custom authentication and authorization framework to KeyCloak. I like KeyCloak’s authentication support and role to user mapping capabilities. However, I haven’t seen a feature to replace the granular permission support we have in our custom framework. We assign permissions to individual roles and use them to secure resources such as application pages, specific fields within a page, buttons, menu items, etc.
One option that may work is the Protocol Mapping feature mentioned in this blog post: http://blog.keycloak.org/2015/03/customizing-keycloak.html. I would like to use a custom Protocol Mapper to store a permission map within a token for the roles associated with a user. Can someone point me to documentation that outlines how to write a custom Protocol Mapper and configure KeyCloak to use it?
Thanks,
Scott
9 years, 3 months