Re: [keycloak-user] Multiple Social Providers for Single Account
by Stian Thorgersen
Seems I replied without the list, so including list as cc.
I've looked at your alterations and I'm not confident with letting users link to an existing account without logging in to that account first. We should be able to do this relatively easily though.
If you're interested in looking at doing this work let me know and I can give you some pointers. Basically the idea is if an account with the same email exists:
* Use callback url from social provider, including query params, as redirect-uri
* Return login form with message saying user with email exists, please login to link accounts
* Login form is submitted and processed by token service as usual
* Login form redirects to social callback uri
* Social callback uri creates social link (which it can do now as the user is authenticated)
* Redirect to app
----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> To: "Stian Thorgersen" <sthorger(a)redhat.com>
> Sent: Wednesday, 11 June, 2014 1:41:13 PM
> Subject: Re: [keycloak-user] Multiple Social Providers for Single Account
>
> That is totally fine, I'm just hoping I can help you guys somehow and
> contribute something too
>
>
> On Wed, Jun 11, 2014 at 9:07 AM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
> > I'll have a look at it and get back to you. It won't be until beginning of
> > next week though.
> >
> > Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
> >
> >
> > We need this feature now, so we're making some alterations to make it work
> > for us.
> >
> > Although we'd like to contribute to the Keycloak project if you feel our
> > alteration is fitting. We have done some tests, and we changed the
> > SocialResource class to treat this special flow.
> >
> > What we did is add a step to find the user by e-mail, before going into
> > the block where it creates a new user from scratch. I'm not a security
> > specialist, that's why I'd like you to take a look at it, because there may
> > exist security flaws that I'm not aware of, and if we can come up with
> > something that looks good, we could submit a PR for the project.
> >
> > Here's how our code looks now, we built it on top of the beta-2 source:
> > http://pastebin.com/H9S0fWjH
> >
> > I highlighted the part where alterations begin and end.
> >
> > I hope we can help each other in this.
> >
> > Best regards,
> > Rodrigo
> >
> >
> > On Tue, Jun 10, 2014 at 8:11 AM, Stian Thorgersen <sthorger(a)redhat.com>
> > wrote:
> >
> >> Currently the only way we support to link multiple accounts is through
> >> the account management. There's no automatic linking, so the problem you're
> >> seeing is at the moment the expected behavior as we only allow one account
> >> per email.
> >>
> >> We would like to improve this flow in the future, and any suggestions on
> >> how it could/should work would be great. It would most likely not be added
> >> until after 1.0.final.
> >>
> >> Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
> >>
> >>
> >> I guess it can wait, it would be good to get this sorted but I know
> >> you're all very busy.
> >>
> >> I'll download the master branch again and see what I can find
> >>
> >>
> >> On Mon, Jun 9, 2014 at 4:13 PM, Bill Burke <bburke(a)redhat.com> wrote:
> >>
> >>> Stian wrote this code and is at a face to face meeting this week. Can
> >>> you wait until next week for an answer? I could look into it, but I'm
> >>> focused on some caching features and pushing out Beta 3 at the moment.
> >>>
> >>> On 6/9/2014 10:43 AM, Rodrigo Sasaki wrote:
> >>> > I've been trying to work with the Social Providers feature of Keycloak,
> >>> > but I've had some problems.
> >>> >
> >>> > First of all I'm using the beta-2 version, and I created Facebook and
> >>> > Google links to applications I have there and it worked fine.
> >>> >
> >>> > If I create a new user logging in with Facebook it works.
> >>> > If I create a new user logging in with Google it works as well.
> >>> >
> >>> > When I try linking things, that's where things go wrong.
> >>> >
> >>> > I have created a new Keycloak user, and accessed:
> >>> >
> >>> > http://localhost:8080/auth/realms/myrealm/account
> >>> >
> >>> > and on that URL I associated my Google and Facebook accounts, when I do
> >>> > it like that, it all works fine, but when I tried to see if it worked
> >>> > automatically it all went south.
> >>> >
> >>> > I deleted the social links from this account, and then tried to log in
> >>> > to a keycloak secured application via Facebook, and the e-mail of my
> >>> > Facebook account is the same as the keycloak account, which led to an
> >>> > exception
> >>> >
> >>> > org.keycloak.models.ModelDuplicateException:
> >>> > javax.persistence.PersistenceException:
> >>> > org.hibernate.exception.ConstraintViolationException: ERROR: duplicate
> >>> > key value violates unique constraint "userentity_realm_email_key"
> >>> >
> >>> > The same happens if I have no account at all, and create one with
> >>> > Facebook, then try logging in with Google.
> >>> >
> >>> > Is there something I'm missing, or is this flow still being worked on?
> >>> >
> >>> > I have read this wiki, and I think it's the item 5 that isn't working
> >>> > correctly
> >>> >
> >>> >
> >>> https://github.com/keycloak/keycloak/wiki/Registration-Authentication-wit...
> >>> >
> >>> >
> >>> > --
> >>> > Rodrigo Sasaki
> >>> >
> >>> >
> >>> > _______________________________________________
> >>> > keycloak-user mailing list
> >>> > keycloak-user(a)lists.jboss.org
> >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>> >
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>>
> >>
> >>
> >>
> >> --
> >> Rodrigo Sasaki
> >>
> >
> >
> >
> > --
> > Rodrigo Sasaki
> >
>
>
>
> --
> Rodrigo Sasaki
>
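The login-to-link flow proposed at the top of this reply, modelled as an added Python example (not Keycloak's SocialResource code): an in-memory realm with constructed users, a session value standing in for the authenticated browser, and a callback handler that creates the social link only once the browser is logged in as the owner of the account with that email. The names Account, handle_social_callback and LOGIN_FORM are assumptions.

```python
# Added model of the "login to link" flow; not Keycloak's SocialResource code.
# Assumptions: users is an in-memory dict email -> Account, session_user is the
# email of the browser's authenticated user (None if anonymous), and LOGIN_FORM
# is an illustrative path. All names here are hypothetical.
from dataclasses import dataclass, field
from urllib.parse import urlencode

LOGIN_FORM = "/auth/realms/myrealm/login"  # assumed login form path


@dataclass
class Account:
    email: str
    social_links: dict = field(default_factory=dict)  # provider -> provider user id


def handle_social_callback(users, session_user, provider, provider_uid, email,
                           callback_url):
    """Return the callback's outcome as (action, detail).

    callback_url is the provider callback including its query params (code,
    state), so the login form can send the browser back to this same request.
    """
    # 1. Provider identity already linked: ordinary social login.
    for acct in users.values():
        if acct.social_links.get(provider) == provider_uid:
            return ("login", acct.email)
    existing = users.get(email)
    # 2. No account with this email: create one from scratch (current behaviour).
    if existing is None:
        users[email] = Account(email, {provider: provider_uid})
        return ("created", email)
    # 3. Account exists but the browser is not logged in as its owner: do not
    #    link by email alone; send the user to the login form with the callback
    #    (query params included) as redirect-uri. The link is created only on
    #    the second pass, after the token service has authenticated the owner.
    if session_user != existing.email:
        qs = urlencode({"redirect_uri": callback_url,
                        "message": "A user with this email exists, "
                                   "please login to link accounts"})
        return ("redirect", f"{LOGIN_FORM}?{qs}")
    # 4. Owner is authenticated: create the social link, then redirect to app.
    if existing.social_links.get(provider, provider_uid) != provider_uid:
        return ("error", f"{provider} already linked to another identity")
    existing.social_links[provider] = provider_uid
    return ("linked", email)
```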
10 years, 6 months
Nevermind
by Dean Peterson
Nevermind about the KeycloakLogger error. I ran a few other maven commands
other than maven install to get around the error.
10 years, 6 months
KeycloakLogger error on Maven install
by Dean Peterson
It has been a while since I tried to upgrade. Now when I perform a maven
install on Keycloak-parent I get a no class def error on the wildfly
subsystem. I get the same thing when I try to run maven install directly
on the wildfly subsystem piece too:
java.lang.NoClassDefFoundError: Could not initialize class
org.keycloak.subsystem.logging.KeycloakLogger
10 years, 6 months
Email Verification
by Conrad Winchester
Hi all,
sorry to keep asking questions, but I’m stuck again.
What is the correct configuration to get keycloak to send out email address verification emails?
Conrad
10 years, 6 months
Recommended way to identify user from token
by Conrad Winchester
Hi,
I have Keycloak integrated into my application and have it protecting several end points. A user can log in to get access to the protected resources by adding the bearer token into the authorisation header.
I was wondering what the recommended way is to actually identify the user who has authenticated. Is this the way to do it?
@Context
private SecurityContext securityContext;
...
KeycloakPrincipal principal = (KeycloakPrincipal) securityContext.getUserPrincipal();
logger.info("Logged in user: " + principal.getName());
I noticed that the name is the ‘id’ of the user from the keycloak table.
Are there any other ways to get data from the token?
Thanks
Conrad
10 years, 6 months
Multiple Social Providers for Single Account
by Rodrigo Sasaki
I've been trying to work with the Social Providers feature of Keycloak, but
I've had some problems.
First of all I'm using the beta-2 version, and I created Facebook and
Google links to applications I have there and it worked fine.
If I create a new user logging in with Facebook it works.
If I create a new user logging in with Google it works as well.
When I try linking things, that's where things go wrong.
I have created a new Keycloak user, and accessed:
http://localhost:8080/auth/realms/myrealm/account
and on that URL I associated my Google and Facebook accounts, when I do it
like that, it all works fine, but when I tried to see if it worked
automatically it all went south.
I deleted the social links from this account, and then tried to log in to a
keycloak secured application via Facebook, and the e-mail of my Facebook
account is the same as the keycloak account, which led to an exception
org.keycloak.models.ModelDuplicateException:
javax.persistence.PersistenceException:
org.hibernate.exception.ConstraintViolationException: ERROR: duplicate key
value violates unique constraint "userentity_realm_email_key"
The same happens if I have no account at all, and create one with Facebook,
then try logging in with Google.
Is there something I'm missing, or is this flow still being worked on?
I have read this wiki, and I think it's the item 5 that isn't working
correctly
https://github.com/keycloak/keycloak/wiki/Registration-Authentication-wit...
--
Rodrigo Sasaki
10 years, 6 months
Devoxx UK
by Conrad Winchester
I just had a thought!
I’m at Devoxx in London over the next couple of days.
Is anybody from the Keycloak team going to be there?
Conrad
10 years, 6 months
REST API - Bearer Exception
by Rodrigo Sasaki
Hi,
I'm trying to work with the Keycloak REST API, I logged into the
administration console, and then tried accessing /auth/admin/realms and
got this exception:
Failed executing GET /admin/realms:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
How should I build my request to be able to get a response? How should I
authenticate myself in this situation?
--
Rodrigo Sasaki
10 years, 6 months
Proxying Registration
by Conrad Winchester
Hi again,
a requirement of the application I am working on is for one person to very easily be able to add another using their email address.
We must not use the keycloak realm registration page and so I was wondering what the best way to proxy a realm user registration is?
I am trying to use the rest api like this
----
import java.util.ArrayList;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.keycloak.util.KeycloakUriBuilder; // package as of the 1.0 betas

// POST to the realm's registration endpoint, passing the client id as a query parameter
HttpPost post = new HttpPost(
        KeycloakUriBuilder
                .fromUri("http://localhost:8080/auth")
                .path("/realms/shift/tokens/registrations")
                .queryParam("client_id", "security-admin-console")
                .build());
// Form fields the registration page would normally submit
// (user and client are defined in the surrounding code)
List<NameValuePair> formparams = new ArrayList<>();
formparams.add(new BasicNameValuePair("username", user.getEmail()));
formparams.add(new BasicNameValuePair("password", user.getPassword()));
formparams.add(new BasicNameValuePair("email", user.getEmail()));
UrlEncodedFormEntity form = new UrlEncodedFormEntity(formparams, "UTF-8");
post.setEntity(form);
HttpResponse response = client.execute(post);
----
But I am not sure what the returned entity is, nor how to get the ID of the newly registered user.
Is there another way to do this?
Any help would be greatly appreciated
Thanks
Conrad
10 years, 6 months