Updating an email address of an account
by Manuel Baumann
Hi all
I am new to this list but have some experience with Keycloak and am
looking for a solution of the following problem:
Let's assume there is a user account with email and password and
they also use that account to log in and then access our
application.
Now we want to allow the user to modify their email address.
I saw this use case implemented in other products. There it would send
an email to the old address to verify the change (this step is not
required in our case) and then send an email to the new email address
with a verification link. Only when the link in the second email is
clicked, the email is updated.
What I managed to do so far is to update a user's email, setting it to
not verified and triggering the "send-verify-email" action, all via the
admin REST interface.
However, my approach has the con that the entered email address is
updated on the user whether it was verified or not, which makes a user
who did not finish the email update (by verifying it) unable to log in
with the currently active credentials (email, password) anymore, since
the email was updated.
Hopefully there is another way to achieve that and any hints are appreciated.
Best regards
Manuel
5 years, 3 months
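Added example, not code from the post above or from Keycloak: the admin REST sequence the post describes (PUT the new address with emailVerified=false, then trigger send-verify-email), written against an injectable transport so it can be run offline against a small constructed stand-in for the two endpoints. The endpoint paths are the Keycloak admin API's; the base URL, realm name, user id and addresses are assumptions for the demonstration, and the stand-in reproduces the con the post reports: once the PUT has run, a lookup by the old address finds nothing.

```python
"""Admin REST sequence: update email, mark it unverified, request verification.

Endpoints assumed (Keycloak admin REST API, relative to the server base URL,
which includes /auth on older Keycloak versions):
  GET/PUT {base}/admin/realms/{realm}/users/{id}
  PUT     {base}/admin/realms/{realm}/users/{id}/send-verify-email
"""
import copy
import json
from urllib import error, request


def update_email_and_request_verification(send, base, realm, user_id, new_email):
    """Run the sequence from the post. `send(method, url, body)` returns
    (status, parsed_body_or_None). Returns the stored representation after
    the PUT, so the caller can see what the login identifier now is."""
    user_url = f"{base}/admin/realms/{realm}/users/{user_id}"
    status, user = send("GET", user_url, None)
    if status != 200:
        raise RuntimeError(f"GET user failed with HTTP {status}")
    # Send the fetched representation back with only these two fields changed.
    rep = dict(user)
    rep["email"] = new_email
    rep["emailVerified"] = False
    status, _ = send("PUT", user_url, rep)
    if status not in (200, 204):
        raise RuntimeError(f"PUT user failed with HTTP {status}")
    status, _ = send("PUT", f"{user_url}/send-verify-email", None)
    if status not in (200, 204):
        raise RuntimeError(f"send-verify-email failed with HTTP {status}")
    return send("GET", user_url, None)[1]


def http_send(token):
    """Transport for a live server; assumes `token` is a valid admin bearer token."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        try:
            with request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except error.HTTPError as e:
            return e.code, None
    return send


class FakeKeycloak:
    """Constructed stand-in for the two endpoints: keeps users by id, applies
    PUT as a field update, and records which address each verify mail went to."""

    def __init__(self, users):
        self.users = copy.deepcopy(users)
        self.verify_mails = []

    def send(self, method, url, body):
        parts = url.rstrip("/").split("/")
        if parts[-1] == "send-verify-email":
            uid = parts[-2]
            if uid not in self.users:
                return 404, None
            self.verify_mails.append((uid, self.users[uid]["email"]))
            return 204, None
        uid = parts[-1]
        if uid not in self.users:
            return 404, None
        if method == "GET":
            return 200, copy.deepcopy(self.users[uid])
        if method == "PUT":
            self.users[uid].update(body)
            return 204, None
        return 405, None

    def find_by_email(self, email):
        """What a login by email address would resolve to."""
        return next((u for u in self.users.values() if u["email"] == email), None)


def demo():
    """Reproduce the post's observation on constructed data."""
    fake = FakeKeycloak({"u1": {"id": "u1", "username": "alice",
                                "email": "old@example.com", "emailVerified": True}})
    update_email_and_request_verification(
        fake.send, "https://keycloak.example", "demo", "u1", "new@example.com")
    return fake


if __name__ == "__main__":
    kc = demo()
    print(kc.users["u1"], kc.verify_mails, kc.find_by_email("old@example.com"))
```

To run it against a real server, pass `http_send(token)` instead of `fake.send`; the fake exists only so the effect on the login identifier can be seen without a server.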
OpenID Connect Dynamic Client Registration - Grant Types
by Buddhika Karunatilleke
Hi all,
I'm using the dynamic client registration endpoint with openid-connect
built-in provider. However, when I'm creating a client by selecting only
"client-credentials" grant type, Keycloak creates the client with both
"authorization-code" and "client-credentials" grant types.
Request:
curl -v -H 'Authorization: Bearer XXX' -H 'Content-Type: application/json' \
  'https://XXX.com/auth/realms/Test/clients-registrations/openid-connect' \
  -d '{ "clientId": "test-client-1", "grant_types": ["client_credentials"] }'
Grant types in the response from Keycloak:
"grant_types": ["authorization_code", "client_credentials", "refresh_token"]
Can someone help me understand as to why Keycloak adds the
"authorization-code" grant type in addition to the provided grant type
which is "client-credentials"?
Thanks and regards,
Buddhika.
5 years, 3 months
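Added example, not code from the post above or from Keycloak: build the registration request from the post, then compare the grant types on the client the endpoint returns with the ones that were requested, and refuse to continue if the server widened them. The registration URL is the one from the post; the token, client id and the stand-in server (which answers with the grant_types the post reports) are constructed for the demonstration.

```python
"""Check that a dynamically registered client carries only the requested grant types."""
import json
from urllib import error, request

REGISTRATION_URL = "https://XXX.com/auth/realms/Test/clients-registrations/openid-connect"


def registration_request(client_id, grant_types):
    """Body for Keycloak's openid-connect dynamic client registration endpoint."""
    return {"clientId": client_id, "grant_types": sorted(set(grant_types))}


def unexpected_grant_types(requested, response):
    """Grant types present on the created client that were never asked for."""
    return sorted(set(response.get("grant_types", [])) - set(requested))


def register_strict(post, url, token, client_id, requested):
    """Register and fail if the server added grant types. `post(url, token, body)`
    returns (status, parsed_body). Returns the created client representation."""
    status, created = post(url, token, registration_request(client_id, requested))
    if status != 201:
        raise RuntimeError(f"registration failed with HTTP {status}")
    extra = unexpected_grant_types(requested, created)
    if extra:
        # A service-to-service client that can also run the browser flow is a
        # wider client than was intended, so stop here rather than deploy it.
        raise ValueError(f"server added grant types {extra} to {client_id!r}")
    return created


def http_post(url, token, body):
    """Transport for a live server; assumes `token` is an initial access token
    or a bearer token allowed to register clients."""
    req = request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:
        return e.code, {}


def fake_post_like_the_post(url, token, body):
    """Constructed response reproducing what the post reports."""
    return 201, {
        "client_id": body["clientId"],
        "grant_types": ["authorization_code", "client_credentials", "refresh_token"],
    }


def fake_post_exact(url, token, body):
    """Constructed response from a server that honours the request as sent."""
    return 201, {"client_id": body["clientId"], "grant_types": list(body["grant_types"])}


if __name__ == "__main__":
    try:
        register_strict(fake_post_like_the_post, REGISTRATION_URL, "XXX",
                        "test-client-1", ["client_credentials"])
    except ValueError as e:
        print(e)
```

The check is deliberately strict: refresh_token is flagged alongside authorization_code, because neither was requested for a client_credentials-only client.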
Custom GET parameters in the registration page
by İlhan Subaşı
Is it possible to have custom GET parameters in the URL of the
registration page? I wrote some JavaScript to auto-fill a field in the
registration page that gets its value from the GET URL. My issue is that
when I add a custom parameter to the URL, Keycloak redirects the
registration page to the same page without my custom parameter; as a
result I cannot auto-fill the form field from the URL.
5 years, 3 months
Plain-text vault
by Hynek Mlnarik
Recently, a vault capability has been introduced in Keycloak
(master) with an out-of-the-box implementation that basically provides
secrets in the same format as if mounting a secrets volume within Kubernetes
[1]. Now there have been considerations regarding the name and storage layout
on which I would like to gather feedback.
The questions are the following. Both have arguments for the current
implementation explained below:
1. Is there any better way of storing the credentials?
2. Is there a better name for the OOTB implementation?
Storage layout:
The aim: The plain text vault implementation respects realms to prevent
leaking a secret used in one vault into another realm. The implementation
also accounts for the Kubernetes secret key naming restrictions [1], which
allow only alphanumeric characters, '-', '_' or '.'. Note that
forward slash is not among the allowed characters.
Since the vault adheres to the same format as provided by Kubernetes
secrets volumes, it also limits the possible file names for easy usage.
While Kubernetes supports exposing the secret keys as files in various
subdirectories of the mount directory, the default way of providing secrets
is via a flat file structure (no subdirectories). To achieve a structure where
a secret would be looked up in a file with a given key within a realm
directory (i.e. realm_name/secret_key), every secret would have to be
accompanied with a "path" specification, which is not particularly user
friendly.
Having kubernetes secrets per realm and mounting them into separate
directories could be an option, however that limits the ability to easily
add a new realm because the Pod definition would need to change with every
new realm to incorporate the new volume, and the whole deployment restarted
to reflect the changes. Alternatively, secrets for all realms could be
mounted into a single directory and "path" would be defined for every
secret as described above - but that is error-prone as well.
Thus the implementation is one where the realm name and secret key are separated
by a single underscore and, to prevent ambiguity, every underscore within
either the realm name or the secret key is doubled. In other words, to
get a secret called "some-secret" or "other_secret" from the vault from within
a realm called "realm-1" or "other_realm", the files would be called
"realm-1_some-secret" and "other__realm_other__secret", respectively. This
is clearly readable in the former case but may be error-prone in the latter.
Name:
The SPI name was chosen to be "plaintext" since the secrets are stored
openly in the files. Perhaps there is a better name? "kubernetes"? Any
other suggestion, or a +1 or -1 with arguments for the alternatives, is welcome.
I would love to hear your opinion on the two questions.
[Apologies for cross-posting, this can gain valuable feedback from both
devs and users though]
--Hynek
[1] https://kubernetes.io/docs/concepts/configuration/secret/
5 years, 3 months
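Added example, not Keycloak's code: the file-name layout the post above describes (realm name and secret key joined by a single underscore, every underscore inside either part doubled), the Kubernetes secret-key character check, the inverse mapping, and a collision search over a set of (realm, key) pairs. It goes one step past the post: the doubling keeps the separator identifiable only while the realm name does not end in an underscore and the key does not start with one; the constructed pairs below show three different (realm, key) combinations that land on the same file, which matters because per-realm isolation is the stated goal of the layout.

```python
"""Plain-text vault file naming as described in the post, with checks."""
import re
from collections import defaultdict

# Kubernetes secret keys: alphanumerics, '-', '_' and '.'; no '/'.
_K8S_KEY = re.compile(r"^[A-Za-z0-9._-]+$")


def escape(part):
    """Double every underscore so a lone '_' can serve as the separator."""
    return part.replace("_", "__")


def vault_file_name(realm, key):
    """File name for `key` in `realm`, rejecting names Kubernetes would not accept."""
    name = f"{escape(realm)}_{escape(key)}"
    if not _K8S_KEY.match(name):
        raise ValueError(f"not a valid Kubernetes secret key: {name!r}")
    return name


def split_file_name(name):
    """Inverse of vault_file_name by a left-to-right scan: '__' is a literal
    underscore, the first lone '_' is the separator."""
    realm = []
    i = 0
    while i < len(name):
        if name[i] == "_":
            if i + 1 < len(name) and name[i + 1] == "_":
                realm.append("_")
                i += 2
                continue
            return "".join(realm), name[i + 1:].replace("__", "_")
        realm.append(name[i])
        i += 1
    raise ValueError(f"no separator in {name!r}")


def is_unambiguous(realm, key):
    """True when the separator cannot merge with doubled underscores on either
    side, i.e. when vault_file_name(realm, key) can only come from this pair."""
    return not realm.endswith("_") and not key.startswith("_")


def collisions(pairs):
    """Group (realm, key) pairs that map to the same file, i.e. that would read
    the same secret although they belong to different realms or keys."""
    by_name = defaultdict(list)
    for realm, key in pairs:
        by_name[vault_file_name(realm, key)].append((realm, key))
    return {n: ps for n, ps in by_name.items() if len(ps) > 1}


if __name__ == "__main__":
    # Constructed pairs: the first three all encode to "a_____b".
    sample = [("a_", "_b"), ("a__", "b"), ("a", "__b"), ("realm-1", "some-secret")]
    for realm, key in sample:
        print(vault_file_name(realm, key), is_unambiguous(realm, key))
    print(collisions(sample))
```

A deployment that validates realm names and secret keys with is_unambiguous before writing the secret file avoids the collision; the check in vault_file_name only enforces what Kubernetes itself enforces.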
Automatic Client registration: Assign roles to service account
by Pavel Micka
Hello,
We are currently trying to use the client registration policy so our services can register themselves in Keycloak. The registration itself works perfectly, but we have one (big) issue: we do not know how to assign roles to the associated service account in the ClientRepresentation (without roles for the client, the registration is a bit useless for us).
Is there any way to assign roles (client roles of other services, in our case) to the service account during automatic registration? Or do we need an admin account to do that?
Thanks,
Pavel
5 years, 3 months
Re: [keycloak-user] How to create a Validation Flow to Registration Form using Authentication SPI?
by Celso Agra
Hi Cezary,
Unfortunately, I didn't make any progress in this flow.
So I decided to create a separate service to store some info about my
users.
My webservice receives a request with some data about the user, such as name,
documents, password, etc. Part of this information is sent to Keycloak,
and some of it is stored in my app. The registration flow proceeds
normally (send confirmation e-mail and so on), but registration and updates
are made by my app.
Kind regards,
Celso Agra
On Wed, 18 Sep 2019 at 08:22, Cezary Skura <cskura(a)mobiquityinc.com>
wrote:
> Good afternoon Sir,
>
> Did you solve your problem with the registration flow (validating the username)?
>
> Kind regards
> Cezary Skura
>
--
Celso Agra
5 years, 3 months
support for local user account
by Alex Rozenberg
Hello,
Does Keycloak support authentication of local Windows users (not part of LDAP or Active Directory)?
Thank you in advance,
Alex Rozenberg
5 years, 3 months
Gatekeeper failing to proxy a redirect link
by Nick Powers
I am using keycloak and gatekeeper to authenticate my web app against
Google. Everything seems to work fine with regular links, but if I
redirect the user to a page within my web app, gatekeeper exposes the
internal URL rather than proxying the data.
I'm using the following to redirect the user, via PHP:
<?php header("Location: https://commentcontext.com/protected/dashboard"); ?>
But instead of being sent through gatekeeper to that URL, it tries to send
the user to https://webapp/protected/dashboard, which is the internal URL of
my webapp, and of course webapp doesn't resolve in DNS so it fails.
Why is this happening? Is it a known issue? Is there a workaround?
Thanks!!!
Nick
5 years, 3 months
app-authz-photoz: error 403
by Alex Rozenberg
Hello,
I'm new to Keycloak and trying to follow the example in keycloak-quickstarts: app-authz-photoz.
I've got photoz-html5-client and restful-api built using the instructions in the Readme file.
After I log in using the specified credentials (alice or admin) I get error 403:
You can not access or perform the requested operation on this resource
The profile page does not display the name and I cannot create albums.
Any clues or tips are greatly appreciated.
Thank you in advance,
Alex Rozenberg
Project Engineer, Software
arozenb(a)ra.rockwell.com
5 years, 3 months