Password-free login using email link
by Valerij Timofeev
Hi all,
we have a couple of use-cases where login is password-free and is based on
an email link with a login key, for example:
* consumer is allowed to review merchant or product without registration
* customer receives confirmation email on review submission
* consumer logs in on a client application without a password using a link in
the confirmation email, but is not authorized to update the review comment
* if consumer logs in using username/email and password (e.g. after
registration), "update review comment" functionality becomes available
We have to support such use-cases, if we decide to adopt Keycloak.
I searched through the Keycloak JIRA tickets, but found only one similar
feature request, "Invitation email":
https://issues.jboss.org/browse/KEYCLOAK-439
Should I submit another feature request for our use case?
My vision:
* implement optional email-link authenticator (
http://keycloak.github.io/docs/userguide/html/auth_spi.html#auth_spi_walk...
)
* the client application creates a new user via the Admin REST API
<http://keycloak.github.io/docs/userguide/html/admin-rest-api.html> and
sets the credential type to "email_link" and the value to the login key. Then it sends
an email including the login link
* I suppose that it is difficult or even impossible to transmit query
parameters via the OpenID Connect flow, so the link could point to an unprotected
page storing the username and login key in a cookie
* the email-link authenticator checks for the presence of the email-link cookie and, if
found, tries to authenticate the user using the username and key values provided in
the cookie
* if no cookie is set or login fails, the user is redirected to the login form
Challenge: how to limit the roles bound to the user session if login type
"email_link" is used, maybe via a configuration parameter for this
authenticator? The rest of the assigned roles should not appear in the user
session.
Thank you in advance
Valerij Timofeev
Software Engineer
Trusted Shops GmbH
P.S. "Password-free" logins seem to be becoming a trend: Yahoo Mail gets a
redesign, goes "password-free": http://www.siliconbeat.com/2015/10/15/yahoo/
9 years, 1 month
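The email-link design sketched in the post above, worked through as an added illustration (this is not Keycloak code and not the poster's implementation): a high-entropy, expiring, single-use login key whose digest is stored as the user's "email_link" credential, and a session whose roles are cut down to a configured subset when that credential was used, which is the "challenge" the post ends on. The in-memory user store, the role names "review-reader"/"review-editor", the 15-minute TTL and the function names are assumptions made for the example.

```python
"""Email-link login as sketched above: unguessable, expiring, single-use key;
only its digest stored; reduced roles for sessions created from it.
Added illustration, not Keycloak code. Store, role names and TTL are assumed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Policy for the post's "challenge": roles an email-link session may carry.
# Every other role assigned to the user is dropped from that session. (Assumed names.)
EMAIL_LINK_ALLOWED_ROLES: Set[str] = {"review-reader"}
LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed link


@dataclass
class User:
    username: str
    roles: Set[str]
    # "email_link" credential: only a digest of the key is kept, so a leaked
    # user table does not yield working login links.
    link_key_hash: Optional[bytes] = None
    link_key_expires: float = 0.0


def _digest(key: str) -> bytes:
    return hashlib.sha256(key.encode("utf-8")).digest()


def issue_login_key(user: User, now: Optional[float] = None) -> str:
    """Create the login key for the emailed link. The raw key is returned once
    (to be embedded in the link); only its digest and an expiry are stored."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    user.link_key_hash = _digest(key)
    user.link_key_expires = now + LINK_TTL_SECONDS
    return key


def build_session(user: User, auth_type: str) -> Dict[str, object]:
    """Session roles depend on how the user authenticated: a password login keeps
    all assigned roles, an email-link login only the allowed subset."""
    roles = set(user.roles)
    if auth_type == "email_link":
        roles &= EMAIL_LINK_ALLOWED_ROLES
    return {"username": user.username, "auth_type": auth_type,
            "roles": sorted(roles)}


def authenticate_email_link(users: Dict[str, User], username: str, key: str,
                            now: Optional[float] = None) -> Optional[Dict[str, object]]:
    """The authenticator step: username and key are what the post proposes to
    carry in the cookie. Returns a reduced session, or None on any failure."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None or user.link_key_hash is None:
        return None
    if now > user.link_key_expires:
        return None
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(user.link_key_hash, _digest(key)):
        return None
    # Single use: burn the credential before the session is issued.
    user.link_key_hash = None
    user.link_key_expires = 0.0
    return build_session(user, "email_link")


if __name__ == "__main__":
    # Constructed sample: a consumer who holds both roles after registration.
    alice = User("alice", {"review-reader", "review-editor"})
    directory = {"alice": alice}
    key = issue_login_key(alice)
    print("link-login roles:", authenticate_email_link(directory, "alice", key)["roles"])
    print("second use of the same link:", authenticate_email_link(directory, "alice", key))
    print("password-login roles:", build_session(alice, "password")["roles"])
```

Two points the example makes explicit that the post leaves open: the key travels in a URL, so it lands in mail clients, browser history and Referer headers, which is why a short TTL and single use matter more here than for a password; and the cookie the post proposes for the handoff should be Secure and HttpOnly and cleared as soon as the authenticator has consumed it. The password path that would grant the full role set is outside the example and only represented by build_session(user, "password").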
Can Keycloak simulate LDAP server?
by Valerij Timofeev
Hi all,
we are interested to know whether it is possible to authenticate users of a pure
LDAP client against Keycloak.
Why? We are planning to migrate our legacy user storage to Keycloak and we'd
like to avoid a dead end if, for example, some product (e.g. SaaS) does not
support user authentication against Keycloak, but does against a standard
LDAP server.
If it is impossible, has anybody succeeded in implementing the reverse direction
of user federation synchronization (all user data from Keycloak copied
to a fresh LDAP server installation)?
Answers to these questions may be decisive for the Keycloak usage in our
organization.
Thank you in advance
Valerij Timofeev
Software Engineer
Trusted Shops GmbH
9 years, 1 month
Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
by Chen Keong Yap
Hi,
I am unable to secure a WAR file using the JBoss subsystem. Can you please advise?
Error:
Message: Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
at org.jboss.as.server.parsing.StandaloneXml.parseServerProfile(StandaloneXml.java:1199)
at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:457)
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:144)
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:106)
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
... 3 more
Snippet of standalone.xml:
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="WAR MODULE NAME.war">
<realm>demo</realm>
<realm-public-key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsy3CI+Un3CTFC/yoMzXNb7+Zm2gExw7khOduINB6wVIZpx+BT60DtXqcr0jZgxsO06ITL1/whVwHBx8G0KNG+t3McoYjXtEgkU5q0F+UA97M863Sg/762dC/2os7KiD/WVreXxA4wuueil/PPGj8YS0EUacx28yOhbhIIbva/jEWCtgKS3r/H6OtxZNM0lE0taimKlNT7NfLTBm/XH6IsdF75QD2WKTdzMHrd92zBg7lzHvp+/tZ7JwGhlR/+9N8O2qnPZWKVub7Wgum30trV8slFhWsneraosG2mnmeJLuIkNtev2gYvuNc5i8uZuKUnrdz2CUWEbViEReWm3uWRwIDAQAB</realm-public-key>
<auth-server-url>http://localhost:8080/auth</auth-server-url>
<bearer-only>true</bearer-only>
<ssl-required>EXTERNAL</ssl-required>
<resource>http://localhost:8080/jasperserver-pro/</resource>
</secure-deployment>
</subsystem>
</profile>
9 years, 1 month
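WildFly's configuration parser raises "Unexpected element '{...}subsystem'" when it meets a subsystem namespace that no registered extension claims; for the Keycloak subsystems that is normally a missing `<extension module="..."/>` entry under `<extensions>` in the same standalone.xml. The following checker, an added example that is not part of the post or of Keycloak, parses a standalone.xml, collects the declared extension modules, and reports every Keycloak subsystem whose extension is absent. The namespace-to-module table covers the two 1.x-era Keycloak subsystems; the embedded standalone.xml is a constructed, cut-down version of the snippet in the post (server root namespace and the profile content are assumed).

```python
"""Report Keycloak <subsystem> elements in a WildFly standalone.xml whose
<extension module="..."/> declaration is missing. Added example, not part of
the post or of Keycloak. Only the two 1.x-era Keycloak subsystems are known."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# subsystem namespace prefix -> extension module that must be declared
KNOWN_SUBSYSTEMS = {
    "urn:jboss:domain:keycloak-server:": "org.keycloak.keycloak-server-subsystem",
    "urn:jboss:domain:keycloak:": "org.keycloak.keycloak-adapter-subsystem",
}


def _split_tag(tag: str) -> Tuple[str, str]:
    """ElementTree spells a namespaced tag as '{ns}local'."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def missing_extensions(standalone_xml: str) -> List[Tuple[str, str]]:
    """Return (subsystem namespace, required module) for every known Keycloak
    subsystem in the file that has no matching <extension module="..."/>."""
    root = ET.fromstring(standalone_xml)
    # <extensions> sits in the server's own namespace, so match on local name.
    declared = {el.get("module") for el in root.iter()
                if _split_tag(el.tag)[1] == "extension"}
    missing = []
    for el in root.iter():
        ns, local = _split_tag(el.tag)
        if local != "subsystem":
            continue
        for prefix, module in KNOWN_SUBSYSTEMS.items():
            if ns.startswith(prefix) and module not in declared:
                missing.append((ns, module))
    return missing


# Constructed, cut-down standalone.xml mirroring the post's snippet: the server
# subsystem's extension is declared, the adapter subsystem's is not.
SAMPLE_BROKEN = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:1.8">
  <extensions>
    <extension module="org.keycloak.keycloak-server-subsystem"/>
  </extensions>
  <profile>
    <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
      <web-context>auth</web-context>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
      <secure-deployment name="WAR MODULE NAME.war">
        <realm>demo</realm>
        <auth-server-url>http://localhost:8080/auth</auth-server-url>
        <bearer-only>true</bearer-only>
      </secure-deployment>
    </subsystem>
  </profile>
</server>
"""

# The same file with the adapter extension declared as well.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    '<extension module="org.keycloak.keycloak-server-subsystem"/>',
    '<extension module="org.keycloak.keycloak-server-subsystem"/>\n'
    '    <extension module="org.keycloak.keycloak-adapter-subsystem"/>')


if __name__ == "__main__":
    for ns, module in missing_extensions(SAMPLE_BROKEN):
        print(f'{ns}: add <extension module="{module}"/> under <extensions>')
    print("fixed file:", missing_extensions(SAMPLE_FIXED))
```

Declaring the extension only helps if the module actually exists under the server's modules directory, which for the adapter subsystem means the adapter distribution matching the server version has been unpacked there; the checker reads only the XML and cannot see that.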
Regarding Reset Password
by Satyajit Das
Hi Team,
Kindly answer my query below.
I can see the admin API has 2 services for reset password.
Do we have an API where the user can enter a new password and it is
permanent instead of temporary?
Regards,
Satya
9 years, 1 month
Exception while running Keycloak 1.5.0 third-party example
by Harish Kumar
I was trying out the examples from Keycloak 1.5.0, specifically the third-party example. The same example worked fine when I used the distribution keycloak-appliance-dist-all-1.1.0.Final. I did the following steps.
1. Installed Keycloak 1.5.0
2. Set up the third-party client with valid redirect URL /oauth-client/*
3. keycloak.json as mentioned below (towards the end of this email)
4. Initially when I deployed I got an error (NoClassDefFoundError: Lorg/keycloak/servlet/ServletOAuthClient), then added files from keycloak-wf9-adapter-dist-1.5.0.Final.zip
5. After that the application could deploy, but when I open http://localhost:8080/oauth-client/ and click on "pull data" I get the error below. I would appreciate it if you could let me know how this error can be fixed. Any module missing?
javax.servlet.ServletException: java.lang.NoClassDefFoundError: org/keycloak/adapters/ServerRequest$HttpFailure
org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:848)
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:777)
org.apache.jsp.redirect_jsp._jspService(redirect_jsp.java:63)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
keycloak.json:
{
  "realm": "demo",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPt1q5aq8xZGUZVHAwj7xW6vJ20qk/awf6kK6NqQ2CvblWoSYyZOeLF+NpGue3Wn5r4ImKVUST89wPMrO83Y5st31Zpe4kZKoe8kvUj7tI6eeRrUsEsUWwpZ6I5yR5uVgj+8hJ9TaZQNAgB8zK0FvAxmu5bO+mq7c6eDEsYbcuMt3X+VZrkD36toaWM+gXPqziVkiNxp8DdS2TB8EN2J+MBGQRkbG6t6zdVMF0XrWpoT2UeMeFQ05I5lk1mlVupa6TJCpeH7sZBL2pgR+6TRDhViShur5PZUepHayS45PjPYPMsejfGZInRjHl/aqGcRK8YkXPjVDqPSp0xIa/QXYwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "third-party",
  "credentials": { "secret": "7269abc3-4de8-4be7-b881-8c3fcacf4ef4" }
}
9 years, 1 month
spring security adapter
by chenkeong.yap@izeno.com
hi guys,
do you have any documentation or a sample program for configuring Keycloak to use with Spring Security?
Regards,
CK Yap
9 years, 1 month
User Federation Provider and roles
by carmen
Hi all,
I am writing a user federation provider so we can authenticate users stored in a database.
Our roles are also stored there.
Is there an interface to provide roles to the realm and trap updates, so that changes to roles in Keycloak effect changes in the DB?
Thanks
Maria
9 years, 1 month
Creating a WAR file.
by Revanth Ayalasomayajula
Hi,
I am using Keycloak 1.5.0 and have used Keycloak's source code and
extended some of its classes to make a few adjustments as per my
requirements. I want to know how I can generate a WAR file of this code and
deploy it onto my container.
Thanks.
9 years, 1 month
Sending Forgot-Password Mail via Admin API/Reverse Proxy
by Sebastian Rose
Hi all,
we have Keycloak configured to live behind a reverse proxy and the external domain is used in emails (e.g. forgot-password) -> fine.
For security reasons I want to use the internal URL for the master realm (not reachable externally). When I send a reset-password mail via the admin interface, the mail contains the wrong URL.
Is there anything i can do about it via configuration?
Best regards,
Sebastian
Sebastian Rose
Developer
AOE GmbH
LuisenForum, Kirchgasse 6
65185 Wiesbaden
Germany
Tel. +49 6122 70 70 7 -234
Fax. +49 6122 70 70 7 -199
e-Mail: sebastian.rose(a)aoe.com
Web: http://www.aoe.com/
Mandatory disclosures under the German Commercial Code §37a / Stock Corporation Act §35a
VAT ID no.: DE250247455
Commercial register: Wiesbaden B
Commercial register no.: 22567
Registered office: Wiesbaden
Creditreform: 625.0209354
Managing director: Kian Toyouri Gould
This e-mail message may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail.
9 years, 1 month
Re: [keycloak-user] Keycloak to set up Teams and Organizations
by Nic Grange
Thanks for the quick response.
> Can an admin of the parent group administer sub groups?
Yes, I think so. It should be hierarchical. If you don't want them to have that privilege then make them only admin of the sub-group.
I like the idea of each group having a "user-admin" role.
Say you have an application that allows users to create/modify/share documents.
I see Groups as useful for tagging the document with the Group Id (additionally to the User Id)
so that if another user logs in from the same group and the original user has chosen to allow this document to be shared within their group,
the application can securely retrieve all the documents that are shared within their group.
Hope this makes sense,
Nic
>Date: Wed, 14 Oct 2015 19:23:46 -0400
>From: Bill Burke <bburke(a)redhat.com>
>Subject: Re: [keycloak-user] Keycloak to set up Teams and
> Organizations
>To: keycloak-user(a)lists.jboss.org
>Message-ID: <561EE402.7090608(a)redhat.com>
>Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
>
>On 10/14/2015 7:06 PM, Nic Grange wrote:
>> From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.
>>
>
>Exactly.
>
>>
>>
>> Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.
>>
>> The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. A Group Admin role allows a user permission to administer only data created/owned by users in that group).
>>
>
>I like that idea. A better alternative might be that each group has an
>"user-admin" role. If a user has the "user-admin" role of the group, it
>can administer users in that group and assign roles defined in that
>group. One thing to really think about is, what about sub-groups. Can
>an admin of the parent group administer sub groups?
>
>
>
>--
>Bill Burke
9 years, 1 month