You can implement this with our authentication SPI.
On 10/16/2015 11:59 AM, Valerij Timofeev wrote:
Hi all,
we have a couple of use-cases where login is password-free and is based
on email link with a login key, for example:
* consumer is allowed to review merchant or product without registration
* customer receives confirmation email on review submission
* consumer logs in on a client application without password using a link
in the confirmation email, but is not authorized to update review comment
* if consumer logs in using username/email and password (e.g. after
registration), "update review comment" functionality becomes available
We have to support such use-cases, if we decide to adopt Keycloak.
I searched through Keycloak JIRA tickets, but found only one similar
feature request, "Invitation email":
https://issues.jboss.org/browse/KEYCLOAK-439
Should I submit another feature request for our use case?
My vision:
* implement optional email-link authenticator
(http://keycloak.github.io/docs/userguide/html/auth_spi.html#auth_spi_walk...)
* client application creates new user via Admin REST API
<http://keycloak.github.io/docs/userguide/html/admin-rest-api.html> and
sets credential type to "email_link" and value to login key. Then it
sends email including login link
* I suppose that it is difficult or even impossible to transmit query
parameters via the OpenID Connect flow, so the link could point to an
unprotected page storing username and login key in a cookie
* email-link authenticator checks presence of the email-link cookie and
if found tries to authenticate user using username and key values
provided in the cookie
* if no cookie is set or login fails, user is redirected to login form
Challenge: how to limit roles bound to the user session if login type
"email_link" is used, maybe via a configuration parameter for this
authenticator? The rest of the assigned roles should not appear in the user
session.
Thank you in advance
Valerij Timofeev
Software Engineer
Trusted Shops GmbH
P.S. "Password-free" logins seem to become a trend: Yahoo Mail gets a
redesign, goes “password-free”
http://www.siliconbeat.com/2015/10/15/yahoo/
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
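
The login-key handling outlined in the quoted message, as an added example that is not part of the thread or of Keycloak: the key is random, stored only as a hash, compared in constant time, and a successful link login yields a fixed reduced role set. The class name, the role name, the expiry and the single-use behaviour are assumptions of this example; wiring it into an Authenticator SPI implementation is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (Java 16+), not part of Keycloak.
public class EmailLinkKeys {
    // Assumption: a link login yields only this role, whatever else the user is assigned.
    static final Set<String> LINK_ROLES = Set.of("review-reader");
    private static final SecureRandom RNG = new SecureRandom();
    private record Entry(byte[] keyHash, Instant expires) {}
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    // Issue a 256-bit key for the email link; only its SHA-256 hash is kept server-side.
    public String issue(String username, Duration ttl, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(username, new Entry(sha256(key), now.plus(ttl)));
        return key;
    }

    // Roles for the session on success; empty means "fall back to the login form".
    public Optional<Set<String>> redeem(String username, String presented, Instant now) {
        Entry e = (username == null) ? null : store.get(username);
        if (e == null || presented == null) return Optional.empty();
        if (now.isAfter(e.expires())) { store.remove(username, e); return Optional.empty(); }
        // Constant-time comparison of the stored hash with the hash of the presented key.
        if (!MessageDigest.isEqual(e.keyHash(), sha256(presented))) return Optional.empty();
        // Single use: only the request that removes the entry is authenticated.
        return store.remove(username, e) ? Optional.of(LINK_ROLES) : Optional.empty();
    }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
    public static void main(String[] args) {
        EmailLinkKeys keys = new EmailLinkKeys();
        Instant t0 = Instant.parse("2015-10-16T12:00:00Z"); // constructed sample time
        String key = keys.issue("consumer@example.org", Duration.ofHours(24), t0);
        System.out.println(keys.redeem("consumer@example.org", "wrong-key", t0));
        System.out.println(keys.redeem("consumer@example.org", key, t0.plusSeconds(60)));
        System.out.println(keys.redeem("consumer@example.org", key, t0.plusSeconds(61)));
    }
}
```

The three calls in `main` exercise a wrong key, a valid first use, and a replay of the same key.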