[keycloak-dev] User Profile Extension
Lilian BENOIT
lilian.benoit at lbenoit.fr
Tue Oct 23 08:07:31 EDT 2018
Hi.
For one project, I extended Keycloak to implement login with mobile
number or email.
I have implemented login and registration by mobile number.
I used activation by code because a link is too long for SMS, but I could
use a link reducer (internal or external).
I developed a new SPI to send SMS (inspired by EmailSenderProvider).
It permits implementing a specific solution with our SMS provider.
Currently, I save the mobile number in an attribute, but it's more elegant
to use the mobile number in the same way as email (for example, to
activate or not authentication by mobile).
If there is a subject, I am interested in contributing.
Best Regards.
Lilian BENOIT.
On 2018-10-19 08:26, Stian Thorgersen wrote:
> I'd rather you consider contributing a fully functional feature in
> Keycloak
> itself, rather than extracting most of it into a separate service and
> only
> contributing a part of the feature to the rest of the community.
>
> On Fri, 19 Oct 2018 at 08:21, <marco.scheuermann at daimler.com> wrote:
>
>> Thank you Stian,
>>
>>
>>
>> I understand your point. I will create a longer description of our
>> requirement and why it has a benefit for the community.
>>
>> Is that ok for you?
>>
>>
>>
>> Thank you,
>>
>> Marco
>>
>>
>>
>> *From: *Stian Thorgersen <sthorger at redhat.com>
>> *Reply to: *"stian at redhat.com" <stian at redhat.com>
>> *Date: *Friday, 19 October 2018 at 08:14
>> *To: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
>> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>,
>> "fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>,
>> "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com>,
>> "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com>,
>> "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
>> *Subject: *Re: [keycloak-dev] User Profile Extension
>>
>>
>>
>> I understand that you don't need it, but that's past the point. When
>> adding new features and capabilities in Keycloak we need to consider
>> the
>> bigger picture and add things in a way that has wider use. We do not
>> add
>> solutions for one person.
>>
>>
>>
>> On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann at daimler.com> wrote:
>>
>> Hi Stian,
>>
>>
>>
>> thank you for your answer.
>>
>> We already implemented login with phone number. For that we created a
>> microservice that communicates with Keycloak. The service does a ROPC
>> with Keycloak, so from Keycloak's perspective we DO NOT NEED support
>> for login with phone number.
>>
>> Our only requirement was to extend the existing user profile by phone
>> number, NOT to allow login via phone number.
>>
>>
>>
>> Greetings,
>>
>> Marco
>>
>>
>>
>> *From: *Stian Thorgersen <sthorger at redhat.com>
>> *Reply to: *"stian at redhat.com" <stian at redhat.com>
>> *Date: *Thursday, 18 October 2018 at 11:33
>> *To: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
>> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>,
>> "fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>,
>> "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com>,
>> "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com>,
>> "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
>> *Subject: *Re: [keycloak-dev] User Profile Extension
>>
>>
>>
>> Adding support for login with phone number isn't as trivial as simply
>> adding another user attribute. The user storage SPI also has
>> implications here: since it's a supported API, we can't break
>> backwards compatibility.
>>
>>
>>
>> To do this right we should discuss the correct approach. This would
>> involve some configuration option for a realm to allow specifying what
>> attributes can be used to authenticate the user. Some strategy for
>> when
>> there is more than one user with the same phone number. That could be
>> unique, allowing user to select from users with the phone number, or
>> simply
>> returning an error stating username has to be used.
>>
>>
>>
>> Then there's indexing to consider. For the phone number to be useful
>> for a
>> login it has to be indexed in the db. Caches should be able to lookup
>> user
>> based on phone number.
>>
>>
>>
>> Finally, and this is something we have problems with for email today.
>> For
>> email we had a limitation that email had to be unique. One email per
>> user
>> basically. This doesn't really work all that well and we had a rather
>> hacky
>> approach to allowing multiple users with the same email address. To
>> extend
>> to phone numbers we would need to address this properly and not
>> introduce
>> additional problems.
>>
>>
>>
>> On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann at daimler.com> wrote:
>>
>> Hi Keycloak developers,
>>
>> my name is Marco and I am currently working on a Keycloak-based user
>> management solution for our company and have the following
>> requirement:
>> We implemented a native One Time Password (OTP) login for our app.
>> That means a user can log in using email or mobile number.
>> After that he gets a PIN via SMS/email which he can enter into the app
>> to trigger the authentication flow.
>> During login we check if the user already exists. If not we guide him
>> to a registration page. This check is implemented by using Keycloak's
>> admin REST API.
>> We search for a user by email. It must also be possible to search by
>> phone number because this attribute could also be used for login as
>> already mentioned.
>> We added a custom attribute “mobile” to the user but the REST API does
>> not allow searching for custom attributes.
>>
>> Our Requirement:
>> The user should be able to use email OR phone number for login. For
>> that it should be possible to enter both attributes while registering
>> a new user.
>> Currently Keycloak only offers a custom field for email, but no phone
>> number.
>> Therefore we want to extend the User Profile by phone number. Would
>> you accept such a Pull Request?
>>
>> Thank you,
>> Marco
>>
>> If you are not the addressee, please inform us immediately that you
>> have
>> received this e-mail by mistake, and delete it. We thank you for your
>> support.
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
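
The design points quoted above from Stian Thorgersen (a realm setting for which attributes may authenticate a user, and a strategy for several users sharing one phone number) can be modelled as below. This is an added sketch, not Keycloak code and not part of the thread: every class, enum and method name is hypothetical, the map stands in for the database index, and the sample numbers are constructed.

```java
import java.util.*;

// Added sketch, not Keycloak code: all type and method names are hypothetical.
public class LoginIdentifierLookup {
    enum DuplicatePolicy { UNIQUE, SELECT_USER, REQUIRE_USERNAME }
    enum Outcome { FOUND, NOT_FOUND, CHOOSE_ACCOUNT, USERNAME_REQUIRED }
    record Result(Outcome outcome, List<String> userIds) {}

    private final Set<String> loginAttributes;   // realm setting: attributes usable for login
    private final DuplicatePolicy policy;        // what to do when a value is shared
    // Stands in for the database index: "attribute=value" -> user ids.
    private final Map<String, List<String>> index = new HashMap<>();

    LoginIdentifierLookup(Set<String> loginAttributes, DuplicatePolicy policy) {
        this.loginAttributes = loginAttributes;
        this.policy = policy;
    }

    // Write-time check: under UNIQUE a second user with the same value is rejected.
    boolean register(String userId, String attribute, String value) {
        if (!loginAttributes.contains(attribute)) return true; // plain attribute, never indexed
        List<String> ids = index.computeIfAbsent(attribute + "=" + value, k -> new ArrayList<>());
        if (policy == DuplicatePolicy.UNIQUE && !ids.isEmpty()) return false;
        ids.add(userId);
        return true;
    }

    // Login-time lookup: only configured attributes are searched at all.
    Result resolve(String attribute, String value) {
        if (!loginAttributes.contains(attribute)) return new Result(Outcome.NOT_FOUND, List.of());
        List<String> ids = index.getOrDefault(attribute + "=" + value, List.of());
        if (ids.isEmpty()) return new Result(Outcome.NOT_FOUND, List.of());
        if (ids.size() == 1) return new Result(Outcome.FOUND, List.copyOf(ids));
        return policy == DuplicatePolicy.SELECT_USER
                ? new Result(Outcome.CHOOSE_ACCOUNT, List.copyOf(ids))
                : new Result(Outcome.USERNAME_REQUIRED, List.of());
    }

    public static void main(String[] args) {
        var realm = new LoginIdentifierLookup(Set.of("email", "mobile"), DuplicatePolicy.REQUIRE_USERNAME);
        realm.register("u1", "mobile", "+33600000001"); // constructed sample data
        realm.register("u2", "mobile", "+33600000001"); // same number, second user
        realm.register("u3", "mobile", "+33600000002");
        System.out.println(realm.resolve("mobile", "+33600000001").outcome());
        System.out.println(realm.resolve("mobile", "+33600000002").outcome());
        System.out.println(realm.resolve("nickname", "bob").outcome());
    }
}
```

Constructing the realm with `DuplicatePolicy.UNIQUE` instead makes the second `register` call return `false`, which is the "one value per user" option mentioned in the quoted message.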