[keycloak-dev] User Profile Extension

Lilian BENOIT lilian.benoit at lbenoit.fr
Tue Oct 23 08:07:31 EDT 2018


Hi.

For one project, I extended Keycloak to implement login with mobile number or email.
I have implemented login and registration by mobile number.

I used activation by code because a link is too long for SMS. But I could use a link reducer (internal or external).
I developed a new SPI to send SMS (inspired by EmailSenderProvider). This permits implementing a specific solution with our SMS provider.

Currently, I saved the mobile number in an attribute, but it would be more elegant to use the mobile number the same as email (for example, to activate or not authentication by mobile).

If there is a subject, I am interested in contributing.

Best Regards.
Lilian BENOIT.


On 2018-10-19 08:26, Stian Thorgersen wrote:
> I'd rather you consider contributing a fully functional feature in Keycloak
> itself, rather than extracting most of it into a separate service and only
> contributing a part of the feature to the rest of the community.
> 
> On Fri, 19 Oct 2018 at 08:21, <marco.scheuermann at daimler.com> wrote:
> 
>> Thank you Stian,
>> 
>> 
>> 
>> I understand your point. I will create a longer description of our
>> requirement and why it has a benefit for the community.
>> 
>> Is that ok for you?
>> 
>> 
>> 
>> Thank you,
>> 
>> Marco
>> 
>> 
>> 
>> *From: *Stian Thorgersen <sthorger at redhat.com>
>> *Reply-To: *"stian at redhat.com" <stian at redhat.com>
>> *Date: *Friday, 19 October 2018 at 08:14
>> *To: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
>> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>, "fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>, "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com>, "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com>, "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
>> *Subject: *Re: [keycloak-dev] User Profile Extension
>> 
>> I understand that you don't need it, but that's past the point. When
>> adding new features and capabilities in Keycloak we need to consider the
>> bigger picture and add things in a way that has wider use. We do not add
>> solutions for one person.
>> 
>> 
>> 
>> On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann at daimler.com> wrote:
>> 
>> Hi Stian,
>> 
>> 
>> 
>> thank you for your answer.
>> 
>> We already implemented login with phone number. For that we created a
>> microservice that communicates with Keycloak. The service does a ROPC with
>> Keycloak, so from Keycloak's perspective we DO NOT NEED support for login with
>> phone number.
>> 
>> Our only requirement was to extend the existing user profile by phone
>> number, NOT to allow login via phone number.
>> 
>> 
>> 
>> Greetings,
>> 
>> Marco
>> 
>> 
>> 
>> *From: *Stian Thorgersen <sthorger at redhat.com>
>> *Reply-To: *"stian at redhat.com" <stian at redhat.com>
>> *Date: *Thursday, 18 October 2018 at 11:33
>> *To: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
>> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>, "fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>, "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com>, "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com>, "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
>> *Subject: *Re: [keycloak-dev] User Profile Extension
>> 
>> Adding support for login with phone number isn't as trivial as simply
>> adding another user attribute. The user storage SPI also has implications
>> here since it's a supported API we can't break backwards compatibility.
>> 
>> To do this right we should discuss the correct approach. This would
>> involve some configuration option for a realm to allow specifying what
>> attributes can be used to authenticate the user. Some strategy for when
>> there is more than one user with the same phone number. That could be
>> unique, allowing user to select from users with the phone number, or simply
>> returning an error stating username has to be used.
>> 
>> Then there's indexing to consider. For the phone number to be useful for a
>> login it has to be indexed in the db. Caches should be able to look up user
>> based on phone number.
>> 
>> Finally, and this is something we have problems with for email today. For
>> email we had a limitation that email had to be unique. One email per user
>> basically. This doesn't really work all that well and we had a rather hacky
>> approach to allowing multiple users with the same email address. To extend
>> to phone numbers we would need to address this properly and not introduce
>> additional problems.
>> 
>> 
>> 
>> On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann at daimler.com> wrote:
>> 
>> Hi Keycloak developers,
>> 
>> My name is Marco and I am currently working on a Keycloak-based
>> user management solution for our company and have the following requirement:
>> We implemented a native One Time Password (OTP) login for our app. That
>> means a user can log in using email or mobile number.
>> After that he gets a PIN via SMS/email which he can enter into the app to
>> trigger the authentication flow.
>> During login we check if the user already exists. If not we guide him to a
>> registration page. This check is implemented by using Keycloak's admin REST
>> API.
>> We search for a user by email. It must also be possible to search by phone
>> number because this attribute could also be used for login as already
>> mentioned.
>> We added a custom attribute “mobile” to the user but the REST API does not
>> allow searching for custom attributes.
>> 
>> Our Requirement:
>> The user should be able to use email OR phone number for login. For that
>> it should be possible to enter both attributes while registering a new user.
>> Currently Keycloak only offers a custom field for email, but no phone
>> number.
>> Therefore we want to extend the User Profile by phone number. Would you
>> accept such a Pull Request?
>> 
>> Thank you,
>> Marco
>> 
>> If you are not the addressee, please inform us immediately that you 
>> have
>> received this e-mail by mistake, and delete it. We thank you for your
>> support.
>> 
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> 
>> 
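The lookup rules outlined in the quoted 18 October reply (a realm-level list of attributes usable for login, an index per attribute, and a strategy for duplicate values), as an added sketch that is not Keycloak code and not from any poster in this thread. All class, enum and method names are hypothetical, and the sample users are constructed.

```java
import java.util.*;

// Hypothetical model, not Keycloak's API: which attributes may identify a user at
// login, and what to do when one value (e.g. a phone number) maps to several users.
public class LoginIdentifierResolver {
    enum DuplicatePolicy { UNIQUE, SELECT, REQUIRE_USERNAME }

    record Result(List<String> candidates, String error) {}

    private final List<String> loginAttributes;   // realm setting, e.g. [email, mobile]
    private final DuplicatePolicy policy;
    // attribute -> normalized value -> usernames; stands in for a DB index / cache key
    private final Map<String, Map<String, Set<String>>> index = new HashMap<>();

    LoginIdentifierResolver(List<String> loginAttributes, DuplicatePolicy policy) {
        this.loginAttributes = loginAttributes;
        this.policy = policy;
    }

    void setAttribute(String username, String attr, String value) {
        Set<String> owners = index.computeIfAbsent(attr, a -> new HashMap<>())
                                  .computeIfAbsent(normalize(value), v -> new TreeSet<>());
        // UNIQUE is enforced on write, like the one-email-per-user rule in the thread
        if (policy == DuplicatePolicy.UNIQUE && !owners.isEmpty() && !owners.contains(username))
            throw new IllegalStateException(attr + " already in use");
        owners.add(username);
    }

    Result resolve(String identifier) {
        Set<String> hits = new TreeSet<>();
        for (String attr : loginAttributes)       // only realm-approved attributes are searched
            hits.addAll(index.getOrDefault(attr, Map.of())
                             .getOrDefault(normalize(identifier), Set.of()));
        if (hits.size() > 1 && policy == DuplicatePolicy.REQUIRE_USERNAME)
            return new Result(List.of(), "ambiguous identifier: log in with username");
        // Empty candidates means no match; the caller decides how to report that
        return new Result(List.copyOf(hits), null);
    }

    // Constructed normalization: trim and lower-case so lookups hit the same index key
    static String normalize(String v) { return v.trim().toLowerCase(Locale.ROOT); }

    public static void main(String[] args) {
        var r = new LoginIdentifierResolver(List.of("email", "mobile"), DuplicatePolicy.SELECT);
        r.setAttribute("alice", "mobile", "+33600000001");
        r.setAttribute("bob", "mobile", "+33600000001");
        r.setAttribute("bob", "email", "Bob@example.org");
        System.out.println(r.resolve("+33600000001"));
        System.out.println(r.resolve("bob@example.org"));
    }
}
```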


