[keycloak-dev] User Profile Extension

Tue Oct 23 08:12:16 EDT 2018

Right. SMS with OTP.

Marco

Von meinem iPhone gesendet

Am 22.10.2018 um 09:00 schrieb Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>>:

We would be open to that. It would be great if you could start with describing it in more detail first though. It's pretty simple to implement something like that, but making it user friendly and a generic feature is more complicated. See https://github.com/stianst/keycloak-experimental/tree/master/magic-link for instance. It does passwordless, but it's not very nice for those setting up Keycloak or the end user.

I presume you are talking about a SMS with the one time password?

On Fri, 19 Oct 2018 at 08:29, <marco.scheuermann at daimler.com<mailto:marco.scheuermann at daimler.com>> wrote:
Thats very good. Would you support a full implementation for passwordless login in keykloak?
User has to enter email address, presses login and then he gets a One Time Password to login.

If that`s fine for you, I would discuss with my colleagues if we create a PR.

Ok?
Marco

Von: Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>>
Antworten an: "stian at redhat.com<mailto:stian at redhat.com>" <stian at redhat.com<mailto:stian at redhat.com>>
Datum: Freitag, 19. Oktober 2018 um 08:26
An: "Scheuermann, Marco (059)" <marco.scheuermann at daimler.com<mailto:marco.scheuermann at daimler.com>>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>>, "fabian.loewner at freiheit.com<mailto:fabian.loewner at freiheit.com>" <fabian.loewner at freiheit.com<mailto:fabian.loewner at freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com<mailto:carmelo.scollo at daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com<mailto:david_christian.herrmann at daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com<mailto:lukas.schmitt at daimler.com>>
Betreff: Re: [keycloak-dev] User Profile Extension

I'd rather you consider contributing a fully functional feature in Keycloak itself, rather than extracting most of it into a separate service and only contributing a part of the feature to the rest of the community.

On Fri, 19 Oct 2018 at 08:21, <marco.scheuermann at daimler.com<mailto:marco.scheuermann at daimler.com>> wrote:
Thank you Stian,

I understand your point. I will create a longer description of our requirement and why it has a benefit for the community.
Is that ok for you?

Thank you,
Marco

Von: Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>>
Antworten an: "stian at redhat.com<mailto:stian at redhat.com>" <stian at redhat.com<mailto:stian at redhat.com>>
Datum: Freitag, 19. Oktober 2018 um 08:14
An: "Scheuermann, Marco (059)" <marco.scheuermann at daimler.com<mailto:marco.scheuermann at daimler.com>>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>>, "fabian.loewner at freiheit.com<mailto:fabian.loewner at freiheit.com>" <fabian.loewner at freiheit.com<mailto:fabian.loewner at freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com<mailto:carmelo.scollo at daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com<mailto:david_christian.herrmann at daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com<mailto:lukas.schmitt at daimler.com>>
Betreff: Re: [keycloak-dev] User Profile Extension

I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person.

On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann at daimler.com<mailto:marco.scheuermann at daimler.com>> wrote:
Hi Stian,

thank you for your answer.
We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with
phone number.
Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number.

Greetings,
Marco

Von: Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>>
Antworten an: "stian at redhat.com<mailto:stian at redhat.com>" <stian at redhat.com<mailto:stian at redhat.com>>
Datum: Donnerstag, 18. Oktober 2018 um 11:33
An: "Scheuermann, Marco (059)" <marco.scheuermann at daimler.com<mailto:marco.scheuermann at daimler.com>>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>>, "fabian.loewner at freiheit.com<mailto:fabian.loewner at freiheit.com>" <fabian.loewner at freiheit.com<mailto:fabian.loewner at freiheit.com>>, "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com<mailto:carmelo.scollo at daimler.com>>, "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com<mailto:david_christian.herrmann at daimler.com>>, "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com<mailto:lukas.schmitt at daimler.com>>
Betreff: Re: [keycloak-dev] User Profile Extension

Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility.

To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used.

Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number.

Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems.

On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann at daimler.com<mailto:marco.scheuermann at daimler.com>> wrote:
Hi keykloak developers,

my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement:
We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number.
After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow.
During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using keykloaks admin rest API.
We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned.
We added a custom attribute “mobile” to the user but the REST API does not allow to search for custom attributes.

Our Requirement:
The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user.
Currently keykloak only offers a custom field for email, but no phone number.
Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request?

Thank you,
Marco

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.