[keycloak-dev] User Profile Extension

marco.scheuermann at daimler.com marco.scheuermann at daimler.com
Wed Oct 24 02:05:26 EDT 2018


Hi Lilian,

that sounds really good.
I'd like to review your implementation if it also fulfills our requirements.
How could we proceed?

Thx,
Marco

On 23.10.18, 14:07, "Lilian BENOIT" <lilian.benoit at lbenoit.fr> wrote:

    Hi.

    For one project, I extended Keycloak to implement login with mobile
    number or email.
    I have implemented login, registration by mobile number.

    I used activation by code because a link is too long by SMS. But I could
    use a link reducer (internal or external)
    I developed a new SPI to send SMS (inspired by EmailSenderProvider).
    It's to permit implementing a specific solution with our SMS provider.

    Currently, I saved mobile number in an attribute but it's more elegant
    that using mobile number same email (for example, activate or not
    authentication by mobile)

    If there is a subject, I am interested in contributing.

    Best Regards.
    Lilian BENOIT.


    On 2018-10-19 08:26, Stian Thorgersen wrote:
    > I'd rather you consider contributing a fully functional feature in
    > Keycloak itself, rather than extracting most of it into a separate
    > service and only contributing a part of the feature to the rest of
    > the community.
    >
    > On Fri, 19 Oct 2018 at 08:21, <marco.scheuermann at daimler.com> wrote:
    >
    >> Thank you Stian,
    >>
    >>
    >>
    >> I understand your point. I will create a longer description of our
    >> requirement and why it has a benefit for the community.
    >>
    >> Is that ok for you?
    >>
    >>
    >>
    >> Thank you,
    >>
    >> Marco
    >>
    >>
    >>
    >> *From: *Stian Thorgersen <sthorger at redhat.com>
    >> *Reply-To: *"stian at redhat.com" <stian at redhat.com>
    >> *Date: *Friday, 19 October 2018 at 08:14
    >> *To: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
    >> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>,
    >> "fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>,
    >> "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com>,
    >> "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com>,
    >> "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
    >> *Subject: *Re: [keycloak-dev] User Profile Extension
    >>
    >>
    >>
    >> I understand that you don't need it, but that's past the point. When
    >> adding new features and capabilities in Keycloak we need to consider
    >> the bigger picture and add things in a way that has wider use. We do
    >> not add solutions for one person.
    >>
    >>
    >>
    >> On Thu, 18 Oct 2018 at 11:51, <marco.scheuermann at daimler.com> wrote:
    >>
    >> Hi Stian,
    >>
    >>
    >>
    >> thank you for your answer.
    >>
    >> We already implemented login with phone number. For that we created a
    >> microservice that communicates with Keycloak. The service does a ROPC
    >> with Keycloak, so from Keycloak's perspective we DO NOT NEED support
    >> for login with phone number.
    >>
    >> Our only requirement was to extend the existing user profile by phone
    >> number, NOT to allow login via phone number.
    >>
    >>
    >>
    >> Greetings,
    >>
    >> Marco
    >>
    >>
    >>
    >> *From: *Stian Thorgersen <sthorger at redhat.com>
    >> *Reply-To: *"stian at redhat.com" <stian at redhat.com>
    >> *Date: *Thursday, 18 October 2018 at 11:33
    >> *To: *"Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
    >> *Cc: *keycloak-dev <keycloak-dev at lists.jboss.org>,
    >> "fabian.loewner at freiheit.com" <fabian.loewner at freiheit.com>,
    >> "Scollo, Carmelo (059)" <carmelo.scollo at daimler.com>,
    >> "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com>,
    >> "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
    >> *Subject: *Re: [keycloak-dev] User Profile Extension
    >>
    >>
    >>
    >> Adding support for login with phone number isn't as trivial as simply
    >> adding another user attribute. The user storage SPI also has
    >> implications here: since it's a supported API, we can't break
    >> backwards compatibility.
    >>
    >>
    >>
    >> To do this right we should discuss the correct approach. This would
    >> involve some configuration option for a realm to allow specifying what
    >> attributes can be used to authenticate the user. Some strategy for
    >> when there is more than one user with the same phone number. That
    >> could be unique, allowing user to select from users with the phone
    >> number, or simply returning an error stating username has to be used.
    >>
    >>
    >>
    >> Then there's indexing to consider. For the phone number to be useful
    >> for a login it has to be indexed in the db. Caches should be able to
    >> look up user based on phone number.
    >>
    >>
    >>
    >> Finally, and this is something we have problems with for email today.
    >> For email we had a limitation that email had to be unique. One email
    >> per user basically. This doesn't really work all that well and we had
    >> a rather hacky approach to allowing multiple users with the same email
    >> address. To extend to phone numbers we would need to address this
    >> properly and not introduce additional problems.
    >>
    >>
    >>
    >> On Thu, 18 Oct 2018 at 00:01, <marco.scheuermann at daimler.com> wrote:
    >>
    >> Hi Keycloak developers,
    >>
    >> my name is Marco and I am currently working on a Keycloak based
    >> user management solution for our company and have the following
    >> requirement:
    >> We implemented a native One Time Password (OTP) login for our app.
    >> That means a user can log in using email or mobile number.
    >> After that he gets a PIN via SMS/email which he can enter into the app
    >> to trigger the authentication flow.
    >> During login we check if the user already exists. If not we guide him
    >> to a registration page. This check is implemented by using Keycloak's
    >> admin REST API.
    >> We search for a user by email. It must also be possible to search by
    >> phone number because this attribute could also be used for login as
    >> already mentioned.
    >> We added a custom attribute “mobile” to the user but the REST API does
    >> not allow searching for custom attributes.
    >>
    >> Our Requirement:
    >> The user should be able to use email OR phone number for login. For
    >> that it should be possible to enter both attributes while registering
    >> a new user.
    >> Currently Keycloak only offers a custom field for email, but no phone
    >> number.
    >> Therefore we want to extend the User Profile by phone number. Would
    >> you accept such a Pull Request?
    >>
    >> Thank you,
    >> Marco
    >>
    >> If you are not the addressee, please inform us immediately that you
    >> have
    >> received this e-mail by mistake, and delete it. We thank you for your
    >> support.
    >>
    >> _______________________________________________
    >> keycloak-dev mailing list
    >> keycloak-dev at lists.jboss.org
    >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
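Added example, not part of the thread and not Keycloak code: a small Python model of the design points raised in the quoted reply of 18 October (a per-realm list of attributes usable for login, an index keyed by attribute value, and the three strategies for several users sharing one phone number). All class, function and policy names are hypothetical, and the normalisation rule is an assumption.

```python
"""Toy model of attribute-based login lookup (constructed, not Keycloak code)."""
from enum import Enum


class DuplicatePolicy(Enum):
    UNIQUE = "unique"                      # registration rejects a duplicate value
    SELECT = "select"                      # login returns all candidates to choose from
    REQUIRE_USERNAME = "require_username"  # login fails and asks for the username


def normalize(attr, value):
    """Canonical index key, so '+49 151-1' and '+491511' refer to one number."""
    if attr == "mobile":
        return "".join(ch for ch in (value or "") if ch.isdigit() or ch == "+")
    return (value or "").strip().lower()


class Realm:
    def __init__(self, login_attributes, policy):
        self.login_attributes = tuple(login_attributes)  # per-realm setting
        self.policy = policy
        self.users = {}   # username -> attribute dict
        self.index = {}   # (attr, normalized value) -> set of usernames

    def add_user(self, username, **attrs):
        keys = [(a, v) for a in self.login_attributes
                if (v := normalize(a, attrs.get(a)))]
        # With UNIQUE, check every key before storing anything.
        if self.policy is DuplicatePolicy.UNIQUE and any(self.index.get(k) for k in keys):
            raise ValueError("login attribute value already in use")
        self.users[username] = attrs
        for k in keys:
            self.index.setdefault(k, set()).add(username)

    def resolve(self, identifier):
        """Return (outcome, usernames) for a login identifier."""
        if identifier in self.users:          # a username always wins
            return "ok", [identifier]
        found = set()
        for attr in self.login_attributes:    # indexed lookup, no table scan
            found |= self.index.get((attr, normalize(attr, identifier)), set())
        if not found:
            return "unknown", []
        if len(found) == 1:
            return "ok", sorted(found)
        if self.policy is DuplicatePolicy.SELECT:
            return "select", sorted(found)
        return "username_required", []
```

Changing `policy` on a realm that already holds duplicate values only changes how `resolve` answers; existing duplicates stay in the index.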