[keycloak-user] Password-free login using email link

Valerij Timofeev valerij.timofeev at gmail.com
Fri Oct 16 11:59:16 EDT 2015


Hi all,

we have a couple of use-cases where login is password-free and is based on
an email link with a login key, for example:
* consumer is allowed to review merchant or product without registration
* customer receives confirmation email on review submission
* consumer logs in on a client application without password using a link in
the confirmation email, but is not authorized to update review comment
* if consumer logs in using username/email and password (e.g. after
registration), "update review comment" functionality becomes available

We have to support such use-cases, if we decide to adopt Keycloak.

I searched through Keycloak JIRA tickets, but found only one similar
feature request, "Invitation email":
https://issues.jboss.org/browse/KEYCLOAK-439

Should I submit another feature request for our use case?

My vision:
* implement optional email-link authenticator (http://keycloak.github.io/docs/userguide/html/auth_spi.html#auth_spi_walkthrough)
* client application creates new user via Admin REST API
<http://keycloak.github.io/docs/userguide/html/admin-rest-api.html> and
sets credential type to "email_link" and value to login key. Then it sends
email including login link
* I suppose that it is difficult or even impossible to transmit query
parameters via OpenID Connect flow, so the link could point to an unprotected
page storing username and login key in a cookie
* email-link authenticator checks presence of the email-link cookie and if
found tries to authenticate user using username and key values provided in
the cookie
* if no cookie is set or login fails, user is redirected to login form

Challenge: how to limit roles bound to user session if login type
"email_link" is used, maybe via configuration parameter for this
authenticator? The rest of assigned roles should not appear in the user
session.

Thank you in advance
Valerij Timofeev
Software Engineer
Trusted Shops GmbH

P.S. "Password-free" logins seem to become a trend: Yahoo Mail gets a
redesign, goes “password-free” http://www.siliconbeat.com/2015/10/15/yahoo/
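
A standalone model of the flow proposed above, added here as an example; it is not part of the original post and does not use Keycloak's API. It issues a login key for the emailed link, verifies it, and restricts the session's roles when the login type is "email_link". The key lifetime, single-use behaviour, storing only a hash of the key, and the role names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL_SECONDS = 24 * 3600          # assumption: login keys expire after a day
EMAIL_LINK_ROLES = {"review:read"}   # assumption: hypothetical role names


def roles_for_session(assigned, login_type):
    """Roles placed in the session; an email_link login gets only the allowlist."""
    if login_type == "email_link":
        return set(assigned) & EMAIL_LINK_ROLES
    return set(assigned)


class EmailLinkLogin:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._keys = {}    # username -> (sha256 of login key, expiry time)
        self._roles = {}   # username -> roles assigned to the user

    def create_user(self, username, roles):
        self._roles[username] = set(roles)

    def issue_key(self, username):
        """Return a random key for the emailed link; only its hash is stored."""
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).digest()
        self._keys[username] = (digest, self._clock() + KEY_TTL_SECONDS)
        return key

    def authenticate(self, username, key):
        """Return a session dict, or None so the caller shows the login form."""
        stored, expires_at = self._keys.get(username, (b"\0" * 32, 0.0))
        presented = hashlib.sha256(key.encode()).digest()
        # Constant-time comparison; unknown users take the same code path.
        if not hmac.compare_digest(stored, presented) or self._clock() >= expires_at:
            return None
        del self._keys[username]   # assumption: a key works once
        roles = roles_for_session(self._roles.get(username, ()), "email_link")
        return {"user": username, "login_type": "email_link", "roles": roles}
```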