is there any way to link end-user to register with attribute somehow incorporated?
For example:
User needs attribute customerId to access the data.
I'll send him a link to register with his customer id already in it.
PS: will be using OAuth too so there is no way of creating premade account with temporary password
Related
I configure the Github Identity Provider in my Keycloak.
And now I just allow user browser when first login and create the user account manually first by myself.
But I found I need to configure the Provider User ID for the user first.
Do you know how to get this Provider User ID?
Thanks!
I tried to set registeration first then get ID to configure. But for other new user, I don't know how to do that.
If user login with username/password or sign in with google, that user should have same data and profile if he chooses to signup first or signup later with same email. How do you manage these thing in User Model creation
Creating a relationship of usertype and checking the way user gets created and adding it to usertype. like 'local', 'google' ,'twitter' etc.
I'm using Keycloak for Identity Brokering through Google, Microsoft, etc. But Keycloak only allows one email per user. So the user can be authenticated only through one of the social login options (Google if gmail is added as user's email address, etc.). Is there any way to include more than one email per user, or any other workaround?
EDIT: (Editing based on comments to make scenario more clear)
In my scenario, I'm using a federated user store which contains a large number of users and and I need Keycloak to access all the emails linked to a user when that user is logging in using Google,Azure,etc. because Keycloak is using the email as the unique identifier for the authentication response from the social login provider. Without having the required email as the main email, Keycloak won't allow that user to log in through social IdP
Although, Keycloak emphasises on keeping a unique email,but there are certain scenarios where you may want to keep , say, secondary email.
This can be achieved in a couple of steps:
1. Add a custom attribute for secondary email in user like this:
2. Next , in your client create attribute mapper like this:
When I generated the token after above configuration, the new attribute was avialble in token. You can use this attribute in your app as you desire.
Parsed JWT:
I figured out the best way to deal with this is through the custom user provider (federated user store). Even though we can't add multiple emails per user through the Keycloak admin console, we can write the user provider in such a way that it can get all the emails linked to a user from our database and assign them to the email attribute of each user. Once this is done, all the emails will appear on the admin console as well.
For the social login to recognize those emails, we have to get all the emails linked to a user in the provider to an array and iterate through it until the authentication is complete. This would help to create the social login link to the user through First Login Broker authentication flow.
This is a crude way to approach this, but nevertheless it works!
I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs.
Use case:
The registration page for new users shouldn't be public. New user get an invitation email from the admin. The email contains a link to the registration page.
I thought about using an initial access token (like for client registration) and add it to the link to the registration page. Afaik there is nothing like that for user registration?
Are there any other ways to do it?
I think you've got two options to implement it:
First
You know the e-mail of the destination user before sending the invitation, so you would let the admin create a user in keycloak with the e-mail itself as the username. Then the admin should check 'Verify e-mail', 'Update profile' and 'Update password' as required actions, so keycloak will send an activation mail (you can customize the e-mail template) and user will be required to fill his data and set a password.
If you don't want the admin to access keycloak directly, you could do it via the user management API.
Second
Implement this logic in your application. Write a user data form which is publicly accessible using a code (it might be some UUID). When admin sending the invitation mail, link a random code to the address, so when user enters the page, you can verify it. Then you'll need to save the data in keycloak as a new user, using the user management API.
I am currently using the JavaScript adapter to retrieve the profile for the currently logged in user via the loadUserProfile() function. Is it possible to control what properties and attributes are returned in this profile object returned?
I have some custom attributes set against the user account in my Keycloak server which I do see coming back.
I then noticed I could add a 'User Address' mapper for my client which I have added and was hoping I would see this come back in the loadUserProfile but it does not show up.
I have made sure the 'Add to userinfo' toggle button is enabled for the address mapper I have added. I assume though this option is only for when retrieving from the userinfo endpoint, not this user profile function I am calling through the JavaScript adapter.
Can I get this address field to show in the profile response, or do I have to have custom address attribute configured and set on the user in the Keycloak admin portal?
The client mappers are meant to put (or not) user attributes into the tokens (idtoken and/or access token), if you inspect idTokenParsed object for instance , you will see your address object in there. loadUserProfile() just calls the user account endpoint and is unrelated to these client mappers.