Multiple Users Login in Same tab - Choose user screen - Keycloak - keycloak

Is it possible to create a custom authenticator where multiple users can log in and we give an option to change user without logging out the other user, kind of like the Google account chooser?
https://admin.google.com/ac/accountchooser?pli=1
As the browser flow works on Keycloak cookies (AUTH_COOKIE_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION), I believe we will need to use these cookies. Is there any way we can customize these cookies?
Any insight on how we can achieve this using a custom authenticator, or anything else that will be helpful.
Thanks.

Related

Custom Registration Page for Cognito User Pool

I have a Cognito User Pool and need to prompt users to select their country from a dropdown list during registration. As far as I can tell, Cognito doesn't provide the ability to customize the registration page with a dropdown. Is there a way to redirect the "Sign Up" link on the Cognito sign-in page to point to a specific URL so I can provide my own registration page (and use the Cognito APIs to create the user)?
Or, if someone knows of a different way to solve this problem, I'm all ears.
My OIDC clients are websites (i.e., not mobile apps) and I'm using the authorization code flow.
You can create your own registration page and use the AWS Cognito SDK or Amplify to make calls to Cognito. For example, if you are using JavaScript you can use the following code for your signup calls: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#signUp-property

Is it possible to hide Keycloak's interface from users?

I would like to hide Keycloak's interface from my Customers.
Is it possible to log in to Keycloak through an API (especially for the Authorization Code grant type), so I can build a React component, for example, for my customers to log in?
Is it possible to build my own Account app, that will interact with Keycloak through an API?
Only my staff should use Keycloak's interface to manage security.
You can redirect your application to the Keycloak login page, and change that login page to have the look and feel that you desire using Keycloak custom themes. To communicate from your Account app to the Keycloak API you can use the Keycloak Admin API.
Yeah, almost every SPA (Angular, React, Vue, ...) developer dreams about replacing the IdP (Keycloak in your case) login screen (because the default IdP login is ugly / doesn't match the app style / ... and he can build a cool login screen at the SPA level :-)).
Sure, it's possible. Switch to Direct Access Grants (Resource Owner Password Credentials Grant) and you can use that. But you will sacrifice security. Let's say you have Google IdP identity brokering, so users will also be able to use their own Google account. Will you put your Google credentials into some custom login form, which claims that those credentials will be used only to log in and won't be stolen? I would say no, because the app will see your credentials. That is the purpose of an IdP (OIDC or SAML protocol). It provides user identity to any app (especially 3rd party apps) without exposing user credentials - that is the perfect case for the Authorization Code grant type.
So I would say it's possible to use your own SPA login form, but it is a wrong idea. I would use local app auth in your case.
Second question: you can build your own Account app based on the Account REST API. It is pretty new, so there is no good doc for it and it's only available as a preview feature. The new account console should use it - https://www.keycloak.org/2020/09/new-account-console.adoc.html, so you can watch the browser network console to see the API requests.

how to create facebook multiple buttons in one page

I have a client with 6 different Facebook accounts.
I would like to create a button for each profile with auto login.
When the user presses one of the buttons it will redirect and log him in to the specific account without typing a user name and password.
Is it possible?
Look into something called OAuth2.
Create your own for your website/endpoint.
Try to make sure that all those 6 Facebook accounts are able to authorise and perform a handshake with your custom OAuth2 implementation as part of the authentication process.
Check Facebook's OAuth documentation and guidelines that you need to abide by. And then see if it is possible with your preferred programming language.
Obviously, there are certain limitations to the usage of the OAuth2 implementation.

Login and register on the same page with Keycloak

I would like to know if it's possible to customize the user's login page with 2 forms, one form with the login component and one with the registration component.
If you have examples, I'm willing to try.
Best regards

Designing a single sign on / CAS interface

I am creating a SaaS that will allow users to interact with it via their web applications. I would like to create a CAS type login mimicking Facebook Connect so that when you click the 'Login' button on the user's website it will pop up a window for you to log in with my SaaS credentials.
I do not want the SaaS user's site to be able to access the user's login credentials, so this is why I thought of CAS. However, it doesn't look like Facebook Connect redirects to the CAS server. It looks like they just pop up a window to the Facebook login, then create a cookie once the user successfully logs into Facebook. How then does the Facebook Connected site access that cookie?
I basically want to be able to keep the end user on the current website without being redirected to my login application. I would like to mimic what Facebook does by just popping up a little window, having them log in, then refreshing the page after they log in, but I am not sure how to go about this.
Any ideas?
Facebook uses a third-party cookie: they set a cookie on your domain that you can access to get the necessary credentials.
EDIT: the easiest example would be to look at PHP's setcookie function. Notice that there is a domain parameter. If you change the domain to match the domain of the actual website that initiated the authentication action then you'll be able to set a third-party cookie.
Note that on IE there are certain headers the domain that initiated the authentication action needs to set to allow your third-party cookie to be set. See http://www.spamcollect.com/archives/33 for a short writeup of how that works.
If you are working in a different language you'll need to use whatever cookie management functions they offer.
Another option may be to do this with CAS programmatically using the REST client.
https://wiki.jasig.org/display/CASUM/RESTful+API
In this way you could take the user's details and log in to CAS without being redirected.
Facebook uses cross-domain communication, which is what I will be using.
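The last reply settles on cross-domain communication between the popup and the opening page. The following is an added example (not code from the thread) of that pattern with `window.postMessage`: the customer's site opens the SSO login in a popup, and the popup hands back a one-time code rather than a session cookie or credentials, so the customer's site never touches the password and only its backend exchanges the code. The SSO origin, the `sso:login` message shape and the nonce handling are assumptions made for this example; the pure functions run in Node, the two browser-only functions are guarded so the file also loads there.

```javascript
// Added example: popup login with postMessage, replacing the third-party-cookie approach.
// Not from the thread. SSO_ORIGIN and the message shape are assumptions for this example.
const SSO_ORIGIN = 'https://sso.example.com'; // placeholder for the SaaS login host

// Opener side (customer's site): accept only a message from the SSO origin, of the one
// type we expect, carrying the nonce we generated. Anything else is dropped, so another
// tab or a rogue iframe cannot inject a "login" result.
function handleAuthMessage(event, expectedOrigin, expectedNonce) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'sso:login') return null;
  if (typeof data.nonce !== 'string' || data.nonce !== expectedNonce) return null;
  if (typeof data.code !== 'string' || data.code.length === 0) return null;
  return { code: data.code }; // short-lived, one-time code; the backend exchanges it
}

// Popup side (SSO host): the message the popup sends back once the user has logged in.
// It carries a code, never the credentials and never the SSO session cookie.
function buildLoginResult(code, nonce) {
  return { type: 'sso:login', code, nonce };
}

// Popup side: deliver the result to the opener, pinned to the customer's origin.
// customerOrigin comes from the SSO host's server-side allowlist for that app, never '*'.
function postLoginResult(openerWindow, customerOrigin, code, nonce) {
  if (!openerWindow) throw new Error('popup was not opened by another window');
  openerWindow.postMessage(buildLoginResult(code, nonce), customerOrigin);
}

// Opener side: open the popup, listen once for a valid result, then let the caller send the
// code to its own backend and refresh the page. Browser-only; returns null elsewhere.
function startPopupLogin(loginUrl, ssoOrigin, onLogin) {
  if (typeof window === 'undefined') return null;
  const nonce = window.crypto.randomUUID(); // echoed back by the SSO host
  const url = new URL(loginUrl);
  url.searchParams.set('nonce', nonce);
  const popup = window.open(url.toString(), 'sso-login', 'width=500,height=600');
  const listener = (event) => {
    const result = handleAuthMessage(event, ssoOrigin, nonce);
    if (!result) return;
    window.removeEventListener('message', listener);
    if (popup) popup.close();
    onLogin(result.code); // e.g. POST to /session on the customer's backend, then reload
  };
  window.addEventListener('message', listener);
  return popup;
}

// Constructed messages, as they would arrive at the opener's "message" listener.
const goodEvent = { origin: SSO_ORIGIN, data: buildLoginResult('CONSTRUCTED_CODE', 'n1') };
const spoofedEvent = { origin: 'https://evil.example.net', data: buildLoginResult('CONSTRUCTED_CODE', 'n1') };
console.log('from SSO host:', handleAuthMessage(goodEvent, SSO_ORIGIN, 'n1'));
console.log('from elsewhere:', handleAuthMessage(spoofedEvent, SSO_ORIGIN, 'n1'));
```

The two checks that matter are on each side of the channel: the popup passes the customer's origin as `postMessage`'s second argument so the result cannot be read by a page that has hijacked the opener, and the opener compares `event.origin` to the SSO origin and the nonce to the one it issued so a message from any other window is ignored. Handing back a code that the customer's backend exchanges server-side is what keeps the end user's credentials and the SSO session out of the customer's JavaScript entirely, which is the requirement the question states.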