What is the best practice for customizing Keycloak? - keycloak

Does anyone have experience with the following situations regarding Keycloak:
What is the standard approach if you have a lot of custom attributes in Keycloak?
Is it better to create your own application which holds the additional attributes for a user, or
is it better to maintain all attributes in Keycloak and query them via the UserEndpoint?
Is it possible to add 2FA to Keycloak in some way if the login and registration are done through the REST API?
So is there a way to use 2FA without the login redirect solution of Keycloak?
Is Keycloak even designed to solve everything via the REST API, without using the login mechanism already provided by Keycloak via redirect?
And can the following features be implemented without the Keycloak redirect login mechanism:
Forgot password
2-factor authentication
Social logins
Are there any security concerns when using the REST API for login & registration?
I have already created a custom application with its own login mask which performs a login to Keycloak via the REST API.

Related

Is it possible to hide Keycloak's interface from users?

I would like to hide Keycloak's interface from my Customers.
Is it possible to login to Keycloak through an API (specially for Authorization Code grant type), so I can build a React component for example for my customers to login?
Is it possible to build my own Account app, that will interact with Keycloak through an API?
Only my staff should use Keycloak's interface to manage security.
You can redirect your application to the Keycloak login page, and change that login page to have the look and feel that you desire using Keycloak custom themes. To communicate from your Account app to the Keycloak API you can use the Keycloak Admin API.
Yeah, almost every SPA (Angular, React, Vue, ...) developer dreams about replacing the IdP (Keycloak in your case) login screen (because the default IdP login is ugly/it doesn't match the app style/... and they can build a cool login screen on the SPA level :-)).
Sure, it's possible. Switch to Direct Access Grants (Resource Owner Password Credentials Grant) and you can use that. But you will sacrifice security. Let's say you have Google IdP identity brokering, so users will also be able to use their own Google account. Would you put your Google credentials into some custom login form which claims that those credentials will be used only to log in and won't be stolen? I would say no, because the app will see your credentials. That is the purpose of an IdP (OIDC or SAML protocol). It provides user identity to any app (especially for 3rd party apps) without exposing user credentials - that is the perfect case for the Authorization Code grant type.
So I would say it's possible to use your own SPA login form, but it is a wrong idea. I would use local app auth in your case.
Second question: you can build your own Account app based on the Account REST API. It is pretty new, so there is no good doc for that and it's only available as a preview feature. The new account console should use it - https://www.keycloak.org/2020/09/new-account-console.adoc.html, so you can watch the browser network console to see the API requests.
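To make the trade-off in the answer above concrete, here is an added example (not code from the original posts or from the Keycloak project) that builds both kinds of token request against a hypothetical Keycloak realm. The base URL, realm, client id and redirect URI are assumed placeholder values. With the Authorization Code grant the SPA sends the user to Keycloak with a PKCE challenge and later exchanges a one-time code plus the verifier; no user credential ever passes through the app. With Direct Access Grants (ROPC) the app itself has to submit the raw username and password, which is exactly what the answer warns about, and which cannot work for brokered (e.g. Google) users at all.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical deployment values (assumptions, not taken from the original posts).
KEYCLOAK_BASE = "https://sso.example.com"          # Keycloak < 17 would need a "/auth" prefix
REALM = "demo"
CLIENT_ID = "react-spa"                            # a public client
REDIRECT_URI = "https://app.example.com/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    The verifier stays in the SPA (e.g. sessionStorage) until the code exchange;
    only the SHA-256 challenge is sent in the authorization request."""
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 limit
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(code_challenge: str, state: str, nonce: str, scope: str = "openid") -> str:
    """Authorization Code request: the browser is sent to Keycloak's own login page
    (themeable, 2FA-capable, able to broker to Google), so the SPA never sees a password."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,          # CSRF binding, checked on the way back
        "nonce": nonce,          # replay binding for the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def parse_authorize_url(url: str) -> dict:
    """Flatten the query string of an authorize URL into a plain dict (helper for checks)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def code_exchange_body(code: str, code_verifier: str) -> dict:
    """Form body the SPA POSTs to /protocol/openid-connect/token after the redirect back.
    It carries a one-time code and the PKCE verifier: no user credential is present."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }


def password_grant_body(username: str, password: str) -> dict:
    """Direct Access Grant (ROPC) form body, what a custom SPA login form has to send.
    The raw password passes through application code, and a Google-brokered user has
    no Keycloak password to give, so this grant cannot serve them."""
    return {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
        "scope": "openid",
    }


def credential_fields(body: dict) -> set:
    """Which user-credential fields a token request exposes to the application."""
    return {k for k in ("username", "password") if k in body}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(challenge, state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16)))
    print("auth code exchange exposes:", credential_fields(code_exchange_body("<code>", verifier)))
    print("password grant exposes:   ", credential_fields(password_grant_body("alice", "hunter2")))
```

The `make_pkce_pair` function reproduces the RFC 7636 example vector when given its verifier, which is a quick way to confirm the encoding is right; the `credential_fields` comparison is the whole security argument of the answer reduced to two sets.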

Keycloak automatic login after registration via API

A React SPA sends registration details to a backend (including username and password). Besides other things, the backend creates a Keycloak user via the REST admin API.
The user then still needs to go to the Keycloak login page for authentication. Is it possible to skip this step and automatically log in the user on registration via the API?
I thought maybe the backend could obtain a token and send it to the SPA. But I do not know how to initialize keycloak-js in this scenario.
You can register the user and, after a successful registration, call the login endpoint with the same credentials in order to receive the access token.
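The answer above in working form, as an added example written for this page rather than code from the original posts or from Keycloak: a backend helper that creates the user through the admin REST API and then immediately obtains tokens for it with the password grant. The base URL, realm and client id are assumed placeholders; the admin token is assumed to come from a service account that already has user management rights; and the client must have "Direct Access Grants Enabled" in Keycloak for the second call to succeed. The HTTP transport is injectable so the flow can be exercised without a server.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical deployment values (assumptions, not taken from the original posts).
KEYCLOAK_BASE = "https://sso.example.com"   # Keycloak < 17 would need a "/auth" prefix
REALM = "demo"
CLIENT_ID = "react-spa"                     # needs "Direct Access Grants Enabled"

# Transport signature: (method, url, headers, body) -> (status, response_headers, body)
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, dict, bytes]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]):
    """Default transport using the standard library; errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def create_user(admin_token: str, username: str, email: str, password: str,
                transport: Transport = urllib_transport) -> str:
    """Admin REST API: POST /admin/realms/{realm}/users with an initial, non-temporary
    password. Keycloak answers 201 with the new user's URL in the Location header."""
    url = f"{KEYCLOAK_BASE}/admin/realms/{REALM}/users"
    payload = {
        "username": username,
        "email": email,
        "enabled": True,
        "credentials": [{"type": "password", "value": password, "temporary": False}],
    }
    headers = {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"}
    status, resp_headers, body = transport("POST", url, headers, json.dumps(payload).encode())
    if status != 201:  # 409 means the username/email already exists
        raise RuntimeError(f"user creation failed: {status} {body[:200]!r}")
    location = {k.lower(): v for k, v in resp_headers.items()}.get("location", "")
    return location.rsplit("/", 1)[-1]


def password_grant(username: str, password: str,
                   transport: Transport = urllib_transport) -> dict:
    """Token endpoint with grant_type=password (Direct Access Grant)."""
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
    form = urlencode({
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
        "scope": "openid",
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, _, body = transport("POST", url, headers, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body[:200]!r}")
    return json.loads(body)


def register_and_login(admin_token: str, username: str, email: str, password: str,
                       transport: Transport = urllib_transport) -> dict:
    """Create the user, then obtain tokens with the same credentials. The backend hands
    only the tokens back to the SPA; the plaintext password is not retained or logged."""
    user_id = create_user(admin_token, username, email, password, transport)
    tokens = password_grant(username, password, transport)
    return {
        "user_id": user_id,
        "access_token": tokens["access_token"],
        "refresh_token": tokens.get("refresh_token"),
        "id_token": tokens.get("id_token"),
        "expires_in": tokens.get("expires_in"),
    }


if __name__ == "__main__":
    # Placeholder admin token; a real backend would fetch one via client_credentials.
    print(register_and_login("<admin-token>", "alice", "alice@example.com", "<password>"))
```

On the SPA side, keycloak-js can be started from tokens the backend returns instead of redirecting: its `init()` options include `token`, `refreshToken` and `idToken` for seeding the adapter with an existing session.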
Update:

Keycloak with react login page

We have a very specific requirement, where we are going to have 2 types of authentication mechanism:
username & password
username (authentication will be done in the mobile app by entering a PIN)
We have a login page built in React which calls the Keycloak login via the Keycloak admin client. With this approach we are not able to maintain a session, so we tried to use Keycloak session management, but when we try to use Keycloak, I don't find any option to use the existing login page.
We need to use Keycloak's login page and customize it as per our need, but even if we do that, Keycloak always requires a password to log in.
NOTE:
We have a custom authenticator to handle the condition for password login or mobile app login.

Keycloak Social Login and Custom Login Authenticator

I am using Keycloak as a security layer and working towards enabling social login.
Social login was working and I was able to integrate Facebook with just configuration using the documents.
However, I have a requirement where I need to provide API endpoints for the same.
Our mobile devices will be communicating with Facebook via the app and will have the token from Facebook (Implicit Flow).
I will then be exchanging the token with Keycloak for the Keycloak access token.
I have two questions:
Is this approach correct? If not, why?
How can I achieve this?
I was thinking of writing a custom authenticator (I am not sure if that's the right approach, as I have to register the user as well if the FB access token user is not available with us; we can afford to log in the user with just an email ID, as we can onboard new users later).
I am blocked because the authenticator is not working with any build from 2.4.0 onwards.
Let me know if my approach is correct and if so, how to proceed with it.

Facebook Connect and HTTP basic authentication

I am working on a site that uses Facebook Connect for user login/creation. I have a development server which is used for QA, and I'd like it to be password protected. We wanted to use HTTP basic authentication, but that seems to break Facebook Connect (it falls in a loop). Does anybody know why that may be happening?
I believe that basic authentication is done on a browser basis, and all the communication between Facebook and our site is done in the browser of the user. What could be the problem?
Facebook Connect uses an iFrame-inside-iFrame hack to overcome the cross-domain communication limitation (see http://wiki.developers.facebook.com/index.php/Cross_Domain_Communication for details). My guess is that when Facebook redirects to the callback page (xd_receiver.htm) it fails because the latter requires basic authentication.
More information is needed on the "falls in a loop". But based on your question, from what I've read, Facebook Connect will create a random password on account creation, and if they are logging in over basic auth, it will need to be changed to match up (http://www.boonex.com/unity/forums/topic/facebook-connect-error-.htm).
But you don't specify if that's the way you are using FBconnect.
Are you requiring basic auth to get to the point of FBconnect account link/create?
Or are you using FBconnect to create the login for the basic auth?
How are you requiring basic auth? Server type?
Does everything work without requiring basic auth?