Redirect a logged user to activate WebAuthn - keycloak

The use case is that a user logs in on a private website and after some time we want to offer the user to set up login with biometrics (for example, FaceID/TouchID) to replace the password login.
Is it possible to do that with Keycloak?
I've already set up the "Creating a password-less browser login flow" and "W3C Web Authentication (WebAuthn)" examples from the official documentation, but all of them require setting everything up as part of the login, instead of something that the user could do later.
Perhaps another way to ask would be: Does Keycloak provide a URL to redirect the user to activate biometrics outside and after a login?
Thanks in advance for any information, perhaps I'm not understanding how this works.

Related

Login with Facebook Integration With Keycloak using custom login

I am trying to integrate the Keycloak with Facebook social plugin. I had gone through the examples and documentation. This works fine if I use the Keycloak hosted Login Page.
What I need is that we want to host our own login page and use the Keycloak APIs to register the user and login. I mean, I want to host our Sign Up/Login Page.
When the user clicks on the Login with Facebook, we want to redirect the user to FB and get the approval and collect the details, create the user details that we need for our application. Then register the user on the Keycloak.
I don’t see any documentation for this. I would be really grateful if you can shed some light on this and point to the documentation that would help me in achieving this.
Thanks in Advance.
For that I think you have to register your application with Facebook using a valid Facebook user account to connect with Facebook API services.
Refer: https://developers.facebook.com/docs/facebook-login/multiple-providers/

How to redirect to a private Google Group?

Now, I wish to redirect to a private Google group on click of a button on my website along with search parameters. I have generated the required URL using Perl. Then I made a simple redirection using . It works when the user is already logged in (using cookies). But it doesn't work if the user has not logged in. I wish to redirect to Google's login page to make sure the user has logged in and thus can access the private group. How do I do this? I read some documentation mentioning OAuth. Is this the only way?
Typically Google handles the login themselves. A user not logged in will be redirected to their login page first.
You can't use OAuth to log someone into a foreign (aka Google's own) service. You could use OAuth to check if a user is logged in at all, but it's not necessary.
The Dancer::Plugin::Auth::Google documentation has a pretty good description of how to set up a Google OAuth login. The Auth::GoogleAuth module might do the job (with less documentation) without using Dancer, but I never tried it myself.

Authentication using Tomcat realm or Facebook login

I have a web application that authenticates users through the standard Tomcat mechanism. More specifically, I configured a JDBCRealm that points to my own user and role tables and I am using form-based authentication, which submits the user details to the j_security_check action (as j_username and j_password). The security constraints are configured in my web.xml file.
Now, I'd like to provide users with a second login option: Facebook. I've already configured Facebook login using their JavaScript SDK, but I'm having problems integrating both login options. Ideally, when the user logs into Facebook, I would have to simulate an authentication in the Tomcat realm as well to make sure the Facebook user behaves as a regular Tomcat user. That means I also have to register the Facebook user in my own user table.
My first idea was to register the user in my own user table right after they finish their Facebook login (using an Ajax request, for example). When this request finishes, I would be able to trigger a manual submit to j_security_check.
The Facebook response includes a user id and a token that I could use. However, I don't know what information to use as j_password. I don't even know if using form-authentication is the best option any more.
What would be the best way to integrate both login options?
Thanks a lot!
One option could be to use a Combined Realm: See http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#CombinedRealm
Realm 1 should be JDBCRealm, then implement realm 2 (FacebookRealm). You might change the order, based on which one is the most frequently used. See Tomcat docs for how to implement a realm.
Of course you don't have a password in FacebookRealm, but you could do the following trick:
JDBCRealm:
username = username/userId in your application
password = password
FacebookRealm:
username = username/userId in your application
password = unique user id provided by Facebook
This could allow users to log in with whatever method they want.
Basically, this could be a possible use case for logging in through FacebookRealm (first steps might be a little bit different with JS SDK, but the idea is similar):
1. User is sent, through a link, to Facebook for authentication.
2. Facebook redirects to your server with a token.
3. Your server makes a Facebook call to verify the authenticity of the user.
4. Your server knows that it's a valid user, so it calls login(username, facebookUserId) method from Servlet. See: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String, java.lang.String)
4.1. Make sure "username" and "facebookUserId" exist in your database before calling the login method.
5. Tomcat FacebookRealm will just perform a database query for that username and id.
I hope this gives you more insights about how this could be done.
Other options could be through Apache Shiro, Spring Security or probably others as well.

Google Apps SAML SSO enabled but normal users still can login using google.com/a/domainame.com

We have enabled SSO for our Google Apps domain. When users try to access "http://mail.google.com/a/domainname.com" they get redirected to the custom SSO sign-in page URL. But when the URL http://google.com/a/domainame.com is accessed, users are able to log in to the Google Apps users hub without being redirected to the SSO sign-in page URL. As per my understanding, this kind of login should only be enabled for the administrator of the domain. Why is it happening for normal users of our domain?
How can we redirect the http://google.com/a/domainname.com URL to the custom SSO sign-in page? Please help. Thanks in advance.
You can't block people from logging into Google through 'local' credentials, if they know them: they need this for access via mobile devices, where you can't be redirected to a web page for SAML SSO, for example.
The normal solution is to change the password to something the user doesn't know.
Further, if you force 2-factor authentication for your users, this means a user can have one-time passwords for their mobile devices and still have an account password they don't know.
The www.google.com/a/yourdomain.com URL points to the Google cpanel, which can never, ever be restricted through custom SSO, as this is your only recourse to disable SSO. If anything goes wrong, you need to hit that URL to turn off SSO or change SSO settings.
If you wish to restrict access to cpanel, please look into organization restrictions / superuser privileges; you can restrict cpanel superadmins to only one or two trusted admins.
If you wish to have only a single admin account with access to cpanel, but want to give some cpanel features to regular users, check out some third-party apps in the Google marketplace; gPanel is especially good as it gives you fine-grained control over who can access what. Couple that with SSO, and you get a complete logging / monitoring / access control solution.

Designing a single sign on / CAS interface

I am creating a SaaS that will allow users to interact with it via their web applications. I would like to create a CAS-type login mimicking Facebook Connect, so when you click the 'Login' button on the user's website it will pop up a window for you to log in with my SaaS credentials.
I do not want the SaaS user's site to be able to access the user's login credentials, so this is why I thought of CAS. However, it doesn't look like Facebook Connect redirects to the CAS server. It looks like they just pop up a window to the Facebook login, then create a cookie once the user successfully logs into Facebook. How then does the Facebook Connected site access that cookie?
I basically want to be able to keep the end user on the current website without being redirected to my login application. I would like to mimic what Facebook does by just popping up a little window, having them log in, then refreshing the page after they log in, but I am not sure how to go about this.
Any ideas?
Facebook uses a third party cookie: they set a cookie on your domain that you can access to get the necessary credentials.
EDIT: the easiest example would be to look at PHP's setcookie function. Notice that there is a domain parameter. If you change the domain to match the domain of the actual website that initiated the authentication action then you'll be able to set a third-party cookie.
Note that on IE there are certain headers the domain that initiated the authentication action needs to set to allow your third-party cookie to be set. See http://www.spamcollect.com/archives/33 for a short writeup of how that works.
If you are working in a different language you'll need to use whatever cookie management functions they offer.
Another option may be to do this with CAS programmatically using the REST client.
https://wiki.jasig.org/display/CASUM/RESTful+API
In this way you could take the user's details and log in to CAS without being redirected.
Facebook uses cross-domain communication, which is what I will be using.