If I understand this correctly it means that if I want to do 'my own' auth, the database entry for the user will be deleted after he logs out. How can I possibly work with this then? After all, how do I deal with data that is tied to the user?
as per note in this
using jwt strategy, will not persist session in database.
session: {
strategy: 'jwt'
}
this discussion may helps you out:
however, it is not about persisting session into the database.
Related
I want to achieve transaction functionality in keycloak. I am creating a user then a role and associating that role with the user. I want all of these operations in a single transaction.
Here is my code snippet:
Keycloak keyClk = getKeyCloakInstance();
UserRepresentation userRepresentation = new UserRepresentation();
userRepresentation.setEnabled(user.getStatus());
userRepresentation.setUsername(user.getUserId() != null ? user.getUserId() : "");
userRepresentation.setEmail(user.getEmail());
RealmResource realmResource = keyClk.realm(KeyCloakUtil.realmName);
UsersResource usersRessource = realmResource.users();
Response response = usersRessource.create(userRepresentation);
List<Role> roleList = user.getRoles();
if (!roleList.isEmpty() || roleList != null) {
createUserRoleList(user.getUserId(), roleList, KeyCloakUtil.clientId, KeyCloakConstant.ACTION_ADD);
}
I am not sure if keycloak is able to handle that task transactionally. What i did is after creating a user in keycloak, i would save the reference of the created user in a database. This approach is risky if something went wrong with your workflow and maybe you end up having some users in keycloak but not in your local database.
I know you can enhance keycloak and create a new rest API. When you do that, you will have access to keycloak transaction classes and can do everything under s transaction, at least this is what I understand when I searched for it.
I would have liked them to expose this feature without needing to enhance the code.
Another approach is to simulate a transaction your self. Before you start handling the request create a job Id and store it with the information you need to complete the job. Update the job as you go. If the code fails you can revert the changes you made. Even if the application stops when it starts again, you can go over the jobs and find the in-progress jobs and decide if you should try to complete them or revert the changes.
Is it possible to store multiple credentials for a given user in Keycloak?
They don't need to be all active/enabled at the same time. The use case for us is rather that we want to store new credentials in advance but don't want to have them active yet. They should be activated/enabled at a later time after some manual user verification.
The Keycloak REST API documentation states that UserRepresentation indeed comprises an array of CredentialRepresentation but in my few tests the GET call wouldn't even return a credentials attribute.
I would say that's impossible to have more credentials for a user.
But you can always implement your own user storage SPI that implements interface CredentialInputValidator, where you can check for the valid password.
Let's say in your DB, you have 2 colums for passwords: pas_col1 and pas_col2, and 1 more column as flag, which tells what column is used for user authentication, so in isValid(RealmModel realm, UserModel user, CredentialInput input) method you can check for your conditions.
Link to SPI: https://www.keycloak.org/docs/3.4/server_development/index.html#_user-storage-spi
I have a multi-tenant application built in Laravel 5.1. It uses one main database connection for storing users, roles, permissions, as well as jobs and failed_jobs. Additionally, every user has his own database.
I use a Job class for sending mail, and when it is executed, the following exception occurs:
[PDOException] SQLSTATE[3D000]: Invalid catalog name: 1046 No database selected
The class uses tables from two db connections (the main connection, and the one associated with the current user).
Thanks in advance, any help is appreciated.
Ok, this was easy. For anyone who is interested, I totally forgot to set the database in the second connection.
In fact, the database field in the second db connection is dynamically filled, depending on the authenticated user. So, each time the job class is executed, there should be initialization of the database field:
Config::set('database.connections.second_connection.database', 'user_' . $user_id);
// $user_id is in fact auth()->user()->id, passed as parameter
That solves the problem.
In my Scala/Play application i have to work with database but there's no default user and password because every authenticated application user is bound to different DB user. So i'd like to specify user name and password on obtaining connection, smth like:
DB.withConnection(user = "James", password = "secret") { ... }
For now i can't find such capabilities in docs (and honestly saying i'm not sure how to specify a search query for my question).
And another question: is it safe to store user password in session taking into account that session is stored on user side? Or are there any best practices for such case when different DB users work with app?
Answer to Question 1
In Play, you obtain datasources by name:
def getDataSource(name: String): DataSource
You'd have to do some heavy hacking of the stuff in package play.api.db to get the functionality you require.
That, or you can predefine a bunch of datasources if the number of users of your app is small, and retrieve the connection by their login name, e.g.:
db.bob.url="jdbc:h2:mem:db_for_bob"
db.bob.driver=org.h2.Driver
db.alice.url="jdbc:h2:mem:db_for_alice"
db.alice.driver=org.h2.Driver
And
DB.withConnection("bob") { implicit connection =>
Or
DB.withConnection(userNameKnownAtRuntime) { implicit connection =>
Answer to Question 2
Even though the data in sessions are heavily encrypted using the application secret, I would recommend not to store these client-side. Instead, implement something along the lines of Resource Owner Password Credentials Grant according to this section in the OAuth 2 spec. That would give your client a token which is only valid for a set period, and could be invalidated server-side if need be.
I'm new to PHP and Zend, and I would like to cache sensitive data about a logged user. The problem is that I don't want the user to be able to change values of this data, so I don't know how to store it.
I wanted to store it in Zend_Register once the user has logged in, but I don't think this is the right solution.
Zend_Registry::set('ud', $userData);
Then I retrieve the data in another controller :
$ud = Zend_Registry::get('ud');
Is there another way to do this ? like storing the values in cookies, and checking their integrity with a hash, or setting-up a server-side cache per session...
Thanks in advance,
Jerec
Zend_Registry is not persistent and it's purpose is for sharing temporary data within the application and is lost after script is finished.
If you want persistent data, use Zend_Session
I would suggest to use Zend_Session
$session = new Zend_Session_Namespace('sensetive_data');
$session->name = 'User';
$session->email = 'Email#email.com';
Now the interessting part, to take care of integrity you could use some kind of hash.. (not sure if this a good solution?). But if the server is configured correct, the session should be save..