Keycloak - enable email mapping or alias - email

We are using keycloak as auth provider by utilizing the OAuth Code Flow. The user logs in with their normal email and password on the keycloak login page. Is there a way to mask/hide or even map email adresses? Apple is doing this by saving the real email but using fake mails like j24hj21h4#apple.com for the "outer world". The reason I need this feature is to hide the real email adresses of our users for SSO.

From my point of view, your best bet would be extend the Authentication SPI of keycloak and implement your logic, it's is totally achievable.
This is not something you get out of keycloak by default, but it provides flexibility to plug our extensions.
Here you can find more details on this https://www.keycloak.org/docs/latest/server_development/#_auth_spi

Related

Keycloak 18 proper configuration

I am using Keycloak to authenticate a user for a Vaadin application. The Vaadin application creates its own user session after successful authentication with Keycloak. I need the user to be able to change the password and email address.
Now I do not quite understand how to implement it correctly. There is a user Keycloak console that has this kind of functionality. But, for example, when a user changes their email address, the user is not prompted to confirm that new email address until a new login. Should I disable the Keycloak user console and e.g. use the Keycloak REST API directly from the Vaadin app to perform email/password changes? Or should I keep using Keycloak's custom console and configure it there?
What is the proper way to deal with such things with Keycloak? In case of Keycloak API I'd really appreciate the examples of API calls which should I perform in order to change the user password and email.

Invite user by email and set their password

I have an email address of a user. I’d like to create a user and send them an email with a link to set their password and activate their account. Is this kind of flow support in Keycloak ? I think I can provision user in Keycloak and send executeActionsEmail using UserResource. Is that the right way to do ?
Yes keycloak does support this kind of flow. You can use keycloak admin client for this.
UserResource is the right class for this. You are going in correct direction.

Get control after user authentication for sending modified user details

The general intent is controlling user details visibility while interacting with third party services.
Our application is using a single sign-on (SSO). Hence third party services should use Keycloak for user authentication. But we would like to provide information about user from our application, not from Keycloak.
For example, Stephen Clark has work email stephen.clark#jourrapide.com and personal email stephen.c#armyspy.com. He is authenticating using Keycloak. After authentication third party service would like to request additional information about Stephen. We would like to send information to third party service based on specific user settings. For instance, if Stephen is using his work profile then our application should send stephen.clark#jourrapide.com as an email to third party service. But the stephen.c#armyspy.com email should be sent for Stephen's personal profile. The same should be done for other user details.
That's why our application should get control after user authentication and send appropriate user details to third party service.
I assume that following options could help us to achieve this goal. But I do not have enough information for implementation. It would be good if you could provide me with some options with implementation examples.
Use the "Post Login Flow" in Keycloak.
Create custom identity provider in Keycloak.
Use the Impersonate user functionality in Keycloak with REST API for switching to required user.

Is it possible to add more than one email per user in Keycloak?

I'm using Keycloak for Identity Brokering through Google, Microsoft, etc. But Keycloak only allows one email per user. So the user can be authenticated only through one of the social login options (Google if gmail is added as user's email address, etc.). Is there any way to include more than one email per user, or any other workaround?
EDIT: (Editing based on comments to make scenario more clear)
In my scenario, I'm using a federated user store which contains a large number of users and and I need Keycloak to access all the emails linked to a user when that user is logging in using Google,Azure,etc. because Keycloak is using the email as the unique identifier for the authentication response from the social login provider. Without having the required email as the main email, Keycloak won't allow that user to log in through social IdP
Although, Keycloak emphasises on keeping a unique email,but there are certain scenarios where you may want to keep , say, secondary email.
This can be achieved in a couple of steps:
1. Add a custom attribute for secondary email in user like this:
2. Next , in your client create attribute mapper like this:
When I generated the token after above configuration, the new attribute was avialble in token. You can use this attribute in your app as you desire.
Parsed JWT:
I figured out the best way to deal with this is through the custom user provider (federated user store). Even though we can't add multiple emails per user through the Keycloak admin console, we can write the user provider in such a way that it can get all the emails linked to a user from our database and assign them to the email attribute of each user. Once this is done, all the emails will appear on the admin console as well.
For the social login to recognize those emails, we have to get all the emails linked to a user in the provider to an array and iterate through it until the authentication is complete. This would help to create the social login link to the user through First Login Broker authentication flow.
This is a crude way to approach this, but nevertheless it works!

Identity Server 3 - Silent sign-in / sign in without login page. Including single sign on

I have come across a number of articles that discuss a similar matter but I cannot find a definitive answer.
My company would like to begin using Identity Server 3, however one of the requirements is to be able to authenticate an external user without them having to manually enter their credentials.
This must be capable of providing single sign on capabilities also as we have 3 different systems and our users should only have to sign in once.
Essentially, the external user has their own CRM.
The CRM holds their username and password for our software.
They then click a button in their CRM to launch our application
This redirects them to our website with a payload containing their credentials
We call a web service to authenticate the user
It is fundamental that we do not change this process for our partners.
Can I implement a custom service provider to provide the authentication or is there some other way of achieving this? If so, could you point me in the right direction for how this can be done?
Many thanks
Craig
I would assume that you'd create a mechanism for their CRM to get a token at the time the client logs into their site and then have them send that token via url to your callback page. This would use the machine-to-machine type grant, or the client-credentials flow. Then that page could validate the token and log the user in. There would have to be some sort of unique identifier between the two systems like email or something. Just an idea.