I've configured Keycloak authentication for the following behaviour:
The user inputs its userid
Keycloak should try to authenticate it with the passwordless flow
As an alternative the user could switch to password authentication
NOTE: The user already has a registered passwordless device:
The authentication flow has been configured as follows:
I access localhost:8080/realms/myrealm/account and click on Sign in:
I input the userid:
But, instead of being offered to sign up with the security device, I'm asked for the password:
If I select Try another way and click on Security Key:
I am now offered to login with the device:
Which I can do successfully.
The problem here is that I need the passwordless login to be offered directly, not the password form. Passwordless is actually configured as the first alternative option so why isn't it working as expected?
Looking at the code of AuthenticationSelectionResolver this seems to be intended behaviour.
Try to change the order/position of credentials for your user from within the admin console.
The order of credentials should affect the order in which alternative authenticators will be executed.
Related
I am trying to set up SSO between two Keycloaks. The target Keycloak, where I want to configure the SSO has user federation set up in place and the user management is disabled. I was thinking of configuring IdP brokering between my source Keycloak and the target Keycloak so that I can use the same authentication token.
I have configured login redirection and when I try to login to the target system, I was promptly redirected to the source Keycloak. Unfortunately, upon entering the username and password, I was presented with a dialog box stating that my user already exists and offering me to either Review the profile or Add to existing profile.
Initially, I thought it is because the user modification is disabled by the user federation. I have manually created the same username on the system, which is providing a list of the users but even with this in place, I am still unable to log in and am presented with exactly the same error message.
I have configured Keycloak to the SAML/IDP given by "samltest.id" and it works if the user logs into the application. On some user actions I want to enforce the user to enter his credentials again.
In the application I use the login method in the Keycloak JS adapter as follows:
keycloak.login({ prompt: 'login' })
Also I set the "force authentication" flag in the SAML configuration in Keycloak.
So, what is happening is, that after trying the re-login, the user is redirected to the IDP (like expected) but after entering his credentials a WARN message is shown in Keycloak log:
WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
and the user is again redirected to the IDP.
After entering the credentials again, instead of updating the active user session, an additional session is created by Keycloak (so I can see two sessions for the user in the Keycloak admin console). This way, the token (which belongs to the first session) will not be updated, so in the application I can not recognize the success of the re-login of the user.
Currently I use the Keycloak version 7.0.0
This re-login behavior work just fine, if I do it on user authenticated directly by Keycloak .
This behavior I can not just reproduce with "samltest.id" but also with another IDP.
I also thought about, to do a logout instead of re-login, but this will close the user session and if the user decides to cancel his action, he will not be able to go just back to the application without authenticating himself again.
Has someone an idea how to solve this issue? Or if it can be solved at all?
We've got an install of Azure Devops server that currently authenticates against our active directory server and authentication works, but it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser.
I appreciate any input, I've used and administered azure devops in the cloud for a LONG time, but the devops server stuff I'm new to.
NOTE: I've played with IIS settings for authentication (enabling and disabling basic authentication and forms auth etc, but nothing really seemed to help there)
it appears to do so by means of browser basic authentication (the
browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such
that users that have never logged in, actually get a login page... not
just the basic authentication prompt in the browser.
What's the login page do you mean?
1.If you mean the login page to connect to TFS web portal, as I know using basic prompt with username+password is the only appraoch.
Web Portal:
Only logic page:
2.But if you mean something used for authentication when accessing the code. I think you must be familiar with PAT which is widely used in Azure Devops Service. IIS Basic Authentication is not recommended. You can check Enabling IIS Basic Authentication invalidates using Personal Access Tokens and Use the TFS Cross Platform Command Line with TFS using basic authentication or personal access tokens (PATs).
Hope it helps to resolve your puzzle :)
So after lots of research, I found that in the differences between azure devops server and azure devops services documentation. In this documentation it states that it uses windows authentication, and you will never be presented with any login experience.
I'd vote that this should be something that be configured to show a login screen, as sometimes we want to log in as users other than the users we logged into the machine as.
I'm using the Rocket.Chat REST API for some automated user management. This was working great after I installed Rocket.Chat and my admin user had a username/password combo. Then, I activated the "iframe authentication" system in the admin panel. Now, when I try to use the REST API "login" endpoint, I get the error "User has no password set". Any ideas why this is happening? When I look at the user document in the MongoDB for Rocket.Chat, there is no "password" field (seems to have been deleted when I activated the iframe authentication).
UPDATE: I disabled the "iframe authentication" system and set a new password on my account. Looking at the DB now, that user has a "password" entry, so the password is there. But, now I can't log in because it says my password is incorrect. In summary, this software has a lot of bugs, it seems.
I am trying to ByPass Login credentials in JasperReports Server 4.5, so user can login directly without entering any username and password, this I have done by passing username and password directly in URL:
http://localhost:8080/jasperserver/flow.html?_flowId=searchFlow
&j_username=jasperadmin&j_password=jasperadmin
Now I want to hide these user credentials, so nobody can see the username and password.
How can I hide these credentials?
The best way is to use Token Based Authentication and to encrypt the token. This video covers the entire process.