How to show alert message "You have one login attempt left" in Keycloak UI - keycloak

Is there any way in Keycloak to alert users that they have very few login attempts left by showing alert messages in the Keycloak UI? I know that Keycloak keeps count of incorrect attempts in UserLoginFailureModel.

Related

Keycloak Forgot password duplicate emails

Keycloak sends out duplicate emails when you hit the Forgot password button right after the user session expired and you want to log in again.
It might be a configuration issue with Keycloak, but it is quite annoying, so any help would be appreciated.
The Keycloak client is set to public and used in combination with the JavaScript adapter on a mobile app.
Steps to reproduce:
Log in with your user account using the public client.
Wait for your access token to expire; you will need to log in again.
Go to the login page and, instead of logging in, hit the Forgot password button.
Enter your email and hit submit.
You get your first forgot password email.
You will be redirected to login-page-expired and click the "click here" link.
You get your second password email (which shouldn't happen).
The Keycloak version used is 12.0.1.

Keycloak automatic login after email confirmation with disabled user

We're using Keycloak (KC) with custom providers for the registration flow. At the end of the registration flow, before the confirmation email is sent to the user (as default KC functionality), we disable the user as it fits our use case.
When the user clicks on the email confirmation, the mail is confirmed and the user is automatically logged in, despite the fact that he/she is disabled at that point. Logins after that work as expected (if the user is disabled, login is forbidden; otherwise it succeeds).
Upon reviewing the Keycloak source, it seems as if the session id is sent in the confirmation mail and, if the session already exists in KC, it is automatically reused and the user proceeds as if logged in. If the session doesn't exist, the "email confirmed" page is shown and the user is not logged in (as expected).
To confirm my theory of KC not checking user status (enabled/disabled) in the middle of an existing session, I've disabled a user that was currently active in the application. The user was not logged out or anything of the like.
My conclusion is that when the user completes the registration, a session exists and that session is then automatically "hijacked" upon clicking on the confirmation link. Nowhere in the middle of that does KC check if the user is actually enabled or not. Same as if you disable a user while he/she is logged in and is browsing the protected application.
Does anyone have any workaround for the issue? My next step is to somehow programmatically invalidate the session at the end of the registration, so the user won't have one when clicking on the confirmation mail. I am not sure how to track this bug on the KC Jira either, since they don't seem to have any public bug tracker. Regardless, this is not the point of this question - my question is if anyone else already had this problem and, if yes, how it was solved.
I have solved a similar issue by writing a custom Required Action. The required action is triggered after email validation, so you can check if the user is enabled or not (see the Secret question required action example).
In my case, if the user validation is not OK, I redirect to an error page:
    // Inside the custom RequiredActionProvider; MessagesIDs.NOT_VALIDATED_ID is the
    // answerer's own message key, Status is the JAX-RS Response.Status enum.
    Response challenge = context.form()
        .setError(MessagesIDs.NOT_VALIDATED_ID)
        .createErrorPage(Status.UNAUTHORIZED);
    context.challenge(challenge);
    return;

Keycloak Implement Reset password flow same as forgot password flow

I am facing an issue with Keycloak:
When the user clicks on the Forgot password button, he is asked to enter basic details. Once the details are entered, the user receives a mail with a link to change his password. The user changes his password and is redirected to the login page of the application.
The user's account gets locked. The admin uses the application to unlock the account. The user gets an email, clicks on the link, and generates a new password. The user now sees a message: Your account is successfully updated.
What I want is that the second flow should work in the same way as the first one, i.e. when the user has given a new password, he'd be redirected to the login page.
Can someone guide me about how to proceed with this?
The difference I've noticed between the two flows is that the URL I receive in each of them is different.
In the first flow, I get this in the mail: http://[keycloak-host]/auth/realms/[realm]/login-actions/reset-credentials?code=[code]
In the second flow, I get this URL: http://[keycloak-host]/auth/realms/[realm]/login-actions/execute-actions?key=[key]

Drupal User Creation SMTPS message fails

I'm using Drupal 7. When I add a user via Peoples > + Add User, I want the user to receive a notification e-mail.
If I tick the box "Notify user of new account" and then click "Create New Account", the page redirects to a blank page at "/admin/people/create". The user IS created, but no message is sent. There isn't even a log entry for an attempt to send an SMTP message in Drupal, or a failure, etc. But the user exists.
If I DON'T tick the box, then the user is still properly created, and I don't get stuck at a blank page (the page is refreshed and I can see the green checkmark saying my changes have been applied).
How can I investigate this problem? I would like the e-mail to be sent (and I assume the blank page problem is related/the same issue). Like I said, I see no logs of e-mail trying to be sent, but it only crashes when I try to do so. Perhaps there are some other logs/debugging info I can enable?
Thank you very much,
Found my problem. The Token module was broken, and my user registration message used tokens, so this is why it crashed on user registration but not on the SMTP test.
Re-installing a fresh copy of the Token module fixed it.

What is the proper way of handling multiple account login from the same machine & browser?

I'm wondering if anyone knows how exactly Gmail, Hotmail, Facebook etc. handle the following scenario. (NOTE: assuming the cookie is shared between tabs)
Open two login pages to the application.
User 1 logs in to the domain.
User 1 changes some data without saving it.
User 2 logs in to the domain in a separate tab.
User 1 switches back to his tab and saves the data.
I tried repeating the steps in FF for Gmail; it sometimes gives me
"This may have happened automatically because another user signed in from the same browser" and logs the previous user out automatically, but other times it just shows "The page isn't redirecting properly" and I'll have to clear my cookies.
Hotmail seems to be a bit better: it immediately detects that I'm logged in on the first page and asks if I would like to switch accounts. If I select to switch accounts and go back to try to save the data, Hotmail throws a login error message.
Can anyone shed some light on how each one is implemented, as well as what might be the best practice to handle this problem?
In general, to counteract such issues you'll want to cross-reference the identity from the cookie with other submitted data. So the submitted form will include the user id, and the cookie will include the user session. If those are inconsistent, then reject the attempt, invalidate the session, and send the user to login.
If your forms have CSRF protection tokens (which they should), then the CSRF token can also encode the user ID, so the attempt by user 1 to save their data will fail due to an invalid CSRF token on the form.
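The check described in this answer, as an added example that is not part of the original post: sessions live in a constructed in-memory dictionary, the CSRF token is an HMAC over the session id and the user id it was rendered for, and `handle_save` replays the two-tab steps from the question. The server secret, the session store and the form shapes are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory state; a real app would use its session backend.
SECRET_KEY = b"constructed-server-side-secret"   # assumption: HMAC key for CSRF tokens
SESSIONS: dict[str, int] = {}                    # session id (cookie value) -> user id


def login(user_id: int) -> str:
    """Start a new session for user_id and return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user_id
    return sid


def csrf_token(sid: str, user_id: int) -> str:
    """CSRF token bound to the session *and* the user the form was rendered for."""
    return hmac.new(SECRET_KEY, f"{sid}:{user_id}".encode(), hashlib.sha256).hexdigest()


def handle_save(cookie_sid: str, form: dict) -> str:
    """Cross-check cookie identity against the form; any mismatch kills the session."""
    session_user = SESSIONS.get(cookie_sid)
    if session_user is None:
        return "reject: no session"
    if form.get("user_id") != session_user:          # form says user 1, cookie says user 2
        SESSIONS.pop(cookie_sid, None)                # invalidate and send back to login
        return "reject: user mismatch"
    expected = csrf_token(cookie_sid, session_user)   # token must match *this* session too
    if not hmac.compare_digest(expected, str(form.get("csrf", ""))):
        SESSIONS.pop(cookie_sid, None)
        return "reject: bad csrf"
    return "ok"


def two_tab_scenario() -> list[str]:
    """Replay the steps from the question and collect each outcome."""
    sid1 = login(1)                                   # user 1 logs in (tab A)
    form1 = {"user_id": 1, "csrf": csrf_token(sid1, 1), "data": "unsaved edit"}
    sid2 = login(2)                                   # user 2 logs in (tab B); shared cookie = sid2
    stale = handle_save(sid2, form1)                  # tab A submits with user 2's cookie
    after = handle_save(sid2, {"user_id": 2, "csrf": csrf_token(sid2, 2)})  # user 2 must re-login
    sid1b = login(1)                                  # user 1 logs in again in a new session
    fresh = handle_save(sid1b, {"user_id": 1, "csrf": csrf_token(sid1b, 1)})
    relogin = handle_save(sid1b, form1)               # old form: right user, token from old session
    return [stale, after, fresh, relogin]
```

Note that the stale submit invalidates the session behind the shared cookie, which is user 2's, so user 2 is sent to login as well; that is the trade-off the answer describes.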