How to export users & their credentials from Okta - Keycloak

I am not able to find a way to get the user credentials from Okta, which would be in hashed format. No API is available to export the credentials. To export users I found a solution in this Chrome extension ( https://github.com/gabrielsroka/gabrielsroka.github.io/tree/master/rockstar ), which internally uses the Okta API; with it I am able to get the user information, except the credentials. I have not found a solution for getting the credentials.
My main goal is to migrate users from Okta to Keycloak.

I do not believe that this is possible to achieve. Okta does not have any APIs to retrieve user credentials.

Related

What is best practice for Keycloak customizing?

Does anyone have experience with the following situations regarding Keycloak?
What is the standard approach if you have a lot of custom attributes in Keycloak?
Is it better to create your own application which holds the additional attributes for a user, or
is it better to maintain all attributes in Keycloak and query them via the UserEndpoint?
Is it possible to add 2FA to Keycloak in some way if the login and registration are done through the REST API?
So is there a way to use 2FA without the login redirect solution of Keycloak?
Is Keycloak even designed to solve everything via REST API, without using the login mechanism already provided by Keycloak via redirect?
And can the following features be implemented without the Keycloak redirect login mechanism:
Forgot password
2-factor authentication
Social logins
Are there any security concerns when using the REST API for login & registration?
I have already created a custom application with its own login mask which makes a login to Keycloak via REST API.

Is it possible to hide Keycloak's interface from users?

I would like to hide Keycloak's interface from my Customers.
Is it possible to log in to Keycloak through an API (especially for the Authorization Code grant type), so I can build a React component, for example, for my customers to log in?
Is it possible to build my own Account app, that will interact with Keycloak through an API?
Only my staff should use Keycloak's interface to manage security.
You can redirect your application to the Keycloak login page, and change that login page to have the look and feel that you desire using Keycloak custom themes. To communicate from your Account app to the Keycloak API you can use the Keycloak Admin API.
Yeah, almost every SPA (Angular, React, Vue, ...) developer dreams about replacing the IdP (Keycloak in your case) login screen (because the default IdP login is ugly/doesn't match the app style/... and they can build a cool login screen at the SPA level :-)).
Sure, it's possible. Switch to Direct Access Grants (Resource Owner Password Credentials Grant) and you can use that. But you will sacrifice security. Let's say you have Google IdP identity brokering, so users will also be able to use their own Google account. Would you put your Google credentials into some custom login form, which claims that those credentials will be used only to log in and won't be stolen? I would say no, because the app will see your credentials. That is the purpose of an IdP (OIDC or SAML protocol). It provides user identity to any app (especially for 3rd party apps) without exposing user credentials - that is the perfect case for the Authorization Code grant type.
So I would say it's possible to use your own SPA login form, but it is a wrong idea. I would use local app auth in your case.
Second question: you can build your own Account app based on the Account REST API. It is pretty new, so there is no good documentation for it and it's only available as a preview feature. The new account console should use it - https://www.keycloak.org/2020/09/new-account-console.adoc.html, so you can watch the browser network console to see the API requests.

Keycloak/Java webapp: How to get JWT token

I'm working on securing a legacy monolith webapp with Keycloak (I'm pretty new to Keycloak) and am trying to figure out how best to retrieve the JWT token so I can extract some attributes from it. I've been playing around with it for a couple of days now, and the authentication portion works fine, but once authenticated, I need to extract some application specific attributes from the JWT token so I can handle authorization in the target app. I have not been able to figure out how to easily do that.
Any help would be greatly appreciated as I'm sure I'm just missing something super obvious.
EDIT: I'm using the keycloak-servlet-filter-adapter to handle the authentication with Keycloak.
EDIT2: I've been playing around some with the AuthzClient and from there I can get the access token. Is there something I can do to retrieve the "user attributes" for the user that has this access token? In Keycloak I have some custom user attributes that are being fetched from an external user store, and I need to be able to programmatically retrieve those after logging the user in.

Okta - How do I identify currently logged on user in this case?

I will try to keep the question as clear and direct as possible.
1. Social authentication (Facebook) is configured in Okta with the redirect URI set to the URL of my custom webapp. This custom webapp relies on Okta for authentication.
2. The user visits my custom webapp (unauthenticated) and clicks on the social authentication URL to log in to my custom webapp.
3. The user follows the normal flow, gets authenticated by Facebook and thereby by Okta (as per the usual flow), and is then redirected by Okta back to the custom webapp.
4. The entire flow is successful and the user can see an Okta session cookie set in their browser.
5. The custom webapp now needs to show the user their own profile by making an Okta API call.
Problem: How can my custom webapp identify who just logged in so that they can fetch their Okta profile using API?
I am aware that Okta knows who just logged in due to the claims that Facebook sends to the OAuth client (Okta), but how will my app know the identity of the user who logged in?
Thanks,
Jatin
It depends on the OAuth2 flow you've chosen for your app, but the end state is getting an id_token from Okta which contains claims about the user that just logged in.
If you've set response_type=code in your social auth url (/authorize), after Step 4 you'll get a code query param in the redirect that you can then exchange for the id_token using the /token endpoint.
Or, if you've set response_type=id_token, you should already have the id_token in the redirect - you just need to validate/decode it (more info here).
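The "validate/decode it" step from the answer above, as an added example that is not part of the original post: the webapp identifies the user only from an id_token whose signature, issuer, audience and expiry all check out. The issuer URL, client id, secret and claims are constructed stand-ins; real Okta id_tokens are RS256-signed and must be verified against the issuer's published JWKS keys, which this HS256 demo stands in for.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the authorization server's /token response (HS256 demo only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def identify_user(token: str, secret: bytes, issuer: str, client_id: str, now: int):
    """Return the identifying claims of a valid id_token, or None if any check fails.
    The caller must never read `sub` from a token that has not passed every check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never trust `alg` from the token
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # `aud` may be a string or a list
    if claims.get("iss") != issuer or client_id not in audiences:
        return None
    if claims.get("exp", 0) <= now:  # expired tokens identify nobody
        return None
    return {"sub": claims["sub"], "email": claims.get("email")}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    iss = "https://example.okta.com/oauth2/default"  # constructed issuer
    tok = make_id_token({"iss": iss, "aud": "client-abc", "sub": "00u1example",
                         "email": "user@example.com", "exp": 1700000600}, secret)
    print(identify_user(tok, secret, iss, "client-abc", now=1700000000))
```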

Single Sign On (SSO) with LinkedIn as SP. How to log users into LinkedIn automatically?

My question relates to how to log users into LinkedIn (SP) automatically from a company web portal that I am making (as opposed to how to authenticate users on my website using LinkedIn as the IdP).
I need my website users to be able to configure their LinkedIn account username and be automatically logged in to LinkedIn when they click the LinkedIn icon. I achieved this with Salesforce by use of an uploaded certificate and a SAML token, and ideally would be able to use a similar approach with LinkedIn.
Is this possible? Has anyone else managed to achieve this and what is the best approach?