If Keycloak's self-registration form is used, once submitted, it will send an email verification link to that newly registered user.
Once the user clicks the link, his email will be verified, and it will redirect him to the redirectUri from his client and provide the authorization code, which is perfect.
The problem arises when I don't want to use Keycloak's registration form, instead I have a custom registration mobile form, which sends the user data. Those data is then sent to the Keycloak by Admin REST create user API.
Once the user is created, by triggering /send-verify-email or /execute-actions-email APIs none of them are returning authorization code in the end. Yes, they do redirect to the redirectUri which you specified, but I need authorization code as well, in order to be logged in automatically upon clicking on the link.
Related
I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs.
Use case:
The registration page for new users shouldn't be public. New user get an invitation email from the admin. The email contains a link to the registration page.
I thought about using an initial access token (like for client registration) and add it to the link to the registration page. Afaik there is nothing like that for user registration?
Are there any other ways to do it?
I think you've got two options to implement it:
First
You know the e-mail of the destination user before sending the invitation, so you would let the admin create a user in keycloak with the e-mail itself as the username. Then the admin should check 'Verify e-mail', 'Update profile' and 'Update password' as required actions, so keycloak will send an activation mail (you can customize the e-mail template) and user will be required to fill his data and set a password.
If you don't want the admin to access keycloak directly, you could do it via the user management API.
Second
Implement this logic in your application. Write a user data form which is publicly accessible using a code (it might be some UUID). When admin sending the invitation mail, link a random code to the address, so when user enters the page, you can verify it. Then you'll need to save the data in keycloak as a new user, using the user management API.
I have a simple setup with IdentityServer4 (custom user store) and Mvc client app. Some pages in the client app are protected. So for example when a user hits /pageX he gets redirected to IdentityServer for authentication. This works fine when the user exists, he just logs in and gets redirected.
If he is not registered, he is asked to register and he gets an activation code via email.
Then he goes to inbox, clicks activation link and is invited to login again.
Now, after activation and login, I would like to redirect him to the /pageX he originally asked.
My problem is - at this point I no longer have a valid returnUrl which contains /pageX encoded somehow. I tried using the returnUrl which works in simple login flow:
returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DmyClientIdt%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A5501%252Fsignin-oidc%26response_type%3Did_token%26scope%3Dopenid%2520profile%26response_mode%3Dform_post%26nonce%3D636469643044666440.MmZlNzFlMWYtZThhMS00ZjFlLTgyYjYtMDU5NjRmODBhZmNkMzk1MzJiZWItODY2Yy00NzYwLWE4YjQtOGU5YWU5Y2IxMDJk%26state%3DCfDJ8IK-YquShZdNsC5l0tQGkLIvU-_O1FbdO5RV9KrOZ9hCTixBZc-YeVLkKB2mvHkV9U42U83N7RfFCHywKjdbGRGnpfqwgG08_ip1Pt2sAqfa_sPlwYOO7fSiKUbnk2IpA1BMWvfeXNwIeFB7AMv0q0Y2z7vjCTNWawwNS6m5EM3h9V0uCpHE-1H19VPhE0OQcXmmcaNViWbdmWE14VNTH8MYQaPfE90smHtRwYtbYaYhfj-g4ziXbhN6m_R6PYni1ApazIDUBOowEq6yV9ynF91SM82gohud4Ek3juozL-A4W_dTIBZnj1C5PMmUISWl9yw_UPOvTwsCskVH2OmavgI%26x-client-SKU%3DID_NET%26x-client-ver%3D2.1.4.0)
But if I use this return url after registration, I get a correlation error message.
Any idea how can I return the user back to his original requested /pageX?
The returnUrl (as sampled in the question) is a result of redirection from Authorize Endpoint to Login/Register Page. You need to use IdentityServer Interaction Service to retrieve the actual returnUrl.
var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
context.RedirectUri will hold the actual url (/PageX), where user needs to be redirected after activation.
You can pass context.RedirectUri as a query parameter to the activation link and retrieve it on the activation page. When activation is complete you can redirect the user to the returnUrl.
string activationLink = "<your activation url>?return=" + returnUrl;
Check this docs
Basically this situation can be avoided by not providing a link to click in the confirmation email which will land the user in a different browser tab.
Instead of a link provide an n-digit code in the email and let the user enter the code in the already open browser tab where you still have access to the returnUrl
I'm looking for the correct way to customize or extend identityserver3 to implement passwordless authentication.
the user scenario is
user uses browser to go to website
website detects non-authenticated
user and redirects to idsrv3 instance
idsrv3 asks for email address (or uses a cookie stored one) and if email address matches a known user, sends an email with a link (e.g. like the registration or password reset link)
user clicks on link
idsrv3 instance checks if token in link matches a known user and is not expired
idsrv3 issues token
idsrv3 redirects to original url
after some reading, I think the correct way to customize idsrv3 would be to
create a custom viewservice
checks the emailaddress
generates and stores a token in the user account record
sends an email with a link consisting of a custom grant, the token and a returnurl
create a custom grant and corresponding validator
checks the incoming token and if valid returns a positive validation result linked to a user account
the normal idsrv3 token issuing flow takes over to issue a token and redirect to the returnurl
In my experience, idsrv3 is great, but it can be time-consuming to get things right when customizing and I would like to be sure that I don't hit a brick wall somewhere near the end of the solution.
In our login process with identity server we need additional input on the login page itself that will influence the tenant where user is authenticated. So we can't send this information in the acr_values that is stored in the SignInMessage cookie, but we need to somehow modify the tenant based on the user input on the login page. However, when IUserService.AuthenticateLocalAsync is called, the SignInMessage is created based on the initial values sent to /authorize endpoint.
Any tips on how to achieve this?
You can control the <form> in the login page, then in your user service you can access the form post body (by injecting the OwinEnvironmentService).
Our application uses oauth2 & openid connect for auth&auth. It's built using an angular client that calls a REST API. I would like to know how to authorize access to the API, based on the possession of an unguessable url.
I'll explain this a little more. In the application, a user can invite another user. When this happens, an email is sent to the second user. When user 2 clicks a link in the email, he is sent to a webpage with details about the invitation.
Only user 2 should be allowed to see the invitation page. I was planning to solve this by using an 'unguessable url' in the email. Upon visiting the url, the user must somehow be authorized to fetch the invitation details from the API.
The question: how do I authorize a user, based on knowing the unguessable url? How do I assign a claim when the page is loaded, and how do I verify this claim in the API call that follows? The only solution I see, is to set a cookie containing a token. But this is not in line with our existing auth mechanism. I prefer not writing my own token validation code, and let the Identity Provider handle this.
Additional info: user 2 may or may not have an account in the system, and he may or may not be logged in. Neither should prevent the user from seeing the invitation details. In other words: a totally unknown user should be able to see the page. The knowledge of the url should be the only requirement.
Any solution to this problem? Or am I handling it all wrong?
After asking around, the general consensus is to NOT let the external auth mechanism take care of this, but to validate the link ourselves.
The solution is to turn the unguessable part of the url (the 'link id') in some kind of token, which can be validated upon calling the API. This is done by the API itself, not by the Identity Server.
Applied to the invitation issue: when an invitation is created, store the link id together with some info, i.e. what kind of access it allows (invitation access) and the id of the invitation. When the user calls the API to get the invitation, pass the link id for validation. Match the invitation id with the invitation id stored in the link, and if it doesn't, throw an error.