Create a keycloak custom registration flow - keycloak

Is there any possibility to configure custom registration flows in Keycloak? I want to integrate an SMS OTP validation after the user fills in the registration form and submits it.

Yes, you can copy the default registration flow and modify it to your needs (add authenticators for OTP, etc.).
Afterwards, change the authentication flow bindings to your newly created registration flow.

Related

Keycloak - allow linking of 2 accounts with different emails

I need to implement a login flow with Keycloak where a user will be prompted to reauthenticate with an existing account (by email/password or via a social IdP) after authenticating with a non-existing social account, OR choose to create a new Keycloak account.
Something like on the picture below:
Is it possible to implement such a flow with Keycloak?
It is possible to implement that flow with the regular Identity Providers feature in Keycloak.
Overview Steps
Detailed information here
1. IDP URL
{keycloak URL}/realms/{realm}/broker/{idp name}/endpoint
example:
http://localhost:8180/auth/realms/test/broker/stackoverflow/endpoint
2. Register Application at Social App
example: StackOverflow https://stackapps.com/
3. Get Client Information from Social App
example: StackOverflow
4. Set IDP at Keycloak
5. Test
5.1 Before adding a user
5.2 Login by Social
5.3 Update user account (set password and e-mail)
5.4 Check added user
5.5 Test added user login by username/password OR Social Icon click without credentials
5.6 Logged-in test by both ways
5.7 Picked up e-mail from Facebook and detected that the e-mail already exists.
5.8 I selected "Add to existing account", then filled out the e-mail and password from Keycloak.
The authentication flows within Keycloak can be customized (virtually all of the flows can be customized or extended). I believe you'll need to implement a custom Authentication SPI (Service Provider Interface). This will be a JAR in which you can add custom logic upon account creation.
Here's the Keycloak documentation for SPIs.

Keycloak: Pass custom user attributes on Social Identity Provider Login

On registration, Keycloak provides the ability to add custom user attributes via the Keycloak theme's registration page template, using "input" elements that look something like:
<input id="user.attributes.[the_custom_attribute]" name="user.attributes.[the_custom_attribute]" />
However, this only seems to work if the user creates an account and submits the form.
If the user were to log in via a Social Identity Provider (Google, Microsoft, GitHub, etc.), how do we go about adding custom user attributes?
If you are using a Social Identity Provider to log into the application, then the customer_attribute won't be available to you.
But if you still want that attribute to be set for that user before he/she logs in, then you can add a custom required action to implement this feature. You can create a new RequiredCustomAttribute action and enable it from the Admin console.
Implement your own required action, similar to the org.keycloak.authentication.requiredactions.UpdateProfile class provided by Keycloak. You can mark your customer_attribute as required in this new required action flow.
When you have done all of the above, the next time the user logs in using the Social Identity Provider, he/she will be asked to enter the custom_attribute on the next page.
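As an added illustration of the required-action approach described in this answer (not code from the post or from Keycloak itself), here is a minimal RequiredActionProvider that prompts for a missing custom attribute on the next login, including brokered social logins. The provider id, attribute name, FreeMarker template and message key are assumptions.

```java
import jakarta.ws.rs.core.MultivaluedMap; // use javax.ws.rs on Keycloak versions before 22
import org.keycloak.Config;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;

// Stateless, so the factory can hand out itself as the provider (Keycloak's UpdateProfile does the same).
public class CustomAttributeRequiredAction implements RequiredActionProvider, RequiredActionFactory {
    public static final String PROVIDER_ID = "custom-attribute-required-action"; // assumed id
    static final String ATTRIBUTE = "custom_attribute";                           // attribute from the post
    static final String TEMPLATE = "custom-attribute.ftl";                        // assumed theme template

    // Runs on every login: enqueue the action only while the attribute is unset,
    // so users who already supplied it are never re-prompted.
    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        UserModel user = context.getUser();
        if (user.getFirstAttribute(ATTRIBUTE) == null) {
            user.addRequiredAction(PROVIDER_ID);
        }
    }

    // Render the form that asks for the value.
    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        context.challenge(context.form().createForm(TEMPLATE));
    }

    // Handle the submitted form: reject blank input, otherwise store it and clear the action.
    @Override
    public void processAction(RequiredActionContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String value = form.getFirst(ATTRIBUTE);
        if (value == null || value.trim().isEmpty()) {
            // "missingCustomAttribute" is an assumed key in the theme's messages bundle
            context.challenge(context.form().setError("missingCustomAttribute").createForm(TEMPLATE));
            return;
        }
        context.getUser().setSingleAttribute(ATTRIBUTE, value.trim());
        context.getUser().removeRequiredAction(PROVIDER_ID);
        context.success();
    }

    @Override public String getDisplayText() { return "Collect custom attribute"; }
    @Override public RequiredActionProvider create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return PROVIDER_ID; }
}
```

The class is registered by listing its name in META-INF/services/org.keycloak.authentication.RequiredActionFactory inside the deployed JAR, after which it appears under Authentication -> Required Actions in the Admin console.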

Generate Backup codes for OTP configured using Keycloak

We are using Keycloak v4.5.0.Final and have configured OTP for all the users. Is it possible to generate backup codes (like how Google does for their dual-factor authentication) in case the user doesn't have Google Authenticator handy?
Yes, but you will have to create your own implementation of the OTP authenticator. In my company we customized the default OTP authenticator and the Configure OTP required action, so now after OTP initiation the user receives an OTP recovery code, which is stored in his attributes (e.g. Users -> john.doe -> Attributes). Then, when the user has to provide the next OTP code, he can also hit the "Lost device" link on the OTP code form (we've also customized the Keycloak themes), provide the recovery code, and reinstall the OTP settings.
Keycloak customizing docs

Keycloak secure user registration

I want to secure my user registration page with Keycloak but couldn't think of any approaches while reading the docs.
Use case:
The registration page for new users shouldn't be public. New users get an invitation email from the admin. The email contains a link to the registration page.
I thought about using an initial access token (like for client registration) and adding it to the link to the registration page. AFAIK there is nothing like that for user registration?
Are there any other ways to do it?
I think you've got two options to implement it:
First
You know the e-mail of the destination user before sending the invitation, so you would let the admin create a user in Keycloak with the e-mail itself as the username. Then the admin should check 'Verify e-mail', 'Update profile' and 'Update password' as required actions, so Keycloak will send an activation mail (you can customize the e-mail template) and the user will be required to fill in his data and set a password.
If you don't want the admin to access Keycloak directly, you could do it via the user management API.
Second
Implement this logic in your application. Write a user data form which is publicly accessible using a code (it might be some UUID). When the admin sends the invitation mail, link a random code to the address, so when the user enters the page, you can verify it. Then you'll need to save the data in Keycloak as a new user, using the user management API.
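The first option's "via the user management API" step, written out as an added example (not code from the answer or from Keycloak) with the keycloak-admin-client library: the user is pre-created with the e-mail as username and the three required actions, and Keycloak is then asked to send the actions e-mail. Server URL, realm, admin credentials and the target address are placeholders; the realm must have SMTP configured for the mail to go out.

```java
import jakarta.ws.rs.core.Response; // javax.ws.rs on older Keycloak client versions
import java.util.Arrays;
import java.util.List;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.UserRepresentation;

public class InviteUser {
    // The three required actions the answer names, as Keycloak's built-in action ids.
    static final List<String> INVITE_ACTIONS =
            Arrays.asList("VERIFY_EMAIL", "UPDATE_PROFILE", "UPDATE_PASSWORD");

    // Creates a disabled-for-login-until-activated user and mails the activation link.
    // Returns the new user's id so the caller can audit or roll back.
    static String invite(RealmResource realm, String email) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(email);          // e-mail doubles as username, as the answer suggests
        user.setEmail(email);
        user.setEnabled(true);            // must be enabled or the actions e-mail is rejected
        user.setEmailVerified(false);
        user.setRequiredActions(INVITE_ACTIONS);

        try (Response created = realm.users().create(user)) {
            if (created.getStatus() != 201) {
                // 409 means the address is already registered; surface it instead of mailing twice
                throw new IllegalStateException("user creation failed: HTTP " + created.getStatus());
            }
            String userId = CreatedResponseUtil.getCreatedId(created);
            // Sends the "execute actions" e-mail whose link walks the user through the actions.
            realm.users().get(userId).executeActionsEmail(INVITE_ACTIONS);
            return userId;
        }
    }

    public static void main(String[] args) {
        // Placeholder connection details; use a service account with manage-users in practice.
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080")
                .realm("master")
                .clientId("admin-cli")
                .username("admin")
                .password("ADMIN_PASSWORD_PLACEHOLDER")
                .build();
        String id = invite(kc.realm("myrealm"), "invitee@example.com");
        System.out.println("created user " + id + " and sent invitation");
    }
}
```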

Ability to activate the Okta activation token programmatically

Does Okta have the ability to check the activation token programmatically without the user browsing to the site?
The activation token comes as part of the URL from calling this API: {{url}}/api/v1/users/00u4invit2tTNJ1Gf0h7/lifecycle/activate?sendEmail=false
Per request: http://developer.okta.com/docs/api/resources/users.html#activate-user
If there is not, what is the recommended method for sending a custom activation email to the user without the user going through Okta's activation wizard? We would like the user to go through our own activation wizard after clicking on the activation email.
If you have custom activation logic, you would want to implement your own portal site. You will still email the Okta token to the user but do the user activation in your portal site through the API. We have done this in the past without any trouble.