How to tag a credential in hyperledger indy wallet - tags

For an Indy wallet, how can we attach tags to a credential to achieve the following use cases?
To sort credentials by date, with an issue date tag added to the credential.
To fetch credentials by subject, with the subject as a tag.
https://hyperledger-indy.readthedocs.io/projects/hipe/en/latest/text/0013-wallets/README.html#sample-wql-query-1
The add_record_tags function given here is not available for the Indy wallet because no indy prefix is attached to the function, and currently proverStoreCredential does not allow adding custom tags: https://www.npmjs.com/package/indy-sdk#non_secrets

Related

How to enable 2FA using email using keycloak-admin-client in spring boot

My requirement is to enable 2FA using email in Keycloak.
When enabled, if a user tries to log in with email & password, then after the user is successfully authenticated, a time-based token will be sent to the email.
The user will do this action from a custom UI, i.e. in our product we have a UI to enable/disable 2FA for a user.
We are using Keycloak & we want to achieve this using the Keycloak API.
I am using keycloak-admin-client to interact with the Keycloak API, but I did not find sufficient resources to achieve this using keycloak-admin-client.
I am looking for a way to enable 2FA for a user using keycloak-admin-client.
Any help will be highly appreciated.
Thank you
You should add custom REST endpoints to Keycloak to be able to enable 2FA from your custom UI. We have done this before. It's not that complicated, but it requires you to have a look at the Keycloak source to see what it's doing when OTP gets activated. Some important classes to check/use are TotpBean, OTPCredentialModel and OTPPolicy.
In order to enable the 2FA, we needed to show the QR code image in our custom UI. So we added an endpoint to Keycloak that instantiates an instance of TotpBean. It's the one that gives you access to the QR code image and the secret value that are required to generate the equivalent string representation of the image so that it could be scanned/entered in the 2FA app (e.g. Google Authenticator). Here is an example of what such an endpoint would look like:
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @Path("/o2p-enable-config/{email}")
    @NoCache
    public Response fetchOtpEnableConfig(@Email @PathParam("email") String email) {
        UserModel user = session.users().getUserByEmail(email, realm);
        if (user == null) {
            // No user with this e-mail in the realm; stop before building the TotpBean
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        // TotpBean exposes the secret and its QR code (as a base64-encoded PNG)
        TotpBean totp = new TotpBean(session, realm, user, session.getContext().getUri().getRequestUriBuilder());
        return Response
                .ok(new YouOTPResponseClass("data:image/png;base64, " + totp.getTotpSecretQrCode(), totp.getTotpSecret(), totp.getTotpSecretEncoded()))
                .build();
    }
Then on your own backend, you call this endpoint and send the user's email to it and receive the image and the secret value. You can just display the image as is in your UI and keep the secret value on your backend (e.g. in the user's session). When the user scans the image using the app and enters the totp value provided by the app in your custom UI, you send the totp value and the secret to another endpoint that you should add to Keycloak. This second endpoint is the one that does the verification of the value and enables 2FA.
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Path("/enable-2fa/{email}")
    @NoCache
    public Response enable2Fa(@Email @PathParam("email") String email, OtpDetails optDetails) {
        OTPPolicy policy = realm.getOTPPolicy();
        String totp = optDetails.getTotp();
        UserModel user = session.users().getUserByEmail(email, realm);
        if (user == null) {
            // No user with this e-mail in the realm; nothing to enable
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        // Rebuild the credential from the secret issued by the first endpoint
        OTPCredentialModel credential = OTPCredentialModel.createFromPolicy(realm, optDetails.getSecret(), optDetails.getUserLabel());
        // Store the credential only if the submitted code matches that secret
        if (CredentialValidation.validOTP(totp, credential, policy.getLookAheadWindow())) {
            CredentialHelper.createOTPCredential(session, realm, user, totp, credential);
            return Response.noContent().status(204).build();
        } else {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
    }
Keycloak supports multiple 2FA for each user. That's why it also has a property named label that allows the user to name them so that each would be displayed in the 2FA login scenario with the given name. You can also allow the user to enter the label value in your custom UI and pass it to the second endpoint (or just pass an empty value to Keycloak if you're not going to allow your users to set up multiple 2FA).
I know it seems complicated, but it's actually not that much. The Keycloak domain model is well designed and when you get familiar with it, you can easily find what you need to do and wrap it in custom APIs. But always ensure that exposing a functionality would not compromise the overall security model of the system.
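The check that the second endpoint hands to CredentialValidation.validOTP, written out as an added stand-alone example (not code from the answer above and not Keycloak's implementation): an RFC 6238 TOTP verified against a window of time steps. The class and method names, the two-sided window, and the sample secret and timestamps are assumptions of this sketch.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical stand-alone class; not Keycloak's implementation.
public class TotpWindowCheck {

    // RFC 4226 HOTP over an 8-byte big-endian counter, using HMAC-SHA1.
    static String hotp(byte[] secret, long counter, int digits) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f; // dynamic truncation offset
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format("%0" + digits + "d", bin % (int) Math.pow(10, digits));
    }

    // RFC 6238: counter = epochSeconds / period. A code is accepted if it matches
    // any step within +/- window of the current one (two-sided window assumed here).
    static boolean validTotp(String submitted, byte[] secret, long epochSeconds,
                             int period, int digits, int window) throws Exception {
        if (submitted == null || submitted.length() != digits) return false;
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        long step = epochSeconds / period;
        boolean ok = false;
        for (long c = step - window; c <= step + window; c++) {
            byte[] expected = hotp(secret, c, digits).getBytes(StandardCharsets.US_ASCII);
            ok |= MessageDigest.isEqual(expected, given); // no early exit on a match
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the RFC 6238 Appendix B SHA-1 test secret and its code for T = 59 s.
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        String code = "94287082";
        System.out.println("same step, window 1:        " + validTotp(code, secret, 59, 30, 8, 1));
        System.out.println("one step late, window 1:    " + validTotp(code, secret, 59 + 30, 30, 8, 1));
        System.out.println("three steps late, window 1: " + validTotp(code, secret, 59 + 90, 30, 8, 1));
        System.out.println("one step late, window 0:    " + validTotp(code, secret, 59 + 30, 30, 8, 0));
    }
}
```

A wider window tolerates more clock drift between server and authenticator app, and also lengthens the time a code that has been observed stays acceptable.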
Take a look at keycloak two factor email authenticator provider
https://github.com/mesutpiskin/keycloak-2fa-email-authenticator
I agree that it is necessary to write a custom provider for this use case.
Take a look at https://www.n-k.de/2020/12/keycloak-2fa-sms-authentication.html and https://www.youtube.com/watch?v=GQi19817fFk for a look at how to implement that.
That is an example via SMS, but via e-mail would be very similar, changing just the way of sending the code to the user.

Azure AD B2C using custom HTML to request OTP verification via SendGrid

I'm using Azure AD B2C / IEF Custom Policies. As part of my Password Reset user journey, I want to use SendGrid to handle the email for the OTP / verification code. I also want to use custom HTML templates for the password reset page(s). The Azure docs give a good example for using SendGrid... BUT it uses DisplayControl elements to format the password reset page and it's not immediately obvious how to augment or replace the DisplayControl element to instead use Custom HTML.
Did anyone manage to get this working? Any pointers?
TIA
EDIT: Is it simply a case of adding a LoadUri element to the ContentDefinition that contains the DataUri?
Actually, it turns out that the DisplayControl works fine. It forms part of the HTML that is dynamically generated and injected into the Custom Template HTML ("App" element) by B2C.
Initially I was getting Server 500 errors from B2C, which led me to believe there was a problem with the approach - but then I found the source of the errors elsewhere and once fixed, the DisplayControl components worked pretty seamlessly.

How to retrieve the remote Ip address for a Contact Form 7 submission?

I am using Contact Form 7 to collect data and send it through the CF7 to API Plugin.
For security reasons, I receive the data via email through the [wpcf7.remote_ip] tag, which I insert in the email field as per the guide.
Screen of The Email Body:
But when I try to send the same data via API through "CF7 to API", the value is empty.
Screen of the CF7 to API setup:
Where am I wrong?
Screen of the CF7 to API log:
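wpcf7.remote_ip is only valid in an email template because it is created/populated by the CF7 plugin when the notification mail is being processed. You will need to create your own hidden field on the form when the page is loaded, which you can then use in your API listing:
    add_filter('wpcf7_form_hidden_fields', 'add_hidden_ip_field');
    function add_hidden_ip_field($fields) {
        // Address of the client requesting the page, as PHP sees it
        // (behind a reverse proxy this is the proxy's address).
        // It is rendered as a hidden input, so the submitted value is client-controlled.
        $fields['remote_ip'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        return $fields;
    }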
NOTE: to get the request remote IP, see this answer
You can then use the field remote_ip in your API

How to use default lightning email template in salesforce

I am calling Salesforce classic email template through URL :
/_ui/core/email/author/EmailAuthor
I have tried to create a lightning component for email where I created the email functionality, but that doesn't fit my requirement.
I need to use the default lightning email template and call it from a URL or VF page or any other method. The URL hack is not working here, so is there any way to do so?

github users API Paging not work

When using the GitHub users API to return user data through
https://api.github.com/users?page=6&per_page=2
it returns the same data every time, even though I change the page and per_page parameter values.
Why is this, and how can I fix it to get different data?
I tried editing the request headers and adding this header:
Name: Link
Value: <https://api.github.com/users?page=1&per_page=2>; rel="next",<https://api.github.com/users?page=50&per_page=2>; rel="last"
But it is still not working.
After my search:
GitHub now uses API v3, and if you want to return users with paging you can use this:
https://api.github.com/users?since=1&per_page=100
Instead of using "page" and "per_page", that endpoint uses "since" and "per_page".
The since parameter says from which user ID the API should start listing users. For example:
https://api.github.com/users?since=1&per_page=100
will start listing users from the user with ID 1, and
https://api.github.com/users?since=10001&per_page=100
will start listing users from the user with ID 10001.