Send OTP via email in Keycloak - keycloak

I want to use Keycloak to implement SSO, but I noticed that there is no email OTP embedded in Keycloak. How do I send an OTP through email in Keycloak?
I want the OTP to be provided not only via GoogleAuthenticator or FreeOTP app but also via email.
Is it possible to do it with Keycloak?

Yes, it is possible; you need to create a new authenticator provider.
The Server Development part of the Keycloak reference documentation contains additional resources and examples for developing custom Keycloak extensions.
https://www.keycloak.org/docs/latest/server_development/index.html
Or you can use this email 2FA OTP Keycloak provider:
https://github.com/mesutpiskin/keycloak-2fa-email-authenticator
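To make the "new authenticator provider" concrete, here is an added example of the core Authenticator class for an email OTP step, written for this answer and not taken from the original post or from the linked project. It assumes a Keycloak Authentication SPI build (Java 11+), a theme template named email-otp.ftl with a single "code" field, and a message key "emailOtpInvalid"; the companion AuthenticatorFactory class and the META-INF/services/org.keycloak.authentication.AuthenticatorFactory registration file are still required and are not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import org.keycloak.authentication.*;
import org.keycloak.email.*;
import org.keycloak.models.*;

public class EmailOtpAuthenticator implements Authenticator {
    // Auth-session note names chosen for this example; the code never touches user attributes.
    private static final String CODE = "email-otp-code", EXPIRES = "email-otp-expires", TRIES = "email-otp-tries";
    private static final long TTL_SECONDS = 300;   // code lifetime
    private static final int MAX_TRIES = 3;        // guesses allowed per issued code
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void authenticate(AuthenticationFlowContext ctx) {
        // Six digits from a CSPRNG, stored only in the authentication session so it dies with this login attempt.
        String code = String.format("%06d", RNG.nextInt(1_000_000));
        var s = ctx.getAuthenticationSession();
        s.setAuthNote(CODE, code);
        s.setAuthNote(EXPIRES, Long.toString(Instant.now().getEpochSecond() + TTL_SECONDS));
        s.setAuthNote(TRIES, "0");
        try {
            // Realm SMTP settings are reused; the mail goes to the address already on the UserModel.
            ctx.getSession().getProvider(EmailSenderProvider.class).send(ctx.getRealm().getSmtpConfig(),
                ctx.getUser(), "Your login code", "Your one-time code is " + code + " (valid 5 minutes).", null);
        } catch (EmailException e) { ctx.failure(AuthenticationFlowError.INTERNAL_ERROR); return; }
        ctx.challenge(ctx.form().createForm("email-otp.ftl"));   // assumed template in the login theme
    }

    @Override public void action(AuthenticationFlowContext ctx) {
        var s = ctx.getAuthenticationSession();
        String entered = ctx.getHttpRequest().getDecodedFormParameters().getFirst("code");
        int tries = Integer.parseInt(s.getAuthNote(TRIES)) + 1;
        s.setAuthNote(TRIES, Integer.toString(tries));
        boolean expired = Instant.now().getEpochSecond() > Long.parseLong(s.getAuthNote(EXPIRES));
        // Constant-time comparison so response timing reveals nothing about matching digits.
        boolean match = entered != null && MessageDigest.isEqual(
            entered.getBytes(StandardCharsets.UTF_8), s.getAuthNote(CODE).getBytes(StandardCharsets.UTF_8));
        if (expired || tries > MAX_TRIES) {
            ctx.failure(AuthenticationFlowError.EXPIRED_CODE);  // abort the flow: no unlimited guessing
        } else if (match) {
            s.removeAuthNote(CODE);                             // single use
            ctx.success();
        } else {
            ctx.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                ctx.form().setError("emailOtpInvalid").createForm("email-otp.ftl"));
        }
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return user.getEmail() != null && user.isEmailVerified();  // only a verified mailbox can carry the factor
    }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

Once the factory is registered, the step is added to a copy of the browser flow after the username/password form and marked Required; the login events emitted on ctx.failure are what you would alert on for repeated expired or exhausted codes.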

Related

Keycloak - enable email mapping or alias

We are using keycloak as auth provider by utilizing the OAuth Code Flow. The user logs in with their normal email and password on the keycloak login page. Is there a way to mask/hide or even map email addresses? Apple is doing this by saving the real email but using fake mails like j24hj21h4@apple.com for the "outer world". The reason I need this feature is to hide the real email addresses of our users for SSO.
From my point of view, your best bet would be to extend the Authentication SPI of keycloak and implement your logic; it is totally achievable.
This is not something you get out of keycloak by default, but it provides the flexibility to plug in your extensions.
Here you can find more details on this: https://www.keycloak.org/docs/latest/server_development/#_auth_spi

Keycloak 18 proper configuration

I am using Keycloak to authenticate a user for a Vaadin application. The Vaadin application creates its own user session after successful authentication with Keycloak. I need the user to be able to change the password and email address.
Now I do not quite understand how to implement it correctly. There is a Keycloak user console that has this kind of functionality. But, for example, when a user changes their email address, the user is not prompted to confirm that new email address until a new login. Should I disable the Keycloak user console and e.g. use the Keycloak REST API directly from the Vaadin app to perform email/password changes? Or should I keep using Keycloak's custom console and configure it there?
What is the proper way to deal with such things with Keycloak? In the case of the Keycloak API, I'd really appreciate examples of the API calls which I should perform in order to change the user password and email.

Keycloak - allow linking of 2 accounts with different emails

I need to implement a login flow with KeyCloak where a user will be prompted to reauthenticate with an existing account (by email/password or via social IdP) after authentication with a non-existing social account OR choose to create a new KeyCloak account.
Something like the picture below:
Is it possible to implement such a flow with KeyCloak?
That flow is possible with the regular Identity Providers feature in Keycloak.
Overview steps (detailed information here):
1. IDP URL
   {keycloak URL}/realms/{realm}/broker/{idp name}/endpoint
   Example: http://localhost:8180/auth/realms/test/broker/stackoverflow/endpoint
2. Register the application at the social app
   Example: StackOverflow https://stackapps.com/
3. Get the client information from the social app
   Example: StackOverflow
4. Set the IDP in Keycloak
5. Test
   5.1 Before adding the user
   5.2 Log in via social
   5.3 Update the user account (set password and e-mail)
   5.4 Check the added user
   5.5 Test the added user's login by username/password OR by social icon click without credentials
   5.6 Logged-in test by both ways
   5.7 Picked up the e-mail from Facebook and detected that the e-mail already exists.
   5.8 I selected "Add to existing account", then filled out the e-mail and password from Keycloak.
The authentication flows within Keycloak can be customized (virtually all of the flows can be customized or extended). I believe you'll need to implement a custom Authentication SPI (Service Provider Interface). This will be a JAR in which you can add custom logic upon account creation.
Here's the Keycloak documentation for SPIs.

Generate Backup codes for OTP configured using Keycloak

We are using Keycloak v4.5.0.Final and configured OTP for all the users. Is it possible to generate backup codes (like how google does for their dual factor authentication) in case the user doesn't have the Google Authenticator handy?
Yes, but you will have to create your own implementation of the OTP authenticator. In my company we customized the default OTP authenticator and the Configure OTP required action, so now after OTP initiation the user receives an OTP recovery code that is stored in their attributes (e.g. Users -> john.doe -> Attributes). Then, when the user has to provide the next OTP code, they can also hit a "Lost device" link on the OTP code form (we've also customized the Keycloak themes), provide the recovery code, and reinstall the OTP settings.
Keycloak customizing docs

Get control after user authentication for sending modified user details

The general intent is controlling user details visibility while interacting with third party services.
Our application is using single sign-on (SSO). Hence third-party services should use Keycloak for user authentication. But we would like to provide information about the user from our application, not from Keycloak.
For example, Stephen Clark has the work email stephen.clark@jourrapide.com and the personal email stephen.c@armyspy.com. He is authenticating using Keycloak. After authentication, the third-party service would like to request additional information about Stephen. We would like to send information to the third-party service based on specific user settings. For instance, if Stephen is using his work profile then our application should send stephen.clark@jourrapide.com as the email to the third-party service. But the stephen.c@armyspy.com email should be sent for Stephen's personal profile. The same should be done for other user details.
That's why our application should get control after user authentication and send the appropriate user details to the third-party service.
I assume that the following options could help us to achieve this goal. But I do not have enough information for implementation. It would be good if you could provide me with some options with implementation examples.
Use the "Post Login Flow" in Keycloak.
Create custom identity provider in Keycloak.
Use the Impersonate user functionality in Keycloak with REST API for switching to required user.