I want to add a question into the Keycloak auth flow after the user’s name and pw have been authenticated to ask what type of two factor authentication they prefer. The choices are OTP or SMS. If the user has already made the choice before, I will skip the question and continue to either OTP or SMS authenticators. Need some advice on how to implement this.
I have created an authenticator class that shows a template. Is that right? I have seen examples of creating a required action.
How do I skip the question if the user has already made his choice? I tried using returning false from configuredFor() but that just halts the flow with an error since my authenticator is set as required.
I plan on storing the user’s choice in a user attribute or possibly a cookie. Any thought on which is better?
As always, thanks.
You can use a Conditional authenticator to check the condition, there is an example of this in the server developer documentation: https://www.keycloak.org/docs/latest/server_development/#algorithm-overview
Related
As the title suggests, I'm trying to implement the mechanism of retyping the password again before proceeding any critical action, e.g. change email, deactivate an account, invites a new user, ... etc.
The problem is, I'm confused about how it should be done in the REST world.
Should it be like, first, use the password to authenticate the user, but with a different backing authentication made especially for this action and use the resulted token to access this protected resource later? E.g. a JWT token with a specific claim for this action and guard that endpoint with this custom authentication to authenticate for this custom token?
Or should it be done in one request providing the password and based on password check the action will be proceeded or denied?
Or should it be something else?
Thanks in advance for your help, I really appreciate it.
Note: I'm using DRF that's why I added it's the tag to the question, but as this is a general question
For authenticating a user I am using keyCloak to get an access token. Some of the pages of application (ex: profile) needs to provide more information(User needs to answer some questions set by him earlier). Once the user's answers are validated, user should not be required to answer the questions again.
I am a beginner in JWT and keycloak. What is the best way to implement the above scenario?
As per my understanding, there should be 2 different tokens now, one will established that the user is authenticated for login and another will establish that user is authenticated for accessing profile page. If it's correct, how can I implement this in keycloak?
If not keycloak, what is the best way to implement this? I was reading the information available about keycloak but unable to get in a right direction.
If you want user to fill more info about him and to store this info at keycloak, you should consider implementing custom Required Action Spi. Also check out implementation of "Update Profile" required action.
I am using Shopify's OAuth for developing a custom Shopify public app and the OAuth part is working fine. I have used the state parameter to include the user id in the nonce value and then capture the user id from there so that I know which user to save that access token for. However, this seems really hacky to me. What is the standard way of doing it, ie capturing user id(User is a "user" on my application backend. The user id is his id for my application, not his shopify user ID) in this case? I am making the application fully REST API based so I cannot use sessions here. What is the general approach?
Here's the Shopify documentation on OAuth implementation. https://help.shopify.com/en/api/getting-started/authentication/oauth
Any help would be appreciated!
If I understand the question correctly, I don't think there's a more efficient/secure/non-hacky way of doing this other than how you're currently doing it. Ultimately you'd have to send something to Shopify, that Shopify then turns around and send back to you.
I'm doing a similar thing using the state parameter, but I'm encrypting the value (security by obscurity?) when sending, and decrypting when received. In my case, it's not a user id I'm using but a session id.
I have come across a number of articles that discuss a similar matter but I cannot find a definitive answer.
My company would like to begin using Identity Server 3, however one of the requirements is to be able to authenticate an external user without them having to manually enter their credentials.
This must be capable of providing single sign on capabilities also as we have 3 different systems and our users should only have to sign in once.
Essentially, the external user has their own CRM.
The CRM holds their username and password for our software.
They then click a button in their CRM to launch our application
This redirects them to our website with a payload containing their credentials
We call a web service to authenticate the user
It is fundamental that we do not change this process for our partners.
Can I implement a custom service provider to provide the authentication or is there some other way of achieving this? If so, could you point me in the right direction for how this can be done?
Many thanks
Craig
I would assume that you'd create a mechanism for their CRM to get a token at the time the client logs into their site and then have them send that token via url to your callback page. This would use the machine-to-machine type grant, or the client-credentials flow. Then that page could validate the token and log the user in. There would have to be some sort of unique identifier between the two systems like email or something. Just an idea.
I need to implement an email verification mechanism in play after after the user has registered on my website.
I am trying to understand what is the best architecture, this is my guess:
Define a special route for email validation
When the user register generate a token and save it inside the cache with a token -> user mapping.
Send an email containing an url which points to the route providing the token as a parameter
In the special route controller, retrieve the user from the cache using the token, validate the email and store it in the database.
Is my approach right?Is there a better solution?
There are modules out there that provide this functionality for Play 2.x. You might want to take a look at Secure Social, or Play Authenticate (as mentioned in a comment to the question by #biesior).