Is it possible to hide Keycloak's interface from users? - keycloak

I would like to hide Keycloak's interface from my Customers.
Is it possible to login to Keycloak through an API (specially for Authorization Code grant type), so I can build a React component for example for my customers to login?
Is it possible to build my own Account app, that will interact with Keycloak through an API?
Only my staff should use Keycloak's interface to manage security.

You can redirect your application to the Keycloak login page, and change that login page to have the looks and feel that you desire using Keycloak Custom Themes. To communicate from your Account app to Keycloak Api you can use the Keycloak Admin API.

Yeah, almost every SPA (Angular, React, Vue, ...) developer dreams about replacing of IdP (Keycloak in your case) login screen (because default IdP login is ugly/it doesn't match app style/... and he can build cool login screen on the SPA level :-)).
Sure, it's possible. Switch to Direct Access Grants (Resource Owner Password Credentials Grant) and you can use that. But you will sacrifice security. Let's say you have Google IDP identity brokering, so users will be able to use also own Google account. Will you put your Google credentials to some custom login form, which claims that those credentials will be used only to login and they won't be stolen. I would say no, because app will see your credentials. That is purpose of IdP (OIDC or SAML protocol). It provides user identity to any app (especially for 3rd party apps) without exposing user credentials - that is perfect case for Authorization Code grant type.
So I would say it's possible to use own SPA login form, but it is wrong idea. I would use local app auth in you case.
Second question: you can build own Account based on Account REST API. It is pretty new, so there is no good doc for that and it's only available as an preview feature. New account console should use it - https://www.keycloak.org/2020/09/new-account-console.adoc.html, so you can watch network browser console to see API requests.

Related

Custom Registration Page for Cognito User Pool

I have a Cognito User Pool and need to prompt users select their country from a dropdown list during registration. As far as I can tell, Cognito doesn't provide the ability to customize the registration page with a dropdown. Is there a way to redirect the "Sign Up" link in the Cognito sign-in page to point to a specific URL so I can provide my own registration page (and use the Cognito APIs to create the user)?
Or, if someone knows of a different way to solve this problem, I'm all ears.
My OIDC clients are websites (i.e., not a mobile apps) and I'm using the authorization code flow.
You can create your own registration page and use AWS cognito SDK or amplify to make calls to cognito. For example, if you are using javascript you can use the following code for your signup calls: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#signUp-property

How to secure REST service that login from third parties

I have a REST service that my mobile app uses to authenticate when the users click on the Facebook or Google icons.
The service accepts the user's id from the provider and checks if it exists on the database and then issues the access_token to be used for the other methods.
The problem is that I just thought that it could be pretty easy for someone to intercept the calls and discover which service authenticates and what the user id is and then call it with to get a token.
How can I avoid this?
I think you just need to separate the authentication and authorization functions. You can let Google (Google Sign-In) handle authentication. If you follow the API they will securely authenticate the user and send you the token which you can validate.
Once you know who they are for sure, your site can safely authorize that user approriately. For example, they might be an existing user, need to make an account, be an administrator. You can make those authorizations on your site based on the user authenticated by Google (in my example).
Twitter, Facebook and others do the same. Also see OpenID Connect.

Using Google as the Source IDP

Is there a way of passing username/ password to Google Apps IDP and get a response as to whether a username/ password pair is correct?
I know I can use OAuth for authorization and access user data but note that I want to check if his credentials itself are valid. OAuth for sure will not work for me. I need a way to directly query Google Apps' IDP particularly not to use it and access something else.
I wish to use this to customize the Google's standard login page itself. OAuth doesn't allow me to do that.
Short answer: no.
Google actively tries to prevent the scenario that you describe because it would mean that Google users hand over their Google credentials to your application, aka. phishing.
That precludes branding of the Google login pages as well since it would make it harder for users to verify that they actually type in their credentials on a login page provided by Google.
As said in the other answer, Google Signin with OpenID Connect (built on top of OAuth 2.0) is the standardized way to offer users login to your application with their Google account.
Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as as a relying party, you could authenticate your users based on their Google accounts. Much like stackoverlow Google login: http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
With SAML SSO, Google acts as a relying party. While its possible to use provisioning API and clientLogin, this is not supported and is possibly against Google Apps ToS.

ThinkTecture IdentityServer and identity federation

I'am trying to enter in the huge world of the SSO and making things to be clearer.
Here is my use case :
I have a web app (the RP in the SSO jargon) which uses a REST API. We have customers that would like to use a SSO way to connect to our web application and our API.
For example, a user "A" from our customer "A-Company" is connected to its intranet. And in this intranet there's a link to our Web App. If this user A clics on it the Web App must redirect it to the IDP of the "A-Company". User A then signin and gets an access token and is redirected back to our web app. Then, our web app validate this access token, get the claims and etc ...
If a user "B" from our customer "B-Compagny" wants to do the same, it'll have to be redirected to its own IDP too.
How this can be achieve using IdentityServer3? How my WebApp (the RP) knows where to redirect the incoming request to be authenticated (to IDP-A or IDP-B or elsewhere ...)
Is this use case illustrates what is called "Identity federation"?
I was looking at OpenID Connect and ThinkTecture IdentityServer V3 that seem to be a very good product but I have some difficulties to see if it will fit my needs.
Thank you for your help
Fred

Can my web service api call facebook/google oauth2 on behalf of another web service?

I'm building a web service for use as an api component in web sites or apps built by others.
I am building a set of functionality that my clients can use on their sites for their users, but which are served by my application.
One of these services is user login. I intend to support multiple types of logins, and provide the client application a user token once the user is logged in. So the client application only has to implement one login interface, but they get a variety of oauth2 strategies for it.
To make this work with their google or facebook accounts, they would have to provide my app with their application id and secret key. Entering a secret key on someone else's site, even for integrating with your own site seems dangerous. They call it a "secret" key for a reason.
I have found one web service which seems to be doing something similar to what I am planning to do:
https://www.authic.com/documentation/google_oauth2
They have a configuration page for client accounts where the user enters oauth2 credentials to enable the Authic oauth2 login pages on behalf of the client app.
What are the security concerns to be aware of with this kind of service, and can the client app use a service like this safely? If it can be used safely, what is required for safe use? I think the app doing the oauth2 interface would be able to do other things on behalf of the client app, since it has an app secret, and the client app owners would have to trust that this was not happening.
The alternative to this strategy seems to be using my own application id with oauth2, and having the client apps redirect to my app's login page. Then the user will see the oauth2 permissions page with my app's logo instead of the app they were intending to log in to.