Are Azure User Attributes JWT Claims? - jwt

I have added a user attribute "Role" to my B2C application via User Flows.
When I log in and redirect to https://jwt.ms, I get a response, and the "Decoded Token" tab shows "extension_Role": "Tester".
However, it isn't listed in the "Claims" tab.
Is this just a quirk of the https://jwt.ms display or am I misunderstanding the difference between User Attributes and Claims?

(Moving from comments to Answer)
You should be able to get the custom user attributes/custom claims in the Claims tab too. To verify, create a user with custom user attributes and you will be able to see the information in both the Decoded Token and Claims tabs.

Related

JWT access token based on user in Salesforce

Have a scenario where I need to get the access token based on the user details.
There are few users configured in the connected app and there is already logic to retrieve the access tokens for the default users.
How can I pass the user name dynamically to the jwtUsername attribute and get the access token based on the user name?

In Keycloak, how to change the password of an authenticated user

In the Keycloak administration, if I set the "Required User Action" of a user to "Update Password", the user is asked for a new password after a successful login, calling:
https://SERVER/auth/realms/REALM/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=CLIENT_ID&tab_id=TAB_ID
Calling this URL with a user logged-in but not configured "Update Password" I get a message "User is already logged in".
What would be the correct URL to call from an external application, e.g. from a menu with actions edit-profile, change-password...
Edit: In our application we authenticate users managed in Keycloak. We would like to be able to link a Keycloak page (similar to the one posted) where the user can update/change his password (e.g. old-pw, new-pw, confirm-pw).
This answer is based on Keycloak 12 (latest version at the time of writing the answer)
You can ask users to change their profile details or passwords from the manage account section. You can get the URL of that screen and direct users to that.
"manage account" link location
Account management screen

GitHub App web application flow: What is the login parameter for when requesting the user identity?

I am building a GitHub app that requires user-to-server access tokens. I am following the Web application flow so a user can sign in and my app gets the access token.
My question is about the login parameter in the href when requesting the user's identity:
When your GitHub App specifies a login parameter, it prompts users with a specific account they can use for signing in and authorizing your app.
What does specific account mean? Does it mean the currently logged in GitHub's user account?
What is the point of this parameter?
What is the difference between supplying the parameter and not supplying the parameter?
Thanks!
The login is a suggested GitHub user. When I supplied a valid login, the authorization screen showed the suggestion on top when I was logged in with a different user account.
So a use case would be if you saved the user name already somewhere and want to remind the user to use that account.

Assign Keycloak Realm Roles to User based on the type of Registration URL

Consider I have two registration pages:
1) Student : /register-student
2) Tutor : /register-tutor
I have another URL for login : /login
Now for each of them I have their own callback URLs:
/callback-student
/callback-tutor
/callback
On registration once the user is authenticated, based on the Callback we assign the respective roles. And then redirect the user to the home page.
Note: Once registration is done we do not let the user be authenticated. Rather we redirect the user to login page and expect the user to login.
Once the user logs in, he is authenticated and at the same time I expect to have the user mapped to the right role as we have Role based policies on our resources.
This is my approach of doing the registration, I want to know if this is the right way to do it using Keycloak.
If there is a better way, it would be helpful if you can provide links wherein I can refer to and implement the same.

AWS Cognito Switch User to Federated Account

I want to allow users to sign up using either a user-pool identity (email + password) or a Facebook-federated identity.
But I also want them to be able to switch later on: either add Facebook federation if they didn't sign up using Facebook initially, or remove the Facebook link from their account if they initially signed up using Facebook.
Is this possible?
Thanks in advance!
Yes, it is. I'm assuming that Facebook is added directly to the Userpool as an IdP.
Splitting your query into 2 parts:
1. User signs up using username & password. Later, he wants to link his Facebook account
This is pretty easy. Give an option in your UI and use the AdminLinkProviderForUser API to link Facebook/Google account to the user. Now, when the user signs in using this Facebook/Google account next time, Cognito will treat it as the native user & generate token for the same. Of course, the Facebook info will be mentioned in the identities claim. If the user wants to remove this Facebook/Google link later, it is possible using the AdminDisableProviderForUser API call.
2. User signs up using Facebook
This is a bit tricky since Facebook login will automatically create a user in your Userpool with status EXTERNAL_PROVIDER (unlike native users who have CONFIRMED status). As the name suggests, this user can only be logged in using the relevant external provider - Facebook in this case. If the user wants to login using a username password, a new account will have to be created using SignUp API or AdminCreateUser API. Also, this account can not be linked to the previous Facebook account using AdminLinkProviderForUser because a pre-requisite is that no Facebook user with the same details (email etc.) should exist in the Userpool. But at this moment, we have an auto-created Facebook user with EXTERNAL_PROVIDER status.
So, in short, you would have to create a new user using the SignUp or AdminCreateUser API, delete the auto-created Facebook user, and finally link the Facebook account as mentioned in case 1.
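
The two cases from the answer above, sketched against boto3's cognito-idp client as an added example (not code from the original answer). The function names, pool ID and usernames are hypothetical, and it assumes the federated user's identities attribute is a JSON list whose entries carry providerName and userId.

```python
import json

# `client` is boto3.client("cognito-idp"); any object with the same methods works.
FB = "Facebook"  # provider name as configured in the user pool (assumption)

def _fb_ref(fb_user_id):
    # Cognito_Subject addresses a federated identity by its provider user id.
    return {"ProviderName": FB, "ProviderAttributeName": "Cognito_Subject",
            "ProviderAttributeValue": fb_user_id}

def facebook_identity(client, pool_id, username):
    """Return (facebook_user_id, email) for an auto-created federated user."""
    user = client.admin_get_user(UserPoolId=pool_id, Username=username)
    # Guard: only the auto-created EXTERNAL_PROVIDER user may be replaced.
    if user.get("UserStatus") != "EXTERNAL_PROVIDER":
        raise ValueError(f"{username} is not a federated user")
    attrs = {a["Name"]: a["Value"] for a in user["UserAttributes"]}
    for ident in json.loads(attrs.get("identities", "[]")):
        if ident.get("providerName") == FB:
            return ident["userId"], attrs.get("email")
    raise ValueError(f"{username} has no {FB} identity")

def link_facebook(client, pool_id, native_username, fb_user_id):
    """Case 1: attach a Facebook identity to an existing native user."""
    client.admin_link_provider_for_user(
        UserPoolId=pool_id,
        DestinationUser={"ProviderName": "Cognito",
                         "ProviderAttributeValue": native_username},
        SourceUser=_fb_ref(fb_user_id))

def unlink_facebook(client, pool_id, fb_user_id):
    """Case 1, reversed: remove the Facebook link again."""
    client.admin_disable_provider_for_user(UserPoolId=pool_id,
                                           User=_fb_ref(fb_user_id))

def convert_federated_to_native(client, pool_id, fb_username, new_username):
    """Case 2: create a native user, delete the auto-created one, link."""
    fb_user_id, email = facebook_identity(client, pool_id, fb_username)
    attrs = [{"Name": "email", "Value": email}] if email else []
    client.admin_create_user(UserPoolId=pool_id, Username=new_username,
                             UserAttributes=attrs)
    client.admin_delete_user(UserPoolId=pool_id, Username=fb_username)
    link_facebook(client, pool_id, new_username, fb_user_id)
    return fb_user_id
```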