How to add new "Reset Actions" for emails in keycloak? - keycloak

There is a certain set of reset actions provided by keycloak for email.
They are:
Configure_TOTP
UPDATE_PASSWORD
UPDATE_PROFILE
VERIFY_EMAIL
How do I add a new action here along with its own email theme and its own custom inputs?

You need to implement your own Required Action. The whole process is described in the docs.

Related

Keycloak Send Email after successful password reset

Keycloak provides "Forgot Password" functionality out of the box. This is working perfectly fine. On clicking this, I enter email and a link is sent to my email. On clicking the link I can reset my password.
My question is: is it possible to make Keycloak send an email after a successful password reset?
Thanks to some of the hints from Fabrice, I wrote an event listener to achieve this.
In the listener I filtered for event type UPDATE_PASSWORD and sent email myself. Something like this
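    import org.keycloak.events.Event;
    import org.keycloak.events.EventListenerProvider;
    import org.keycloak.events.EventType;
    import org.keycloak.events.admin.AdminEvent;
    public class ResetPasswordEventListenerProvider implements EventListenerProvider {
        public ResetPasswordEventListenerProvider() {}
        @Override
        public void onEvent(Event event) {
            // React only to user events of type UPDATE_PASSWORD.
            if (event.getType() == EventType.UPDATE_PASSWORD) {
                // Send email.
            }
        }
        @Override
        public void onEvent(AdminEvent event, boolean includeRepresentation) {}
        @Override
        public void close() {}
    }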
These are some of the articles I referred to:
https://dev.to/adwaitthattey/building-an-event-listener-spi-plugin-for-keycloak-2044
If you do not use any external dependency in your code, then packaging your code as jar and deploying is enough as indicated in the above article. But if you have any external dependency in your code, then it is very difficult to include those in the resulting jar.
For example, in my case, once I catch the event, I send the details to a JMS queue (which will be picked up by another service to send the email). So I needed JMS-related dependencies in the pom. This was not straightforward.
Hence I packaged the code as ear and deployed. The deployment process is similar to jar. But packaging is a bit different. It is shown clearly in this project
https://github.com/thomasdarimont/keycloak-user-storage-provider-demo
Yes, this is possible if you provide a customized copy of the "Reset credentials" authentication flow.
See the documentation on how to customize a flow: https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
I guess you'll have to add a custom authenticator (e.g. "Send Reset Confirmation Email") after the "Reset Password" authenticator.
For the implementation of this custom authenticator, you'll only need to send the confirmation email in the authenticate() method.
You can look at keycloak built-in authenticators such as https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java.
Regards,
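
The authenticator this answer describes, as an added example that is not part of the original post or Keycloak's own code: it sends a notice from authenticate() and lets the flow continue even when mail delivery fails. The class name, the message key passwordResetNoticeSubject and the template password-reset-notice.ftl are assumptions and would come from a custom email theme.

```java
import java.util.HashMap;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical authenticator placed after "Reset Password" in a copied reset flow.
public class SendResetConfirmationEmail implements Authenticator {
    private static final Logger LOG = Logger.getLogger(SendResetConfirmationEmail.class);

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user != null && user.getEmail() != null) {
            Map<String, Object> attrs = new HashMap<>();
            attrs.put("username", user.getUsername());
            attrs.put("ipAddress", context.getConnection().getRemoteAddr());
            try {
                context.getSession().getProvider(EmailTemplateProvider.class)
                        .setRealm(context.getRealm())
                        .setUser(user)
                        // Assumed message key and template, supplied by a custom email theme.
                        .send("passwordResetNoticeSubject", "password-reset-notice.ftl", attrs);
            } catch (EmailException e) {
                // A mail outage must not block the reset flow; log it for follow-up.
                LOG.warnf(e, "Could not send reset notice to user %s", user.getId());
            }
        }
        // Never fail the flow from here: this step only notifies.
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) { }
    @Override
    public boolean requiresUser() { return true; }
    @Override
    public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override
    public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override
    public void close() { }
}
```

To appear in the flow editor the class also needs an AuthenticatorFactory registered under META-INF/services, as the linked SPI documentation describes.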

Preventing user from modifying their name in Keycloak

In Keycloak, by default, users are able to change their first and last name in the account manager page. However, is it possible to disable this behavior?
Removing both fields in the theme results in those values not being sent and the form failing, and a hand-crafted POST request would defeat this method anyway.
I came across a similar problem and, after reading this SO post, came to know that although you can disable/hide fields in ftl, you cannot disable form validation.
E.g. I hid the firstname field, but still cannot submit. Same was the result with disable as well:
I am not aware about disabling a particular field in some other way. However there is a workaround in which you can disable the entire account modification flow (Password can still be changed by Forgot Password option).
By default, account modification is enabled, but you can disable it for a particular realm by going to Realms -> Clients -> Account.
The result of this will be, the account page will be inaccessible:
You can remove the client role 'manage_account' for client 'account'.
In Keycloak, by default, users are able to change their first and last
name in the account manager page. Is it possible to disable this
behavior?
That can be done out-of-the-box (since Keycloak 14) by using the user profile functionality. First, the preview feature declarative-user-profile has to be enabled. For that start the server with:
--features=declarative-user-profile
for the Quarkus version, or with
-Dkeycloak.profile.feature.declarative_user_profile=enabled
for the Wildfly version.
Bear in mind that:
Declarative User Profile is Technology Preview and is not fully
supported.
After starting the server with the aforementioned option, go to the Keycloak Admin Console and:
Go to the according Realm;
Go to the tab General;
Set User Profile enabled to ON
A new tab named User Profile (top right) will show up; click on it, and a set of configurable attributes will be shown.
Click on firstName, and then go to Permissions
In that section the permissions can be changed, accordingly. For example, if one sets Can user edit? to OFF, then when the user tries to change the firstName field in the account UI, that UI throws the following warning message:
The field First name is read only.
The same configuration can also be applied to the lastName attribute.
For the new Keycloak UI the workflow is exactly the same as the one I have just described. More information about the feature can be found in the official keycloak documentation (link)
You can use the readonly property to disable email; you can just change the following line:
<input type="text" class="form-control" id="email" name="email" readonly autofocus value="${(account.email!'')}"/>

SendGrid Transactional Templates - Address and Unsubscribe Link Broken

I've configured several Transactional Templates to be sent from my SendGrid account via their handy Design Tool, which work great!
However the Address Line and Unsubscribe links on the template footer aren't activated. In an email they display as placeholders, like so
[Sender_Name]
[Sender_Address], [Sender_City], [Sender_State]
[Sender_Zip]
Unsubscribe << (Not a Hyperlink)
I've followed SendGrid's documentation and configured my account address but am unable to find the solution for this.
Any ideas on this? Thanks for any input or guidance!
To get the unsubscribe to function you will need to create one or more unsubscribe groups. If you look under the Marketing menu you will see the sub menu to create those. Once you create one it will be assigned an ID number. When you are generating your email you will need to pass that ID value in as part of the EmailMessage object. If you are using V3 of the API you will be looking for SetAsm.
As for the Sender fields, for transactional templates they do not work correctly, as they are meant for marketing campaigns. Your two options are:
Remove the Sender fields from that block in the template. Add a new text block above it with static values.
Download the template into HTML and convert the sender objects into substitution variables. You will then be able to set them in your code when you are creating the email.
GitHub Bug
The unsubscribe link will only appear if you create an unsubscribe group and specify it while sending using
asm: {
group_id: <the unsubscribe group ID>
}

OctoberCMS: how to setup user account activation by email in Rainlab.User plugin?

I'm using Rainlab.User plugin with user activation via e-mail.
By default the user receives an email with the activation link "http://examples.com/register". So there is no activation code in it. How is it supposed to work at all?
Perhaps you forgot to set the url parameter on the page where the Account component is placed?
The page url needs something like: register/:code?
And the component settings must reflect that with the 'Activation Code Param' set to code as a normal string.

How to send email when user is created from BCC ATG?

On creation of new external user from ATG BCC, I need to include some logic like encrypting password and sending email to user. Achieved this functionality by extending GSAPropertyDescriptor class and overriding its getPropertyValue(RepositoryItemImpl pItem, Object pValue) method.
Problem is, this method is getting called only when we click on create button from "General" tab present in users section, but not on click of same create button from other tabs like "Commerce", "Orgs & Roles", "User Segments" and "Advanced".
Please suggest!!
It is not a good idea to override getPropertyValue of an item for this implementation. The right way to do this is to work with the formhandler that is responsible for saving the user. It is a bit tricky to find this formhandler. It will be in the atg/web/viewmapping/ViewMappingRepository/ of the BCC instance. In this repository there will be lots of formhandlers configured for different purposes. You have to pick the one relevant for the user edit. Here is an example of what you might find there:
With this, you go to the appropriate formhandler, like /atg/web/assetmanager/editor/profile/UserFormHandler mentioned here, and override that component in your module with your own implementation. Once that is done, you'll have control of the action. You can do your work and pass control on to the super class (the original implementation).
Regards,
Jags