How to validate password of a disabled AEM user? - aem

I have the authorizable ID and a password text. In a normal scenario, I can directly get the session using slingRepository.login option. If I am able to do so, that means the credentials are valid. But let's say if the user has been disabled for some reason then how can I validate the password because in that case AEM doesn't validate it and throws the AccountLockedException directly. I don't need the session, but I want to validate that the password I have is correct (programmatically).

Related

Sync user in google admin console without password

Is there any way to create user in google admin console without password?
Users can create a new password with First Time Login
I am using google admin sdk API with service account Bearer token to create user.
Url: https://admin.googleapis.com/admin/directory/v1/users
Payload: {
"primaryEmail":"sampleuser#orgdomain.com",
"name":{
"givenName":"Test",
"familyName":"User"
},
"suspended":false,
"password":"Password1234",
"changePasswordAtNextLogin":true,
"ipWhitelisted":false,
"emails":[
{
"address":"sampleuser#orgdomain.com",
"type":"home",
"customType":"",
"primary":true
}
]
}
The API is failing without the password field. Is there any way to enable or disable any configuration in admin console to achieve same.? Related Answers will be helpful. Thanks
You can't create a user without a password within the API.
The method users.insert requires an instance of the Resource: users on the request body and the Resource: Users states that the password is required when creating a new user:
password:
Stores the password for the user account. The user's password value is required when creating a user account. It's optional when updating a user and should only be provided if the user is updating their account password. The password value is never returned in the API's response body.
A password can contain any combination of ASCII characters, and must be between 8-100 characters.
We recommend sending the password parameter as a hexadecimal-encoded hash value and setting hashFunction accordingly. If hashFunction is specified, the password must be a valid hash key.

How to get a unique key from firebase auth to use as a password alternative for data encryption

I created a password manager in flutter, which stores password encrypted passwords in an db. I access this db via the backend, which is written in python. As a user in the app, you are able to set a master password, which after each login is passed to the backend, to encrypt the data. I now want to add sign in with google functionality (firebase authentication), so that you don't need to type in your master password every time. Is it possible to receive something like a key or a token from firebase after each successful google-login which you can use instead of the master password?
I noticed already that there is this uid in the firebase user class (which i receive from FirebaseAuth.instance.signInWithCredencial(google_sign_in_credencial) in the google registration progress) which is unique for every user, but i dont think that this is secure enough to replace this sensitive master password. I also heard from JWT Authorization, but i am not sure, if it's the right thing for that.

Generate password reset URL

I want to send Keycloak user reset password email from my web app without using Keycloak SMTP configuration. For that I am trying to generate the reset password link but I am not sure how to generate the code in URL. Are there any API call to generate action code or full reset password URL ? Keycloak generate something like below. I need to generate same. That's the objective.
https://server.com/auth/realms/xxx/login-actions/action-token?key=ffdfdfdfd
There is no such API directly exposed in Keycloak.
Keycloak provides action tokens that permits its bearer to perform some actions, e.g. to reset a password or validate e-mail address.
Perhaps you could have a look at the action tokens SPI:
http://www.keycloak.org/docs/3.3/server_development/topics/action-token-spi.html
This way you can handle your use case.

Keycloak: Disable username/password login for external IDP

How to disable username/password login for external IDP ?
I know that I can use custom theme to hide http form, but I want to do it properly.
As far as I know I have to create at least custom First Broker Login and Browser authentication flow, right?
After first login from IDP I have to create user in Keycloak, but do not leverage password option.
Also Browser flow must be updated to not show username/password form, right?
Can anyone provide proper example ?
Thanks
You can use a custom authentication provider to achieve your goal.
Instruct Keycloak to assign a specific user attribute to all users arriving from the IDP.
Build an authentication provider which checks for that user attribute and denies access.
Add the authentication provider to the Browser login flow.
Optionally adjust templates files to hide login fields and show a user-friendly error if the user fails step 2.
Further details here: https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ
May not be 100% suitable to this case, but found next one working fine for our case without need to compile and deploy "custom authentication provider". In our app we suppress keycloak login form and offer own custom user / password form, and for IdP integration we are using kc_hint to redirect directly to IdP login page. Once user login via IdP we want to disable user name / password login using password grant. There is a trick allows to achieve this in keycloak v15. You can assign "Update User Locale" to "Required User Actions" of the user, from that moments, direct password grant wont let user to login returning "requires action" validation error, which is not supported in our UI, while IdP login still works and skip this "required action" nor reset it after login. Of course you may need some scheduled curl script allows to set this for users automatically via users REST API : read users attributes or IdP link integration, if found specific Idp related user attribute or IdP integration link, and "requires action" array is empty, set it to "Update Locale".
Of course this all works as long as you hide keycloak login form and use your own. for all using keycloak login form, login using name / password will work and can bypass "Update locale" requirement (not sure why, perhaps because realm does not have locales configured)
Try this costum Authentication flow
By Automatically linking brokered account, the user won't have to set a password. as for the username it will be automatically imported from the identity provider.

TYPO3 backend user without password

Is it save to create backend user with an empty password?
For example the _cli_lowlevel backend user or a backend user editor-test, which I only use for testing purposes via the "Switch to user" feature.
usually a cli_* user should have no rights to access anything in the BE (non admin user, with no mount-points). it is used to execute TYPO3 by command line. if anyone can get access to a shell he can execute commands more dangerous than a simple BE-access. e.g. he can open access to the install-tool and create an admin-user. or use mysql-cli to set passwords to any given user.
normally you can not create BE-users without password as the form for BE-users requires a not empty password field. as you probably use salted and hashed passwords even a simple password can not be decrypted (so a brute force attack may find the password quickly). so the best way would be a long random password which you might forget the next moment.