Keycloak - request user to verify email address through api - keycloak

Desired result:
User should be able to register and then he should be able to log in through a mobile app (even if the email address isn't verified); the app shows a warning that the email isn't verified and some app functionality is disabled.
What I have:
native mobile app that has user signup and signin functionality
api server consumed by the app
Keycloak instance
signup functionality is done by the api server, it is a Keycloak confidential client that can create users
signin is done by the mobile app directly with a POST call to the Keycloak /token endpoint that returns an access token
All good, now I have a token that can be consumed by my api server and I know that it is a registered user with an unconfirmed email address.
The problem is that the user doesn't receive any Welcome/Confirm email, but: if the user goes to the Keycloak LogIn webpage and tries to log in with the newly created user then he receives an email from Keycloak, but for LogIn through the api there are no emails. Is there any way to solve this? Am I doing something wrong?
The only way to request the user to verify their email is by requesting the "Verify Email" action, but if I do this then the user can't log in with an unverified email anymore.
Login is done with a POST to /auth/realms/realm/protocol/openid-connect/token and with a {grant_type: 'password', password: 'string', username: 'string'} body.
Calling PUT /{realm}/users/{id}/send-verify-email seems to behave the same as requesting Verify Email via /execute-actions-email.

I know I'm a few years late for this answer, but for anyone who comes here in the future, the devs answered in this thread here
This is a limitation with the execute actions endpoint and it uses a generic email. It's not a bug, rather a limitation
And that's it. They have a specific endpoint just to send a verification email, but it's only a wrapper around the execute-actions-email endpoint.

Related

`node-oidc-provider` with Email verification

I'm creating an OIDC provider with oidc-provider. For now, my registration flow requires an email verification step, which is handled outside oidc-provider. This approach works but it leads to an issue: the user cannot automatically log in after setting up their password.
I'm thinking of creating a new prompt policy named email-verification, something like:
https://<auth-endpoint>?client_id=...&prompt=email-verification
I wonder:
Is this flow acceptable with the OpenID Connect specs?
Is there any document, tutorial or example in terms of specs or implementations of this approach?
The case where a user registers in the mobile app but opens the email link on the web (we have a mobile app with a different client_id and, of course, a different redirect_uri). How should we redirect the user to the app without error?
Thanks,

Is there a possibility to automatically login by clicking on verify email link triggered by /send-verify-email

If Keycloak's self-registration form is used, once submitted, it will send an email verification link to that newly registered user.
Once the user clicks the link, his email will be verified, and it will redirect him to the redirectUri from his client and provide the authorization code, which is perfect.
The problem arises when I don't want to use Keycloak's registration form; instead I have a custom registration mobile form, which sends the user data. That data is then sent to Keycloak via the Admin REST create user API.
Once the user is created, by triggering the /send-verify-email or /execute-actions-email APIs, neither of them returns an authorization code in the end. Yes, they do redirect to the redirectUri you specified, but I need the authorization code as well, in order to be logged in automatically upon clicking the link.

Facebook OAuth security using passport-facebook

I am currently using a client-side React component to have a user login to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the authenticity of the accessToken after a successful client-side login.
One practice I do not see often is in addition to asking Facebook if the accessToken is valid, shouldn't the server also check if the email provided by the client's payload matches the e-mail coming back from Facebook? Allow me to use defined client/server technologies to illustrate my question:
1) User uses React component on the client to authenticate with Facebook.
2) React component successfully authenticates with Facebook and fires an HTTP request to the server with an access token and the user's email.
3) The server, running Node.JS and passport-facebook, now needs to verify the authenticity of the access token directly from Facebook. Facebook does not care for an e-mail. It will just verify the access token.
4) Facebook returns a response to Node.js confirming the authenticity of the access token. The response also contains other metadata about the user, including their email and other profile data.
My question is, should Node.js take the email that's also coming back from Facebook's access token verification payload, and verify that it is what came back from the React client? Would this not prevent someone from brute-forcing an accessToken and require them to not only have an accessToken but also know who the accessToken belongs to? This could prevent a user from submitting a bunch of HTTP POST requests to the Node.js server attempting different access tokens. They would not only have to guess an access token assigned to the application's clientID, but also know the e-mail it belongs to. Is this an over-engineered approach?
Really the best way I can think of to make your OAuth accessToken and 'code' value less prone to brute-forcing is using a cryptographic random number generator to create a 128-bit string of random data and encoding it with base64 to use as your code. It's extremely unlikely that it would be guessed by a computer or by someone redirecting to and from the authorization endpoint and the redirect-uri with query parameters.
Another method of fortification is limiting the rate of authorizations by IP address (which you can do instead of by email through Node.js), but that is usually not a problem for most well-equipped hackers. I highly advise the first method for creating a more secure service.
Your approach to validate the email as well as the token is a bit superfluous because Facebook's opaque user access tokens are inherently tied to email.
From Facebook
An access token is an opaque string that identifies a user, app, or Page
"opaque" is defined by Auth0 here
Opaque Access Tokens are tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage
In your case, the identifier is the user's email, and the server belongs to Facebook.
I will elaborate further. Here is your step by step with some edits:
1) User uses React component on the client to authenticate with Facebook, inputting both their email and password directly to Facebook. React component gets the token from Facebook on login success.
2) React component successfully authenticates with Facebook and fires an HTTP request to the server with an access token and the user's email.
3) The server, running Node.JS and passport-facebook, now needs to verify the authenticity of the access token directly from Facebook. Facebook does not care for an e-mail. It will just verify the access token because the access token is already tied to the email.
4) Facebook returns a response to Node.js confirming the authenticity of the access token. The response also contains other metadata about the user, including their email and other profile data.
This is Facebook's bug bounty program. If their OAuth was really as cracked as to require a second email validation, it would have been patched almost immediately by this incentive.

Keycloak secure user registration

I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs.
Use case:
The registration page for new users shouldn't be public. New users get an invitation email from the admin. The email contains a link to the registration page.
I thought about using an initial access token (like for client registration) and adding it to the link to the registration page. AFAIK there is nothing like that for user registration?
Are there any other ways to do it?
I think you've got two options to implement it:
First
You know the e-mail of the destination user before sending the invitation, so you would let the admin create a user in Keycloak with the e-mail itself as the username. Then the admin should check 'Verify e-mail', 'Update profile' and 'Update password' as required actions, so Keycloak will send an activation mail (you can customize the e-mail template) and the user will be required to fill in his data and set a password.
If you don't want the admin to access Keycloak directly, you could do it via the user management API.
Second
Implement this logic in your application. Write a user data form which is publicly accessible using a code (it might be some UUID). When the admin sends the invitation mail, link a random code to the address, so when the user enters the page, you can verify it. Then you'll need to save the data in Keycloak as a new user, using the user management API.

Get messages from Gmail via HTTPS GET call

I'm working on an iOS application and what I'd like to do is have the app ping one universal Gmail account to check for the most recent email.
I went through the guide from Google at https://developers.google.com/gmail/api/quickstart/ios?ver=swift, but the result did not work. After some googling, it appears that some functionality may have been changed, but they haven't updated their documentation yet.
Is there a way to send credentials via https to Gmail and get email messages back? I have an OAuth key via the Gmail API manager, but when I pass it as "access_token", the response says "Login Required".
AFAIK, an error response "Login Required" can be encountered if you try to list the buckets for a project and do not provide an authorization header.
If we check Users.messages: get, it's noted that it requires authorization.
For this, you may want to check Authorizing Your App with Gmail, where you will find this basic authorization pattern:
During development, register the application in the Google API Console.
When the app launches, request that the user grant access to data in their Google account.
If the user consents, your application requests and receives credentials to access the Gmail API.
Refresh the credentials (if necessary).
Furthermore, if your application needs to access Google APIs on behalf of the user, you should use server-side flow. Please see Implementing Server-Side Authorization for more information.
Some time back I was involved in writing a sample application to access email from Gmail, but using C++ on Windows. The code is at https://github.com/Panchatcharam/simple_gmail_api. I was able to successfully get emails.