In keycloak web console it's possible to reset password with url like
https://server.url/auth/realms/master/login-actions/reset-credentials. But user always needs to fill the email. When I'm redirecting to this page from another application I already know the email so I'd like to pre-fill it. Is it somehow possible?
I've tried to add parameter ?username=some#email.com but that isn't working, username/email field is still empty.
Related
We have a PHP/MySQL based User Management System and are integrating it with Keycloak version 16 where we will store users credentials.
Our application does not allow users to self register. We create user accounts on the system. When we do this we do NOT specify a password because we want users to set up their own password.
The current system sends 2 separate emails in 2 different circumstances regarding passwords:
If it's a completely new user who does NOT have an existing password, we send them a link to set up a password.
If it's an existing user who already has a password, the system allows them to reset it, e.g. if they forget their password and can't login.
Keycloak seems to cater for scenario (2) because the login forms have a forgotten password link which opens a form where the user can enter their email address and receive a link which lets them do (2).
Unfortunately it doesn't deal with scenario (1) very well and that's where our problem starts. This has been asked a while ago Send password forgotten mail but it seems that Keycloak didn't support this very well in 2020 and perhaps still doesn't now.
Our "workaround" to this was that we added custom email templates and a custom page (reference: Themes on https://www.keycloak.org/docs/latest/server_development/#emails) which includes wording that caters for both scenarios, e.g. "set your password" rather than "reset your (existing) password". The result of this is that our email and form now reads appropriately for both scenarios (1) and (2).
The problem
We want to be able to send a link to the user that allows them to set their initial password to cover scenario (1).
We know that this page exists because on the login page for Keycloak there is a link to the forgotten password form that handles scenario (2). However, the form requires the user to enter their email address and submit the form. The user then receives an email from Keycloak which contains a URL to the page where they can do this. The URL has the following format:
https://example.com/auth/realms/foo/login-actions/action-token?key=...
The key= contains a ~945 character token. Going to the URL above redirects to the form where the user can reset their password. This next URL does not contain a token but a cookie has been set in the browser - by the previous URL - which makes it functional:
https://example.com/auth/realms/foo/login-actions/required-action?execution=UPDATE_PASSWORD
We can't send either of these URLs to the user because the first one (containing key=) has no API method for us to find out what it is - it's only possible to generate this by going through the "forgotten password" step during login, in the browser.
The second URL (/login-actions/required-action...) won't work either because it relies on the previous URL (containing key=) setting the cookie in the browser. If you try and go to this second URL directly (i.e. bypassing the first URL) it will error.
So neither of these URLs will work because we can't find what the first one is programmatically, and we can't use the second one without knowing the first one.
I found https://lists.jboss.org/pipermail/keycloak-user/2018-October/015910.html and the suggestion is using the Keycloak API to trigger a password reset email. This works - sending an HTTP PUT request containing 'UPDATE_PASSWORD' along with the relevant user ID sends the user an email. The request endpoint has the format PUT /{realm}/users/{id}/execute-actions-email which is documented on the link above.
Up to here all is fine - the user gets an email. However, this email does NOT contain a link that goes directly to the "reset password" page! Instead it sends them an email containing the following text:
Your administrator has just requested that you update your account by performing the following action(s): Update Password. Click on the link below to start this process.
Link to account update
When the user clicks "Link to account update" it then shows them a web page like this:
It is only when they click on the link on this page (the one that says "click here to proceed" on the screenshot) that they arrive at the form where they can reset their password.
This is a really poor user experience because the user gets sent a (badly worded) email with a link to... a page with another link! It should just take them to the password reset page directly. What's more frustrating is the fact that Keycloak is clearly capable of generating/sending the exact email we'd like in this scenario: the one which gets sent when a user manually does a password reset via their browser.
So the problem seems that Keycloak's API doesn't support this incredibly important and common use-case of a user being able to set an initial password, in a user-friendly manner.
I am adding the js script in the template to automatically click "click here to proceed". It's ugly but at least the user doesn't see the page
I am using firebase for user authentication in my website. Trying to build a password reset flow where the user receives password reset email, reset's their password and then it is just redirect to the website with the given url.
Problem: I am able to send the password reset email and change the password for that account but when I click the continue button provided by the firebase.It throws following error in browser console.
Uncaught DOMException: Failed to execute 'assign' on 'Location':
'https://?link=http://mywebsite.com/?email%3Duser#example.com' is not a valid URL.
I am also getting the same error for email verification link also.
The url is whitelisted in Firebase's authorized domains.
Please help me!
Are you passing canHandleCodeInApp as true? This means you want the reset link to open in a mobile app if installed. If so, it looks like your FDL domain is not configured (it is resolving to empty string). You should go to the Dynamic links section in the Firebase Console and setup/agree to terms of service. This will update the link to something like: https://example.app.goo.gl/?link=.... You will be able to see that domain in the Console Dynamic links section.
Otherwise you can pass canHandleCodeInApp as false which would open the link via the web action callback URL set up in the email templates section of the Firebase Console. This link will not go through FDL unlike the latter.
As far as I know, on the new Facebook API, there is no way to get the Facebook username. Also, if the user registered to Facebook, his or her account might lack an email address if he or she logged in with a phone number.
However, I am working on a project, where, upon login with Facebook, if the user does not have a user, then the Facebook login is interpreted as a registration. Since, according to my best knowledge, there is no way to get the Facebook username using the API, I am using the email field to generate a username, taking into account only letters.
However, in some cases, the username generated this way is duplicated, or the Facebook account does not have an email address. The best solution I can think about is to redirect the user to a form where he or she can enter the email and/or the username, but that would not help the user-experience.
Is there a way to gather these data without making the user enter them? Or something close to it?
First of all, you should always present the data you want to store to the user BEFORE you store it, and let him change it.
That being said, the (App Scoped) ID is the only thing that is really unique, you can either use the email directly (if the user is already registered, just add the Facebook ID to your database) and present an input field if there is no email - or generate a username with his first and last name. Present the chosen username to the user and let him change it, or tell him that it already exists.
After all, wouldn´t a user WANT to choose his username?
If you want to make it smooth for the user and don´t want to bug him in anyway, you can just store his Facebook ID. Or just use the email directly as username (including the # sign and the domain), as i wrote above. If that´s not good enough, you need to implement your own routine to auto-generate usernames. There´s no general logic from Facebook to do this.
What is the best practice for dealing with a user changing their password and letting their password managers getting the notice of the change?
If a user request a "forget password" link, the user gets often redirected to a specific page where he can set a new password. After filling this info in, the password is being set on the backend and gets redirected to the logged-in homepage.
But this doesn't pops up or updates the in-browser save password dialog/system/keychain/manager. They mostly get triggered when there is also a text field on the form.
I could redirect it to the login page, but that seems a bit stupid since the user just entered their password, and have to do it again.
I notice this with linkedin a lot and google as well, that when I changed my password, some pages still try autofilling my old password and I get a notice that my password is incorrect.
Does anyone knows how exactly cross-browser all these system work? Or isn't there a standard for triggering/updating password managers? And what seems the best practice? If you log a user auto in after a change, there is a quite big change he again forgets it in a few days. It's bizar how many people enter wrong passwords at a login screen.
We have a very old client that is having problems trying to log in to a website. At the moment we think the user is not entering a correct username.
The site is in ASP does any one have any code that I could borrow that would be able to log and write down whats posted and then post that user name and password to the normal submit function.
Send the old client an email asking him what his username is. He'll probably mistype it in his reply the same way he mistypes it in the web form.
Give him a call, and tell him to spell out each letter/keystroke as he tries to log in.