Firestore security rules and custom claims - can uses overwrite them? - google-cloud-firestore

I want to use custom claims in my Firestore security rules but I read that they can apparently be overwritten by users:
However, if the same custom user claims are defined on a user signed
in via custom authentication, the overlapping claims defined in the
custom token have higher priority and always overwrite the custom user
claims defined on a user via this API.
[https://firebase.google.com/docs/auth/admin/custom-claims][1]
Which defeats the purpose, so I guess I must be missing something?
EDIT: moved extra question to another post

A user cannot set custom claims on their own account. The only way to set custom claims on a user profile is through the Admin SDK, which requires that you have access to the project credentials of the Firebase project, something only collaborators on that project do.

Related

Keycloak custom attrbiutes validation on edit

I have added few custom attributes for my org's requirement to registration field. Have customized the theme and added validation as per the documentation. It works fine. I could add these attributes to account management page also by modifying the account template.
However, I want to add capability to edit these custom attributes under account management as well as custom validation logic for this edit action. I can't get any reference to the documentation.
Would appreciate any help. I am using Keycloak 12.0.2 on RHEL 7.9 OS with Java 11.
I know three options for this.
You can overwrite your Keycloak source code according to your needs but i did not suggest that because of if you update source code , Using new version of keycloak will be harder.
You can relocated your custom validations on your modifying the account template.
You can write completely new interface ,which is not using directly keycloak, and you can write new backend which is using admin rest api on keycloak.By the way you can find adaptors for keycloak admin api's for different languages(For Js : keycloak-admin)
I am answering it after long time, but newer version of Keycloak from 14.0 onwards, they have something called declarative user profile which can be enabled to have custom attributes. It allows to define custom attributes from admin console. One can configure permissions for admin and the user, additionally one can configure to use inbuilt basic validators. Keycloak renders registration form and update profile form dynamically based on these attributes. However, as far as I know, as of version 18.0.2, you still need to modify account template for allowing custom attributes visible and modifiable from account management. Same validators works with just modification of template, you need not do anything in code. I am referring to Keycloak WildFly distribution, which is rechristened as legacy distribution now.
Here are the links the same -
Github User Profile
Redhat issue or umbrella task for related work
Keycloak documentation - Defining User Profile

How to map social credentials with custom ones

My company has userbase of course, but I want to allow users to login and use my applications with their social accounts e.g. Outlook, Facebook, Gmail. Something that is usually not clear to me when I read resources on the Internet on the topic is how to map the social credentials with ones in our database? I know we should use an API platform or something like that, but the user identity part is not clear to me.
You basically need to, as you noted, tap into the provided response and transform or link or provision it to existing identities in your own userbase. A lot of this depends on your method of delegating authentication to external provides and things they expose back to you as part of the user profile. You basically need to grab the user profile, parse it and then determine which field can be used to link that profile to an existing account, and then establish the authentication session based on the final result.
Here is a link to a technical walkthrough that describes the same process with an SSO solution: https://apereo.github.io/2018/04/20/cas-delegated-authn-account-linking/

specify user id when creating user in keycloak

I'm investigating a migration process from a legacy system into keycloak. Based on some of the ideas here: https://github.com/Smartling/keycloak-user-migration-provider we're looking to create user accounts in keycloak at the point of login by looking up user credentials from some dedicated endpoints on our legacy system.
As part of this, I need the user ID to remain the same as it was in the legacy system.
Is it possible to create a user with a specified ID rather than relying on keycloak to auto-generate it?
Running into this issue when attempting to create users via the API, I looked into the code for the users service. It looks like it is currently not possible to set the user id due to how the user is created.
From the code in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java specifically on line https://github.com/keycloak/keycloak/blob/7cfe6addf01676939206e034a87c791460031032/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L115 the user is first created using the username, then updated. I believe id is not an updatable field. Thus it is not currently possible.
Checking the api I see it is now possible to add an optional "id" field in the userRepresentation object that you pass to create a new user in keycloak.
Find more information here: https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_userrepresentation

Allowing a user to update their own profile using the REST API

I have been experimenting with the REST API using my logged in user account's token to then make PUT requests on my user record to update some custom attributes.
In order to get to this work I had to grant my user account the manage-users role in Keycloak, prior to this I was getting forbidden responses back.
I can now make the PUT request successfully, and after logging out and logging back in I can see the updated attributes I set in my PUT request.
But I have now allowed my user to be able to manage all users in my realm, which I dont want to allow.
Instead I only want to be able to update my own account details.
I know the user can view their own profile and make changes on the Keycloak provided screens. But for certain custom attributes I want to be able to do this from the client side application they are logged in to, so using the REST API but not granting them a role that could allow them to update other users details.
Is this possible?
According to the User section Keycloak's Admin REST API, this is not possible.
One solution would be for your client app to send the update request to a backend. The backend will verify that the update request is legit (aka the JWT is verified and the update does apply to the user requesting the change).
Another solution would be to theme the User Account Service's screens to add input fields for your custom attributes, as the documentation says that:
This screen can be extended to allow the user to manage additional attributes. See the Server Developer Guide for more details.
The second option seems the more secure. I hope that helps.
This seems to be possible with the Account Management API.
Unfortunately, I didn't find any official documentation about that. However, there's an example in Keycloak that demonstrates how to do it.

Extend user access token in Keycloak with external data

We use the Keycloak service as SSO solution and provide the resulting JWT to different microservices and that works very well.
But now we have the problem that the JWT must be extended with data from an external resource when the user tries to login.
More tangible, a user has access to different markets with an unique ID as identifier, but we didn't see the management which user have access to which market inside the Keycloak service.
What could be the best solution for this problem?
After reading the docs an custom User Storage SPI is an answer, but I think that is a little bit to much..
As information we use Keycloak 3.1.0 as a standalone service with an postgres DB
The way you add extra data/information to your keycloak JWT token payloads, comes by means of adding "client-scopes" configured with the proper protocol mappers within them, that allows you to add any amount of custom extra information to your Id-token and access-token.
One example of this, would be having extra variables in your users, and then in the protocol mappers within the (newly-created) "client-scope", you can add a protocol-mappers of type "User-Attribute", so that your specific user variable will appear in your token the way you configured on your "protocol-mapper". There are many types of "protocol mappers" that'll allow you to map diverse type information to your tokens (is not just for mapping user variables).
This was addressed on this question before:
Keycloak User Storage SPI Implementation
I'm copying here the part which is relevant to you:
Origianl question was:
[How to]"Retrieve some attributes from external datasource, map it to keycloak's id and access token. Need to retrieve users unique id and add it as subject id in the jwt. That's the id, rest of the services can use to retrieve the id, when this token is passed to other services."
[Answer:]
For this, the best you can do is:
Add those user's unique data as users attributes (see them on the Admin console)
Create a "Client scope" on Keycloak, with a corresponding mapper of type "user property" to map each of those values you'd like to add (from your user data) to your Id-token and access-token. You also need to tie your client with your just created "client scope". This may sound a little bit confusing, but this video is great material and I bilieve it'll help you alot: https://www.youtube.com/watch?v=ZxpY_zZ52kU (arround min 6:30 you'll see how to add extra user info to your tokens)