Keycloak disable user after registration - keycloak

I'm new to Keycloak and I thought this would be super easy, but I can't find a solution. If a new user registers, he should be disabled by default until an admin enables the user manually. Is there a simple solution for that? Thank you in advance and best wishes!

Create an SPI for RegistrationUserCreation where on processResponse you disable the user.
Then use this registration in the login flow.

If you look at the Keycloak server page https://www.keycloak.org/docs/6.0/server_admin/
in 4.8. User Registration, if a user is registered, he would not be disabled by default and there is no option for that. The only thing you can do is to require a few actions from the user, like changing the password or requiring email verification. Or you can disable the user as admin.
Think about it: if a new user goes through all the process to register just to be disabled by default, what's the point of enabling registration?

Related

backpackforlaravel: how can we override login controller to integrate 2fa?

Actually the magnificent piece of software called Backpack for Laravel cannot natively handle 2FA auth, for now, as of May 2022.
We would like to add this package to your project: https://github.com/thecodework/two-factor-authentication
To be able to integrate it with Backpack for Laravel we must override Backpack's login controller.
How can we do it?
As much as I would like to have everything integrated with Backpack, unfortunately time/money/tech does not allow us to do that. I really hope sometime I can dedicate more of my time to these "goodies" (2FA, GraphQL etc.).
For now, we've just added a simple way for people that don't want to use the default Backpack auth to disable it and implement their own auth mechanism if needed.
https://backpackforlaravel.com/docs/5.x/base-how-to#customizing-the-auth-controllers
Don't stop at this tag (customizing the auth controllers); further down on that page there is more info about auth that could help you here.
If you need my help with something you know where to find me.
Cheers
We reached our goal by overriding the LoginController and ResetPasswordController of Backpack.
To be precise: after a successful login, we immediately log out, send an OTP code via SMS and redirect to a form where we ask for this code.
Then, on posting the code, with a hash in the DB, we can check the user, hash, token and validity of the token.
If all are valid, we actually log in the user.
For password recovery, after changing the password, instead of redirecting to home or similar we log out and redirect to login so the user can log in without bypassing OTP.

Allow user to opt in to MFA

I have been able to leverage Keycloak's "Default Actions" section in "Authentication" to force new users to set up MFA via Google Authenticator.
However, I've only been able to make this required for all users or not possible to turn on at all. I'm looking for a way to allow users to opt in to MFA via OTP if they would like during Sign Up.
I think you need to use the Authentication api, and specifically the one for extending the registration page/form.
See: https://www.keycloak.org/docs/latest/server_development/#modifying-extending-the-registration-form
I will give it a try tonight, and update my answer.
There is no default option out of the box to implement this authentication flow.
You can create a custom authentication flow with a step asking the user to do the MFA.
This can be done using a JavaScript authenticator (https://www.keycloak.org/docs/latest/server_development/#_script_providers) or a Java service provider interface: https://www.keycloak.org/docs/latest/server_development/#_auth_spi

Invite user by email and set their password

I have an email address of a user. I'd like to create a user and send them an email with a link to set their password and activate their account. Is this kind of flow supported in Keycloak? I think I can provision the user in Keycloak and send executeActionsEmail using UserResource. Is that the right way to do it?
Yes, Keycloak does support this kind of flow. You can use the Keycloak admin client for this.
UserResource is the right class for this. You are going in the correct direction.
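The provisioning step the answer points at, as an added example that is not code from the thread: it drives over plain HTTP the same endpoints the admin client's UserResource wraps (POST the user, then PUT execute-actions-email), assuming an admin bearer token is already in hand and the realm has SMTP configured; base_url, realm and the FakeKeycloak stub are constructed for offline use.

```python
import json
from urllib import error, parse, request

# Built-in required-action ids; the mailed link runs them in this order.
INVITE_ACTIONS = ["UPDATE_PASSWORD", "VERIFY_EMAIL"]


def user_payload(email):
    # The account must be enabled and carry an e-mail address or Keycloak
    # refuses to send the mail; the pending actions block login until done.
    return {"username": email, "email": email, "enabled": True,
            "emailVerified": False, "requiredActions": INVITE_ACTIONS}


def invite(base_url, realm, token, email, send, lifespan=86400):
    """send(method, url, headers, body) -> (status, headers, body).
    Returns the new user's id, raises on any unexpected status."""
    hdr = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    users = f"{base_url}/admin/realms/{realm}/users"
    status, resp_hdr, _ = send("POST", users, hdr, json.dumps(user_payload(email)))
    if status != 201:  # 409 means the username/e-mail is already taken
        raise RuntimeError(f"user creation failed with HTTP {status}")
    # A 201 carries a Location header that ends in the new user's id.
    user_id = resp_hdr["Location"].rstrip("/").rsplit("/", 1)[-1]
    query = parse.urlencode({"lifespan": lifespan})  # link validity, seconds
    status, _, _ = send("PUT", f"{users}/{user_id}/execute-actions-email?{query}",
                        hdr, json.dumps(INVITE_ACTIONS))
    if status != 204:
        raise RuntimeError(f"action mail failed with HTTP {status}")
    return user_id


def urllib_send(method, url, headers, body):
    """Real transport for invite(); HTTP errors come back as a status tuple."""
    req = request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except error.HTTPError as exc:
        return exc.code, dict(exc.headers), exc.read().decode()


class FakeKeycloak:
    """Constructed offline stand-in for urllib_send: records each call and
    answers like a real server (201 + Location for POST, 204 for PUT)."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, json.loads(body)))
        if method == "POST":
            return 201, {"Location": url + "/0000-constructed-id"}, ""
        return 204, {}, ""
```

Against a real server, call `invite(base_url, realm, token, email, urllib_send)`; the user sees the set-password and verify-email screens from the mailed link, and cannot log in before completing them.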

Authorization new user - keycloak

I want to secure my user registration page with Keycloak but couldn't think of any approaches while reading the docs. The best option for me:
A new user registers, but his account is unavailable.
When an ADMIN accepts this new account, the user can log in.
Is it possible to do it in Keycloak? Or any similar solution?
Sure you can do it. The easiest way is to give a default role to newly registered users. The default role would give only minimal privileges. Then an ADMIN can promote the user to the more appropriate group or role.
Probably to "automate" or smoothen the second part of this flow you might need some flow customization. Cf. https://www.keycloak.org/docs/latest/server_development/#required-action-walkthrough and related.
Another solution is to give the default minimal role the possibility to request acceptance, or make the request automatically at first login (e.g. mail sent to ADMIN).
EDIT
Programmatically it is also possible to make calls to the Keycloak Admin API (through native Admin Client). For example, you can write some logic (and associated UI or whatever) that will assign or remove groups from a user.
See: Admin REST API

Keycloak: Disable username/password login for external IDP

How to disable username/password login for an external IDP?
I know that I can use a custom theme to hide the HTTP form, but I want to do it properly.
As far as I know I have to create at least a custom First Broker Login and Browser authentication flow, right?
After the first login from the IDP I have to create the user in Keycloak, but not leverage the password option.
Also the Browser flow must be updated to not show the username/password form, right?
Can anyone provide a proper example?
Thanks
You can use a custom authentication provider to achieve your goal.
Instruct Keycloak to assign a specific user attribute to all users arriving from the IDP.
Build an authentication provider which checks for that user attribute and denies access.
Add the authentication provider to the Browser login flow.
Optionally adjust template files to hide login fields and show a user-friendly error if the user fails step 2.
Further details here: https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ
May not be 100% suitable to this case, but I found the following working fine for our case without the need to compile and deploy a "custom authentication provider". In our app we suppress the Keycloak login form and offer our own custom user/password form, and for IdP integration we are using kc_hint to redirect directly to the IdP login page. Once the user logs in via the IdP we want to disable username/password login using the password grant. There is a trick that allows achieving this in Keycloak v15. You can assign "Update User Locale" to the "Required User Actions" of the user; from that moment, the direct password grant won't let the user log in, returning a "requires action" validation error, which is not supported in our UI, while IdP login still works and skips this "required action" and does not reset it after login. Of course you may need some scheduled curl script that sets this for users automatically via the users REST API: read user attributes or the IdP link integration; if a specific IdP-related user attribute or IdP integration link is found, and the "requires action" array is empty, set it to "Update Locale".
Of course this all works as long as you hide the Keycloak login form and use your own. For everyone using the Keycloak login form, login using name/password will work and can bypass the "Update locale" requirement (not sure why, perhaps because the realm does not have locales configured).
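The scheduled sync the post describes, as an added example that is not the poster's script: it walks the realm's users page by page through the Admin REST API, and every user with a federated-identity link to the given IdP alias and an empty requiredActions list gets update_user_locale (the built-in id of "Update User Locale") set; the IdP alias, URLs and FakeRealm data are constructed, and the user-attribute variant the post mentions is left out.

```python
import json

# Built-in id of the "Update User Locale" required action used as the blocker.
BLOCK_ACTION = "update_user_locale"


def brokered_without_actions(users, links_for, idp_alias):
    """Users linked to idp_alias whose requiredActions list is empty.
    links_for(user_id) returns that user's federated-identity entries."""
    picked = []
    for user in users:
        if user.get("requiredActions"):
            continue  # already blocked, or some other action is pending
        if any(l["identityProvider"] == idp_alias for l in links_for(user["id"])):
            picked.append(user)
    return picked


def sync_required_action(base_url, realm, token, idp_alias, send, page=100):
    """send(method, url, headers, body) -> (status, body_text). Pages through
    GET users, checks links, PUTs the updated representation; returns ids."""
    hdr = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    users_url = f"{base_url}/admin/realms/{realm}/users"

    def links_for(uid):
        status, body = send("GET", f"{users_url}/{uid}/federated-identity", hdr, None)
        return json.loads(body) if status == 200 else []

    updated, first = [], 0
    while True:
        status, body = send("GET", f"{users_url}?first={first}&max={page}", hdr, None)
        batch = json.loads(body) if status == 200 else []
        for user in brokered_without_actions(batch, links_for, idp_alias):
            user["requiredActions"] = [BLOCK_ACTION]
            status, _ = send("PUT", f"{users_url}/{user['id']}", hdr, json.dumps(user))
            if status == 204:
                updated.append(user["id"])
        if len(batch) < page:
            return updated
        first += page


class FakeRealm:
    """Constructed offline server: alice and carol are linked to 'corp-saml',
    carol already has a pending action, bob is a plain local account."""
    USERS = [{"id": "u-alice", "username": "alice", "requiredActions": []},
             {"id": "u-bob", "username": "bob", "requiredActions": []},
             {"id": "u-carol", "username": "carol", "requiredActions": ["UPDATE_PASSWORD"]}]
    LINKS = {"u-alice": [{"identityProvider": "corp-saml", "userId": "a1", "userName": "alice"}],
             "u-carol": [{"identityProvider": "corp-saml", "userId": "c1", "userName": "carol"}]}

    def __init__(self):
        self.puts = {}

    def __call__(self, method, url, headers, body):
        if method == "PUT":
            self.puts[url.rsplit("/", 1)[-1]] = json.loads(body)
            return 204, ""
        if url.endswith("/federated-identity"):
            return 200, json.dumps(self.LINKS.get(url.split("/")[-2], []))
        return 200, json.dumps(self.USERS if "first=0" in url else [])
```

Run it from cron with a real transport that returns (status, body) and an admin token; as the post notes, it only blocks the direct password grant, not the stock Keycloak login form.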
Try this custom Authentication flow
By automatically linking the brokered account, the user won't have to set a password. As for the username, it will be automatically imported from the identity provider.