I am using keycloak 7.0.1 and I have enabled the Resigtration link in the login page. My use case is the following:
Upon Registration a User should be created as disabled.
Admin user verifies the account then enables the user manually
The problem is that the user is automatically logged in after finishing registration. Any idea how to prevent this? (I also don’t need to enable any further steps e.g. verify email)
In keycloak mailing lists and also in the following post, it is said that automatic login is the default behavior, so is there anyway to change this?
Keycloak automatic login after email confirmation with disabled user
Related
The use case is that a user logs in on a private website and after sometime we want to offer the user to setup login with biometrics (for example, FaceID/TouchID) to replace the password login.
Is it possible to do that with Keycloak?
I've already setup the "Creating a password-less browser login flow" and "W3C Web Authentication (WebAuthn)" examples from the official documentation but all of them requires to setup everything as part of the login, instead of something that the user could do later.
Perhaps another way to ask would be: Does Keycloak provide a url to redirect the user to activate biometrics outside and after a login?
Thanks in advance for any information, perhaps I'm not understanding how this works.
In the keycloak administration, if I set the "Required User Action" of a user to "Update Password". The user is asked for a new password after a successful login, calling:
https://SERVER/auth/realms/REALM/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=CLIENT_ID&tab_id=TAB_ID
Calling this URL with a user logged-in but not configured "Update Password" I get a message "User is already logged in".
What would be the correct URL to call from an external application, e.g. from a menu with actions edit-profile, change-password...
Edit: In our application we authenticate users managed in keycloak. We would like to be able to link a keycloak page (similar as the one posted) where the user can update/change his password (e.g. old-pw, new-pw, confirm-pw).
This answer is based on Keycloak 12 (latest version at the time of writing the answer)
You can ask users to change their profile details or passwords from the manage account section. You can get the URL of that screen and direct users to that.
"manage account" link location
Account management screen
I have a website and I want users to register and login via Facebook connect. What I can't find out is how to FORCE a registration before logging in. I need all users in my database but it's possible to click the Facebook Login button without registering... I just don't get it, how do I FORCE a registration? Is there any good example on this?
Thanks for your help.
When you say you need all users in your database, what exactly do you mean?
With the facebook login button, you can still supply a redirect url after they authenticate for the first time and you can then capture their user_id, or potentially forward them to another page that has your own registration form. You could then have a flag in your database that indicates if they are a confirmed user (much like when you send email confirmations) that only gets set to true once they have submitted your extra form.
Check this flag on page load and forward them to your form if they haven't entered those details. Then control access to your site based on that flag.
Or are you saying you're trying to use the registration plugin https://developers.facebook.com/docs/plugins/registration/ but that isn't working correctly?
Is it possible to login to facebook directly (facebook.com) using the test user account created using the Facebook Developer app feature (Roles / Create test users)? What password should I use? I understand we can use the "Switch to " option after logging in as myself to facebook, but I want to be able to login directly using the test user accounts, so that I can provide these user details for other testers who do need to use their personal facebook account in any way related to the testing of the application.
Yes, we can login directly facebook(facebook.com) with test user accounts.
Step 1
Create test user by clicking Add button
Step 2
Click Edit button where have all option
Change name
Set Password
Generate access token etc.
You can simply change the password of the Test User by issuing a POST request to this URL
https://graph.facebook.com/TEST_USER_ID?password=NEW_PASSWORD&name=NEW_NAME&method=post&access_token=APP_ACCESS_TOKEN
Then you can give other people the account info of that user with the newly set password and they can log in to Facebook as that user.
I have a mysql membership database run by a Perl script. Account creation or login requires an email address and password. The Perl script then sets cookies (password cookie has encrypted value) which allow users to create, own and modify records. A members table contains user information. I've gone through the FacebookConnect information as well as the forum. Maybe I cannot see the forest for the trees, or maybe this is not possible. In order to use FacebookConnect for logins/account creation, I need to be able to send the user email and password to the the Perl script so that the proper cookies are set. If it were an http it would look like this:
http://domain.com/cgi-bin/perlscript.pl?_cgifunction=login&email=ddd#somedomain.com&password=somepassword.
Any hints or advice would be greatly appreciated.
What you are trying to do isn't really possible in the way that you're describing it.
Facebook Connect basically provides you with a single piece of information: whether your visitor is logged in to their Facebook account or not. If they are, you can get their Facebook ID, if not, you can show them a button (or whatever) and ask them to log into Facebook.
Generally a good approach when using Facebook Connect as an authentication method for your site is to have an internal id for the user's member account, and store a user's Facebook ID alongside that. When a user comes to your site, and they are already logged in to Facebook, you just use their Facebook ID to retrieve the local account. Otherwise you show them your login form to log in locally, and/or a Facebook login button.
The problem you're running into here is that you cannot get someone's email address from Facebook, as it is purposely hidden to protect privacy. If your membership scripts provide only the email/password log-in method, then what you need to do is modify these scripts to create the authentication cookie when given a properly authenticated Facebook ID.
Essentially you'll have two login functions... one for a Facebook login, and one for a regular login. Either function should properly created the local authentication cookie.