Let's assume I have several types of users in one application in fusionauth. One of them with role A can register/login by fusionauth standard login mechanism. Another one with role 'B' can login via facebook.
The user with role B receives the role A. Now he has both roles.
Is it possible to somehow allow him login both ways ? Is it possible to add a registration to this user so he can set a password a login the standard way ?
If I understand your use case correctly, this is definitely possible in FusionAuth. Here's a diagram that illustrates the relationships in FusionAuth:
User <--- UserRegistration ---> Application <--- ApplicationRole
| ^
\--------------------------------------/
Let's say your user is joe#example.com. Joe can login through Facebook initially and FusionAuth can be configured to create a User object for him. This is called "Create Registration" and is part of Identity Provider configuration.
Later, if Joe clicks the "Forgot Password" link, FusionAuth will send him an email and he can then set a new password.
This means that at anytime, Joe can now login using Facebook or using his email address and password.
In addition, Joe can have multiple UserRegistration objects. Let's say that you have two Applications, one called A and one called B. When Joe logged in using Facebook the first time, if he was signing into Application A, FusionAuth would have created a UserRegistration object for him for Application A and this UserRegistration would be granted all of the default ApplicationRoles for Application A.
Later, if Joe did the "Forgot Password" workflow and then logged into Application B, FusionAuth can be configured to create a UserRegistration object for Joe in Application B and this would have also granted Joe all of the default roles for Application B. This configuration is under the Application on the Registration tab. If you enable registrations for an Application then FusionAuth will create UserRegistration objects for Users that exist but don't have a UserRegistration for the Application they are logging into.
Lastly, you can grant Joe any additional roles for any Application using the /api/user/registration API (https://fusionauth.io/docs/v1/tech/apis/registrations).
Related
I am building a SPA with a spring on the backend. I am working on signing in with Google, most of it is working already: got the id_token with the implicit flow in the frontend and I sent it and verified it on the backend.
I want to have users with roles and manage that locally (so, no adding info in the oidc provider). What are the options to go from the id_token to having an authenticated user in spring? I did not find any example doing that link manually (id_token-spring_sec_user).
I have checked several sources like the Spring Security 5 presentation at SpringOne https://www.youtube.com/watch?v=WhrOCurxFWU, several SO questions and posts on okta's and auth0's blogs but I am still missing the link.
You will have to create your own (application) specific roles.
Use these steps :
Get authenticated from Google
Access the profile section from google (username, name etc )
Use your own user table to store this info
Create admin APIs in your own system and assign your app-specific roles to the user.
When you login again you will authenticate against google login/password and roles specific to your application .
Create an account or session with the id_token
Check if the user is already in your user database. If so, establish an authenticated session for the user. If the user isn't yet in your user database, create a new user record with default role from the information in the ID token payload, and establish a session for the user. You can prompt the user for any additional profile information you require when you detect a newly created user in your app.
I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
Within the client, I have switched on user registation. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user.
So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak after a new registration contact this url where things can happen within the app?
I came across similar scenario and the way I solved it was by enabling a default role to the newly added user.
This role can be changed later on but with a default role in place, your flow will complete.
There are 2 ways to assign a default role in keycloak. With both these configs, whenever a new user is registered even from external service providers, they will be assigned this default role:
Assign a default role directly to user:
Assign a default group to user & map a role to that default group
Please note that Default Group & Role names in above are my own and they are not predefined in keycloak.
After logging in to Keycloak admin console --> roles -> go to 'Default Roles' tab and add the role from available section to default realm roles section and save...Now when a user is registered, it will have the role assigned .
I'm using Keycloak for Identity Brokering through Google, Microsoft, etc. But Keycloak only allows one email per user. So the user can be authenticated only through one of the social login options (Google if gmail is added as user's email address, etc.). Is there any way to include more than one email per user, or any other workaround?
EDIT: (Editing based on comments to make scenario more clear)
In my scenario, I'm using a federated user store which contains a large number of users and and I need Keycloak to access all the emails linked to a user when that user is logging in using Google,Azure,etc. because Keycloak is using the email as the unique identifier for the authentication response from the social login provider. Without having the required email as the main email, Keycloak won't allow that user to log in through social IdP
Although, Keycloak emphasises on keeping a unique email,but there are certain scenarios where you may want to keep , say, secondary email.
This can be achieved in a couple of steps:
1. Add a custom attribute for secondary email in user like this:
2. Next , in your client create attribute mapper like this:
When I generated the token after above configuration, the new attribute was avialble in token. You can use this attribute in your app as you desire.
Parsed JWT:
I figured out the best way to deal with this is through the custom user provider (federated user store). Even though we can't add multiple emails per user through the Keycloak admin console, we can write the user provider in such a way that it can get all the emails linked to a user from our database and assign them to the email attribute of each user. Once this is done, all the emails will appear on the admin console as well.
For the social login to recognize those emails, we have to get all the emails linked to a user in the provider to an array and iterate through it until the authentication is complete. This would help to create the social login link to the user through First Login Broker authentication flow.
This is a crude way to approach this, but nevertheless it works!
Im familiar with the OOTB registration page that comes with Keycloak, that is described on https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/user-registration.html.
Is it possible to have more than one registration page, each with their own associated role?
For example, /registration/artist.html registers a user with an "artist" role and /registration/user.html registers a user with the "user" role.
I'm doing a Scala - Play application and I want to disconnect an user when an admin change his right. For exemple, is an user is logged and an admin upgrade his account to the admin type, I want disconnect this user.How can I do that ?
If you stored the userId in the Session you will need to add the rights of the user in the Session.
So that when the user connects, you can check his rights from the session to the ones in your database. If they don't match you can redirect the user to the login page.
just to cover all the bases since the answer here depends specifically on how your application determines if a user is logged in:
if user auth is done with a token generated by a secret that is stored on your user model and checked for validity on every request, you can generate a new secret for the user and all existing tokens will become invalid.