Triggering user required action from user self service panel - keycloak

Is it possible to trigger user required action from keycloak user self service panel ( -/auth/realms/REALM/account ) ?
I've added the step for configuring a mobile number (actually, taking the ready project https://github.com/gwallet/keycloak-sms-authenticator and adding an SMS code check step), and the phone number is configured the first time the user logs in, but that leaves no possibility for the user to change his number afterwards.
I can't simply add the phone number to the account panel, because the flow forces the user to enter the code sent by SMS and then saves the number to the user account. Without the flow defined by the required action, the user could make a typo and not be able to log in ever again.
Is it possible to add button / link with custom action triggering UserRequiredAction?


Firebase: Standard User Registration/Activation Workflow

I need to implement a standard user registration/activation workflow with Firebase. There doesn't seem to be an obvious way to implement this. When I say "standard", I mean how most email/password accounts work - not necessarily specific to Firebase. I'm sure you're familiar with this. This is the workflow:
User enters their username/password on a form with some validation and submits details
The back-end creates the user record in the database, but the account remains deactivated (i.e. user cannot authenticate - the activated flag is set to false)
The back-end sends an email to the user with a link to activate the account
The user clicks the link in their email which triggers activation. This is probably a Web API of some description.
At this point, the user record's activated flag ticks over to true, and the user can now authenticate
The link probably also has a deep link that opens the app or navigates to a web page
The user can now log into the app
How do I configure Firebase to do all this?
Currently, the app allows the user to register. I am using the Flutterfire SDK. I call createUserWithEmailAndPassword, which successfully creates the user in Firebase. But, the user is already activated. The user should have a state of "disabled" in firebase until the account becomes activated. I can't find any settings to default the user to disabled when the account is first created.
I also managed to get Firebase to send out an activation email by calling sendSignInLinkToEmail, but this call is really designed for email authentication - not email activation. Opening the link should activate the account, but I have not figured out how to do this. This documentation makes it sound like it is possible. Perhaps, the Flutterfire SDK is missing this? I don't want to allow people to log in without a password. I only want to use this call to send out an email.
What am I missing here? Is this non-standard behavior for Firebase? If so, why? If the user is allowed to use an app with an email address that is not activated, they can impersonate someone else. We need to confirm at least that they are custodians of the email address that they are claiming to have.
Do other Firebase people just not worry about this?
Lastly, I know I can achieve this by creating a collection for users in Firebase and putting an "activated" flag there. But, if I do that, I've got to write a cloud function that accepts the link and then updates the user in the collection based on the received link. But I thought this would be automatic in Firebase. If Firebase doesn't have this built-in, I have to put all the security over the top to stop users from authenticating when they have not yet activated their account.
This is a pretty valid concern. I suppose the way around this is to check whether the signed-in user is verified whenever the app is launched. The User object that is returned from Firebase Auth has an emailVerified flag. Check this page for more details.
Using this flag you can choose to show a different screen or pop-up that has a button to send a verification link to the registered email address. Until the user verifies this address, you can limit access to some of the app's screens if you want.
Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In. You might want to check that out.

How to customize alert schemas for Azure Logic Apps

I have a Logic App that usually runs once a day at the same time. I need an email to be sent to a set of recipients every time the app runs. For this, I created an action group and added the email addresses of the recipients with the notification type Email/SMS/Push/Voice. Here, there's an option called "Enable the common alert schema."
I then saved that Action Group. Then I created an alert rule for the condition "Triggers Fired" so that the alert would be activated whenever the trigger is fired, and added that action group to this alert rule.
I am now getting the alert as an email, but I need only a subset of the information to be received when the trigger fires. When I enable the common alert schema option, it sends an alert with a template. When I disable it, I still cannot edit the alert schema there. How should I edit the alert schema so that it contains only the information I need?
Using a Logic App Compose action you can customize the alert schema.
I have reproduced the issue on my side, and below are the steps I followed:
Created a Logic App as shown below.
Configured this Logic App in an action group.
In the Logic App, using a Compose action, I formed a customized schema as shown below.
Without the Compose action the schema is in the format below.
With the Compose action the schema is in the format below.

Can you send a link to the specific page where a user resets their password via Keycloak's API?

We have a PHP/MySQL-based User Management System and are integrating it with Keycloak version 16, where we will store users' credentials.
Our application does not allow users to self register. We create user accounts on the system. When we do this we do NOT specify a password because we want users to set up their own password.
The current system sends 2 separate emails in 2 different circumstances regarding passwords:
If it's a completely new user who does NOT have an existing password, we send them a link to set up a password.
If it's an existing user who already has a password, the system allows them to reset it, e.g. if they forget their password and can't login.
Keycloak seems to cater for scenario (2) because the login forms have a forgotten password link which opens a form where the user can enter their email address and receive a link which lets them do (2).
Unfortunately it doesn't deal with scenario (1) very well, and that's where our problem starts. This was asked a while ago (Send password forgotten mail), but it seems that Keycloak didn't support this very well in 2020 and perhaps still doesn't now.
Our "workaround" to this was that we added custom email templates and a custom page (reference: Themes on https://www.keycloak.org/docs/latest/server_development/#emails) which includes wording that caters for both scenarios, e.g. "set your password" rather than "reset your (existing) password". The result of this is that our email and form now reads appropriately for both scenarios (1) and (2).
The problem
We want to be able to send a link to the user that allows them to set their initial password to cover scenario (1).
We know that this page exists because on the login page for Keycloak there is a link to the forgotten password form that handles scenario (2). However, the form requires the user to enter their email address and submit the form. The user then receives an email from Keycloak which contains a URL to the page where they can do this. The URL has the following format:
https://example.com/auth/realms/foo/login-actions/action-token?key=...
The key= parameter contains a ~945-character token. Going to the URL above redirects to the form where the user can reset their password. This next URL does not contain a token, but a cookie has been set in the browser - by the previous URL - which makes it functional:
https://example.com/auth/realms/foo/login-actions/required-action?execution=UPDATE_PASSWORD
We can't send either of these URLs to the user because the first one (containing key=) has no API method for us to find out what it is - it's only possible to generate this by going through the "forgotten password" step during login, in the browser.
The second URL (/login-actions/required-action...) won't work either because it relies on the previous URL (containing key=) setting the cookie in the browser. If you try and go to this second URL directly (i.e. bypassing the first URL) it will error.
So neither of these URLs will work because we can't find what the first one is programmatically, and we can't use the second one without knowing the first one.
I found https://lists.jboss.org/pipermail/keycloak-user/2018-October/015910.html and the suggestion is to use the Keycloak API to trigger a password reset email. This works - sending an HTTP PUT request containing 'UPDATE_PASSWORD' along with the relevant user ID sends the user an email. The request endpoint has the format PUT /{realm}/users/{id}/execute-actions-email, which is documented at the link above.
Up to here all is fine - the user gets an email. However, this email does NOT contain a link that goes directly to the "reset password" page! Instead it sends them an email containing the following text:
Your administrator has just requested that you update your account by performing the following action(s): Update Password. Click on the link below to start this process.
Link to account update
When the user clicks "Link to account update" it then shows them a web page like this:
It is only when they click on the link on this page (the one that says "click here to proceed" on the screenshot) that they arrive at the form where they can reset their password.
This is a really poor user experience because the user gets sent a (badly worded) email with a link to... a page with another link! It should just take them to the password reset page directly. What's more frustrating is the fact that Keycloak is clearly capable of generating/sending the exact email we'd like in this scenario: the one which gets sent when a user manually does a password reset via their browser.
So the problem seems that Keycloak's API doesn't support this incredibly important and common use-case of a user being able to set an initial password, in a user-friendly manner.
I am adding a JS script to the template that automatically clicks "click here to proceed". It's ugly, but at least the user doesn't see the page.
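The execute-actions-email call the question arrived at, as an added example that is not the asker's code or Keycloak's own: a back-office service obtains an admin API token with the client-credentials grant and then issues the PUT that makes Keycloak e-mail the user an UPDATE_PASSWORD link, which covers scenario (1) without the user going through "forgotten password" in a browser. Assumptions not taken from the post: the realm is "foo" and Keycloak is served under /auth as in the asker's URLs; a confidential client in the master realm holding only the manage-users role of the target realm's realm-management client is used instead of a full admin account; Node 18+ provides the global fetch. The resulting mail is the "Link to account update" one the asker describes, so this automates the trigger but does not change the landing page.

```javascript
// Added example (not from the original post or from Keycloak). Base URL, realm,
// client name and lifespan below are assumptions; the endpoint paths are the
// standard Keycloak admin REST API under the /auth prefix the asker's
// deployment uses.

const BASE_URL = process.env.KC_BASE_URL || "https://example.com/auth";
const REALM = "foo";

/** Token request for the admin API: client_credentials against the master realm. */
function buildTokenRequest(baseUrl, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    url: `${baseUrl}/realms/master/protocol/openid-connect/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

/**
 * PUT /admin/realms/{realm}/users/{id}/execute-actions-email with the list of
 * required-action aliases as the JSON body. Optional query parameters:
 * client_id and redirect_uri (where the user lands after finishing; Keycloak
 * rejects redirect_uri without client_id) and lifespan (seconds the action
 * token in the key= link stays valid).
 */
function buildExecuteActionsRequest(baseUrl, realm, userId, accessToken, actions, opts = {}) {
  if (opts.redirectUri && !opts.clientId) throw new Error("redirect_uri requires client_id");
  const url = new URL(`${baseUrl}/admin/realms/${encodeURIComponent(realm)}/users/${encodeURIComponent(userId)}/execute-actions-email`);
  if (opts.clientId) url.searchParams.set("client_id", opts.clientId);
  if (opts.redirectUri) url.searchParams.set("redirect_uri", opts.redirectUri);
  if (opts.lifespanSeconds) url.searchParams.set("lifespan", String(opts.lifespanSeconds));
  return {
    url: url.toString(),
    init: {
      method: "PUT",
      headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
      body: JSON.stringify(actions),
    },
  };
}

/** Scenario (1): send the set-your-password mail for a user created without a password. */
async function sendSetPasswordMail(userId, { clientId, clientSecret, fetchImpl = fetch } = {}) {
  const tokenReq = buildTokenRequest(BASE_URL, clientId, clientSecret);
  const tokenRes = await fetchImpl(tokenReq.url, tokenReq.init);
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();

  const req = buildExecuteActionsRequest(BASE_URL, REALM, userId, access_token, ["UPDATE_PASSWORD"], {
    lifespanSeconds: 24 * 3600,   // assumption: initial-setup links are valid for one day
  });
  const res = await fetchImpl(req.url, req.init);
  // Success is 204 No Content; a disabled user or one without an e-mail address is a 400.
  if (res.status !== 204) throw new Error(`execute-actions-email failed: ${res.status} ${await res.text()}`);
}

// Usage: sendSetPasswordMail("<keycloak user id>", { clientId: "um-backend", clientSecret: process.env.KC_CLIENT_SECRET });
```

Keep the client secret out of the PHP application's web root and log only the user ID and HTTP status of each call, not the token; the mail Keycloak sends is the credential here, and the lifespan parameter is what bounds how long a mis-delivered link stays usable.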

How can I set up a webhook or subscription from Presence Insights?

I have been using IBM's Presence Insights to gather indoor location-based information. How can I get Presence Insights to send me updates about location events that are important to me? I would like to perform some action when, for example, a mobile device enters my "entrance" zone.
You can set up Subscriptions to get an HTTPS POST every time a certain exit/enter/dwell event happens in a zone, group of zones, tag, or group of tags. You will need to provide a callback URL to Presence Insights that will be the endpoint that receives the POST.
You can create a subscription pretty easily within the Presence Insights UI:
Ensure you have a site configured with a floor map, zones, and beacons/sensors in place.
Click on "Management" heading
Click on "Subscriptions" subheading
Click on the blue "Create Subscription" button on the right. Fill in the popup:
The "Webhook URL" is the HTTP endpoint owned by you that will receive the POSTed event from PI. (More on this later.)
Check the boxes for the different events you are interested in (Enter, Dwell, Exit, Timeout)
Username and Password are BASIC AUTH credentials for your "Webhook URL" above.
Select the site name/tag that you are interested in with the dropdowns.
Select a zone tag. You can tag multiple zones with the same tag, or have unique tags for each zone, or a combination of both.
Ensure that "Active" is checked. If you want to disable this Subscription at any point, you can simply uncheck the Active button.
Regarding a Webhook URL - this generally requires a server. You can mock up an endpoint very quickly using Node.js, or my personal favorite, NodeRED. We have example NodeRED flows out there already, see this tutorial: https://github.com/presence-insights/pi-sample-NodeRED/tree/master/Eventing
The idea of Subscriptions is to allow any events that are detected and passed into Presence Insights to also be shared with additional applications, i.e. a marketing / offer engine, or a system to create mobile push marketing messages, as examples. The data that gets passed out of Presence Insights includes the device ID, location, and any additional device information that has been included in the device registration document. Again, this could include a phone number, loyalty card number, or any info you wish, which can be either encrypted or not. The docs detail how to set up a Subscription event: Management -> Subscriptions -> Create a Subscription via the button -> set the URL you wish the info to be passed on to (this would be your application) -> then select the location you wish to trigger the Subscription event, and the event type (i.e. you select a complete floor or site, and when an event happens at that site or floor, a Subscription event gets created and forwarded out of PI). You can then also focus the event, so maybe only when in a zone or such.
It's hard to show an example, but when we do demos, one of the applications that is very easy to set up and configure to receive these Subscription events, and then perform some action, is the open-source package 'Node-RED' (nodered.org), which is also available in Bluemix (https://console.ng.bluemix.net/catalog/starters/node-red-starter/). You then create a flow such as ...
Picture of Node-red flow

DNN 7 Verification Code and Email - How To Resend, Verify Programmatically When Code Is Available?

When a user completes registration and logs in for the first time, they are forwarded to some page and are told to go to their email and click the verification link.
We're using DNN 7 and Up.
Sometimes, users don't get the verification email, and as administrators, we'll have to manually verify them via the admin/host UI.
What DNN functions are there to resend the verification email to the user logged in? (I don't want to rebuild the entire verification email body from scratch getting into tabs, skins, and other DNN entities.)
Which page/module do I go to in order to add a button to resend the email verification (and add the verification-code textbox and submit button for it)?
Suppose they want to enter the verification code in a text box on the same page (their preference instead of clicking the verification link in their email) - what function[s] do I need to call to do this? (What happened to this verification code textbox that showed up on the login control/module when the user tries to log in for the first time?)