I've written a custom OIDC-Provider and connected it to keycloak.
After the first login in via my provider, the user gets asked to enter a username, email, first name and last name (first-broker-login-flow).
Usually the username is prefilled with what is in the 'sub' claim.
But when sending an 'email' claim, the username is prefilled with the email.
How can I prefill the username with something else than my email, while also sending an 'email' claim?
So far I've tried sending a 'name', a 'username' and a 'preferred_username' claim - no success.
I figured out that the IdpReviewProfileAuthenticator checks for isRegistrationEmailAsUsername().
So I've deactivated "Login with email" in my realm settings - no success.
Is there any way for keycloak to not use the 'email' claim for the username?
I figured out a work around. In keycloak I created an "Username Template Importer"-mapper for my oidc provider and set the template-value to ${CLAIM.sub}.
Not the nicest solution in my humble opinion.
But it works until i figured out a better way to do it...
Related
I have read keycloak docs and could not find if it is possible to allow users to login just with their email address.
No password, just an email code with each login.
Any advice is appreciated.
Is there any way to create user in google admin console without password?
Users can create a new password with First Time Login
I am using google admin sdk API with service account Bearer token to create user.
Url: https://admin.googleapis.com/admin/directory/v1/users
Payload: {
"primaryEmail":"sampleuser#orgdomain.com",
"name":{
"givenName":"Test",
"familyName":"User"
},
"suspended":false,
"password":"Password1234",
"changePasswordAtNextLogin":true,
"ipWhitelisted":false,
"emails":[
{
"address":"sampleuser#orgdomain.com",
"type":"home",
"customType":"",
"primary":true
}
]
}
The API is failing without the password field. Is there any way to enable or disable any configuration in admin console to achieve same.? Related Answers will be helpful. Thanks
You can't create a user without a password within the API.
The method users.insert requires an instance of the Resource: users on the request body and the Resource: Users states that the password is required when creating a new user:
password:
Stores the password for the user account. The user's password value is required when creating a user account. It's optional when updating a user and should only be provided if the user is updating their account password. The password value is never returned in the API's response body.
A password can contain any combination of ASCII characters, and must be between 8-100 characters.
We recommend sending the password parameter as a hexadecimal-encoded hash value and setting hashFunction accordingly. If hashFunction is specified, the password must be a valid hash key.
I have an email address of a user. I’d like to create a user and send them an email with a link to set their password and activate their account. Is this kind of flow support in Keycloak ? I think I can provision user in Keycloak and send executeActionsEmail using UserResource. Is that the right way to do ?
Yes keycloak does support this kind of flow. You can use keycloak admin client for this.
UserResource is the right class for this. You are going in correct direction.
I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs.
Use case:
The registration page for new users shouldn't be public. New user get an invitation email from the admin. The email contains a link to the registration page.
I thought about using an initial access token (like for client registration) and add it to the link to the registration page. Afaik there is nothing like that for user registration?
Are there any other ways to do it?
I think you've got two options to implement it:
First
You know the e-mail of the destination user before sending the invitation, so you would let the admin create a user in keycloak with the e-mail itself as the username. Then the admin should check 'Verify e-mail', 'Update profile' and 'Update password' as required actions, so keycloak will send an activation mail (you can customize the e-mail template) and user will be required to fill his data and set a password.
If you don't want the admin to access keycloak directly, you could do it via the user management API.
Second
Implement this logic in your application. Write a user data form which is publicly accessible using a code (it might be some UUID). When admin sending the invitation mail, link a random code to the address, so when user enters the page, you can verify it. Then you'll need to save the data in keycloak as a new user, using the user management API.
As an admin, I need to set user passwords through SOAP API but I could not find a service addresses my need. The closest service to mine is SetPassword that enables setting passwords through ZimbraID. Are there any ways to set passwords through usernames? Or how can I retrieve ZimbraIDs for existing accounts?
That's the only method available. However, you can get the zimbra id using GetAccount and using username.