Is it possible to change the email content in keycloak? - keycloak

I am new to Keycloak; my project uses Keycloak as its authentication server.
Currently I am developing user maintenance in my project, so when a new user gets created in Keycloak using the web API, I want to send an email to the newly created user, saying welcome to the application and please update your password.
End point: /admin/realms/{realm}/users/{id}/execute-actions-email
I am using the above endpoint to send an update password email and I am passing UPDATE_PASSWORD action to this endpoint.
It is sending the email correctly, but I want to add "Welcome to Application" text to the email template and want to remove some default text from that template.
Is there any way to change keycloak template content?

Yes, this is possible. You have to make the changes in a couple of files in the location /opt/keycloak/theme. The files are:
executeActions.ftl (/opt/keycloak/themes/base/email/html)
executeActions.ftl (/opt/keycloak/themes/base/email/text)
messages_en.properties (/opt/keycloak/themes/base/email/messages)
Remember that you have to change these files if you are using the Keycloak default theme; if you added some other theme, please change it accordingly.

If you want your changes to persist across Keycloak upgrades, I suggest creating a new theme that extends the theme you are using (keycloak is the default theme).
You have detailed instructions in Keycloak's Server Development Guide.
Do not forget to select the new theme in the realm's settings.
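
The approach from the two answers above, as an added example (not code from the answers or from the Keycloak project): a child email theme that overrides only the message keys used by executeActions.ftl, plus a check that the customised text still carries the action link and its lifetime. The theme name `myapp`, the welcome wording and the check are assumptions, and the placeholder numbers ({0}, {3}, {4}) are assumed to match the base theme's messages_en.properties, so compare them with the file shipped in your Keycloak version.

```shell
#!/bin/sh
# Added example. "myapp" and the welcome wording are assumptions.

# Create <themes_dir>/<name>/email as a child of the default "keycloak" theme.
make_email_theme() {
    email_dir="$1/$2/email"
    mkdir -p "$email_dir/messages" || return 1
    # Everything not overridden below is inherited from the parent theme.
    printf 'parent=keycloak\n' > "$email_dir/theme.properties"
    # Keys rendered by executeActions.ftl. Assumed placeholders:
    # {0} action link, {3} requested actions, {4} link lifetime.
    cat > "$email_dir/messages/messages_en.properties" <<'EOF'
executeActionsSubject=Welcome to the application
executeActionsBody=Welcome to the application.\n\nPlease complete the following action(s): {3}.\n\n{0}\n\nThis link will expire within {4}.
executeActionsBodyHtml=<p>Welcome to the application.</p><p>Please complete the following action(s): {3}.</p><p><a href="{0}">Update your account</a></p><p>This link will expire within {4}.</p>
EOF
}

# Succeed only if both bodies still contain the action link and its lifetime,
# so an edit that drops them is caught before the theme is selected.
check_email_theme() {
    props="$1/$2/email/messages/messages_en.properties"
    for key in executeActionsBody executeActionsBodyHtml; do
        line=$(grep "^$key=" "$props") || return 1
        case $line in *'{0}'*) ;; *) return 1 ;; esac
        case $line in *'{4}'*) ;; *) return 1 ;; esac
    done
}

# Usage: sh make-theme.sh /opt/keycloak/themes myapp
# Afterwards select "myapp" as the email theme in the realm's settings.
if [ "$#" -eq 2 ]; then
    make_email_theme "$1" "$2" && check_email_theme "$1" "$2" && echo "theme $2 ready"
fi
```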

Related

Keycloak custom attributes validation on edit

I have added a few custom attributes for my org's requirement to the registration field. I have customized the theme and added validation as per the documentation. It works fine. I could also add these attributes to the account management page by modifying the account template.
However, I want to add capability to edit these custom attributes under account management as well as custom validation logic for this edit action. I can't get any reference to the documentation.
Would appreciate any help. I am using Keycloak 12.0.2 on RHEL 7.9 OS with Java 11.
I know three options for this.
You can overwrite your Keycloak source code according to your needs, but I do not suggest that, because if you change the source code, moving to a new version of Keycloak will be harder.
You can relocate your custom validations by modifying the account template.
You can write a completely new interface, which does not use Keycloak directly, and a new backend which uses the admin REST API on Keycloak. By the way, you can find adaptors for Keycloak's admin APIs for different languages (for JS: keycloak-admin).
I am answering this after a long time, but newer versions of Keycloak, from 14.0 onwards, have something called declarative user profile, which can be enabled to have custom attributes. It allows defining custom attributes from the admin console. One can configure permissions for the admin and the user; additionally, one can configure the use of the inbuilt basic validators. Keycloak renders the registration form and the update profile form dynamically based on these attributes. However, as far as I know, as of version 18.0.2, you still need to modify the account template to make custom attributes visible and modifiable from account management. The same validators work with just a modification of the template; you need not do anything in code. I am referring to the Keycloak WildFly distribution, which is now rechristened as the legacy distribution.
Here are the links for the same:
Github User Profile
Redhat issue or umbrella task for related work
Keycloak documentation - Defining User Profile

How can I remove SID from URL in Magento 2.1.7

I have made all settings from the Magento backend, that is "Session Validation Settings -> Use SID on Storefront: no", and cleared all caches also. But I am still not able to remove the SID from the URL.
It's showing like this:
https://www.exapmle.com/?SID=fpej05jr1fhoi3p083m72fj062
How to remove the SID?
I think you have not selected the store or store view.
Follow the step below.
Go to the Store > Configuration > General > Web > Session Validation Settings > Use SID on Storefront and set its value to No
Or
Isn't ?SID automatically added by PHP if PHP is configured to not store sessions on the server or the browser doesn't accept cookies?
Note:
The SID is a "session ID". Magento uses this to track a user's activity within the same Magento installation. Normally, Magento powers one website and one store from one installation (database).
Magento could power multiple websites with multiple stores from one installation though. The SID allows users to stay logged in while navigating across these websites/stores.
I think if you have the function enabled, the SID is sent when accessing catalog URLs so Magento can update the session with the user's location/state for the current website/store.
If you're not running a multi-website or multi-store environment, it's safe to disable the SID on the frontend.

Is it Possible to view the registered user details in jboss without using browser?

If I am creating a user using addUser.bat in JBoss, is it possible to view the details of the user in JBoss, and where will it be stored and how will it be authenticated? Can we edit the user details using configuration.xml or without using a browser?
You will find the user and encrypted password in mgmt/application-users.properties and their respective groups/roles in mgmt-groups.properties or in application-roles.properties, present in $JBOSS_HOME/standalone/configuration for standalone mode and $JBOSS_HOME/domain/configuration for domain mode.
To edit a user, run add-user.bat again and pass the same user. It will ask if you want to override the user's password/roles.
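
A way to read those files from a shell instead of a browser, as an added example (not part of the answer above or of JBoss): it lists each active user with the roles from the matching roles file, never prints the stored password values, and flags a users file that is readable by every local account. The sample file contents, including the commented-out entry, are constructed for illustration, and the functions assume the plain `name=value` layout of the properties files named in the answer.

```shell
#!/bin/sh
# Added example; the file contents in demo() are constructed.

# Print "user<TAB>roles" for every active entry. Password values are not printed.
# $1 = *-users.properties, $2 = matching roles/groups properties file.
list_jboss_users() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, commented-out entries, blanks
        FILENAME == ARGV[1] { roles[$1] = $2; next }   # roles file is read first
        { printf "%s\t%s\n", $1, (($1 in roles) ? roles[$1] : "-") }
    ' "$2" "$1"
}

# Succeed if the file is readable by "other"; it holds password-derived values.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'alice=00000000000000000000000000000000' \
        '#carol=11111111111111111111111111111111' \
        'bob=22222222222222222222222222222222' > "$d/application-users.properties"
    printf '%s\n' 'alice=admin,auditor' > "$d/application-roles.properties"
    chmod 600 "$d/application-users.properties"
    list_jboss_users "$d/application-users.properties" "$d/application-roles.properties"
    if is_world_readable "$d/application-users.properties"; then
        echo "WARNING: users file is world-readable"
    fi
    rm -rf "$d"
}

# Run "sh list-users.sh --demo" to see the output on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```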

Grails spring facebook load facebook credential from db

I need help to make one change to the Grails Spring Security Facebook plugin. The default configuration allows setting the appId and secret Facebook credentials in Config.groovy.
I need to read them from my database because I need to log in with many Facebook apps from the same Grails app.
What is the best way to do it?
Basically you need to make custom facebookAuthUtils. You can extend default FacebookAuthUtils class, and define it as a new Spring bean, that will replace default one.
I think all you need is to override refreshAccessToken, getAccessToken and prepareRedirectUrl methods. Maybe getAuthCookie also, if you're using cookie based auth. Current methods are using applicationId and secret from config file, but you can get them from db.

Adobe CQ5: SSO without LDAP?

A customer of ours has just purchased CQ5 and would like to externalize all of its security. We'd like to use an STS server for SSO and then leverage a custom authorization/attribute provider instead of the CQ5 repository. Ultimately, we do not want to use LDAP in any way.
Here is how we envision this (some pieces already working):
User browses to CQ5 Dispatcher running in Apache
Apache filter redirects user to STS site where login is completed.
User is redirected back to Apache with SAML Claims.
User ID token is placed as cookie into browser. (everything is working up to here)
CQ5 captures that cookie based on the SSO configuration (working)
Problem starts here: From here, we want to call a custom authorization provider for the user's attributes, roles, groups etc...
We have tried to figure out how to do this and can't seem to find the missing link.
Do we need to create a custom login module? Do we need to create a custom principal provider? Do we somehow use the existing LDAP capability in CQ5 but have it call a custom class which leverages the external auth source?
If anyone here has any idea how to do this, their karma quotient would be full for the year if they could share it. I'm not sure if this is a basic thing you do with JAAS or even where to put my classes after I've created them.
We've worked really hard on this so far and seem to be close, but we keep hitting dead-ends.
Thanks so much if you have an idea where to begin!!
-joe
Recent versions of AEM now include the SAMLAuthenticationHandler which allows you to:
Redirect users to SSO to simulate IDP initiated login, or
Allow AEM to perform SP initiated login with IDP
Specify attributes to take from the SAML Assertion and add to the user's profile node (not sure if you can use this for groups)
Specify which groups users should be added to
Set a cookie called request-path that will store the URL the user arrived at, and then redirect them to that location when they're authenticated (ie. deep linking)
This makes relying on the SAMLAuthenticationHandler better than using Apache to redirect. The current version of the handler bundled with AEM 6.2 does not properly set the cookie when using the redirect method, but Adobe does have an updated version that they can provide that will fix that problem.
I normally recommend that clients do not have their own authentication handlers developed inside AEM.
When not using LDAP, this does create an issue where users will not exist until they've logged in. Additionally, when your architecture includes more than one load balanced publisher, it is possible that a user may exist on one server user synchronization.
Try searching the google group for SSO details. Here's one useful post:
http://groups.google.com/group/day-communique/browse_thread/thread/72c235c83a501252/fba4d08a90487156?lnk=gst&q=SSO#fba4d08a90487156
It seems that you will have to implement a custom LoginModule, more information here: http://dev.day.com/docs/en/crx/current/deploying/custom-login-modules.html