I want to find out if there is any option in Identity Server 3 apart from LockOut
that can be programmatically used to disable / enable users for Log-in and Forgot-password functionality.
I need to implement a login flow with KeyCloak where a user will be prompted to reauthenticate with an existing account (by email/password or via social IdP) after authentication with a non-existing social account OR choose to create a new KeyCloak account.
Something like on the picture below:
Is it possible to implement such a flow with KeyCloak?
It is possible to implement that flow with the regular Identity Providers feature in Keycloak.
Overview Steps
Detailed information here
1. IDP URL
{keycloak URL}/realms/{realm}/broker/{idp name}/endpoint
example:
http://localhost:8180/auth/realms/test/broker/stackoverflow/endpoint
2. Register Application at Social App
example: StackOverflow https://stackapps.com/
3. Get Client Information from Social App
example: StackOverflow
4. Set IDP at Keycloak
5. Test
5.1 Before adding a user
5.2 Log in via Social
5.3 Update the user account (set password and e-mail)
5.4 Check the added user
5.5 Test the added user's login by username/password OR Social Icon click without credentials
5.6 Logged-in test by both ways
5.7 Picked up the e-mail from Facebook and detected that the e-mail already exists.
5.8 I select "Add to existing account", then fill out the e-mail and password from Keycloak.
The authentication flows within Keycloak can be customized (virtually all of the flows can be customized or extended). I believe you'll need to implement a custom Authentication SPI (Service Provider Interface). This will be a JAR in which you can add custom logic upon account creation.
Here's the Keycloak documentation for SPIs.
I have been able to leverage Keycloak's "Default Actions" section in "Authentication" to force new users to set up MFA via Google Authenticator.
However, I've only been able to make this required for all users or not even possible to turn on. I'm looking for a way to allow users to opt in to MFA via OTP if they would like during Sign Up.
I think you need to use the Authentication api, and specifically the one for extending the registration page/form.
See: https://www.keycloak.org/docs/latest/server_development/#modifying-extending-the-registration-form
I will give it a try tonight, and update my answer.
There is no default option out of the box to implement this authentication flow.
You can create a custom authentication flow with a step asking the user to do the MFA.
This can be made using a javascript authenticator (https://www.keycloak.org/docs/latest/server_development/#_script_providers) or a java service provider interface. https://www.keycloak.org/docs/latest/server_development/#_auth_spi
I have a use case where a user should be disabled when he enters the wrong password 5 consecutive times.
I can't find any Keycloak password policy to disable a user when he enters the wrong password 5 consecutive times.
To enable Consecutive Failed Login Defence you need to enable "Max Login Failures" from Brute Force Detection.
Steps:
Login to Keycloak Admin Console
Select Realms from List
Go To Realm Settings >> Security Defenses >> Brute Force Detection
Enable Brute Force Detection
Set Max Login Failures to 5
Refer to the screenshot for the steps
Go to Your Realm > Realm Settings > Security Defenses > Brute Force Detection and enable it. Inside the Brute Force Detection page you will find many options, the ones you are interested in are "Max Login Failures" and "Permanent Lockout"
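As an added illustration of what "Max Login Failures" does (this is example code, not Keycloak's implementation): the first function builds the realm-representation fields a defender would send to the Admin REST API to switch the defence on, and the tracker class is a deliberately simplified in-memory model of consecutive-failure lockout, so the difference between "Permanent Lockout" and the escalating temporary wait can be reasoned about without a running server. The field names (bruteForceProtected, permanentLockout, failureFactor, waitIncrementSeconds, maxFailureWaitSeconds) are the realm attributes behind the Brute Force Detection page; the default wait values and the escalation formula are this example's choices.

```python
"""Model of Keycloak-style "Max Login Failures" brute force defence.

Added example, not Keycloak's own code. Two parts:
1. build_brute_force_settings() returns the realm-representation fields to
   PUT to /admin/realms/{realm} (field names are the real RealmRepresentation
   attributes; the chosen values are this example's);
2. LoginFailureTracker is a simplified model of how consecutive failures
   lead to a temporary or permanent lockout and how a success resets them.
"""
from dataclasses import dataclass, field


def build_brute_force_settings(max_failures: int = 5, permanent: bool = False,
                               wait_increment_s: int = 60,
                               max_failure_wait_s: int = 900) -> dict:
    """Settings equivalent to Realm Settings > Security Defenses >
    Brute Force Detection with "Max Login Failures" = max_failures."""
    if max_failures < 1:
        raise ValueError("max_failures must be >= 1")
    return {
        "bruteForceProtected": True,
        "permanentLockout": permanent,          # "Permanent Lockout" toggle
        "failureFactor": max_failures,          # "Max Login Failures"
        "waitIncrementSeconds": wait_increment_s,
        "maxFailureWaitSeconds": max_failure_wait_s,
    }


@dataclass
class _UserState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 = no temporary lock
    disabled: bool = False      # permanent lockout disables the account


@dataclass
class LoginFailureTracker:
    settings: dict
    _state: dict = field(default_factory=dict)

    def _user(self, username: str) -> _UserState:
        return self._state.setdefault(username, _UserState())

    def is_locked(self, username: str, now: float) -> bool:
        u = self._user(username)
        return u.disabled or now < u.locked_until

    def record_failure(self, username: str, now: float) -> _UserState:
        """Register one wrong password and return the user's new state."""
        u = self._user(username)
        u.consecutive_failures += 1
        if u.consecutive_failures >= self.settings["failureFactor"]:
            if self.settings["permanentLockout"]:
                u.disabled = True
            else:
                # Escalating temporary wait (example formula), capped at
                # maxFailureWaitSeconds.
                over = u.consecutive_failures - self.settings["failureFactor"] + 1
                wait = min(over * self.settings["waitIncrementSeconds"],
                           self.settings["maxFailureWaitSeconds"])
                u.locked_until = now + wait
        return u

    def record_success(self, username: str) -> _UserState:
        """A correct password clears the consecutive counter; a disabled
        account stays disabled until an administrator re-enables it."""
        u = self._user(username)
        if u.disabled:
            raise PermissionError(f"{username} is disabled; admin must re-enable")
        u.consecutive_failures = 0
        u.locked_until = 0.0
        return u


if __name__ == "__main__":
    tracker = LoginFailureTracker(build_brute_force_settings(5, permanent=True))
    for _ in range(5):
        tracker.record_failure("alice", now=1000.0)
    print("alice locked:", tracker.is_locked("alice", now=1000.0))
```

The permanent variant is what the question asks for (the account is disabled after 5 consecutive wrong passwords and only an administrator can re-enable it); the temporary variant locks the account for a growing wait instead, which limits online guessing without handing an attacker a trivial way to lock legitimate users out for good.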
How to disable username/password login for an external IDP?
I know that I can use custom theme to hide http form, but I want to do it properly.
As far as I know I have to create at least custom First Broker Login and Browser authentication flow, right?
After first login from IDP I have to create user in Keycloak, but do not leverage password option.
Also Browser flow must be updated to not show username/password form, right?
Can anyone provide a proper example?
Thanks
You can use a custom authentication provider to achieve your goal.
1. Instruct Keycloak to assign a specific user attribute to all users arriving from the IDP.
2. Build an authentication provider which checks for that user attribute and denies access.
3. Add the authentication provider to the Browser login flow.
4. Optionally adjust template files to hide login fields and show a user-friendly error if the user fails step 2.
Further details here: https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ
May not be 100% suitable for this case, but I found the following working fine for our case without the need to compile and deploy a "custom authentication provider". In our app we suppress the Keycloak login form and offer our own custom user/password form, and for IdP integration we use kc_hint to redirect directly to the IdP login page. Once the user logs in via the IdP we want to disable username/password login using the password grant. There is a trick that allows achieving this in Keycloak v15. You can assign "Update User Locale" to the "Required User Actions" of the user; from that moment, the direct password grant won't let the user log in, returning a "requires action" validation error, which is not supported in our UI, while IdP login still works and skips this "required action" and does not reset it after login. Of course you may need some scheduled curl script that sets this for users automatically via the users REST API: read user attributes or the IdP link integration, and if a specific IdP-related user attribute or IdP integration link is found and the "requires action" array is empty, set it to "Update Locale".
Of course this all works as long as you hide the Keycloak login form and use your own. For everyone using the Keycloak login form, login using name/password will work and can bypass the "Update locale" requirement (not sure why, perhaps because the realm does not have locales configured).
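The scheduled reconciliation the answer above describes, as an added example that is not the answer's own script: it takes user representations as the Admin REST API returns them, selects the users who carry an identity-provider link but no pending required action, and produces the update payloads to PUT back. The sample users are constructed; the required-action alias `update_user_locale` and the `federatedIdentities` field are assumed to match the representation of the deployment in use, and the HTTP calls themselves are left to the caller so the selection logic can be tested offline.

```python
"""Plan "Update User Locale" required-action updates for IdP-linked users.

Added example, not the answer's own script. It models the scheduled job the
answer describes: users with an IdP link and an empty requiredActions array
get the required action set, so the direct password grant is refused for
them while brokered login keeps working.
"""
import json
from typing import Iterable, List, Optional, Tuple

# Alias assumed for the "Update User Locale" required action.
REQUIRED_ACTION = "update_user_locale"


def needs_password_login_block(user: dict, idp_alias: Optional[str] = None) -> bool:
    """True when the user is linked to an IdP (optionally a specific one)
    and has no required action pending yet."""
    links = user.get("federatedIdentities") or []
    if idp_alias is not None:
        links = [l for l in links if l.get("identityProvider") == idp_alias]
    return bool(links) and not user.get("requiredActions")


def plan_updates(users: Iterable[dict],
                 idp_alias: Optional[str] = None) -> List[Tuple[str, dict]]:
    """Return (user_id, payload) pairs to PUT to
    /admin/realms/{realm}/users/{user_id}."""
    updates = []
    for u in users:
        if needs_password_login_block(u, idp_alias):
            updates.append((u["id"], {"requiredActions": [REQUIRED_ACTION]}))
    return updates


# Constructed sample data in the shape of UserRepresentation objects.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "requiredActions": [],
     "federatedIdentities": [{"identityProvider": "corp-saml",
                              "userId": "a1", "userName": "alice"}]},
    {"id": "u2", "username": "bob", "requiredActions": [],
     "federatedIdentities": []},                       # local user: untouched
    {"id": "u3", "username": "carol", "requiredActions": ["UPDATE_PASSWORD"],
     "federatedIdentities": [{"identityProvider": "corp-saml",
                              "userId": "c1", "userName": "carol"}]},
    {"id": "u4", "username": "dave", "requiredActions": [],
     "federatedIdentities": [{"identityProvider": "google",
                              "userId": "d1", "userName": "dave"}]},
]


if __name__ == "__main__":
    for user_id, payload in plan_updates(SAMPLE_USERS, idp_alias="corp-saml"):
        # A real job would PUT this JSON with an admin bearer token.
        print(user_id, json.dumps(payload))
```

Restricting the run to one IdP alias keeps the job from touching social-login users who are meant to keep a password, and a user who already has a required action pending (carol above) is left alone, matching the "only when the array is empty" condition in the answer.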
Try this custom Authentication flow
By automatically linking the brokered account, the user won't have to set a password. As for the username, it will be automatically imported from the identity provider.
I'd like to know if it's worth investing time into developing an IdentityServer3 implementation that would work similarly to how SharePoint allows for an initial login using Integrated Windows Authentication, but then allows the user to log in as a different user with a prompt for credentials. Our hospital has many users whose primary workstation is set up with a generic login. I'd like to use integrated authentication, but allow these users on generic workstations to re-login as themselves.
From my research I think a logout page that actually invalidates the original token, along with a secondary external identity provider running without integrated authentication, is where I'm heading, but I would like some validation that it's feasible.
You would approach that problem differently with IdentityServer - on the login page you would give the user a choice. Either use integrated authentication or specify some username/password explicitly.
Logging out of IdentityServer would then also allow switching identity if needed.
So yes this is possible.
We have an example that does built-in Windows authN (username/password is disabled - but you can re-enable by setting EnableLocalLogin to true here https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/WebHost%20(Windows%20Auth%20All-in-One)/WebHost/Startup.cs#L36).