Custom Inputs on Identity server 3 login - identityserver3

Is it possible to customize the login page / authentication logic within IdentityServer in order to allow a user to authenticate without their username and password, but instead using a customer number and, say, a postcode?
I have implemented a custom view service that uses the username and password properties, but I was hoping for a slightly better solution. Any ideas?

Yes, you can customize it.
You would have to create your own implementation of IUserService to validate whatever values you want and IViewService to render and submit the desired markup.
See more here:
https://identityserver.github.io/Documentation/docsv2/advanced/userService.html
https://identityserver.github.io/Documentation/docsv2/advanced/customViewService.html

Related

Multiple authentication methods for a user in Keycloak

I would like to let my users have a choice which authentication method to use. For example, they could be presented with a menu to pick an option (username/pass, username/pass+OTP, etc).
Then, Keycloak should, based on their choice, assign specific scope to the token.
Is this possible to do with Keycloak (probably by somehow utilizing auth method chaining), and how? I couldn't find this in the documentation, but it seems like a reasonable use case to me.
Here is my solution:
Circled authenticators are custom ones for which I provided a custom implementation.
I used the fall-through mechanism, which means that the first authenticator implements a custom form:
which lets the user choose an authenticator and captures the user's choice in a variable.
Later, this variable is used in the following authenticators to decide whether to do the authentication or to pass on control to the next authenticator.
You can read more about Authentication SPI in the following page: https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
And here you can see how to implement a custom authenticator.
Here is what I did, and it works.
My goal was to give the client the ability to choose the authentication flow, choosing between OTP based on email and OTP based on SMS.
I created a new authentication flow, see screenshot:
Select 'Alternative' on both flows.
On the login form a new link will appear: 'Try another way'.
Now the client can choose between flows. See screenshot:

prepopulating username field on Azure AD login

When using Azure AD for authentication, does anyone know if it's possible to send the username as a parameter in the request to https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee so that this field is populated already in the login prompt?
Yes. You can specify the login_hint parameter.
For example:
https://login.microsoftonline.com/tenant-id/oauth2/authorize?login_hint=test.guy#company.com
Of course you need to include the other standard parameters as well.
I don't think it is possible, but you can customize your login page with your own HTML UI. Once you customize the page, you may try to add a JavaScript block to put the username in the field. (When doing UI customizations we cannot control the username/password fields.)

CustomViewService (Login) passing additional values to CustomUserService - IdentityServer3

I want to use IdentityServer3 in my solution, but one of my requirements is to connect to multiple databases for users, clients and scopes.
So, I want to customize the Login page and add a database selector. I’m doing this with a custom view service.
Then, when the user clicks on the login button, my custom user service is called, but I don't know how to send the database selector value to my AuthenticateLocal implementation in the custom user service.
I need to know the database selector value in custom client and scope services as well.
I saw this post: http://forums.asp.net/t/2032044.aspx?Custom+User+Service+for+Thinktecture+Identity+Server+V3 where Brock said it isn’t possible.
Does the latest version of IdentityServer3 have any way to achieve what I need?
Thanks!
Best regards.
You can add custom form elements to the submit on the login page. In your custom IUserService add the OwinEnvironmentService as a ctor dependency to get access to the incoming OWIN environment. You can then wrap that with an OwinContext for convenience. Then in your AuthenticateLocal you can read the posted custom form elements to do whatever you need in your logic.
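The approach described in this answer (and the customer-number/postcode login asked about at the top of the page), written out as an added example; it is not code from the original posts or from the IdentityServer3 project. It assumes the custom view posts inputs named "db" and "postcode", treats the posted selector only as a key into a fixed allowlist rather than as a connection string, and uses a hypothetical LookupSubject stub for the actual store query:

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using Microsoft.Owin;

public class CustomUserService : UserServiceBase
{
    // Allowlist of selector values; the posted value is only ever a key here,
    // never used directly as a connection string (placeholder strings, not real servers).
    private static readonly Dictionary<string, string> Databases =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "north", "Server=db-north;Database=Users;Integrated Security=true" },
            { "south", "Server=db-south;Database=Users;Integrated Security=true" }
        };
    private readonly OwinEnvironmentService _owin;
    public CustomUserService(OwinEnvironmentService owin) { _owin = owin; }

    public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        // The custom inputs arrive in the same login POST as the standard fields.
        var form = await new OwinContext(_owin.Environment).Request.ReadFormAsync();
        var selector = form.Get("db") ?? string.Empty;       // assumed input name
        var postcode = form.Get("postcode") ?? string.Empty; // assumed input name

        string connectionString;
        if (!Databases.TryGetValue(selector, out connectionString))
        {
            // Unknown selector: same generic error as a bad credential, no detail leaked.
            context.AuthenticateResult = new AuthenticateResult("Invalid credentials");
            return;
        }
        // The standard username field carries the customer number in this design.
        var subject = LookupSubject(connectionString, context.UserName, postcode);
        context.AuthenticateResult = subject == null
            ? new AuthenticateResult("Invalid credentials")
            : new AuthenticateResult(subject, context.UserName);
    }

    // Hypothetical stub: verify customer number + postcode in the selected store and
    // return the account's subject id, or null. A postcode is a low-entropy secret,
    // so the real lookup should be rate-limited per customer number.
    private static string LookupSubject(string connectionString, string customerNumber, string postcode)
    {
        return null;
    }
}
```

Register the service with the IdentityServer3 factory as usual; OwinEnvironmentService is resolved by the built-in container.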

MembershipReboot change Username, Email, and Reset Password

We are using identityserver3 and membership reboot for authentication in our application.
We now have a requirement to change the UserName and Email and to reset users' passwords from an Admin area in our application. I have seen Identity Manager, but that seems to not be what I'm looking for. From reading the MembershipReboot Wiki, it seems to support everything that I would want to do. I just don't have a clue what the implementation for this would look like.
My thought is that we would call into our API where we know that the user is authenticated and then just call into the MembershipReboot API to take care of the task at hand be it changing UserName or Email or Reset Password.
But like I said, I'm not sure. Should we be using the Identity Manager middleware? It feels like that isn't the answer, as we are writing our own admin interface, and from what I could see it isn't supporting a password reset via email, while the MembershipReboot API says that it does.
Or should we be calling back into our Identity server and making the change? It feels like no because that is for logging into the applications.
Yes, you need to create your own code to allow users to update their demographic info including email and password.
You need to use the UserAccountService. In this code I am using my own CustomUser, where I store all the information that would normally be stored in the UserAccount table:
_userAccountService = new UserAccountService<CustomUser>(new CustomUserRepository(new CustomDatabase()));
Then use:
_userAccountService.ChangeEmailRequest();
_userAccountService.ChangeUsername();
_userAccountService.ChangePassword();
If you prefer to have users do this from an email (use when they are not logged in):
_userAccountService.ChangePasswordFromResetKey()
I'm looking at this too but haven't actually implemented it yet. Yes I think you are right that you need to call into the MembershipReboot API yourself. There are methods on the UserAccountService class to perform these functions. See the sample SingleTenantOwinSystemWeb in the MembershipReboot source code.
The IdentityManager functionality is limited but useful for developers to set up users with roles & claims etc for testing, or as a basic Admin tool.

How to configure a Facebook Application for sub domains

I'm building a Multi-Tenant application and I'm struggling incorporating a Facebook Login into the web application.
The tenants are using a sub-domain for example
http://tenant-1.domain.com/
http://tenant-2.domain.com/
http://tenant-3.domain.com/
So, I have created an application and when it comes to add the Website, how can I make it to be available in all tenants? Something like:
But of course, that does not work, and if I add just http://domain.com/ it does not work either on http://tenant-1.domain.com/; as soon as I click on the <fb:button-login> I get:
How do I do this, without creating a specific FB App for each tenant?
I'm using this to help people subscribe with their account; I just want the login to get the name and email, otherwise they need to fill those in in the name and email boxes...
This is not possible, but there are options to workaround. I think probably the best would be to use a single domain to perform the authentication, specified as the redirect_uri. On this redirect_uri you can append some query parameters, for example your redirect_uri could be:
http://auth.domain.com/auth.php?tenant=tenant-1
Then in the code for auth.php you would grab this tenant parameter from the query string, authenticate the user, store their access token and then immediately redirect them back to tenant-1.domain.com.
I'm not sure if this solution will be something you prefer, but it is currently not possible to specify subdomains for authentication, so this or a similar workaround is necessary.
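The "redirect them back to tenant-1.domain.com" step of this workaround, as an added example (not code from the answer, which describes a PHP page, nor from Facebook's SDK), written in C# to match the rest of the page. It assumes a constructed allowlist of tenant names and a parent domain passed in by the caller; the point it adds is that the tenant value comes from an untrusted query string, so it must be checked before it is turned into a redirect target:

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class TenantRedirect
{
    // Constructed allowlist; a real deployment would load it from tenant configuration.
    private static readonly HashSet<string> KnownTenants =
        new HashSet<string>(StringComparer.Ordinal) { "tenant-1", "tenant-2", "tenant-3" };

    // A single DNS label: lowercase letters, digits, hyphens. No dots or slashes,
    // so the value cannot escape the parent domain (e.g. "evil.com/" or "tenant-1.evil").
    private static readonly Regex LabelPattern = new Regex("^[a-z0-9-]{1,63}$");

    // Returns the URL to send the browser back to, or null when the tenant value
    // must be rejected. Without this check auth.php becomes an open redirect that
    // sends the just-authenticated user to an arbitrary host.
    public static Uri BuildReturnUrl(string tenant, string parentDomain)
    {
        if (string.IsNullOrEmpty(tenant) || !LabelPattern.IsMatch(tenant)) return null;
        if (!KnownTenants.Contains(tenant)) return null;
        return new Uri("https://" + tenant + "." + parentDomain + "/");
    }

    public static void Main()
    {
        // "tenant-9" is well-formed but unknown; the other two are malformed labels.
        foreach (var t in new[] { "tenant-1", "evil.com", "tenant-9", "TENANT-1/.." })
        {
            var url = BuildReturnUrl(t, "domain.com");
            Console.WriteLine(t + " -> " + (url == null ? "rejected" : url.ToString()));
        }
    }
}
```

The same tenant value should also be bound to the OAuth state parameter you send to Facebook, so that the callback cannot be replayed against a different tenant than the one that started the login.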