Keycloak - multiple registration pages each own role? - keycloak

I'm familiar with the OOTB registration page that comes with Keycloak, which is described on https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/user-registration.html.
Is it possible to have more than one registration page, each with their own associated role?
For example, /registration/artist.html registers a user with an "artist" role and /registration/user.html registers a user with the "user" role.

Related

How can I add roles from an external db after a user has been logged in successfully

We want to integrate Keycloak 18 in our platform to replace a self-implemented solution in the future. The first step was to implement our own user provider to keep our existing tables where users, roles and permissions are stored. This was pretty easy. So the old and new way can co-exist for a step-by-step replacement.
Now we also want to provide integrations for other user providers, like LDAP, Kerberos etc.
Is there a way to load the roles from our external db table after a user was authenticated by a random user provider?
e.g.:
1. User sends auth request to Keycloak
2. User has been successfully authenticated by the LDAP user provider
3. Look up the external db to get the roles for the username and add them to the user model
Thank you for your help.

Keycloak: Pass custom user attributes on Social Identity Provider Login

On registration, Keycloak provides the ability to add custom user attributes via the Keycloak theme's registration page template via "input" elements that look something like:
<input id="user.attributes.[the_custom_attribute]" name="user.attributes.[the_custom_attribute]" />
However, this only seems to work if the user creates an account and submits the form.
If the user were to login via a Social Identity Provider (google, microsoft, github, etc...) how do we go about adding custom user attributes?
If you are using a Social Identity Provider to log into the application then the customer_attribute won't be available to you.
But if you still want that attribute to be set for that user before he/she logs in, then you can add custom required action to implement this feature. You can create new RequiredCustomAttribute action and enable it from Admin console.
Implement your own required action, similar to that of org.keycloak.authentication.requiredactions.UpdateProfile class provided by keycloak. You can mark your customer_attribute as required in this new required action flow.
Once you have done all of the above, the next time a user logs in using a Social Identity Provider, he/she will be asked to enter the custom_attribute on the next page.
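As an added example (not code from the answer above or from the Keycloak project), here is what such a required action can look like: it triggers for any user who lacks the attribute, no matter which identity provider authenticated them, validates the submitted value before storing it, and only then clears itself. The provider id, attribute name, template name and error message key are assumptions; the `javax.ws.rs` imports are for Keycloak 18, newer releases use `jakarta.ws.rs`.

```java
package com.example.keycloak; // hypothetical package name

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;

public class CustomAttributeRequiredAction implements RequiredActionProvider, RequiredActionFactory {

    public static final String PROVIDER_ID = "custom-attribute-action"; // assumed id, shown in the admin console
    static final String ATTRIBUTE = "custom_attribute";                 // attribute name used in the question
    static final String FORM = "custom-attribute.ftl";                  // assumed template in the login theme

    // Runs on every login: queue the action for users who still lack the attribute,
    // including users created by a social identity provider who never saw the registration form.
    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        UserModel user = context.getUser();
        if (user.getFirstAttribute(ATTRIBUTE) == null) {
            user.addRequiredAction(PROVIDER_ID);
        }
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        Response challenge = context.form().createForm(FORM);
        context.challenge(challenge);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String value = form.getFirst(ATTRIBUTE);
        // Reject empty or over-long input and re-render the form instead of storing it as-is.
        if (value == null || value.isBlank() || value.length() > 64) {
            context.challenge(context.form().setError("invalidCustomAttribute").createForm(FORM));
            return;
        }
        UserModel user = context.getUser();
        user.setSingleAttribute(ATTRIBUTE, value.trim());
        user.removeRequiredAction(PROVIDER_ID); // only cleared after a valid value is stored
        context.success();
    }

    @Override public String getDisplayText() { return "Collect custom attribute"; }
    @Override public RequiredActionProvider create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}
    @Override public String getId() { return PROVIDER_ID; }
}
```

The class is registered by listing its name in `META-INF/services/org.keycloak.authentication.RequiredActionFactory` inside the provider jar; it then appears under Authentication -> Required Actions in the admin console, where it is enabled as the answer describes.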

How to create a user from a id_token with Spring?

I am building a SPA with Spring on the backend. I am working on signing in with Google, and most of it is working already: I got the id_token with the implicit flow in the frontend, sent it to the backend and verified it there.
I want to have users with roles and manage that locally (so, no adding info in the oidc provider). What are the options to go from the id_token to having an authenticated user in spring? I did not find any example doing that link manually (id_token-spring_sec_user).
I have checked several sources like the Spring Security 5 presentation at SpringOne https://www.youtube.com/watch?v=WhrOCurxFWU, several SO questions and posts on okta's and auth0's blogs but I am still missing the link.
You will have to create your own (application) specific roles.
Use these steps:
1. Get authenticated by Google.
2. Access the profile section from Google (username, name etc.).
3. Use your own user table to store this info.
4. Create admin APIs in your own system and assign your app-specific roles to the user.
5. When you log in again you will authenticate against the Google login/password and get the roles specific to your application.
Create an account or session with the id_token
Check if the user is already in your user database. If so, establish an authenticated session for the user. If the user isn't yet in your user database, create a new user record with default role from the information in the ID token payload, and establish a session for the user. You can prompt the user for any additional profile information you require when you detect a newly created user in your app.

keycloak, user registration. How to add the role?

I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
Within the client, I have switched on user registration. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user.
So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak, after a new registration, to contact a URL where things can happen within the app?
I came across a similar scenario and the way I solved it was by enabling a default role for the newly added user.
This role can be changed later on but with a default role in place, your flow will complete.
There are 2 ways to assign a default role in keycloak. With both of these configs, whenever a new user is registered, even from external service providers, they will be assigned this default role:
1. Assign a default role directly to the user.
2. Assign a default group to the user and map a role to that default group.
Please note that the Default Group & Role names above are my own and they are not predefined in keycloak.
After logging in to the Keycloak admin console, go to Roles -> 'Default Roles' tab, add the role from the available section to the default realm roles section and save. Now when a user is registered, it will have the role assigned.

Fusionauth user with two possibilities to login

Let's assume I have several types of users in one application in fusionauth. One of them with role A can register/login by the fusionauth standard login mechanism. Another one with role 'B' can login via facebook.
The user with role B receives the role A. Now he has both roles.
Is it possible to somehow allow him to log in both ways? Is it possible to add a registration to this user so he can set a password and log in the standard way?
If I understand your use case correctly, this is definitely possible in FusionAuth. Here's a diagram that illustrates the relationships in FusionAuth:
User <--- UserRegistration ---> Application <--- ApplicationRole
  |                                                    ^
  \----------------------------------------------------/
Let's say your user is joe@example.com. Joe can log in through Facebook initially and FusionAuth can be configured to create a User object for him. This is called "Create Registration" and is part of the Identity Provider configuration.
Later, if Joe clicks the "Forgot Password" link, FusionAuth will send him an email and he can then set a new password.
This means that at any time, Joe can now log in using Facebook or using his email address and password.
In addition, Joe can have multiple UserRegistration objects. Let's say that you have two Applications, one called A and one called B. When Joe logged in using Facebook the first time, if he was signing into Application A, FusionAuth would have created a UserRegistration object for him for Application A and this UserRegistration would be granted all of the default ApplicationRoles for Application A.
Later, if Joe did the "Forgot Password" workflow and then logged into Application B, FusionAuth can be configured to create a UserRegistration object for Joe in Application B and this would have also granted Joe all of the default roles for Application B. This configuration is under the Application on the Registration tab. If you enable registrations for an Application then FusionAuth will create UserRegistration objects for Users that exist but don't have a UserRegistration for the Application they are logging into.
Lastly, you can grant Joe any additional roles for any Application using the /api/user/registration API (https://fusionauth.io/docs/v1/tech/apis/registrations).