Password expiry in gatein jboss - jboss

I am now using the organization API of JBoss to create users.
Now I want to set the password expiry date. Is there any way to do it by just calling an API provided by JBoss,
or should we add our own logic, like a cron job?

You will have to use an LDAP and configure it:
http://docs.exoplatform.com/public/index.jsp?topic=%2FPLF40%2Fsec-Reference_Guide-Authentication_And_Identity-LDAP_Integration-LDAP_Default_Store.html
or, if you don't have an LDAP server (or don't want to), you can implement your own logic by:
1/ Redefining the service OrganizationAuthenticator and implementing the authenticate method.
Or:
1/ Add a new LoginModule.
2/ Add to the UserProfile of each user a field holding the password expiration date.
3/ In the authentication method, test this field in addition to the username/password check.
Hope this helps you.

Related

How to use two providers with same username in a realm/client in keycloak

I have keycloak instance (version 16) with one realm and two different clients.
The first client works with an OpenID Connect identity provider. It also works with the public access type and with SSO and 2FA.
The second client works with a custom module added from User Federation, where 2FA cannot be used because the authentication calls are made mainly programmatically. Also, this client works with the confidential access type.
The problem is that each client has a different external database of users, but the usernames in these databases are not unique.
And if I try to log in with the second client it works, but after that, if I try to log in with the first client, I can't, and vice versa. (In both clients the username "notUniqueUser#email.com" is used.)
The error message in this case is:
User with username notUniqueUser#email.com already exists. How do you want to continue?
“Review profile”
“Add to existing account”
Is it possible for these two clients to both work properly at the same time when I do not have unique usernames, and how should I configure it? (I find that it is possible to have the same email addresses, but I can't find anything for usernames.)
Maybe some kind of forced authentication would be OK: when the user "notUniqueUser#email.com" is already logged in with the first client and I try to log in with the second, the session from the first one would be deleted, and vice versa.
Depending on how your IDPs are configured you can try the following:
Go to your realm,
then to the IDP configuration in question,
switch to Mappers,
click on Create,
as the mapper type select Username Template Importer,
and in the template field add something that will make the username unique, for example ${CLAIM.preferred_username}_<The Name of the IDP>.
For example, if a user named 'user' logs in from both 'IDP1' and 'IDP2', it will be imported into the Keycloak DB as 'user_IDP1' and 'user_IDP2', respectively.

What is the proper way to implement "type password again to continue" for critical actions in REST

As the title suggests, I'm trying to implement the mechanism of retyping the password before proceeding with any critical action, e.g. changing the email, deactivating an account, inviting a new user, etc.
The problem is, I'm confused about how it should be done in the REST world.
Should it be like this: first, use the password to authenticate the user, but with a different backing authentication made especially for this action, and use the resulting token to access this protected resource later? E.g. a JWT token with a specific claim for this action, and guard that endpoint with a custom authentication that checks for this custom token?
Or should it be done in one request, providing the password, and based on the password check the action will proceed or be denied?
Or should it be something else?
Thanks in advance for your help, I really appreciate it.
Note: I'm using DRF, that's why I added its tag to the question, but as this is a general question
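The first option the question describes (a separate re-authentication step that yields a short-lived token bound to one action, which the critical endpoint then requires), as an added example that is not from the original post: plain standard-library Python rather than DRF code, with the HMAC key, the 5-minute lifetime and the claim names being assumptions; in a Django view the issue step would run only after user.check_password() succeeds.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for the example; load the key from settings in a real deployment.
STEP_UP_KEY = b"constructed-demo-key-do-not-reuse"
STEP_UP_TTL = 300  # seconds a re-authentication token remains valid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64url(hmac.new(STEP_UP_KEY, payload.encode("ascii"), hashlib.sha256).digest())

def issue_step_up_token(user_id: str, action: str, now: Optional[int] = None) -> str:
    """Call only after the password was verified again (e.g. user.check_password() in Django).
    The token names one user and one action, so it cannot be replayed for another action."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "act": action, "iat": now, "exp": now + STEP_UP_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return payload + "." + _sign(payload)

def verify_step_up_token(token: str, user_id: str, action: str, now: Optional[int] = None) -> bool:
    """Guard for the critical endpoint: authentic, unexpired, and issued for this user and action."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False
    payload, sig = parts
    if not hmac.compare_digest(sig, _sign(payload)):  # verify the signature before parsing
        return False
    try:
        claims = json.loads(_unb64url(payload))
    except ValueError:
        return False
    return (isinstance(claims, dict)
            and claims.get("sub") == user_id and claims.get("act") == action
            and isinstance(claims.get("iat"), int) and isinstance(claims.get("exp"), int)
            and claims["iat"] <= now < claims["exp"])

def change_email(session_user_id: str, step_up_token: str, new_email: str) -> bool:
    """Critical action: the normal session alone is not enough; a valid step-up token is required."""
    if not verify_step_up_token(step_up_token, session_user_id, "change_email"):
        return False
    # ... persist new_email for session_user_id here (omitted in the example) ...
    return True
```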

How can I validate the encrypted (hashed) password in Liferay user_ table without Liferay services?

I'm moving out of Liferay 6.1 to a custom application. I want existing users to be able to log in to the new application with their existing Liferay credentials. When a user logs in for the first time (not yet having an account on the new system), I want to be able to check his password against Liferay's user_ table and, on success, create an account in the new system. There will be no Liferay running anywhere, so I cannot use Liferay's services for that purpose.
The question is: how can I compare the user-provided password to the encrypted password stored in the user_ table?
I have tried to add the portal-service.jar to my new application, but some errors happen, like:
com.liferay.portal.kernel.log.Jdk14LogImpl error
SEVERE: BeanLocator is null
First you need to check how your Liferay 6.1 is (was) configured. In portal.properties there are a few settings related to passwords. Check the value of passwords.encryption.algorithm. By default it is SHA (SHA-1) in Liferay Portal 6.1.
When your users log in, you will have to encrypt the password they provide using the same algorithm that your Liferay Portal instance was using, and then compare the encrypted strings.
Depending on the algorithm, you may or may not need Liferay Portal's API/utils for that. Have a look at the PwdEncryptor class to see what was used to encrypt the password and follow the same approach.
Keep in mind you will not be able to decrypt the password. But you will have it unencrypted from your user's input. So once you confirm the user's credentials, you can store the password in your new system using any encryption algorithm you wish.
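The encrypt-and-compare step from the answer, as an added example that is not from the original answer or from Liferay's own code. It assumes passwords.encryption.algorithm=SHA with Liferay's default Base64 digest encoding (a hex variant is included in case that was configured instead), and goes one step further than the answer by re-hashing the confirmed password with salted PBKDF2 for the new system.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def liferay_sha_digest(password: str, encoding: str = "base64") -> str:
    """Recompute Liferay 6.1's unsalted SHA-1 digest of a password.
    Assumption: passwords.encryption.algorithm=SHA and the digest is stored
    Base64-encoded (Liferay's default); pass encoding="hex" if hex was configured."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError("unsupported digest encoding: %s" % encoding)

def check_liferay_password(provided: str, stored: str, encoding: str = "base64") -> bool:
    """Compare in constant time so the check does not leak how many characters matched."""
    return hmac.compare_digest(liferay_sha_digest(provided, encoding), stored)

def new_system_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record for the new application (one reasonable choice)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_new_hash(password: str, record: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def migrate_credential(provided: str, liferay_stored: str, encoding: str = "base64") -> Optional[str]:
    """First login after migration: verify against the Liferay digest, then return the
    record to store in the new system; None means the password did not match."""
    if not check_liferay_password(provided, liferay_stored, encoding):
        return None
    return new_system_hash(provided)

# Constructed sample: the Base64 SHA-1 digest Liferay 6.1 stores for the password "password".
SAMPLE_LIFERAY_HASH = "W6ph5Mm5Pz8GgiULbPgzG37mj9g="
```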

Is KeyCloak authentication using Custom User Attribute possible?

In KeyCloak, I want to add a new attribute for User, say Phone Number or MSISDN.
MSISDN will be added as a Custom attribute for a User.
Can I use this custom attribute as the username to authenticate a user on the login page? If it is possible, how can this be done?
Appreciate the response!
I think you'll probably have to write your own authentication SPI or user provider SPI to achieve this.
Once you have done this, you can configure the login function to take the custom attribute in place of the username.

Multiple Client Types

I have a web application that I would like to authenticate using MembershipReboot for a subset of users, but internally I would also like to use Active Directory.
What's the best practice for authenticating a single web application with two different authentication models? Any code samples would be great.
For this scenario you'll need a UserService for MembershipReboot. This will mean that when users log in to Identity Server using the local username & password fields, they will use MembershipReboot. You can find this UserService here.
To also use Active Directory you need to configure it as an external identity provider. This will then provide users with the option to log in using their AD credentials.
If you want to specify in your requests which provider to log the user into, check out the acr_values parameter of the Authorization endpoint or the IdentityProviderRestrictions property of the Client class.