I am trying to ByPass Login credentials in JasperReports Server 4.5, so user can login directly without entering any username and password, this I have done by passing username and password directly in URL:
http://localhost:8080/jasperserver/flow.html?_flowId=searchFlow
&j_username=jasperadmin&j_password=jasperadmin
Now I want to hide these user credentials, so nobody can see the username and password.
How can I hide these credentials?
The best way is to use Token Based Authentication and to encrypt the token. This video covers the entire process.
Related
I now using Keycloak 18.0.1.
When the user log in my system by Keycloak, I want to know exactly when the password will be expired.
For your information, I'm using keycloak-angular and keycloak-js
I have searched on https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_passwordpolicytyperepresentation but it doesn't have an API that suit my need
I've configured Keycloak authentication for the following behaviour:
The user inputs its userid
Keycloak should try to authenticate it with the passwordless flow
As an alternative the user could switch to password authentication
NOTE: The user already has a registered passwordless device:
The authentication flow has been configured as follows:
I access localhost:8080/realms/myrealm/account and click on Sign in:
I input the userid:
But, instead of being offered to sign up with the security device, I'm asked for the password:
If I select Try another way and click on Security Key:
I am now offered to login with the device:
Which I can do successfully.
The problem here is that I need the passwordless login to be offered directly, not the password form. Passwordless is actually configured as the first alternative option so why isn't it working as expected?
Looking at the code of AuthenticationSelectionResolver this seems to be intended behaviour.
Try to change the order/position of credentials for your user from within the admin console.
The order of credentials should affect the order in which alternative authenticators will be executed.
In my project, I need to get current user password from Rest API.
I searched keycloak 4.8.3 final documentation but I could not find it. With admin user I can change password without knowing the current password. But my logged in user can be admin or not. I found that keycloak does not give me permission to that because of security. Wrap up is there any way to active that settings or is there a way to get password with Rest API ?
Thank you.
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
Via the Rest API, one cannot get the password for obvious reasons. Ideally, in a secure setting, even if one is the admin one should not have access to the users' passwords.
From the comments you wrote:
I could use method like boolean isPasswordCorrect(username,password)
An approach is to create a client on your Realm as follows:
Go to your Realm;
Clients;
Create Client;
Set Access Type to public;
Set Direct Access Grants Enabled to ON;
Save;
Now request from the newly created client a token on behalf of the user that you want to check if the password is correct:
As you can see the endpoint is:
<KEYCLOAK_HOST>/auth/realms/<REALM_NAME/protocol/openid-connect/token
and the body is:
client_id : <The client ID of the newly create client>
username : <The username>
password : <The password to be tested>
grant_type : password
If the password is correct you will get back a token object, otherwise you will get the following response:
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
I'm using the Rocket.Chat REST API for some automated user management. This was working great after I installed Rocket.Chat and my admin user had a username/password combo. Then, I activated the "iframe authentication" system in the admin panel. Now, when I try to use the REST API "login" endpoint, I get the error "User has no password set". Any ideas why this is happening? When I look at the user document in the MongoDB for Rocket.Chat, there is no "password" field (seems to have been deleted when I activated the iframe authentication).
UPDATE: I disabled the "iframe authentication" system and set a new password on my account. Looking at the DB now, that user has a "password" entry, so the password is there. But, now I can't log in because it says my password is incorrect. In summary, this software has a lot of bugs, it seems.
According to https://docs.wso2.org/display/IS460/Enabling+IWA+in+WSO2+Identity+Server IS seems to be configured to use WAFFLE which can be used only on Windows.
Did anyone have a chance to successfully install using http://spnego.sourceforge.net/ framework?
It would be appreciated to not limit the environment to Windows only.
If you use Tomcat, you can simply use my library: http://tomcatspnegoad.sourceforge.net/
We have managed to create a custom authenticator where
the authenticator redirects user to a page hosted in Tomcat (Custom logon page
the logon page doesn't display any logon form, but using the Tomcat SPNEGO user is authenticated with SPNEGO / Kerberos and a JWT ticket is posted back to the authenticator (commonAuthId) instead of username and password
the authenticator assumes identity of the user (set the username in the authentication context)
This is de facto a custom claim authentication, do not forget to sign / validate the posted ticket.