How to do forgot password in keycloak via API - oauth

We are creating an app that has a feature to reset their password respectively, since we are using keycloak so that thing will be featured via keycloak page itself, but our client need the forgot password will be provided in the app, so i need to hit the forgot password api like below flow.
App Forgot Password Page > Fill email only and proceed > User receive reset password link > Open link > Keycloak reset password page
But seems that api is not existed in the keycloak.
As far i only found below apis
PUT /{realm}/users/{id}/reset-password (need bearer, not possible since we are unable to use realm account user)
PUT /{realm}/users/{id}/execute-actions-email (don't know how to use it and need bearer, not possible since we are unable to use realm account user)
Any suggestion?
Thank you in advance
Hi there, this is 2021, my solution at this time was by using keycloak library in java service, so the service working as aggregator between my web app to keycloak, and still we are using above apis mentioned that need realm access. Good luck.

You can set required action for the user to UPDATE_PASSWORD and when user tries to log in, they will be prompted with Setting up their password.
Keycloak Admin APIs - UserResource
You can update the user and in the UserRepresentation you can set that required action.

Related

How to create an anonymous user account using the users Apple-ID like Day-One does?

A new iOS app should be able to connect to a web service to sync data across devices.
I like the way the diary app Day One solved this:
On registration the user can choose to use mail address to setup a "real" account or to sign in with his Apple ID
When using the "real" account the mail address has to confirmed and a username and password has to be chosen
When using the Apple ID Sign In no additional steps are needed. The app is connected to the web services using some random user ID
When being installed on a new devices it is no problem to re-connect using the Apple-ID method.
Problem 1: How to access the Apple ID?
As far as I know it is not possible for the app to really to access the Apple-ID. Or is there some undocumented way to do this? How is this possible?
I suspect that the app instead might use iCloud to store some token? The iCloud storage is linked to the Apple-ID, thus when installing on a new devices it would be possible to recover the token from iCloud and use it to reconnect.
Or are there other / better methods?
Problem 2: How to handle the authentication?
Let's set Problem 1 aside and assume that we have solved the problem of creating some cross-device username. How could be handle the authentication?
Solution 1: Only the token (Apple ID / iCloud stored username / etc.) is used for authentication. If a request from the app to the server contains a valid username token access is granted.
Solution 2: In addition to the username token a random password is generated when creating the anonymous account. This could be done on the device or on the server. But since the password has to be known on both ends, it need to be transferred from one end to the other at some point.
2a: Trust in the HTTPS connection and transfer the plain password
2b: Use some other method (e.g. Diffie-Hellman) to agree on a common password
On first sight 2b seems to be the most secure solution but is the really the case? The sync data is not encrypted but "only" trusts in the HTTPS connection. Would it add extra security to transfer the password using another method?
Additionally, does it add extra security to use a "password" at all? This is not a password the user selects for his user selected username but a automatically generated password for a automatically generated username / token.
Would it not be the same to just use the generated username token? Only who has access to the token / Apple ID / iCloud account, etc. can access the web service.
So, which solution is the best? Am I missing something and there are better solutions?
As of iOS 12, Apple provide a SDK for developer to access user Apple ID - with user's consent, obviously. Developer can use AuthenticationService SDK to achieve this. Please read more at the documentation. I'm sure this is how Day One app does what you describe.

JHipster OAuth2 + Keycloak user related use case

From various googling and reading https://www.jhipster.tech/security/#oauth2 , I gathered that in order to have mobile/social integration with JHipster generated app I should use OAuth2. Am I right to think this way? (I can't seem to find a clear cut answer to this)
I created a new application with JHipster v5.1.0 with OAuth2 enabled. I noticed a couple of features missing with regards to user management. Below are my questions.
How does a new user register a new account?
How does a user change password / reset forgotten password?
Hopefully someone with experience on the above can help clarify.
Thank you in advance.
For social login, yes your best option is OAuth 2.0. You can use JWT for mobile development with React Native (via JHipster Ignite) and Ionic (via Ionic for JHipster), so it's not necessarily required for mobile.
For user registration and change password, you'll need to enable those options in Keycloak or Okta. This blog post shows you how.
To summarize:
For Keycloak, you can enable registration by navigating to http://localhost:9080 and click on Administration Console. Login with admin/admin and click on the Login tab. This screen allows you to enable forgot password, remember me, and verify by email as well.
To enable self-service registration in Okta, you’ll need to navigate to the Classic UI from the Okta Developer Dashboard. There’s a link to toggle between the two in the top left corner of your screen.
Then navigate to Directory > Self-Registration and click Enable Registration. Set the default group to ROLE_USER, the Default redirect to a Custom URL with http://localhost:8080 as its value, and click Save.
NOTE: If you get an error that says 'http://localhost:8080' is not a valid redirect URI, it’s because you need to add http://localhost:8080 as a trusted redirect under Security > API > Trusted Origins. After making this change, navigate to Directory > Self-Service Registration and edit the settings to configure the custom URL again. It should work this time.

Salesforce OAUTH implementation

I'm developing Salesforce iOS application.
From application frequently the user has to modify data which is available on Salesforce.com.
When user tap on edit I'm launching salesforce login screen and prompt to enter username and password all the time.
So I have decided to implement SSO using Salesforce Oauth. I have done everything I'm able to receive a access_token once user authenticate with Salesforce.com.
My question is lets say "If the user want to edit a lead with id as 0097hjy7" , URL to edit this lead will be "https://sales.mysalesforce.com/0097hjy7" when this URL launch on browser it prompt to enter username and password again.
How can I navigate the user to "https://sales.mysalesforce.com/0097hjy7" this URL without asking username and password all the time by using the access_token available with me.
Thanks in advance.
I resolved this issue by adding Salesforce iOS SDK to my project and using some classes like SFOauthCoordinator and SFOauthCredentials. At the end we need to prepare a frontDoorUrlWithReturnUrl which is available on "SFAuthenticationManager" class.

Is it possible to be able to correctly select any available Google account to use when using authorisation via the JS client library for Drive?

I've got an existing Google Drive enabled application that's using the Google Java client library and server flow auth.
If you're not logged into the application and navigate to the URL AND you have logged into more than one google account on that browser (only one personal Google account is possible, any additional ones have to be Google business accounts) the OAuth callback offers the options to select which Google Account to use.
However, whilst testing a switch to using the JavaScript client library I'm not able to activate the multiple account selection screen using gapi.auth.authorize. Is it possible to handle multiple accounts using the JS library?
Update : I tried with the immediate parameter false. I can log in as long as I don't change account in the popup. If I do change account, I get to:
https://accounts.google.com/o/oauth2/auth?client_id=433863057149.apps.googleusercontent.com&scope=https://www.googleapis.com/auth/drive.file+https://www.googleapis.com/auth/drive.install+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&immediate=false&redirect_uri=postmessage&origin=https://drivedrawio.appspot.com&proxy=oauth2relay593063763&response_type=token&state=701344514&authuser=1
in a new tab and nothing happens. I've made a video to demonstrate.
Update 2 : This bug against the JS client library for the need for double selection of mulitple account has been accepted.
You are not getting the multi user selection screen because of the following parameter: authuser=0
This automatically selects the first account you are signed-in with (authuser=1 would select the second etc...).
It's currently not possible to remove that param using the client library because the client library sets it automatically to 0 (this is why it claims not to handle multi-accounts) if there is no value so one way is to override it to -1 for example, this will show the multi-account chooser. Then you could also ask to access the user's profile or email at the same time you ask access to other APIs and fetch either the email of the user or its ID. Then on subsequent auth you can specify the user_id param which wil bypass the user-selection screen.
So in practice, first authorize like this:
gapi.auth.authorize({client_id: <Your Client ID>,
scope: 'https://www.googleapis.com/auth/drive openid', // That requires access to Google Drive and to the UserInfo API
authuser: -1});
The only problem with the above is that the auto-refresh of the client library will not work because every auth will by blocked at the multi-account selection screen.
The trick is to get the ID of the user using the UserInfo API, save that ID in a session cookie and use it on subsequent auth like that:
gapi.auth.authorize({client_id: <Your Client ID>,
scope: 'https://www.googleapis.com/auth/drive openid',
user_id: <The User ID>,
authuser: -1});
Specifying the User's ID will make sure the multi-account chooser is bypass and will allow the auto-refresh of the token from the client lib to work again.
For reference, other URL param that impact the User flow are:
user_id: similar than authuser (bypasses the multi-account selection screen) but you can use email address (e.g. bob#gmail.com) or the User ID you get from our Open ID Connect endpoint/Google+ API/UserInfo API
approval_prompt: default is auto, can be set to force to make sure that the approval/grant screen gets shown. This makes sure that the gant screen is not bypassed on subsequent auth (after first time).
immediate: immediate is a bit tricky, when set to true it will bypass the grant screen (kinda like approval_prompt=auto) if the user already granted approval previously, but if the user has not granted approval previously you will get redirected with an error: error=immediate_failed. If set to false it won't add special behavior and therefore fallback on the behavior setup by the approval_prompt value.
Note: immediate=true and approval_prompt=force is an invalid combination.
I think the client library is using the immediate param so that if he gets the error=immediate_failed it will restart an auth flow without the authuser param, but that's only speculations :)
The OAuth grant access page is only shown when not in immediate mode, does it work as expected if you set the immediate parameter to false?
According to http://code.google.com/p/google-api-javascript-client/issues/detail?id=11
multi-login isn't supported by the Javascript client
Pay attention to authuser parameter. Set this to "2" for example and you will be prompted for login even if you are authenticated already.

How to log into a salesforce.com sandbox?

I took over a Rails app and am trying to get the Salesforce.com API credentials set up for my user account.
I'm set as a system admin with "Developer Mode" on (though I have no clue what that does, I just saw it set on the previous account.)
We have a sandbox. I click the login link on it, enter my sandbox username (email#domain.com.sandbox), enter my password, and get "Login attempt has failed".
I know my password is okay since I've logged into the production site several times. Using different domains (test.salesforce.com, etc) doesn't help either.
Edit to clarify where I'm stuck:
I'm logged into the production site and under "my sandboxes" there's a login link next to each sandbox which takes you to the correct server and pre-fills your sandbox username.
So, my issues are with that, getting logged into the sandbox web interface.
I do understand the security tokens and have my production API stuff set up, but I'd rather try my changes out on the sandbox first! From the examples I've seen, the sandbox security tokens are different, so I'm trying to log into the sandbox web interface for that.
My user account was created after the sandbox. So, it wasn't in the sandbox.
A sandbox refresh added my account into the sandbox.
Pretty basic mistake.
You won't be able to login from https://login.salesforce.com that's only for production.
You're correct to use the sandbox instance https://test.salesforce.com (or https://cs1.salesforce.com, https://cs2.salesforce.com, etc.)
I'm sure you figured out email#domain.com is your regular username, but the "sandbox" part is the actual name of your sandbox. So if you named your sandbox as "sbx" you would login as joe#example.com.sbx
If that doesn't work, go to your production organization where you can login. Navigate to Setup -> Data Management -> Sandbox and then click the Login button next to the sandbox you wish you login to.
Firstly - having developer mode on just offers you a subtly different view of Pages, making it easier to write your force.com solutions (it splits the View with the Controller) but this is not affecting your login issues:
I'm not 100% clear whether you are failing to log into your sandbox's website, or whether you are failing to connect via the API.
If you cannot use your production password on the sandbox, you will need to get someone who is an admin on that sandbox to reset your password for you.
If you can use your production password to log into the sandbox, but cannot use it to hook up to the API, then this is the problem:
Salesforce.com trusts users that come through the web UI; However, in order to log in to the API, you need to append an extra bit of user information to your password - this is your Security token.
You can reset this in Setup...My Personal Information... Reset MY Security Token
the token will get emailed to you - it will be some obscure alpha-numeric token. Copy this and paste it to the end of your password. For example if your password was 'arthur', and the token was ABC123def, the credentials to pass through would be:
login: email#domain.com.sandbox
password: arthurABC123def

Resources