KEYCLOAK Custom Required Actions | Niko Köbler (@dasniko)

  • Published: 6 Nov 2024

Comments • 51

  • @ffb7733 1 year ago +1

    I think it's great how much effort you put in. Great to have people like that.

  • @epoxyde 2 years ago +2

    Thank you for making these videos on Keycloak, it helped me a lot. I was struggling with the "addRequiredAction" and I didn't know that the method addRequiredAction(string) took the ID as an argument. I wish I had known about your channel before. And by the way, your explanations are great. I hope you will continue to provide Keycloak related guides as there are not many of them, if you have the time. Thank you again!

  • @dempile 1 year ago +1

    thanks for this very useful demo

  • @ShinjiYumikura 11 months ago +1

    thank you Niko

  • @kalyandasika2877 2 years ago

    Hi Niko:
    This is somewhat related to a custom Required Action sequence.
    We have a requirement to display a consent screen to review the client scopes being requested by a 3rd party application that is registered within keycloak (as a separate client).
    Our main portal application that is developed by us (separate client within the same realm) does not require this consent. It's only when a 3rd party application request is being processed (irrespective of the state of authenticated session, even if authenticated) that we need to display this consent form with client scopes.
    Work done so far:
    I created a new browser flow and assigned it to the 3rd party app. I also implemented a custom authenticator where I'm processing the state of requested client scopes in order to display them in the UI as checkboxes. (Checkboxes are needed because we have a requirement that a user can de-select from a list of client scopes being requested by the 3rd party application.) During the initial authentication from the 3rd party application, it works great and an authentication session is created. But within the same authentication session, when a new request is processed, I do not see this consent screen.
    My question is: what should I do to allow this consent form to show all the time, even within the same authenticated session? Should it be a required action? If so, can I enable a required action for a specific client?

    • @kalyandasika2877 2 years ago

      Another complication in the scenario I described above is that the user is in an external database.
      But I was able to answer my own question. I ended up creating a required action, extended the abstract user adapter, and checked for a particular client scope that enables the required action behavior. With these steps, I was able to enable the custom consent form with requested client scopes, and also provide the ability to reduce the scopes. I verified that the token endpoint will only include scopes that were granted by the user. Also, the user account management console displays the expected scopes granted by the user for this client.

  • @eansoknet 1 year ago +1

    Thank you, that's really helpful :)

  • @gabryladisa98 6 months ago

    How do I add a required action in the latest versions? I implemented the source but I can't find the button to add a new required action.

  • @keycloakuser603user 1 year ago

    Thanks for the video. I have created my own custom required action for updating the password and it works great. But what I am trying to achieve is slightly different and I haven't been successful yet. I want to call my custom action when trying to update the password from the account management console, 'signing in' option. If you could share your thoughts on how to achieve that, it will be really helpful.

  • @markusschranz7410 1 year ago

    Hi Niko, thanks for the video and valuable explanations.
    In the video you are suggesting to "register" the newly created required action within the authentication menu. I am experimenting with Keycloak v.22 and the administration pages have changed in design and functionality. On the admin page for Authentication, within the tab "required actions", there are some predefined required actions, but no "register" button. I did not package my extension yet and did not upload and build it into my Keycloak application. Is this the reason why it doesn't show the "register" button, or is the registration process implicitly activated in the new KC22?

    • @dasniko 1 year ago

      In the new admin UI there is no "register" button, you just enable/disable the required action in the list.

  • @BlindVirtuoso 5 months ago

    Hi Niko. Nice video, appreciate it. Though I have a question. What is the difference between using required actions and authenticators? I have a requirement to implement a custom consent page after successful authentication. Which one to use?

    • @dasniko 5 months ago

      Authenticators are for verifying a user's credentials, RequiredActions are for requiring the user to configure/do something.

    • @BlindVirtuoso 5 months ago

      @@dasniko Can we use a required action to force a user to do something after each login? Or is it only a one-time action?

    • @BlindVirtuoso 5 months ago

      @@dasniko I mean I have a requirement that a user must consent to something after each login. That is, I have to display a screen to a user after each login with some checkboxes where he chooses several and presses a button. Under the hood a REST endpoint is called with the user's choices. How would you implement it? Using a required action or an authenticator?

    • @dasniko 5 months ago

      @@BlindVirtuoso Depends on how you implement it (method evaluateTriggers).
      Please understand that I can't give support through RUclips comments, thanks.

    • @bluex217 5 months ago

      @@BlindVirtuoso I believe you will need an authenticator if they must do this on every login.
      Reason being, I've found that the RequiredActionProvider MUST call "context.success()", otherwise there is an exception.
      And calling "context.success()" removes the required action from the user. Therefore, the only way that I can see to do this with a RequiredAction is to programmatically re-add the action elsewhere (outside of the RequiredAction flow).

  • @SIReal.hoanghiep 2 years ago

    Hello dasniko, I did exactly like you. But I don't know why I got the error "Template not found". Help me pls.

  • @bluex217 5 months ago

    Thank you! Please, I have just 1 confusion and doubt tho, if you have a second: your GitHub contains a parent pom adding this particular provider factory application as a module. Do we need this parent pom for this RequiredActionFactory to work? Or can we use the pom.xml of this particular project as a standalone?
    I tried using the standalone pom.xml in a Spring Boot project instead of a standard Maven project, and on Keycloak startup I get a warning about missing Jakarta classes in Quarkus.
    I was also wondering, on the same token, what the use of your "keycloak-spi-bom" is in the parent pom.xml here, just because a lot of the same Keycloak dependencies appear to be in the individual applications (such as our required actions application here).

    • @dasniko 5 months ago

      All your questions are totally unrelated to Keycloak, sorry. Please learn about proper handling with Maven and its artifacts.

    • @bluex217 5 months ago

      @dasniko If there are particular dependencies required to get the Keycloak factory to work (which is what my question is centric to), then it is objectively related to the Keycloak project. Fair question when you have several layers of pom files and dependencies and don't discuss them at all in the tutorial...

    • @dasniko 5 months ago

      @@bluex217 If you knew Maven, you wouldn't ask your question. That's the point! 🤷‍♂

    • @bluex217 5 months ago

      @@dasniko Ok fine, maybe this is fair enough. I apologize, I will study the Maven files more and look up what I don't understand.

  • @Abdulrahman-Mohamed 1 year ago

    Hi Niko, hope you are fine.
    Many thanks for your efforts in clarification of Keycloak (adding functionalities & features) which are not that available online.
    I am using your phone number required action repository with Keycloak on a Docker container, but there's a problem (We're sorry - internal server error), unknown method getHttpRequest() in the logs. I tried:
    1) copying jar files instead of persisting a volume
    2) rebuilding using a tool rather than NetBeans
    3) changing permissions of the jar files
    4) changing the image jboss/keycloak version => 16
    5) checking the code over and over, but everything is fine; only a Javadoc was missing and I downloaded it.
    But I still can't update the phone number through this form.
    Thanks in advance.

  • @dasikalyan 2 years ago +1

    Thank you for the video. The pattern that I've seen being used is that, at the time of updating the phone number, there is also a verification step of sending a code to the entered phone number before saving it to the backend. Could the flow here be interrupted to include the verification code?

    • @dasniko 2 years ago +1

      Good question, thank you for asking!
      The mobile number was just an example of how to use the RA. It should be possible to include the whole logic in one RA, so that the RA is only removed from the user if both are fulfilled: the mobile number and a verification code entered. It might also be possible to do this with two separate RAs.
      Another way, if you want to use it during authentication, is to implement such a flow as a configuration for a custom credential. See the code for the OTP config as a credential type, which is contained in KC ootb.
      As always, there are multiple ways to achieve this, depending on how you want to use the data later on.

    • @bluex217 5 months ago

      It's late, but in case anyone else comes across this...
      Personally I was not able to do this via a single RA; I ran into exceptions rendering more than 1 FTL file for a single RA.
      I will preface this with: I think it makes more sense to do this in a Registration flow, but...
      In order to achieve this, I used 2 RAs (UpdateMobile && VerifyCode) with the below logic.
      The VerifyCode RA of course needs its own additional ftl file:
      In evaluateTriggers, UpdateMobile checks that the PHONE_NUMBER_VERIFIED attribute is "true"; if so it returns and doesn't render the form. (This would cause VerifyCode to invoke next.)
      Otherwise, if the PHONE_NUMBER attribute is null, it renders its own form.
      Once the phone # is entered into the form, it adds the PHONE_NUMBER attribute, removes its own required action, adds the VerifyCode RA to the user, and calls context.success().
      VerifyCode checks if either of the attributes for the 2 RAs is null and if so, renders its own form.
      The form has a button for "Restart mobile verification" that, when clicked, causes the VerifyCode RA to remove the PHONE_NUMBER attribute, add the UpdateMobile RA and return; the process restarts. This is needed because the user might have entered a typo for the number the first time and/or the code expired.
      Otherwise, once the code is entered correctly, the VerifyCode RA sets the PHONE_NUMBER_VERIFIED attribute to "true" as expected, removes its own RA from the user, and calls context.success().
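As an added illustration (not code from the video, nor from Niko's repository), the following Java sketch ties together three points made in this thread: Niko's remark that whether a required action repeats is decided in evaluateTriggers, bluex217's observation that context.success() removes the action from the user, and bluex217's two-action chain (UpdateMobile, then VerifyCode) described just above. It shows one required action that puts itself back on the user at every login until a phone number is stored, validates the submitted number server-side, and hands over to a second action by adding that action's ID before calling success(). The package, both provider IDs, the attribute names, the template name, the form field name and the message key are assumed placeholders; the imports assume a Keycloak release on the jakarta.* namespace (22 or later). The second action (VerifyCode) is only referenced by ID and would be a separate factory of its own.

```java
package example.keycloak.ra; // assumed package, not from the video

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;

/**
 * Example required action: ask for a mobile number, then hand over to a
 * separate verification action. The factory is registered through
 * META-INF/services/org.keycloak.authentication.RequiredActionFactory and
 * enabled in the admin console under Authentication > Required actions.
 */
public class UpdateMobileRequiredAction implements RequiredActionProvider, RequiredActionFactory {

    public static final String PROVIDER_ID = "update-mobile-example";            // assumed ID
    static final String VERIFY_CODE_PROVIDER_ID = "verify-mobile-code-example";  // assumed ID of the 2nd RA
    static final String PHONE_NUMBER = "phoneNumber";                            // assumed attribute names
    static final String PHONE_NUMBER_VERIFIED = "phoneNumberVerified";
    static final String TEMPLATE = "update-mobile.ftl";                          // assumed login-theme template
    static final String FORM_FIELD = "mobile_number";                            // assumed form field name

    // Keycloak calls this on every login for each enabled required action, before the
    // pending actions run. This is where "ask again next login" is decided: as long as
    // no verified number exists, put this action back on the user.
    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        UserModel user = context.getUser();
        boolean verified = "true".equals(user.getFirstAttribute(PHONE_NUMBER_VERIFIED));
        if (!verified && user.getFirstAttribute(PHONE_NUMBER) == null) {
            user.addRequiredAction(PROVIDER_ID);
        }
    }

    // Renders the form; TEMPLATE must exist in the active login theme, otherwise
    // the server reports "Template not found".
    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        Response challenge = context.form()
                .setAttribute("phoneNumber", context.getUser().getFirstAttribute(PHONE_NUMBER))
                .createForm(TEMPLATE);
        context.challenge(challenge);
    }

    // Handles the form POST. The value is validated on the server before it is stored.
    @Override
    public void processAction(RequiredActionContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String phone = form.getFirst(FORM_FIELD);
        if (phone == null || !phone.matches("\\+?[0-9]{6,15}")) {
            // Re-render with an error; the action stays on the user until it succeeds.
            Response challenge = context.form()
                    .setError("invalidPhoneNumber") // assumed key in the theme's messages_*.properties
                    .createForm(TEMPLATE);
            context.challenge(challenge);
            return;
        }
        UserModel user = context.getUser();
        user.setSingleAttribute(PHONE_NUMBER, phone);
        user.setSingleAttribute(PHONE_NUMBER_VERIFIED, "false");
        // Chain to the verification action BEFORE success(), because success()
        // removes this action from the user.
        user.addRequiredAction(VERIFY_CODE_PROVIDER_ID);
        context.success();
    }

    @Override public void close() { }

    // ---- RequiredActionFactory ----
    @Override public RequiredActionProvider create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayText() { return "Update Mobile Number (example)"; }
}
```

The guard in evaluateTriggers is what turns a one-time action into a repeating one: drop the attribute checks and the action would be re-added unconditionally at every login. The VerifyCode action must be implemented and enabled separately; its own processAction would set PHONE_NUMBER_VERIFIED to "true" and call success(), and its evaluateTriggers can decide, as in the thread above, whether to send the user back to this action when the number or the code needs to be re-entered.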

  • @PankajSingh-bt9hj 2 years ago

    Hey Niko, please make a video on the forgot password flow and how to customize the message. I am not able to get the message that your password was successfully reset after resetting the password. And in that message I want to customize the sign-in URL; how to do it? Thanks

  • @aniskaloun2983 2 years ago

    Hi Niko, first thanks for the great video!
    I have a question: is it possible to implement a custom Required Action (an SPI) in Node.js, or do we need to use Java to do it, using Keycloak 19.0.1?

    • @dasniko 2 years ago

      Keycloak currently only supports Java.

  • @nkcho93 1 year ago

    Hello Niko : )
    I have a question. When the password expires after logging in, will a function to change it next time be provided instead of updating the password?
    Let me know if there is any possible way.

  • @Marcos197808 2 years ago

    Hello Niko, is there any way to configure the search for other fields besides the client id?

  • @corycory8976 1 year ago

    I’m sorry but I would like to create an Authenticator for the registration flow, is that possible?

    • @dasniko 1 year ago

      Use the FormAction and FormActionFactory interfaces.

    • @corycory8976 1 year ago

      @@dasniko Yes, thank you. I will apply it.

    • @corycory8976 1 year ago

      @@dasniko Excuse me. Do I need to create a challenge to serve for the phone number verification in the registration flow?

  • @cuongnguyenminh6235 2 years ago

    Hi Niko, I have a problem with configuring a required action. Our system communicates with Keycloak via API. In the "requiredActionChallenge" method, I want to send some params for the front-end site to know and redirect to the update phone screen, because we have a lot of cases that use required actions. But the API only responds with
    {
    "error": "invalid_grant",
    "error_description": "Account is not fully set up"
    }
    And the front-end site doesn't know exactly what the error is.
    => How can we pass the error type to the front-end? Example:
    {
    "error": "invalid_grant",
    "error_type": "update_phone_number",
    "error_description": "Account is not fully set up"
    }

    • @eslamsife5593 1 year ago

      If you rely on JWT, you must update the user and add his mobile to become an attribute, because it is invalid to grant the user authentication or generate the token without updating the new required action. It's late, but the problem with this code is that he forces any user, even those with administrative roles, to update the phone number.

  • @reactdave1800 2 years ago

    Hey Niko! Do you know of a way or have any insight into how a user could complete required actions through the Direct Grant flow in a mobile app (without browser)?

    • @dasniko 2 years ago

      RAs are not coupled to the ROPC Grant.
      Don't use the ROPC Grant at all, it's considered harmful and is marked as MUST NOT be used!
      datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.4
      Use the AuthCode Grant with a public client and PKCE enabled in your mobile app!

    • @reactdave1800 2 years ago

      @@dasniko Thank you for the insight. I'm new to the OIDC spec. Is there a way to authenticate a user through the standard flow while using a native UI login screen (not in a browser)?

    • @dasniko 2 years ago

      If you're using OAuth2/OIDC, the recommended way is to use the browser flows. That's what they're here for, that's why they exist: it's proven to be secure. Everything else (with OAuth2/OIDC) is NOT! If you're using OAuth2/OIDC and want to be secure, use the browser flows. Period.
      Or do something else, implement it on your own and deal with all the risks which come to you because you are not a security specialist...
      Just because somebody else is doing it is not a reason, and most probably they're not doing OIDC but something else.
      Some more links: www.identityserver.com/articles/fact-sheet-the-dangers-of-using-the-password-grant-type-with-mobile-applications and www.scottbrady91.com/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications

  • @emankun 1 year ago

    Great videos. I have a question: when we use OTP, is it possible that the barcode is sent via email?

    • @dasniko 1 year ago

      That does not make sense. The QR code is the config info for the authenticator app, which has to be set up and confirmed by entering a generated OTP. It's not a link! So, having it asynchronously by email is useless. One has to fulfill the process online.

  • @codingispassion6376 5 months ago

    Sir, how can I add the resources in the Keycloak user token payload? I have created the resources, scopes, policies and permissions in Keycloak; now I want to add the resources according to the user roles in the user token. Please answer.

    • @dasniko 5 months ago

      Asking the same question randomly on multiple videos is very bad behavior... I won't answer such requests.

    • @codingispassion6376 5 months ago

      @@dasniko I just want to draw your attention to this, and my intention was not to make you feel bad. I will not do this again; I just wanted to ask you:
      I have created the resources, scopes, policies, and permissions. Now I want to add the resources of the roles in the user token payload according to the users' specific roles.
      To achieve this I tried creating user attributes for it, and I am able to add the resources while creating a user using the POST API of Keycloak. But I don't want to add the resources from there; I have already created the resources and scopes with permissions. Somehow, I want to add all those resources in the user payload according to their role. For that, I tried the custom script mapper as well, but it is not working. I am using Keycloak version 24.

  • @sursmokie 1 year ago

    Hello Niko. I am using your "update mobile number" required action example. I noticed that when this addon is enabled and I also enable and use user federation with LDAP, an error occurs at the login screen: "Unexpected error when handling authentication request to identity provider." There are no Keycloak logs when this happens. It can be overcome by refreshing the browser many times or by creating a new private browser session. But it is a bug. I am not sure if this is a bug in this addon or a Keycloak bug. Are you able to reproduce it in your environment?

    • @dasniko 1 year ago

      As you already wrote, it is an example! So no warranties that it works everywhere and under all circumstances.

  • @turkerkaraoglu1675 11 months ago

    If we need to open code to add a simple form, Keycloak is meaningless. We chose KC because it's supposed to simplify things, not the other way around. This should and must be easily done via the UI.

    • @dasniko 11 months ago

      Required actions are not just a "simple form", there is quite some logic behind this. And Keycloak was never made to support each and every use case anyone can think about. It was always designed and developed with the SPI approach, so that everyone can extend Keycloak with these interfaces which are useful for the current approach.