We are using Auth0 as the Identity Provider. We want to support both Individual Users and Enterprise users (Users who are part of an Organization).
By looking at the user profile, could not find any distinct field which can help me identify the type of user. Although Auth0 has extensive documentation, isn't helpful either for this area.
How can we identify the type of user from the User Profile of the User. I have tried GET /<user_id>/organizations but it won't help if the user logs in before the Organization is registered in the Auth0.
Thanks in advance
Related
I am implementing a functionality of removing a user account (the user will have the possibility to delete its account).
I am using Auth0 as authentication provider. If I log in the app using a Gmail account, Auth0 will create the account with user ID value of XXXXX. After I delete the user (through API or from users management section), if I try to access the app again with the same Gmail account then the user ID will still be XXXXX.
This is a problem in my case because I need to anonynimize the data and the other details should never be visible.
I can solve the problem by changing the the ID in my database but for the moment I would like to keep it.
Is this the normal behavior of auth0?
Good morning tzortzik! I work with the Auth0 Community team and after confirming with one of our senior engineer, some connections the user ID is built based on details originating from the external IDP (Google in this case). That being said, if you remove a user in Auth0 for this instance, the very next time the user logs in/signs up they will receive the same ID that originated from the external IDP. I hope this helps clear some things up. Thanks!
I'm trying to analyse FusionAuth as possible Identity manager for our current solution.
Our current solution is deployed at customer premisses or cloud, and helps them manage their processes (with their company users).
Our current solution is in early-transformation for micro-service solution, and we're trying to extract the user + authentication flow first. We thought maybe using some JWT solution for authentication could be a thing.
We have the use case that companies may have different root-level departments, and an user may belong to more than one department (or its children departments)
How currently is solved, is that at login time if such an user is making the login then it has to choose which root-level department he wants to login into.
We would expect that our new solution with JWT would contain such high-level department on the token information
Users logged-in for a root-level department can't access all data from other departments (only some base data)
I'm trying to understand if such use case could be acomplished by tenants / applications / groups, but I don't see how the same user could belong to many of them and have the possibility to choose one of them at login time
Would anyone suggest an approach to the problem, and if Fusion Auth could solve it?
Also some of our customers do use LDAP, and ask us to integrate the login through their AD (we make the login with AD, and import / synchronize the users). I've seen an open issue for AD integration, but not sure if that is going to be adopted?
One way to handle this is to present the user with a Department Select Screen prior to sending them to FusionAuth. This screen would list out the Departments and the user would select one. Once they select the Department, they would be redirected to FusionAuth's OAuth where the Department is the client_id. This also means that you need a FusionAuth Application for each Department.
Once the user has logged into FusionAuth, the JWT that FusionAuth creates will contain the Application id. This will allow you to identify the Department that they logged into.
I'm trying to work out how to structure a database schema that allows me to have multiple authentication sources for the same end-user.
For example, my web app would require users to sign in to utilize many of the functionality of features of the app. However, I do not want to be responsible for storing and authenticating user passwords.
I would like to outsource this responsibility to Google, Facebook, Twitter and similar identity providers.
So I would still need a database table of users, but no column for a password. However, these are authenticated would not be my concern. But I would still need to somehow associate my user with the identity providers user id. For example, if my user signs up with Google, I would store the users Google ID and associate this with my user. Meaning next time the user makes an attempt to login and is successfully authenticated at Google, I would make an attempt to find any user in my system that has this associated user id.
I've been trying to look for some common and recommended database structures, with no luck. Maybe I'm searching for the wrong terms for this because I cannot imagine that this is an uncommon way to do it. StackOverflow seems to do something similar.
The way I imagine it, it would allow me to associated multiple authentication sources for one app user. Meaning once I've signed up with Google, I can go to my settings and associate another account, for example, a Facebook account.
How should I go about achieving this in a flexible and clean way?
Thanks.
You need to know what data you have to save in your db to authenticate a user with a third party login.
For example, once I used Google to login users in my app, I save Google user id first time a user logs in and get data the next time.
You could have an entity with third party providers, so you will create a table with 2 values, user_id (your user data) and provider_id (Google, facebook, twitter...).
If you are going to use just one provider then you could add provider_id field to your users table.
I am new to Keycloak and I try to use it as authentication server in my solution.
I have the following entity's model: the devices are owned by a particular company to which some users belong. User with role admin can grant permission for viewing some set of devices to a regular user but only those devices that belong to the admin's company. Thus all users except admins can view only a subset of all devices in company.
Based on these requirements, I decided to make companies as groups and devices as Keycloak's resources. To evaluate permissions, I chose rule based policy.
The question is -- Can I set group as an owner of resource to check this relation in policy?
If someone is more experienced in keycloak and knows how to better represent such model, please help.
Thank you in advance.
As working on keycloak, I didn't find any way to set the multiple owners for particular resources.
I'm having the alternate option to give the access permission, that owners have for their resources.
Let say Resource A owner is OWNER A, now there are two more user USER A and USER B. If suppose OWNER A already share the access permission to USER A and USER A wants to share Resource A to USER B on behalf of the Resource owner, then how should USER A can share the resource scopes to USER B?
Answer
Keycloak provides the facility of token exchanging or impersonation feature. With the help of this USER A can able to share the resources to USER B on behalf of the OWNER A (Owner of Resource A).
Reference: You just need to follow this Keycloak Impersonation
Add comments if you still face the problem
In Keycloak, you may represent a particular company (or any organization or organizational unit) as a realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
Create a new realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm
Then represent the company's users as users in the company's Keycloak realm
https://www.keycloak.org/docs/latest/server_admin/index.html#user-management
... and devices as Keycloak Clients (any kind of resource you want enforce permissions on is a Client in Keycloak model):
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
An admin role is already defined by default for each role (Roles menu).
Instructions tested on Keycloak 4.0.0.
For each device, create the corresponding Client in Keycloak (Clients menu). Switch on Permissions Enabled on the Permissions tab of the new client. A list of admin console permissions will appear just below the switch button, such as the view permission.
Then, in order to assign the permission to view the device to some user, the admin should click on the view permission (link) just mentioned, create a User Policy (Create Policy... listbox) and select the users (assignees) in the Users field.
In order to assign the permission on multiple devices to the same group of people, use a Group or Role Policy instead (put the users in the same group before).
In order to assign the permission to groups of devices, use one Group/Role per group of device, then assign users to the Group/Role.
So I am having some trouble figuring out how to implement a sign-in for my app using google oauth. Every example I see shows how to authentication the user, get their permissions and then start using the Google APIs.
I do not care about permission or using Google APIs. All I want to do is have the user sign-in to my app using google oauth instead of having to implement my own authentication system with user and passwords in the database.
After the user authenticates with their google account, then they can change settings associated with their account for my app. What is the flow i need to implement to achieve this?
How would I associated a google user with certain data defined in my own app's database? I have successfully implemented the authentication part but then what would I need to store in my DB to associate them with their actions and data. Would I need to use sessions? and then retrieve their Google+ ID, save it in the database and then use that to identify them in the database for later when they log in again?
any help is appreciated
Once the the server validates the access token, a user account can be created in the database, saving the Google ID along other user details (ID, email, name etc).
If your application also supports normal registration, and an account is already present for that user (matching email), then you can just fill in the (nullable) Google ID column in order to link the account(s).