Passing OIDC information to the Register URI

Hello,
Is there a way to pass username/sub/OIDC/any information to the register URI? This is so an automated process can run that takes the user UUID from Keycloak and generates an account for the user. It would be really helpful to pass this information over so we don’t have to get the user to try and log into another web app.

Thank you,

Will.

Sorry, I don’t quite follow your use case. You’re saying a user exists already in Keycloak so you want to pass that information to the /register page?

If the user exists in Keycloak, why would they need to register? They should be able to just login.

If you’re trying to bypass the login entirely, assuming they’re logged in somewhere else, that would just work as you expect if Keycloak also backs the other site that they’re currently logged into. If they’re logged into another site with another id, then your users would have to federate that id.

I do that at OSC with my OSU credentials, so that I can login to an OSU site and pretty much use those credentials wherever I go.

Hope that helps. An automated process may be able to do stuff on the backend - but ultimately it’s the client’s browser that needs this info. Meaning at some point, they have to login somewhere. I assume you’re looking for an SSO experience, but I’m not sure where you anticipate that first sign on to be.

Unfortunately the user won’t be able to directly access Open On Demand, as although their account exists within Keycloak, it does not yet have a uid/gid assigned and the username needs to be changed to something that matches our naming convention (as it will be set from the IdP hooked up to Keycloak), and they need to be added to the appropriate SLURM account.

So my thinking was to pass the Keycloak username or UUID over to the register page, where there is then a script which will do the account setup completely automatically for them - so as long as they are in a specific group we can provision an account automatically from scratch using our current LDAP system.

OK, thinking about this, you may be able to, but I’d highly advise against it. Also, you’d have to do everything. Build out the /register page to extract the information and then build another API to do all the work (some JavaScript in the register page to connect the two). But you’ve got a fairly big security risk in such an API. The /register page is currently unauthenticated - so you may even have to hack our code to require authentication here.

Seems to me that you’d rather want to handle all of this entirely on the backend when the records are created in Keycloak so that you don’t risk exposing user creation to potential bad actors. Keycloak seems to be extendable so that you can set something up:

@tdockendorf do you have any other advice?
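The risk described in the reply above (an unauthenticated /register page feeding a provisioning API) can be made concrete with a small comparison. This is an added example, not code from Open OnDemand or from anyone in the thread. It contrasts a handler that trusts a client-supplied `user` query parameter with one that only accepts the identity mod_auth_openidc places in the request environment (`OIDC_CLAIM_sub`, `OIDC_CLAIM_preferred_username`) after validating the session. The group claim name `OIDC_CLAIM_groups`, the group `hpc-users`, and the username convention are assumptions chosen for the example; the actual LDAP write and uid/gid allocation are left to the backend and are not shown.

```python
import re
from urllib.parse import parse_qs

# Constructed policy values (assumptions for this example, not from the thread).
REQUIRED_GROUP = "hpc-users"
LOCAL_USERNAME_RE = re.compile(r"^[a-z][a-z0-9]{2,15}$")


def register_from_query(query_string):
    """Insecure pattern the thread warns against: an unauthenticated /register
    handler that provisions whatever username arrives in the query string."""
    params = parse_qs(query_string)
    user = params.get("user", [""])[0]
    if not user:
        return {"status": "error", "reason": "missing user parameter"}
    # Anyone who can reach the page picks the account name; there is no proof of
    # identity, so this would hand account creation to arbitrary callers.
    return {"status": "provision", "username": user}


def local_username(preferred_username):
    """Derive a site-convention username from the IdP's preferred_username claim:
    drop any @domain suffix, lowercase, and keep only [a-z0-9]."""
    local_part = preferred_username.split("@", 1)[0].lower()
    return re.sub(r"[^a-z0-9]", "", local_part)


def register_from_oidc(environ):
    """Hardened pattern: identity is taken only from the OIDC_CLAIM_* variables
    that mod_auth_openidc sets once the user's session has been validated.
    Request parameters are never consulted, so a caller cannot choose the
    account that gets provisioned."""
    sub = environ.get("OIDC_CLAIM_sub")
    preferred = environ.get("OIDC_CLAIM_preferred_username")
    if not sub or not preferred:
        return {"status": "deny", "reason": "no authenticated OIDC identity"}

    # Multi-valued claims are joined with a delimiter (comma by default);
    # the claim name "groups" is an assumption about the IdP configuration.
    groups = environ.get("OIDC_CLAIM_groups", "").split(",")
    if REQUIRED_GROUP not in groups:
        return {"status": "deny", "reason": f"not a member of {REQUIRED_GROUP}"}

    username = local_username(preferred)
    if not LOCAL_USERNAME_RE.match(username):
        return {"status": "deny", "reason": "derived username violates naming convention"}

    # The backend would now allocate uid/gid, write the LDAP entry and add the
    # SLURM account association, keyed on the stable Keycloak subject id.
    return {"status": "provision", "username": username, "keycloak_id": sub}


if __name__ == "__main__":
    # Constructed sample request environment as mod_auth_openidc would populate it.
    env = {
        "OIDC_CLAIM_sub": "00000000-0000-0000-0000-000000000000",  # placeholder UUID
        "OIDC_CLAIM_preferred_username": "Will.Smith@example.org",
        "OIDC_CLAIM_groups": "staff,hpc-users",
    }
    print(register_from_query("user=root"))
    print(register_from_oidc({}))
    print(register_from_oidc(env))
```

The point of the contrast is that the hardened handler has nothing for a caller to supply: the decision depends entirely on claims the reverse proxy has already verified, which is why the reply suggests requiring authentication on /register, or better, doing the provisioning when the record is created in Keycloak.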

Keycloak can be set up to write out records to LDAP. We don’t do that, but it’s possible. I believe you’d have to create the appropriate mappers and whatnot so Keycloak knows how to map Keycloak data to LDAP attributes. Keycloak has the ability to also allow registration so you could redirect /register to Keycloak’s registration, which could then feed the registration into LDAP. I have no experience with these things, just know they exist.
