In Keycloak we have created a custom FTL registration theme that has removed the optional first name and last name fields. Our system only requires the user to have an email address and password.
However when the user hits enter an error is displayed indicating that the first name and last name need to be entered.
In the Keycloak UserModel these fields are optional, and it is also possible to create users via the admin console / api without firstname and lastname.
How do we remove these fields from the Keycloak form validation on the registration screen?
Profile Validation can be disabled from the Authentication -> Flows area in the Admin Console.
Changing the dropdown option to 'Registration' will display the actions used on the Registration Form. Setting 'Profile Validation' to DISABLED will prevent the RegistrationProfile Form Action from being used.
This will prevent all 3 fields (First Name, Last Name & Email) from being checked, you would probably need to implement your own validation action if you wanted more control over which fields to check.
Related
I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticating a user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?
I'm just trying to understand the "Validation" within Spring MVC. I set up a small validation form, which is working just fine. However, I have a couple of questions all those tutorials don't answer.
As far as I understood the Validator just gets every form-element altered and checks if it is valid or not. What if I want a user to only be able to alter specific form-elements.
Let's say I have an Admin and a regular User on my webpage, they both are allowed to edit their profiles. The admin however is allowed to alter his username, the regular isn't allowed to do that. They both use the "edit-profile.jsp" and therefore the same Validator. I could just grey out the username field in my regular user's view, but let's assume he's not a total BDU and adds a form-field via debugger of his web browser, overriding the actual username input-field. He then alters his username and sends the request to MVC. The validator assumes the username altered came from the original input-field and updates the user's nickname in the db accordingly, since both the admin and the regular user just use the same Validator and the same "updateAllAltered"-DAO method.
The same goes for select option-lists. Let's say the Admin is allowed to set a status of a profile to active AND inactive. The user however is only allowed to set his own profile to inactive but can't reactivate it by himself. I could do the same as above, just altering the option-panel in the frontend to only show "INACTIVE" in the regular user's dropdown box. But we could repeat the same scenario, where the user just adds a debug form-field containing also the option "ACTIVE".
This can get out of hand if e.g. the Admin is allowed to change Roles to "admin, member, moderator", while a user, who's i.e. a moderator within a forum can change roles to "member or moderator". He could just again add another field and plug in "admin" and gain total control of the forum.
How is this handled in Spring?
Basically, you have to handle this with Spring Security for your use case: design your application security; you will find basic Spring Security examples easily.
For example, you can block your HTML code in JSP with Spring Security tags by user role.
<sec:authorize access="hasAnyRole('ROLE_ADMIN')">
Delete
</sec:authorize>
You can annotate any of your methods with roles to block access.
@Secured({ "ROLE_ADMIN" })
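The case raised in the question, where a regular user adds a username field or an "ACTIVE" option to the request, is closed on the server by restricting data binding per role. This is an added example, not part of the answer above or of any project's code; `ProfileForm`, the `/profile` mapping, the `status.forbidden` code and the `javax.servlet` namespace (Spring 5 or earlier, with Spring Security's servlet API integration enabled) are assumptions:

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class ProfileController {

    /** Hypothetical form-backing bean behind edit-profile.jsp. */
    public static class ProfileForm {
        private String username, email, status;
        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public String getStatus() { return status; }
        public void setStatus(String v) { status = v; }
    }

    /** Runs before binding: only allow-listed request parameters reach the bean. */
    @InitBinder("profileForm")
    public void allowFieldsByRole(WebDataBinder binder, HttpServletRequest request) {
        if (request.isUserInRole("ROLE_ADMIN")) {
            binder.setAllowedFields("username", "email", "status");
        } else {
            binder.setAllowedFields("email", "status"); // an injected "username" is dropped
        }
    }

    @PostMapping("/profile")
    public String save(@ModelAttribute("profileForm") ProfileForm form,
                       BindingResult result, HttpServletRequest request) {
        // Parameters the binder refused indicate a tampered form and are worth logging.
        if (result.getSuppressedFields().length > 0) {
            System.err.println("Disallowed fields: " + Arrays.toString(result.getSuppressedFields()));
        }
        // An allowed field still has its value checked against the caller's role.
        String status = form.getStatus();
        if (!request.isUserInRole("ROLE_ADMIN") && status != null && !"INACTIVE".equals(status)) {
            result.rejectValue("status", "status.forbidden", "Only INACTIVE may be selected");
        }
        if (result.hasErrors()) { return "edit-profile"; }
        // Persist only the bound fields here; username is null for non-admins and must be skipped.
        return "redirect:/profile";
    }
}
```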
Is there something similar to the email verification feature where a system admin could validate user sign-up/registration requests?
Background: We're building a system with a closed community, where new users can join only if an admin has verified their sign-up data.
Ideally the admin should just receive an email that there's a new registration request and validate the request directly from the email.
The emailVerified column is protected - it can only be updated by the system in response to the target user clicking the link in the validation email.
An admin can not "tick" this field on behalf of another user.
However. From your brief description of the background I would suggest that you want the users to click the link - after all it serves to validate their email address. If you are creating your own app there is nothing to stop you adding your own column to the user model (or preferably a related table) and implement code in your sign up that also checks this extra column. Of course this is more work - but likely not excessive - and you get the desired workflow.
I want to add a feature to my Spring Roo project. I have a user entity that logs into the application and adds additional users.
When I add those users there is an email address (field) to which I want to send the validation with an additional link for activating the account. Also the user has a field that represents if he or she has an active profile, in a way whether it is possible to log in or not - this field needs to change after I click the provided link in the email.
I already have Velocity templates and everything set up, I just need the process of forming that link and assuring that the user will have an active account after clicking on it.
I solved this using a REST call and Spring Security. When the user first signs up, you create the UserDetails object (mine was in a DB table), but set it as not enabled before you save it (there are 4 booleans in the UserDetails object you can manipulate to enable/disable the user in various ways that Spring Security checks). I also stored a UUID code I generated off the user id in a table, and then generated an email which included a link to the REST service to validate the account.
The REST service was simple. The user clicks the link, which would include the UUID code I generated. You could optionally require them to enter some number or do something here as another authentication step, but in my case I simply looked up the UUID to get the associated UserDetails, flipped the bit to enabled and saved it, and sent them to a page saying their account was now active. I then did something like in this post to auto-login the user.
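The activation flow described in the answer above, as an added example that is not the answer author's code. It uses a random 256-bit token instead of a UUID derived from the user id, stores only the token's hash, and lets each link work once within an assumed 24-hour lifetime; the in-memory map stands in for the token table, and `ActivationTokens` is a hypothetical name:

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class ActivationTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofHours(24); // assumed link lifetime
    private static final class Pending {
        final long userId; final Instant expires;
        Pending(long userId, Instant expires) { this.userId = userId; this.expires = expires; }
    }
    // Stand-in for the token table; keyed by the SHA-256 of the token, never the token itself.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Token for a user saved as not enabled; the return value goes into the emailed link. */
    public String issue(long userId) {
        byte[] raw = new byte[32]; // 256 random bits, independent of the user id
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(hash(token), new Pending(userId, Instant.now().plus(TTL)));
        return token;
    }

    /** Called by the activation endpoint; yields the user to enable, at most once per token. */
    public Optional<Long> redeem(String token) {
        if (token == null) { return Optional.empty(); }
        Pending p = pending.remove(hash(token)); // remove() makes the link single-use
        if (p == null || Instant.now().isAfter(p.expires)) {
            return Optional.empty();
        }
        return Optional.of(p.userId);
    }

    private static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every Java platform must provide SHA-256
        }
    }

    public static void main(String[] args) {
        ActivationTokens tokens = new ActivationTokens();
        String code = tokens.issue(42L); // constructed user id
        System.out.println(tokens.redeem(code).isPresent() + " " + tokens.redeem(code).isPresent());
    }
}
```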
I tried to check each of these, and I still see VM registration/login page. I disabled all cache and I have no login modules in the site. You can see it in action: www.webtasty.com. Try to purchase smth and you will be redirected to login page after clicking checkout... How to remove registration/login page? I want to use just PayPal payments, so don't need registration. Thank you
ps. it's tpvmcheckoutlogin module on the page, which displays that login block...
I have latest VM version (and patch)
What is it set to right now? From the looks of the page it is set to normal now. In any case, changing that setting doesn't remove the registration page, it only changes what is displayed. VM will always want you to fill out the registration form so it knows who is placing an order. Here is what the different options mean -
Normal Registration - checkout page displays a login form and a new user registration form. Users are required to pick a username and password. VM creates a user account.
Optional Registration - checkout page displays a login form and a new user registration form. Users have the option of selecting a username and password to create an account. VM only creates a user account if the option is selected
Silent Registration - checkout page displays a login form and a new user registration form. There are no form fields for username or password, VM assigns those to the user and sends them via email. A user account is created with the assigned credentials.
No registration - checkout page displays registration form only, no username or password fields, no account login form. VM does not create a user account but still requires the form to be filled out for billing/shipping purposes.