Keycloak Advent Calendar Day 10. This time, let's take a look at the Keycloak management console.
The Keycloak management console is made up of two parts:
- functions for administrators
- functions for users (the user account service)
Today, let's take a look at the latter, the functions for users (the user account service).
Prepare the following as described in Day 2, "Keycloak Setup":
- a Keycloak environment
- a Keycloak admin user and a regular user
The user account service lets users manage their own accounts. Open a browser, go to `http://localhost:8080/auth/realms/<realm name>/account/`, and log in as the regular user. (If you log in as a user of the realm "demo", the URL is `http://localhost:8080/auth/realms/demo/account/`.)
The user account service screen consists of a settings menu on the left side and the content of the selected menu item on the right side.
If internationalization is enabled for the realm, you can change the language in the upper right corner of the screen. You can also sign out of Keycloak by clicking "Sign Out" at the top right of the screen.
Now let's look at the user account service settings.
This screen is for editing account information.
Item name | Description |
---|---|
Username | Specify the username. It cannot be edited if "Edit username" is disabled in the realm settings. It is not displayed if "Email as username" is enabled in the realm settings. |
Email | Specify the email address. |
Name | Specify the name. |
Surname | Specify the surname. |
This is the screen for changing the password.
Item name | Description |
---|---|
Password | Specify the current password. |
New password | Specify the new password. |
New password (confirmation) | Specify the new password again for confirmation. |
Authenticator
This is the settings screen for two-factor authentication. You can strengthen security by moving from single-factor authentication with "ID and password" to two-factor authentication with "ID and password" plus a "one-time password". Time-based (TOTP) and counter-based (HOTP) one-time passwords are supported, and FreeOTP or Google Authenticator can be used as the one-time password generator.
@Naokiiiii will write about the specific usage on the 12th day!
Federated Identities
This is the screen for linking an account with an external identity provider. It can be used when an "Identity Provider" is configured in the realm settings.
@Tamura__246 will write about the "Identity Provider" settings on the 15th day!
This screen manages your own sessions. Click the "Log out from all sessions" link to clear all sessions and log out.
This is the screen for browsing the applications available to the user. An application is a client defined in the realm settings. If a "base URL" is set in the client settings, the displayed application name links to that base URL.
This screen shows the user's event log. It is available when "Save login event" is enabled in the realm settings. By checking the log, users can check whether a third party has performed any unauthorized operations on their account.
When you provide an authentication function, a way for users to review their own login history is a common security requirement, so it is nice to have this function out of the box :smile:
Unlike the management console, the user account service is a screen for the general users of an application. Screens for general users are often customized to match the colors and style of the company operating the service, and Keycloak makes it easy to customize these screens.
If you want to change the look, you can customize the theme. See the Keycloak documentation (http://www.keycloak.org/docs/latest/server_development/#_themes) for more information.
Beyond appearance, a common customization requirement is adding user attributes, which you can do as follows.
**Example: adding the user attribute "TEL"**
Copy the template file `KEYCLOAK_HOME/themes/base/account/account.ftl` to your theme's directory. For example, if the theme you are using is `keycloak`, the destination is `KEYCLOAK_HOME/themes/keycloak/account/account.ftl`.
Add the following code to the copied `account.ftl`.
```html
<div class="form-group">
    <div class="col-sm-2 col-md-2">
        <label for="user.attributes.tel" class="control-label">TEL</label>
    </div>
    <div class="col-sm-10 col-md-10">
        <#-- The value is read from the account model; '' is the default when the attribute is unset,
             and ?html escapes the stored value before it is rendered into the page. -->
        <input type="text" class="form-control" id="user.attributes.tel" name="user.attributes.tel" value="${(account.attributes.tel!'')?html}"/>
    </div>
</div>
```
After restarting Keycloak, open the account screen and you will see that the custom attribute "TEL" has been added.
For more information on customizing attributes, see the Keycloak documentation (http://www.keycloak.org/docs/latest/server_development/index.html#custom-user-attributes).
That was a rough look at the "User Account Service". I think every screen is easy to understand and can be operated intuitively.