Write announcement and documentation for Account Console v3 (#26318)

Closes #26122

Signed-off-by: Jon Koops <jonkoops@gmail.com>
This commit is contained in:
Jon Koops 2024-02-21 19:42:33 +01:00 committed by GitHub
parent 01d66a662b
commit 89af9e3ffd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 63 additions and 43 deletions

View file

@ -51,8 +51,8 @@ public class Profile {
ACCOUNT_API("Account Management REST API", Type.DEFAULT), ACCOUNT_API("Account Management REST API", Type.DEFAULT),
@Deprecated @Deprecated
ACCOUNT2("Account Management Console 2", Type.DEPRECATED, Feature.ACCOUNT_API), ACCOUNT2("Account Console version 2", Type.DEPRECATED, Feature.ACCOUNT_API),
ACCOUNT3("Account Management Console 3", Type.DEFAULT, Feature.ACCOUNT_API), ACCOUNT3("Account Console version 3", Type.DEFAULT, Feature.ACCOUNT_API),
ADMIN_FINE_GRAINED_AUTHZ("Fine-Grained Admin Permissions", Type.PREVIEW), ADMIN_FINE_GRAINED_AUTHZ("Fine-Grained Admin Permissions", Type.PREVIEW),

Binary file not shown.

After

Width:  |  Height:  |  Size: 214 KiB

View file

@ -91,7 +91,17 @@ The 'welcome' page that is shown when a user starts Keycloak for the first time,
image::images/new-welcome-screen.png["A screenshot of the new welcome page, showing a simplified layout with a user registration form."] image::images/new-welcome-screen.png["A screenshot of the new welcome page, showing a simplified layout with a user registration form."]
If you are using a custom theme, you may need to update it to support the new welcome page. For more details consult the link:{upgradingguide_link}[{upgradingguide_name}]. If you are using a custom theme, you may need to update it to support the new welcome page. For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
= New Account Console now the default
We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.
This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in:
.New Account Console with custom attributes
image::images/new-account-console.png["New Account Console with custom attributes"]
If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the link:{upgradingguide_link}[{upgradingguide_name}].
= Keycloak JS = Keycloak JS
@ -201,8 +211,8 @@ As a result, you can use the CR to configure build time options also when a cust
= Enhanced reverse proxy settings = Enhanced reverse proxy settings
It is now possible to separately enable parsing of either `Forwarded` or `X-Forwarded-*` headers via the new `--proxy-headers` option. It is now possible to separately enable parsing of either `Forwarded` or `X-Forwarded-*` headers via the new `--proxy-headers` option.
For details consult the https://www.keycloak.org/server/reverseproxy[Reverse Proxy Guide]. For details, see the https://www.keycloak.org/server/reverseproxy[Reverse Proxy Guide].
The original `--proxy` option is now deprecated and will be removed in a future release. For migration instructions consult the link:{upgradingguide_link}[{upgradingguide_name}]. The original `--proxy` option is now deprecated and will be removed in a future release. For migration instructions, see the link:{upgradingguide_link}[{upgradingguide_name}].
= Changes to the user representation in both Admin API and Account contexts = Changes to the user representation in both Admin API and Account contexts

View file

@ -438,11 +438,11 @@ Options are same as for the createLoginUrl method but 'action' is set to 'regist
*accountManagement()* *accountManagement()*
Redirects to the Account Management Console. Redirects to the Account Console.
*createAccountUrl(options)* *createAccountUrl(options)*
Returns the URL to the Account Management Console. Returns the URL to the Account Console.
Options is an Object, where: Options is an Object, where:

Binary file not shown.

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 169 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 33 KiB

After

Width:  |  Height:  |  Size: 225 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 174 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 195 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 200 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 59 KiB

After

Width:  |  Height:  |  Size: 259 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 64 KiB

After

Width:  |  Height:  |  Size: 248 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 36 KiB

After

Width:  |  Height:  |  Size: 249 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 11 KiB

View file

@ -2,23 +2,19 @@
== Account Console == Account Console
{project_name} users can manage their accounts through the Account Console. Users can configure their profiles, add two-factor authentication, include identity provider accounts, and oversee device activity. {project_name} users can manage their accounts through the Account Console. They can configure their profiles, add two-factor authentication, include identity provider accounts, and oversee device activity.
[role="_additional-resources"] [role="_additional-resources"]
.Additional resources .Additional resources
* The Account Console can be configured in terms of appearance and language preferences. An example is adding attributes to the *Personal info* page by clicking *Personal info* link and completing and saving details. For more information, see the {developerguide_link}[{developerguide_name}]. * The Account Console can be configured in terms of appearance and language preferences. An example is adding additional attributes to the *Personal info* page. For more information, see the {developerguide_link}[{developerguide_name}].
=== Accessing the Account Console === Accessing the Account Console
Any user can access the Account Console.
.Procedure .Procedure
. Make note of the realm name and IP address for the {project_name} server where your account exists. . Make note of the realm name and IP address for the {project_name} server where your account exists.
. In a web browser, enter a URL in this format: _server-root_{kc_realms_path}/{realm-name}/account. . In a web browser, enter a URL in this format: _server-root_{kc_realms_path}/{realm-name}/account.
. Enter your login name and password. . Enter your login name and password.
.Account Console .Account Console
@ -37,21 +33,15 @@ You can sign in to this console using basic authentication (a login name and pas
.Procedure .Procedure
. Click *Account security* in the menu. . Click *Account security* in the menu.
. Click *Signing in*. . Click *Signing in*.
. Click *Set up Authenticator application*.
. Click *Set up authenticator application*.
+ +
.Signing in .Signing in
image:images/account-console-signing-in.png[Signing in] image:images/account-console-signing-in.png[Signing in]
. Follow the directions that appear on the screen to use either . Follow the directions that appear on the screen to use your mobile device as your OTP generator.
https://freeotp.github.io/[FreeOTP] or https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2[Google Authenticator] on your mobile device as your OTP generator.
. Scan the QR code in the screen shot into the OTP generator on your mobile device. . Scan the QR code in the screen shot into the OTP generator on your mobile device.
. Log out and log in again. . Log out and log in again.
. Respond to the prompt by entering an OTP that is provided on your mobile device. . Respond to the prompt by entering an OTP that is provided on your mobile device.
==== Two-factor authentication with WebAuthn ==== Two-factor authentication with WebAuthn
@ -63,20 +53,15 @@ image:images/account-console-signing-in.png[Signing in]
.Procedure .Procedure
. Click *Account Security* in the menu. . Click *Account Security* in the menu.
. Click *Signing in*.
. Click *Signing In*.
. Click *Set up Security Key*. . Click *Set up Security Key*.
+ +
.Signing In .Signing In
image:images/account-console-signing-in-webauthn-2factor.png[Signing In With Security Key] image:images/account-console-signing-in-webauthn-2factor.png[Signing In With Security Key]
. Prepare your WebAuthn Security Key. How you prepare this key depends on the type of WebAuthn security key you use. For example, for a USB based Yubikey, you may need to put your key into the USB port on your laptop. . Prepare your WebAuthn Security Key. How you prepare this key depends on the type of WebAuthn security key you use. For example, for a USB based Yubikey, you may need to put your key into the USB port on your laptop.
. Click *Register* to register your security key. . Click *Register* to register your security key.
. Log out and log in again. . Log out and log in again.
. Assuming authentication flow was correctly set, a message appears asking you to authenticate with your Security Key as second factor. . Assuming authentication flow was correctly set, a message appears asking you to authenticate with your Security Key as second factor.
==== Passwordless authentication with WebAuthn ==== Passwordless authentication with WebAuthn
@ -88,9 +73,7 @@ image:images/account-console-signing-in-webauthn-2factor.png[Signing In With Sec
.Procedure .Procedure
. Click *Account Security* in the menu. . Click *Account Security* in the menu.
. Click *Signing In*. . Click *Signing In*.
. Click *Set up Security Key* in the *Passwordless* section. . Click *Set up Security Key* in the *Passwordless* section.
+ +
.Signing In .Signing In
@ -99,9 +82,7 @@ image:images/account-console-signing-in-webauthn-passwordless.png[Signing In Wit
. Prepare your WebAuthn Security Key. How you prepare this key depends on the type of WebAuthn security key you use. For example, for a USB based Yubikey, you may need to put your key into the USB port on your laptop. . Prepare your WebAuthn Security Key. How you prepare this key depends on the type of WebAuthn security key you use. For example, for a USB based Yubikey, you may need to put your key into the USB port on your laptop.
. Click *Register* to register your security key. . Click *Register* to register your security key.
. Log out and log in again. . Log out and log in again.
. Assuming authentication flow was correctly set, a message appears asking you to authenticate with your Security Key as second factor. You no longer need to provide your password to log in. . Assuming authentication flow was correctly set, a message appears asking you to authenticate with your Security Key as second factor. You no longer need to provide your password to log in.
=== Viewing device activity === Viewing device activity
@ -124,15 +105,10 @@ You can link your account with an <<_identity_broker, identity broker>>. This op
.Procedure .Procedure
. Log into the Admin Console. . Log into the Admin Console.
. Click *Identity providers* in the menu. . Click *Identity providers* in the menu.
. Select a provider and complete the fields. . Select a provider and complete the fields.
. Return to the Account Console. . Return to the Account Console.
. Click *Account security* in the menu. . Click *Account security* in the menu.
. Click *Linked accounts*. . Click *Linked accounts*.
The identity provider you added appears in this page. The identity provider you added appears in this page.
@ -158,4 +134,5 @@ If you select *Direct membership* checkbox, you will see only the groups you are
* You need to have the *view-groups* account role for being able to view *Groups* menu. * You need to have the *view-groups* account role for being able to view *Groups* menu.
.View group memberships .View group memberships
image:images/groups_account_console.png[View group memberships] .View group memberships
image:images/account-console-groups.png[View group memberships]

View file

@ -12,7 +12,7 @@
* User Federation - Sync users from LDAP and Active Directory servers. * User Federation - Sync users from LDAP and Active Directory servers.
* Kerberos bridge - Automatically authenticate users that are logged-in to a Kerberos server. * Kerberos bridge - Automatically authenticate users that are logged-in to a Kerberos server.
* Admin Console for central management of users, roles, role mappings, clients and configuration. * Admin Console for central management of users, roles, role mappings, clients and configuration.
* Account Management console that allows users to centrally manage their account. * Account Console that allows users to centrally manage their account.
* Theme support - Customize all user facing pages to integrate with your applications and branding. * Theme support - Customize all user facing pages to integrate with your applications and branding.
* Two-factor Authentication - Support for TOTP/HOTP via Google Authenticator or FreeOTP. * Two-factor Authentication - Support for TOTP/HOTP via Google Authenticator or FreeOTP.
* Login flows - optional user self-registration, recover password, verify email, require password update, etc. * Login flows - optional user self-registration, recover password, verify email, require password update, etc.

View file

@ -17,7 +17,7 @@ Login theme::
Username password entry, OTP entry, new user registration, and other similar screens related to login. Username password entry, OTP entry, new user registration, and other similar screens related to login.
Account theme:: Account theme::
Each user has a User Account Management UI. The console used by the user to manage his or her account.
Admin console theme:: Admin console theme::
The skin of the {project_name} Admin Console. The skin of the {project_name} Admin Console.

View file

@ -7,4 +7,4 @@ The OAuth 2.0 login specification requires that a state cookie matches against a
The {project_name} Admin Console is a JavaScript/HTML5 application that makes REST calls to the backend {project_name} admin REST API. These calls all require bearer token authentication and consist of JavaScript Ajax calls, so CSRF is impossible. You can configure the admin REST API to validate the CORS origins. The {project_name} Admin Console is a JavaScript/HTML5 application that makes REST calls to the backend {project_name} admin REST API. These calls all require bearer token authentication and consist of JavaScript Ajax calls, so CSRF is impossible. You can configure the admin REST API to validate the CORS origins.
The user account management section in {project_name} can be vulnerable to CSRF. To prevent CSRF attacks, {project_name} sets a state cookie and embeds the value of this cookie in hidden form fields or query parameters within action links. {project_name} checks the query/form parameter against the state cookie to verify that the user makes the call. The Account Console in {project_name} can be vulnerable to CSRF. To prevent CSRF attacks, {project_name} sets a state cookie and embeds the value of this cookie in hidden form fields or query parameters within action links. {project_name} checks the query/form parameter against the state cookie to verify that the same user made the call.

View file

@ -19,7 +19,7 @@ image:images/user-impersonate-action.png[]
* If the administrator and the user are in the same realm, then the administrator will be logged out and automatically logged in as the user being impersonated. * If the administrator and the user are in the same realm, then the administrator will be logged out and automatically logged in as the user being impersonated.
* If the administrator and user are in different realms, the administrator will remain logged in, and additionally will be logged in as the user in that user's realm. * If the administrator and user are in different realms, the administrator will remain logged in, and additionally will be logged in as the user in that user's realm.
In both instances, the *User Account Management* page of the impersonated user is displayed. In both instances, the *Account Console* of the impersonated user is displayed.
.Additional resources .Additional resources
* For more information on assigning administration permissions, see the <<_admin_permissions,Admin Console Access Control>> chapter. * For more information on assigning administration permissions, see the <<_admin_permissions,Admin Console Access Control>> chapter.

View file

@ -11,7 +11,7 @@ image::images/login-sunrise.png[caption="",title="Login page with sunrise exampl
A theme can provide one or more types to customize different aspects of {project_name}. The types available are: A theme can provide one or more types to customize different aspects of {project_name}. The types available are:
* Account - Account management * Account - Account Console
* Admin - Admin Console * Admin - Admin Console
* Email - Emails * Email - Emails
* Login - Login forms * Login - Login forms
@ -105,7 +105,7 @@ You have now created a theme with support for the login type.
. For *Login Theme* select *mytheme* and click *Save*. . For *Login Theme* select *mytheme* and click *Save*.
. Open the login page for the realm. . Open the login page for the realm.
+ +
You can do this either by logging in through your application or by opening the Account Management console (`/realms/{realm name}/account`). You can do this either by logging in through your application or by opening the Account Console (`/realms/{realm name}/account`).
. To see the effect of changing the parent theme, set `parent=keycloak` in `theme.properties` and refresh the login page. . To see the effect of changing the parent theme, set `parent=keycloak` in `theme.properties` and refresh the login page.

View file

@ -43,3 +43,4 @@ https://github.com/apache/felix-dev/tree/master/http#using-the-osgi-http-whitebo
https://github.com/keycloak/keycloak/blob/025778fe9c745316f80b53fe3052aeb314e868ef/js/apps/admin-ui/public/locales/en/dashboard.json#L3 https://github.com/keycloak/keycloak/blob/025778fe9c745316f80b53fe3052aeb314e868ef/js/apps/admin-ui/public/locales/en/dashboard.json#L3
https://github.com/keycloak/keycloak/issues/new?* https://github.com/keycloak/keycloak/issues/new?*
https://stackapps.com/apps/oauth/register https://stackapps.com/apps/oauth/register
https://github.com/keycloak/keycloak-quickstarts/tree/release/24.0/extension/extend-account-console

View file

@ -26,6 +26,38 @@ Images such as the background, logo and favicon are now loaded from the 'common'
import=common/your-theme-name import=common/your-theme-name
---- ----
= Changes to the Account Console theme customization
If you were previously extending the now deprecated version 2 of the Account Console theme, you will need to update your theme to use the new version 3 of the Account Console theme. The new version of the Account Console theme comes with some changes in regards to how it is customized. To start with a clean slate, you can follow the new https://github.com/keycloak/keycloak-quickstarts/tree/release/24.0/extension/extend-account-console[customization quickstart].
To move your custom theme start by changing the `parent` to the new theme:
[source,properties]
----
# Before
parent=keycloak.v2
# After
parent=keycloak.v3
----
If you have any custom React components, you will import React directly, rather than using a relative path:
[source,js]
----
// Before
import * as React from "../../../../common/keycloak/web_modules/react.js";
// After
import React from "react";
----
If you are using `content.json` to customize the theme there are some changes to the structure of the file, specifically:
* The `content` property has been renamed to `children`.
* The `id`, `icon` and `componentName` properties have been removed, as `modulePath` provides the same functionality.
= Keycloak JS imports might need to be updated = Keycloak JS imports might need to be updated
If you are loading Keycloak JS directly from the Keycloak server, this section can be safely ignored. If you are loading Keycloak JS from the NPM package and are using a bundler like Webpack, Vite, and so on, you might need to make some changes to your code. The Keycloak JS package now uses the https://webpack.js.org/guides/package-exports/[`exports` field] in the package.json file. This means that you might have to change your imports: If you are loading Keycloak JS directly from the Keycloak server, this section can be safely ignored. If you are loading Keycloak JS from the NPM package and are using a bundler like Webpack, Vite, and so on, you might need to make some changes to your code. The Keycloak JS package now uses the https://webpack.js.org/guides/package-exports/[`exports` field] in the package.json file. This means that you might have to change your imports: