I have an email address of a user. I’d like to create a user and send them an email with a link to set their password and activate their account. Is this kind of flow support in Keycloak ? I think I can provision user in Keycloak and send executeActionsEmail using UserResource. Is that the right way to do ?
Yes keycloak does support this kind of flow. You can use keycloak admin client for this.
UserResource is the right class for this. You are going in correct direction.
Related
I have read keycloak docs and could not find if it is possible to allow users to login just with their email address.
No password, just an email code with each login.
Any advice is appreciated.
We are using keycloak as auth provider by utilizing the OAuth Code Flow. The user logs in with their normal email and password on the keycloak login page. Is there a way to mask/hide or even map email adresses? Apple is doing this by saving the real email but using fake mails like j24hj21h4#apple.com for the "outer world". The reason I need this feature is to hide the real email adresses of our users for SSO.
From my point of view, your best bet would be extend the Authentication SPI of keycloak and implement your logic, it's is totally achievable.
This is not something you get out of keycloak by default, but it provides flexibility to plug our extensions.
Here you can find more details on this https://www.keycloak.org/docs/latest/server_development/#_auth_spi
I am using Keycloak to authenticate a user for a Vaadin application. The Vaadin application creates its own user session after successful authentication with Keycloak. I need the user to be able to change the password and email address.
Now I do not quite understand how to implement it correctly. There is a user Keycloak console that has this kind of functionality. But, for example, when a user changes their email address, the user is not prompted to confirm that new email address until a new login. Should I disable the Keycloak user console and e.g. use the Keycloak REST API directly from the Vaadin app to perform email/password changes? Or should I keep using Keycloak's custom console and configure it there?
What is the proper way to deal with such things with Keycloak? In case of Keycloak API I'd really appreciate the examples of API calls which should I perform in order to change the user password and email.
I'm new to keycloak and I thought this would be super easy, but I can't find a solution. If a new user registrate, he should be disabled by default, till an admin enables the user manually. Is there a simple solution for that? Thank you in advance and best wishes!
Create an SPI for RegistrationUserCreation where on processResponse you disable the user.
Then use this registration in the login flow.
if you look at keycloak server page https://www.keycloak.org/docs/6.0/server_admin/
in 4.8. User Registration, if a user is registered, he would not be disabled by default and there is no option for that. The only thing you can do is to require a few actions from user, like changing password or require email verification. Or you can disable the user from admin.
Think about it, if a new user goes through all the process to register just to be disabled y default, what's the point of enabling registration?
I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs.
Use case:
The registration page for new users shouldn't be public. New user get an invitation email from the admin. The email contains a link to the registration page.
I thought about using an initial access token (like for client registration) and add it to the link to the registration page. Afaik there is nothing like that for user registration?
Are there any other ways to do it?
I think you've got two options to implement it:
First
You know the e-mail of the destination user before sending the invitation, so you would let the admin create a user in keycloak with the e-mail itself as the username. Then the admin should check 'Verify e-mail', 'Update profile' and 'Update password' as required actions, so keycloak will send an activation mail (you can customize the e-mail template) and user will be required to fill his data and set a password.
If you don't want the admin to access keycloak directly, you could do it via the user management API.
Second
Implement this logic in your application. Write a user data form which is publicly accessible using a code (it might be some UUID). When admin sending the invitation mail, link a random code to the address, so when user enters the page, you can verify it. Then you'll need to save the data in keycloak as a new user, using the user management API.