[Feature] Work nicely with Keycloak registration flow #115

Open · frasern opened this issue Nov 10, 2022 · 6 comments

Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request)

Comments

frasern commented Nov 10, 2022

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

When user registration is enabled in Keycloak, a user can create an account using a email address whose domain is associated with an IdP for discovery.

This means they set a Keycloak password during registration, but when they try to login using their email address in the future, they will be redirected to the IdP.

Describe the solution you'd like

The current experience is something like this:

[screenshot of the current registration flow]

It would be nice to support something like this:

[screenshot of the suggested registration flow]

In particular:

  • The user must enter their email address before being able to register, so that it can be checked for IdP discovery
  • The user cannot amend their email address during registration

Describe alternatives you've considered

No response

Anything else?

I am fairly new to Keycloak, so am unsure how much of this can be achieved already by configuring existing flows and editing templates.

There are probably some related complexities if a user can edit their profile in Keycloak and change their email address to/from one with a domain associated with an IdP.

@frasern frasern changed the title [Feature] Work nicely with KeyCloak registration flow [Feature] Work nicely with Keycloak registration flow Nov 10, 2022
sventorben (Owner) commented:

Hello @frasern,

thanks for this feature request.

I think most parts of your suggested flow can be achieved out of the box. You would have to change your login flow like this:
[screenshot of the login flow configuration]

To prevent registering email with configured domains, one could implement another authenticator that could be added to the registration flow, if needed.
And yes, there may be a lot of complexities. Email addresses may be changed in a lot of ways - changed in LDAP, changed in a user federation, changed via REST API, changed by other extensions. I do not think that it's possible to prevent all of them.

Regards
Sven-Torben

@sventorben sventorben self-assigned this Nov 10, 2022
@sventorben sventorben added documentation Improvements or additions to documentation enhancement New feature or request labels Nov 10, 2022
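An added example of the "another authenticator that could be added to the registration flow" mentioned above. This is not code from this thread or from the extension the issue belongs to; it is a Keycloak `FormAction` (plus its factory, in the same class) that fails registration when the email's domain is listed on an enabled identity provider. Assumptions: the IdP config key `home.idp.discovery.domains` with `##`-separated domains is taken as the discovery extension's convention but treated here as an assumption; the package, class name, provider id `home-idp-domain-registration-check` and message key `emailDomainHandledByIdp` are hypothetical; the imports target a Quarkus-based Keycloak (22 or later, `jakarta` namespace) where `RealmModel.getIdentityProvidersStream()` is still available. Matching is exact and case-insensitive; subdomains are not matched.

```java
// Added example, not part of the extension or the issue. Names and config key are assumptions.
package example.keycloak.registration;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

import jakarta.ws.rs.core.MultivaluedMap;
import org.keycloak.Config;
import org.keycloak.authentication.FormAction;
import org.keycloak.authentication.FormActionFactory;
import org.keycloak.authentication.FormContext;
import org.keycloak.authentication.ValidationContext;
import org.keycloak.events.Errors;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.provider.ProviderConfigProperty;

public class HomeIdpDomainRegistrationCheck implements FormAction, FormActionFactory {

    public static final String PROVIDER_ID = "home-idp-domain-registration-check"; // hypothetical id
    // Assumed IdP config key and separator; adjust to what your discovery setup actually uses.
    static final String DOMAINS_KEY = "home.idp.discovery.domains";
    static final String DOMAINS_SEPARATOR = "##";
    // Hypothetical message key; add it to the theme's messages_*.properties.
    static final String ERROR_MESSAGE = "emailDomainHandledByIdp";

    /** Lower-cased part after the last '@', or empty when the value is not an email. */
    static Optional<String> domainOf(String email) {
        if (email == null) return Optional.empty();
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) return Optional.empty();
        return Optional.of(email.substring(at + 1).trim().toLowerCase(Locale.ROOT));
    }

    /** First enabled IdP of the realm whose configured domain list contains exactly this domain. */
    static Optional<IdentityProviderModel> idpForDomain(RealmModel realm, String domain) {
        return realm.getIdentityProvidersStream()
                .filter(IdentityProviderModel::isEnabled)
                .filter(idp -> idp.getConfig() != null)
                .filter(idp -> Arrays.stream(idp.getConfig().getOrDefault(DOMAINS_KEY, "").split(DOMAINS_SEPARATOR))
                        .map(d -> d.trim().toLowerCase(Locale.ROOT))
                        .anyMatch(domain::equals))
                .findFirst();
    }

    @Override
    public void validate(ValidationContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        Optional<IdentityProviderModel> idp = domainOf(formData.getFirst(UserModel.EMAIL))
                .flatMap(d -> idpForDomain(context.getRealm(), d));
        if (idp.isPresent()) {
            // Users of this domain must authenticate at their home IdP; refuse a local password account.
            context.error(Errors.INVALID_REGISTRATION);
            context.validationError(formData,
                    List.of(new FormMessage(UserModel.EMAIL, ERROR_MESSAGE, idp.get().getAlias())));
            return;
        }
        context.success();
    }

    // Nothing to render; the check only runs on submit.
    @Override public void buildPage(FormContext context, LoginFormsProvider form) { }
    @Override public void success(FormContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }

    // FormActionFactory part: the action is stateless, so the factory returns itself.
    @Override public String getId() { return PROVIDER_ID; }
    @Override public FormAction create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public String getDisplayType() { return "Reject email domains handled by a home IdP"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
    }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Fails registration when the email domain is mapped to an identity provider."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
}
```

To use it, list the class in `META-INF/services/org.keycloak.authentication.FormActionFactory`, deploy the jar as a provider, and add the execution to the copied registration flow's Form-type subflow as Required, placed before "Registration User Creation" so the domain is refused before any user object is written. As the comment above notes, this only closes the self-registration path; email changes through LDAP, federation, the REST API or other extensions are not covered by it.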
sventorben added a commit that referenced this issue Nov 16, 2022
This helps to prefill the username/email field in registration forms

Relates to #115
nitin-vavdiya commented Feb 20, 2023

Dear @sventorben,
In this answer you added a step with the name 'Registration User Creation' just below the user registration flow.

I am not able to find the step with the name 'Registration User Creation'

ref:
[screenshot of the registration flow]

Can you guide me here?

sventorben commented Feb 21, 2023

@nitin-vavdiya When you add the subflow, make sure the flow type is Form and not Generic.

[screenshot of the subflow dialog with flow type Form]

sventorben commented Apr 26, 2023

Hello @frasern and @nitin-vavdiya!
Does this work for you now or do you still feel there is something missing here?

nitin-vavdiya commented May 10, 2023

Hey @sventorben
Sorry for the late reply.
Yes, it is working as expected after configuring the authentication flow.
Now, I do not want to allow new user creation when the user logs in with an IdP.
Let's say our application is not open to the public, so only invited users can log in (via password or IdP).
Now I added Google as an IdP provider, so any Google user can log in using Google IdP. I want to prevent this: if a user does not exist in Keycloak, then login should not be allowed.

Or alternatively, we could check first whether the user exists and then redirect the user to the IdP or the password form.

like this:

[screenshot of the proposed flow]

sventorben (Owner) commented:

@nitin-vavdiya You can implement this with Keycloak ootb. Simply make sure that your First Login Flow is configured accordingly.
