[Feature] Work nicely with Keycloak registration flow
frasern opened this issue · 6 comments
Is there an existing feature request for this?
- I have searched the existing issues
Is your feature related to a problem? Please describe.
When user registration is enabled in Keycloak, a user can create an account using an email address whose domain is associated with an IdP for discovery.
This means they set a Keycloak password during registration, but when they try to log in using their email address in the future, they will be redirected to the IdP.
Describe the solution you'd like
The current experience is something like this:
It would be nice to support something like this:
In particular:
- The user must enter their email address before being able to register, so that it can be checked for IdP discovery
- The user cannot amend their email address during registration
Describe alternatives you've considered
No response
Anything else?
I am fairly new to Keycloak, so am unsure how much of this can be achieved already by configuring existing flows and editing templates.
There are probably some related complexities if a user can edit their profile in Keycloak and change their email address to/from one with a domain associated with an IdP.
Hello @frasern,
thanks for this feature request.
I think most parts of your suggested flow can be achieved out of the box. You would have to change your login flow like this:
To prevent registering email with configured domains, one could implement another authenticator that could be added to the registration flow, if needed.
And yes, there may be a lot of complexities. Email addresses may be changed in a lot of ways: changed in LDAP, changed in a user federation, changed via REST API, changed by another extension. I do not think that it's possible to prevent all of them.
Regards
Sven-Torben
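The "another authenticator" mentioned above, as an added illustration (not code from this thread or from any Keycloak project): a Keycloak `FormAction` that can be added to the registration form subflow and rejects sign-up when the email's domain is on a configured list of IdP-owned domains. The package name, the config key `federated.email.domains`, the message key `federatedDomainError`, and the Jakarta vs. javax import are assumptions; the `FormActionFactory` that registers it is not shown.

```java
package com.example.keycloak; // hypothetical package, not part of any Keycloak project

import java.util.*;
import java.util.stream.Collectors;
import jakarta.ws.rs.core.MultivaluedMap; // javax.ws.rs.core on Keycloak versions before 22
import org.keycloak.authentication.*;
import org.keycloak.events.Errors;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.*;
import org.keycloak.models.utils.FormMessage;

/** Rejects self-registration when the email domain belongs to an external IdP. */
public class BlockFederatedDomainFormAction implements FormAction {
    // Hypothetical authenticator config key: comma-separated list of IdP-owned domains.
    static final String CONFIG_DOMAINS = "federated.email.domains";

    @Override
    public void validate(ValidationContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        String email = formData.getFirst("email"); // field name of the standard registration form
        if (email != null && isFederatedDomain(email, configuredDomains(context.getAuthenticatorConfig()))) {
            context.error(Errors.INVALID_REGISTRATION); // recorded in the realm's event log
            // "federatedDomainError" is a message key assumed to be added to the theme's message bundle
            context.validationError(formData, List.of(new FormMessage("email", "federatedDomainError")));
            return;
        }
        context.success();
    }

    static Set<String> configuredDomains(AuthenticatorConfigModel config) {
        String raw = config == null ? null : config.getConfig().get(CONFIG_DOMAINS);
        if (raw == null || raw.isBlank()) return Set.of();
        return Arrays.stream(raw.split(",")).map(d -> d.trim().toLowerCase(Locale.ROOT))
                .filter(d -> !d.isEmpty()).collect(Collectors.toSet());
    }

    static boolean isFederatedDomain(String email, Set<String> domains) {
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) return false; // malformed: leave it to the email validator
        String domain = email.substring(at + 1).trim().toLowerCase(Locale.ROOT);
        return domains.contains(domain); // exact match only; subdomains must be listed explicitly
    }

    @Override public void buildPage(FormContext context, LoginFormsProvider form) { }
    @Override public void success(FormContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because the check runs only on the registration form, it does not cover the other paths Sven-Torben lists (LDAP, user federation, REST API); those still need to be controlled separately.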
Dear @sventorben,
In this answer you added a step with the name 'Registration User Creation' just below the user registration flow.
I am not able to find the step with the name 'Registration User Creation'.
Can you guide me here?
@nitin-vavdiya When you add the subflow, make sure the flow type is Form and not Generic.
Hello @frasern and @nitin-vavdiya!
Does this work for you now or do you still feel there is something missing here?
Hey @sventorben
Sorry for the late reply.
Yes, it is working as expected after configuring the authentication flow.
Now, I do not want to allow new user creation when the user logs in with an IDP.
Let's say our application is not open to the public, so only invited users can log in (via password or IDP).
Now I added Google as an IDP provider, so any Google user can log in using Google IDP. I want to prevent this: if a user does not exist in Keycloak, then login should not be allowed.
Or alternatively, we can check first whether the user exists and then redirect the user to the IDP or password form.
like this:
@nitin-vavdiya You can implement this with Keycloak ootb. Simply make sure that your First Login Flow is configured accordingly.