Can registering users stay disabled first?


For a client that wanted to replace Okta for an undisclosed reason, we have proposed Keycloak. Upon configuration we now bump into an issue that when self registration is allowed, the users are by default active/enabled.

Okta has the option to define registration flows (e.g. to set up validation of the user registration). Is there a way to achieve something similar with Keycloak? If not, we might have made the wrong choice.

Ideal scenario: how can we set up self registration to keep users disabled and have a mail sent to an administrator who can enable the user after verification?

Worst case, I think we might need to set up an additional service endpoint that collects the user registration, creates the user by means of the REST API, and sends a notification to the administrator to invite him for account approval. I hope that won’t be needed.

Thx for any advice.



Hi Pieter,

Seems similar to this one on the mailing list: !topic/keycloak-user/NRnThOL-iiw

Thanks. I was thinking that I could maybe let the users register and assign a default group, which still cannot access the content. Then the admins could add the user to another group that has access to the content. Would that be a possible scenario?

This might be a viable way.
I did something similar at one customer of mine - without a role, a user can log in, but sees nothing but a “hi, nice to see you” page. After the user gets a role, he can access the application.


Do you happen to know how a default role could be given to a user based on the client on which he initiated his registration?

I don’t know any functionality of Keycloak supporting this.
But you can try to use an EventListener SPI to achieve something like that, don’t know if it’ll work.
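
The role-gated workaround described in the replies above (a user can log in, but sees only a landing page until an admin grants a role), sketched on the application side as an added example that is not part of the original thread. It assumes the Keycloak access token was already signature- and expiry-checked by a JWT library; the client id `portal` and the role `content-reader` are hypothetical names.

```python
# Added example: application-side gate for "registered but not yet approved".
# Assumption: 'claims' is the decoded payload of an already verified Keycloak
# access token; this code only interprets the role claims, it verifies nothing.

PENDING = "pending-approval"   # show only the "nice to see you" page
GRANTED = "granted"            # show the application


def _roles(container):
    """Return the 'roles' list of a claim object, or [] if absent or malformed."""
    if not isinstance(container, dict):
        return []
    roles = container.get("roles")
    if not isinstance(roles, list):   # a bare string must not pass an 'in' check
        return []
    return [r for r in roles if isinstance(r, str)]


def token_roles(claims, client_id):
    """Collect realm roles and the roles scoped to one client from the claims."""
    realm = _roles(claims.get("realm_access"))
    resource_access = claims.get("resource_access")
    client = []
    if isinstance(resource_access, dict):
        client = _roles(resource_access.get(client_id))
    return set(realm), set(client)


def access_decision(claims, client_id, required_role):
    """Fail closed: anything but an explicit role grant is treated as pending.

    A role of the same name on a different client does not count.
    """
    realm, client = token_roles(claims, client_id)
    if required_role in client or required_role in realm:
        return GRANTED
    return PENDING


# Constructed sample claims (hypothetical values, not taken from the thread).
NEW_USER = {"sub": "u-1", "realm_access": {"roles": ["offline_access"]}}
APPROVED = {"sub": "u-2", "resource_access": {"portal": {"roles": ["content-reader"]}}}
OTHER_CLIENT = {"sub": "u-3", "resource_access": {"billing": {"roles": ["content-reader"]}}}
MALFORMED = {"sub": "u-4", "resource_access": {"portal": {"roles": "content-reader"}}}
```

Accepting a realm role with the same name as the client role is a design choice of this sketch; drop the `realm` check if only client-scoped grants should open the application.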