Direct registration page link?

Is there a direct link available to the user self-registration page? It seems that it’s only accessible through the login page.

The workflow I’m trying to solve for is a “Register” or “Signup” button on a web page that then directs the user directly to the Keycloak registration page, without hitting the login page first.

Is that possible?

Are you using the JS adapter? There is a createRegisterUrl method that allows you to create the registration URL that will link you directly to the registration page. If not, it looks like (from the JS adapter code) the base registration URL is /protocol/openid-connect/registrations.

In early versions of Keycloak (last one I tried where this worked was v13), the following URL worked to pop the registration page:

http://<domain.com>/auth/realms/<realm-name>/protocol/openid-connect/registrations?client_id=<client_id>&response_type=code&scope=openid email&redirect_uri=http://<domain.com>/<redirect-path>&kc_locale=<two-digit-lang-code>

However, this was never really documented and could have been an internal URL. I also noticed it’s no longer working in recent versions of Keycloak.

I would suggest using the JS adapter and looking at what the createRegisterUrl produces. If there have been changes that break your URL, they should be reflected in the updates to the adapters.

Just looking for a clean / supported way of programmatically signing up a user from a backend system.
Not sure if relying on the output of that createRegisterUrl JS adapter is the way to go? (if it can break in future versions)

We are currently using the Keycloak Java Admin API to create the user programmatically and trigger the UPDATE_PASSWORD action.

With this setup we can do the onboarding because Keycloak sends out an email that contains the URL below, where a JWT is embedded containing the actions that are required for that particular user:

http://localhost:8080/realms/custom-realm/login-actions/action-token?key=jwt_token

But I didn’t find a Java API to generate such a URL for a user. That way we could handle sending the email ourselves. Is there such an API, or should I look at a different solution (a custom authentication / registration flow, perhaps?)

AFAIK the JS adapter is always going to be updated and kept in sync with the current release. Reference docs are here: Securing Applications and Services Guide

The Java adapter was deprecated, so I don’t know a way to do it programmatically, unless you are doing it from a Keycloak extension.

The Java adapter you are referring to is probably the Keycloak Java adapter that covers the OIDC-specific logic (authenticating users, interacting with OIDC clients). As all of that is now covered by the OIDC spec and lots of frameworks have good OIDC support, there probably was no longer a need for that Keycloak-specific adapter.

However, certain realm-admin aspects like creating and onboarding users are not covered by the OIDC spec and as such still need an API.

The Keycloak Admin REST Client still has a Java library that is still supported for 19.x releases (keycloak-admin-client). That one can be used to create resources like users and trigger actions (that end up sending emails). That’s what I am using now but might look into other extension points.

1 Like

Turns out that if you enable registration on your realm you can still generate a URL like this:

Direct registration url

http://<domain.com>/realms/<realm-name>/protocol/openid-connect/registrations?client_id=<client_id>&response_type=code&scope=openid email&redirect_uri=http://<domain.com>/<redirect-path>&kc_locale=<two-digit-lang-code>

(Notice how the /auth part is no longer present where it was present in earlier versions of Keycloak.)

It’s a simple way to pop a registration page but there are some drawbacks:

  • This doesn’t seem to be a documented / supported feature but rather just some internal URL that is used. I know the JS adapter generates it, but if you rely on a backend to generate such a URL, things can break with future Keycloak releases if they decide to change this URL.
  • You need to open up registrations completely to all users (you cannot limit the invitation / registration to a specific user).

execute-actions-email REST call

An alternative is to use the execute-actions-email REST call, which allows you to have Keycloak send out an email for a particular Keycloak user containing a link allowing him/her to perform the signup / registration.

Advantages with that:

  • You don’t need to open up the registration completely. (on the realm settings you can disable registration).
  • You can target specific users and put expirations on the signup link.

Disadvantage:

  • Keycloak becomes responsible for sending out the email. If you want to have more control, this endpoint is not for you.

Other ways?

If you look at the code behind the execute-actions-email endpoint, the following is done to build that unique / user-specific / time-limited registration URL:

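KeycloakSession session; // retrieve the session somewhere.
RealmModel realm; // retrieve the realm model somewhere.
// user, expiration (absolute time in seconds), actions, redirectUri and clientId come from the caller.
ExecuteActionsActionToken token = new ExecuteActionsActionToken(user.getId(), user.getEmail(), expiration, actions, redirectUri, clientId);
// Base URI of the login-actions/action-token endpoint for the current request.
UriBuilder builder = LoginActionsService.actionTokenProcessor(session.getContext().getUri());
// The serialized (signed) token goes into the "key" query parameter.
builder.queryParam("key", token.serialize(session, realm, session.getContext().getUri()));
String link = builder.build(realm.getName()).toString();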

It might be possible to create a custom REST resource on Keycloak that you can call (using some kind of client credentials flow) that would allow you to return such a URL for a particular user (that’s what I am currently investigating).

2 Likes
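The two options compared in the post above, as an added example that is not part of the thread or of Keycloak's own code: a builder for the direct registration URL (with and without the old /auth prefix) and a builder for the execute-actions-email Admin REST request. Function names, hosts and sample values are hypothetical; sending a `state` value is an assumption that follows the usual authorization-code request.

```javascript
// Added example: helper names are hypothetical, not Keycloak APIs.
// legacyAuthPrefix=true reproduces the older "/auth" base path from the thread.
function serverRoot(baseUrl, legacyAuthPrefix = false) {
  return baseUrl.replace(/\/+$/, "") + (legacyAuthPrefix ? "/auth" : "");
}

// Direct registration URL (undocumented endpoint; realm must allow registration).
// URLSearchParams encodes the space in "openid email" and the redirect URI.
function buildRegistrationUrl({ baseUrl, realm, clientId, redirectUri, state, locale, legacyAuthPrefix }) {
  if (!state) throw new Error("state is required: generate it per request and bind it to the session");
  const url = new URL(
    `${serverRoot(baseUrl, legacyAuthPrefix)}/realms/${encodeURIComponent(realm)}` +
      "/protocol/openid-connect/registrations"
  );
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: "code",
    scope: "openid email",
    redirect_uri: redirectUri,
    state,
    ...(locale ? { kc_locale: locale } : {}),
  }).toString();
  return url.toString();
}

// execute-actions-email: targets one existing user, link expires after lifespanSeconds.
// The caller still has to add an "Authorization: Bearer <admin token>" header.
function buildExecuteActionsEmailRequest({ baseUrl, realm, userId, clientId, redirectUri, lifespanSeconds, actions, legacyAuthPrefix }) {
  if (!Array.isArray(actions) || actions.length === 0) {
    throw new Error("at least one required action, e.g. UPDATE_PASSWORD");
  }
  const url = new URL(
    `${serverRoot(baseUrl, legacyAuthPrefix)}/admin/realms/${encodeURIComponent(realm)}` +
      `/users/${encodeURIComponent(userId)}/execute-actions-email`
  );
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    lifespan: String(lifespanSeconds),
  }).toString();
  return {
    method: "PUT",
    url: url.toString(),
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(actions), // request body is a JSON array of required actions
  };
}
```
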

Were you able to make any progress on this? It sounds like a possible solution for us. We want to create the user in our app and assign permissions. Then we send out an email with a magic link for them to register for a Keycloak account. We don’t want to pre-create them in Keycloak.