Is there a direct link available to the user self-registration page? It seems that it’s only accessible through the login page.
The workflow I’m trying to solve for is a “Register” or “Signup” button on a web page that then directs the user directly to the Keycloak registration page, without hitting the login page first.
Are you using the js adapter? There is a createRegisterUrl method that allows you to create the registration URL that will link you directly to the registration page. If not, it looks like (from the js adapter code) that the base registration URL is /protocol/openid-connect/registrations.
I would suggest using the JS adapter and looking at what the createRegisterUrl produces. If there have been changes that break your URL, they should be reflected in the updates to the adapters.
Just looking for a clean / supported way of programmatically signing up a user from a backend system.
Not sure if relying on the output of that createRegisterUrl JS adapter is the way to go? (if it can break in future versions)
We are currently using the Keycloak Java Admin API to create the user programmatically and trigger the UPDATE_PASSWORD action.
With this setup we can do the onboarding because Keycloak sends out an email that contains the URL below where a JWT is embedded containing the actions that are required for that particular user
But I didn’t find a Java API to generate such a URL for a user. That way we could handle sending the email ourselves. Is there such an API or should I look at a different solution (a custom authentication / registration flow perhaps?)
The Java adapter you are referring to is probably the Keycloak Java adapter that covers the OIDC-specific logic (authenticating users, interacting with OIDC clients). As all of that is now covered by the OIDC spec and lots of frameworks have good OIDC support, there probably was no longer a need for that Keycloak-specific adapter.
However, certain realm-admin aspects like creating and onboarding users are not covered by the OIDC spec and as such still need an API.
The Keycloak Admin REST Client still has a Java library that is still supported for 19.x releases (keycloak-admin-client). That one can be used to create resources like users and trigger actions (that end up sending emails). That’s what I am using now but might look into other extension points.
(notice how the /auth part is no longer present where it was present in earlier versions of Keycloak).
It’s a simple way to pop a registration page but there are some drawbacks:
- This doesn’t seem to be a documented / supported feature but rather just some internal URL that is used. I know the JS adapter generates it, but if you rely on a backend to generate such a URL, things can break with future Keycloak releases if they decide to change this URL.
- You need to open up registrations completely to all users (you cannot limit the invitation / registration to a specific user).
execute-actions-email REST call
An alternative is to use the execute-actions-email REST call, which allows you to have Keycloak send out an email for a particular Keycloak user containing a link allowing him/her to perform the signup / registration.
Advantages with that:
- You don’t need to open up the registration completely (in the realm settings you can disable registration).
- You can target specific users and put expirations on the signup link.
Disadvantage:
- Keycloak becomes responsible for sending out the email. If you want to have more control, this endpoint is not for you.
Other ways?
If you look at the code behind the execute-actions-email endpoint, the following is done to build that unique / user-specific / time-limited registration URL:
```java
// user, expiration, actions, redirectUri and clientId must be supplied by the caller.
KeycloakSession session; // retrieve the session somewhere.
RealmModel realm; // retrieve the realm model somewhere.
// The action token binds the user, the required actions and the expiry time.
ExecuteActionsActionToken token = new ExecuteActionsActionToken(user.getId(), user.getEmail(), expiration, actions, redirectUri, clientId);
UriBuilder builder = LoginActionsService.actionTokenProcessor(session.getContext().getUri());
// The serialized (signed) token travels in the "key" query parameter.
builder.queryParam("key", token.serialize(session, realm, session.getContext().getUri()));
String link = builder.build(realm.getName()).toString();
```
It might be possible to create a custom REST resource on Keycloak that you can call (using some kind of client credentials flow) that would allow you to return such a URL for a particular user (that’s what I am currently investigating).
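The targeted-invitation route discussed above (create the user with keycloak-admin-client, then call execute-actions-email with a lifespan while realm self-registration stays disabled), as an added example that is not part of the original posts or Keycloak's own code. The server URL, realm, client names, redirect URI and the KC_CLIENT_SECRET environment variable are placeholders, and it assumes the backend client's service account holds the manage-users role.

```java
import java.util.List;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.UserRepresentation;

public class InviteUser {
    // Placeholder values for illustration only.
    static final String SERVER = "https://sso.example.test";
    static final String REALM = "demo";
    static final String ADMIN_CLIENT = "onboarding-backend"; // confidential client with a service account
    static final String APP_CLIENT = "web-app";              // client the user returns to afterwards
    static final String REDIRECT = "https://app.example.test/welcome"; // must be a valid redirect URI of APP_CLIENT
    static final int LINK_LIFESPAN_SECONDS = 3600;           // short-lived invitation link

    public static void main(String[] args) {
        String email = args[0];
        // Client credentials grant: no admin username/password stored in the backend.
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl(SERVER)
                .realm(REALM)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(ADMIN_CLIENT)
                .clientSecret(System.getenv("KC_CLIENT_SECRET"))
                .build();
        try {
            UserRepresentation user = new UserRepresentation();
            user.setUsername(email);
            user.setEmail(email);
            user.setEnabled(true);
            // The account has no credential until the user completes this action.
            user.setRequiredActions(List.of("UPDATE_PASSWORD"));

            String userId;
            try (var response = kc.realm(REALM).users().create(user)) {
                // Throws if the server did not answer 201 Created (e.g. duplicate user).
                userId = CreatedResponseUtil.getCreatedId(response);
            }
            // Keycloak mails a link that is bound to this user and expires after the lifespan.
            kc.realm(REALM).users().get(userId)
              .executeActionsEmail(APP_CLIENT, REDIRECT, LINK_LIFESPAN_SECONDS,
                                   List.of("UPDATE_PASSWORD"));
        } finally {
            kc.close();
        }
    }
}
```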
Were you able to make any progress on this? It sounds like a possible solution for us. We want to create the user in our app and assign permissions. Then we send out an email with a magic link for them to register for a Keycloak account. We don’t want to pre-create them in Keycloak.