First broker login - Verify Existing Account By Email


I am trying to build the ‘First broker login’ flow with an option to allow users to confirm the link with Idp by either re-authorizing to the Keycloak (Username Password Form For Identity Provider Reauthentication ) or by sending a link to the email address (Detect Existing Broker UserVerify Existing Account By Email).

The problem is when the user clicks on the link from the Link to confirm account linking from the email it’s being asked to input its credentials. This makes no sense, as the user is already decided to go with the email confirmation flow. For me, it sounds like Keycloak re-starts the complete flow once the user clicks on a link in the email.

Is it possible to skip the re-inputting of the credentials in this case and link the user automatically?

Kind regards

I believe this is how the default action token handler functions in this case. If the user has an existing authentication session, it will join that. If not, it will prompt the user for his credentials. If you build your own action token and action token handler, it would be possible to override that behavior.

1 Like

Not sure about it, because the user is already authenticated while prompted to re-input credentials. The re-authorization page already shows the correct username.

Please, help me understand:

If you build your own action token and action token handler

Do you mean to say - having a custom Email Verification authenticator, correct?

Kind regards

Yes. More information on writing your own action token handler can be found here Server Developer Guide

I am just commenting on the email address verification link, not on the Split Flow.
My understanding is that a link sent by email will try to start an authentication from scratch (the link may be days old), but bear in mind that the link contains a token identifying the user. It will just perform the switch of the user attribute „emailverified“ to true.
If now this is the same Browser that was used before, potentially the authentication continues and may ask the user for credentials…
I try to say that you may experience a working functionality, just the next step is unwanted.
To influence the behavior, build your own Authenticator and implement what you need in there.

Hello, thank you for the feedback! Yes, sounds logical that there could be a delay between starting the linking and email confirmation.

The problem is that some of my users might not have passwords on their records, so this email flow is a special case for them to avoid entering the credentials. I will try to implement the Authenticator as you suggested