How to restrict registration to specific email domains?

Hello,

I would like to restrict the registration process only to specific email domains.
E.g., only accept registration from *@adomain.com or *@anotherdomain.org and reject all other registrations.
I’m not able to find a way to achieve that.

Do you have any clue ?

Regards,

Greg

I don’t think there is anything in Keycloak to do that. I made an extension to do just that (whitelist email domain for registration) here:

But there may be better ways.

Thanks for your suggestion ! I will have a look

There is also a community design proposal, which should solve your issue too. https://github.com/keycloak/keycloak-community/blob/master/design/user-profile.md. You can have a look and add some feedback if you want, so that it meets your requirements. There is already some feedback here.

@micedre, thanks for posting the link to your custom extension. Does this work with Keycloak - Version 11.0.3 ?

TIA!

Yes, it works. We use it with this version.

Uhm, somehow I had no luck with making it work with 11.0.3. Here are the steps I followed …

git clone https://github.com/micedre/keycloak-mail-whitelisting.git
mvn compile
mvn package
copied new .jar file to the deployments folder

the server.log file shows

2020-12-04 12:35:26,919 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of “keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar” (runtime-name: “keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar”)
2020-12-04 12:35:26,946 WARN [org.jboss.as.dependency.private] (MSC service thread 1-8) WFLYSRV0018: Deployment “deployment.keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar” is using a private module (“org.keycloak.keycloak-server-spi-private”) which may be changed or removed in future versions without notice.
2020-12-04 12:35:26,946 WARN [org.jboss.as.dependency.private] (MSC service thread 1-8) WFLYSRV0018: Deployment “deployment.keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar” is using a private module (“org.keycloak.keycloak-services”) which may be changed or removed in future versions without notice.
2020-12-04 12:35:26,947 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-3) Deploying Keycloak provider: keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar
2020-12-04 12:35:26,955 WARN [org.keycloak.services] (MSC service thread 1-3) KC-SERVICES0047: registration-mail-check-action (net.micedre.keycloak.registration.RegistrationProfileWithMailDomainCheck) is implementing the internal SPI form-action. This SPI is internal and may change without notice
2020-12-04 12:35:26,991 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed “keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar” (runtime-name : “keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar”)

but I still don’t see it available under the flows

What am I missing here?

Thanks @micedre !

You need to add the execution to Profile Validation, not to the root of the flow :

This should display a list like this :

Let me know if it still doesn’t work.

Got it!

Works, great :slight_smile:

Thanks for the guidance @micedre

Hello @micedre how can I get the jar file?

Here https://github.com/micedre/keycloak-mail-whitelisting/releases/download/1.0/keycloak-registration-mail-restrict-1.0.jar

I will release another version soon, I think

Thanks mate, looking forward to the next release

here https://github.com/micedre/keycloak-mail-whitelisting/releases/download/1.1/keycloak-mail-whitelisting-1.1.jar

With new glob syntax (thanks to @ChloeTigre) and some error checking.

Thanks!

Is there any trick to limit (like regex) domain exactly as listed in the whitelist?

Like, if we whitelist yahoo(dot)com, then ayahoo.com or us.yahoo.com should be invalid email domain

Just type yahoo.com in the config:

This should do exactly what you want.
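
The exact-match behaviour asked about above, as an added example (not part of the thread and not the extension's own code). It assumes `*` is the only wildcard and that an entry without `*` must equal the whole domain; the class name `DomainAllowlist` and the sample addresses are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added illustration: a stand-alone allowlist check, independent of Keycloak's APIs.
// Assumption: '*' is the only glob wildcard; everything else is a literal character.
public class DomainAllowlist {
    private final List<Pattern> patterns;

    public DomainAllowlist(List<String> globs) {
        patterns = globs.stream().map(DomainAllowlist::compile).collect(Collectors.toList());
    }

    // Quote each literal run so '.' stays a literal dot; only '*' becomes ".*".
    private static Pattern compile(String glob) {
        StringBuilder re = new StringBuilder();
        String[] parts = glob.trim().toLowerCase(Locale.ROOT).split("\\*", -1);
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) re.append(".*");
            re.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(re.toString());
    }

    public boolean isAllowed(String email) {
        if (email == null) return false;
        // Take the domain after the LAST '@' so "a@yahoo.com@other.test" is judged on other.test.
        int at = email.lastIndexOf('@');
        if (at < 1 || at == email.length() - 1) return false; // missing local part or domain
        String domain = email.substring(at + 1).toLowerCase(Locale.ROOT);
        // matches() is anchored at both ends: "yahoo.com" cannot match
        // "ayahoo.com" (prefix added) or "us.yahoo.com" (subdomain).
        return patterns.stream().anyMatch(p -> p.matcher(domain).matches());
    }

    public static void main(String[] args) {
        // Constructed sample allowlist and addresses.
        DomainAllowlist list = new DomainAllowlist(Arrays.asList("yahoo.com", "*.example.org"));
        for (String e : Arrays.asList("bob@yahoo.com", "bob@YAHOO.COM", "bob@ayahoo.com",
                "bob@us.yahoo.com", "bob@yahooXcom", "bob@mail.example.org",
                "bob@example.org", "bob@yahoo.com@other.test")) {
            System.out.println(e + " -> " + list.isAllowed(e));
        }
    }
}
```

With this logic `*.example.org` accepts subdomains only; the bare `example.org` needs its own entry.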

Would you please share the last stable jar file? Thank you

Sure, here Central Repository: net/micedre/keycloak/keycloak-mail-whitelisting/1.3.3

Releases are pushed to maven central, I’ll also publish next releases to github.

Also, if you are using the latest versions of Keycloak, it may be better to use the new features around user profiles to whitelist, or blacklist user emails (and do so much more :slight_smile: )

Thank you for the module. It is very helpful! =)