Implementing a Combined Password Reset and SSO Login Flow for Invited Users

I’m working on implementing a registration flow and would appreciate some guidance. Here’s what I’m aiming to achieve:

  1. A new user is created via the Keycloak Admin REST API with a temporary password.
  2. The user receives an invitation email containing the temporary password and a link to a login page.
  3. Upon clicking the link, the user is directed to a page where they can either:
  • Set a new password (after their temporary password has been automatically validated), or
  • Log in using Single Sign-On (SSO).

The challenge:

Once the user has authenticated with the temporary password, Keycloak considers the user as logged in. At this point, redirecting the user to the SSO login flow becomes problematic because they are already seen as authenticated.

Desired outcome:

I want to provide a seamless experience where the user can click an invitation link and be taken directly to a page where they have the option to either:

  • Set a new password (post temporary password authentication), or
  • Log in via SSO.

I want to avoid redirecting the user back to the main login page after they’ve entered the temporary password. This approach would force the user to choose between entering their temporary password again or selecting SSO, which I believe is not an optimal user experience.

Question:

Is there a recommended way to implement this flow? I want to ensure that users have the ability to either set a new password or log in with SSO on the same page, without forcing them through additional redirects or repetitive steps.

Thank you in advance for any suggestions or guidance!
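Added example, not from the original post: the admin-side part of step 1 in Python against the Keycloak Admin REST API, assuming an admin access token has already been obtained and that the realm, client id and redirect URI are placeholder values. It marks the credential as temporary and adds UPDATE_PASSWORD as a required action, so Keycloak itself refuses to let the temporary password persist, and it uses Keycloak's execute-actions-email endpoint to issue a time-limited action link; the HTTP transport is injectable so the call sequence can be checked offline.

```python
"""Invite a user via the Keycloak Admin REST API with a temporary password
that Keycloak forces the user to replace before the session is usable."""
import json
import urllib.parse
import urllib.request


def build_user_payload(username: str, email: str, temp_password: str) -> dict:
    """UserRepresentation for POST /admin/realms/{realm}/users.
    temporary=True plus the UPDATE_PASSWORD required action means the
    invitation secret can only be used once, to set a real password."""
    return {
        "username": username,
        "email": email,
        "enabled": True,
        "emailVerified": False,
        "credentials": [{"type": "password", "value": temp_password, "temporary": True}],
        "requiredActions": ["UPDATE_PASSWORD"],
    }


def http_json(method: str, url: str, token: str, body):
    """Default transport: JSON request with the admin bearer token.
    Returns (status, response headers)."""
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers)


def invite_user(base_url, realm, token, username, email, temp_password,
                client_id, redirect_uri, lifespan_s=43200, transport=http_json):
    """Create the user, then ask Keycloak to email an action-token link.
    redirect_uri must be a registered redirect URI of client_id, otherwise
    Keycloak rejects the request. Returns the new user's id."""
    users_url = f"{base_url}/admin/realms/{realm}/users"
    status, headers = transport("POST", users_url, token,
                                build_user_payload(username, email, temp_password))
    if status != 201:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    # Keycloak returns the new resource in the Location header.
    user_id = headers["Location"].rstrip("/").rsplit("/", 1)[-1]
    query = urllib.parse.urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "lifespan": lifespan_s})
    # The emailed link carries a single-use action token that expires after
    # lifespan seconds; the user lands on redirect_uri once the action is done.
    status, _ = transport("PUT", f"{users_url}/{user_id}/execute-actions-email?{query}",
                          token, ["UPDATE_PASSWORD"])
    if status != 204:
        raise RuntimeError(f"execute-actions-email failed: HTTP {status}")
    return user_id
```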