Keycloak - Terms and Conditions confusion

Hi, I am trying to configure ‘Terms and conditions’ on a realm, and I have some problems. I am running Keycloak 22.0.3.

  1. I set ‘Terms and Conditions’ as ‘Enabled’ and ‘Set as Default Action’ on Required Actions. When I did that I expected a default ‘terms and conditions’ page to appear after registration but nothing happened. Registration proceeded with the exact same steps as if I hadn’t enabled it. Is this normal? What is the purpose behind ‘Set as Default Action’ then?

  2. I duplicated the registration flow and managed to create a new registration flow that included ‘terms and conditions’ as a separate step. Changing the original registration flow was not possible (I am sort of ok with this). Now I have a checkbox asking me to accept terms and conditions. I suppose this is ok, but is this the correct way to do it?

  3. Obviously someone wants all new users to accept terms and conditions, even users that first login via an identity provider. I am puzzled on how to do it now. I duplicated the first-broker-login flow, and changed it so that there is an alternative flow that triggers terms and conditions. But now the user fills in his profile and then on the next step needs to refill all the info as if registering from the start.

So what is the proper way to make all users before their first login to accept terms and conditions?

“Default actions” are only applied to users when they are created. If you have a user that already exists, they won’t be given the action.

Yes, I am referring to users that are registering after the settings have changed and set the default action to true.

In case this is of any interest, I am using a custom user SPI and getting a warning in the logs about not being able to change read-only attributes.
(See this issue: "Attempt to edit denied attribute" error on user registration with Active Directory federation)

Yes, that’s an important point. The code here https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/authentication/requiredactions/TermsAndConditions.java#L87 tries to read and update a user attribute. If you are using a federation source that prohibits that, it won’t work as expected.


If it’s a custom User Storage SPI and you can modify the code, your user adapter could extend the AbstractUserAdapterFederatedStorage class, which is prepared to store additional attributes for an external user in Keycloak. Maybe you have to implement/overwrite a few more methods, but it would be the way to go.

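A minimal adapter along the lines of the suggestion above, added here as an example (it is not code from the thread or from the Keycloak project). The class name, the `ExternalUser` record and the read-only directory it wraps are hypothetical; the base class, constructor signature and `ReadOnlyException` are Keycloak's own.

```java
// Added example: a user adapter for a custom User Storage SPI that extends
// AbstractUserAdapterFederatedStorage. Attributes and required actions that
// Keycloak writes (for example the attribute used by the TermsAndConditions
// required action) are then persisted in Keycloak's federated storage instead
// of being pushed to a read-only external directory.
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

public class ReadOnlyDirectoryUserAdapter extends AbstractUserAdapterFederatedStorage {

    // Hypothetical representation of a user as read from the external directory
    public record ExternalUser(String username) {}

    private final ExternalUser external;

    public ReadOnlyDirectoryUserAdapter(KeycloakSession session, RealmModel realm,
                                        ComponentModel storageProviderModel,
                                        ExternalUser external) {
        // The base class needs the session, realm and the provider's component
        // model; it derives the federated user id from them plus getUsername().
        super(session, realm, storageProviderModel);
        this.external = external;
    }

    // getUsername()/setUsername() are the only abstract methods to implement.
    @Override
    public String getUsername() {
        return external.username();
    }

    @Override
    public void setUsername(String username) {
        // The hypothetical directory is read-only: reject the write explicitly
        // instead of silently ignoring it.
        throw new ReadOnlyException("username is read-only in the external directory");
    }

    // Everything else (getAttributes, setSingleAttribute, addRequiredAction,
    // getRequiredActionsStream, ...) is inherited from the base class, which
    // stores it through session.userFederatedStorage() keyed by this user's id.
}
```

Because required actions are also kept in federated storage, the "Set as Default Action" aliases can be attached to such an adapter without touching the external directory.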

Hi, and thanks for the answers. Indeed the custom User SPI needs to specifically enable required actions after user creation. This is not very clear in the docs. So one needs to add something along the following lines to add required actions after the user is created (I am adding it in case someone needs it).

In your StorageProvider class:

```java
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.UserModel;

@Override
public UserModel addUser(RealmModel realm, String username) {
    // create the user in the external store and wrap it in your user adapter
    // (createUserAdapter is a placeholder for your own code)
    UserModel userAdapter = createUserAdapter(realm, username);

    // Required actions marked "Set as Default Action" are not attached
    // automatically to users created by a custom storage provider,
    // so add them here:
    realm.getRequiredActionProvidersStream()
        .filter(RequiredActionProviderModel::isEnabled)
        .filter(RequiredActionProviderModel::isDefaultAction)
        .map(RequiredActionProviderModel::getAlias)
        .forEach(userAdapter::addRequiredAction);

    return userAdapter;
}
```