Is Keycloak suitable for managing the authentication in a public-facing website? The website allows everyone to register using a custom UI implemented in our application, but then user creation as well as email verification and later login/logout are handled with Keycloak.
When I joined this project, the decision had already been made, but right now we are having trouble making Keycloak behave in a more expected way for public internet users:
- Redirecting to the client application after the email is verified
- Verifying the email right after the link is clicked (not showing the user a screen for that purpose)
- Changing various email messages (this one, I know, can be done by modifying template files)
So, again, this is not a corporate web application; it's a public website that allows general internet users to register and use the product, and it'll be important to make every step of their initial interaction with the software as seamless as possible.
Thanks for your advice
Yes, Keycloak can be used for public-facing websites; why shouldn't it be?
Keycloak is not only for corporate websites; it's there to make life easy for every application.
The troubles you mentioned can be solved by the following:
- Make sure the redirect URL of your client in Keycloak points to the client application's URL.
- When user email verification is enabled, it will show you a screen when it doesn't find a session for your registered user. Otherwise it will log you in the moment you click the link. Try clicking the link in an incognito window or another browser and you will see the confirm page.
- You can change the email templates by changing the template files in a theme. Take a look at https://github.com/zonaut/keycloak-extensions and read the README files of theme-minimal and/or spi-mail-template-override if you want to add extra variables to them.
Don't let "as seamless as possible" dictate how secure an application can be.
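The first point in the answer above (the client's registered redirect URL must point at the client application) is where a public registration flow most often trades security for convenience: a loose entry such as `*` or a host-only prefix turns the identity provider into an open redirector, and the post-verification redirect then delivers the user, and potentially the authorization code, to wherever an attacker chooses. The check below is an added example written for this thread, not Keycloak's own matching code: it shows the strict comparison a practitioner wants (scheme, host and port compared exactly after normalization; userinfo and fragments rejected; path prefixes only under an explicit trailing `/*`; a bare `*` never honoured). The registered and candidate URIs are constructed for illustration.

```python
"""Strict redirect-URI allowlist check for an OAuth/OIDC client.

Added example for the thread above; this is not Keycloak's implementation.
All URIs below are constructed for illustration.
"""
import posixpath
from typing import List, Optional
from urllib.parse import SplitResult, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(uri: str) -> Optional[SplitResult]:
    """Canonicalise a URI for comparison, or return None if it can never be a
    legitimate redirect target.

    - scheme and host are lower-cased, a default port is dropped
    - userinfo ('https://app.example.com@evil.tld/') and fragments are rejected
    - '.' and '..' path segments are collapsed so '/cb/../admin' cannot hide
      behind a '/cb/*' prefix
    Raises ValueError on a malformed port; callers treat that as a reject.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    port = parts.port  # ValueError if the port is not numeric
    if port == DEFAULT_PORTS[scheme]:
        port = None
    netloc = parts.hostname.lower() + (f":{port}" if port else "")
    path = posixpath.normpath(parts.path or "/")
    return SplitResult(scheme, netloc, path, parts.query, "")


def redirect_allowed(candidate: str, registered: List[str]) -> bool:
    """Return True only if `candidate` matches one registered entry.

    Exact entries must match scheme, host, port, path and query.  An entry
    ending in '/*' matches the same origin and a path that is equal to, or
    nested below, the prefix (query string ignored).  A bare '*' is skipped
    on purpose: honouring it would accept any destination on the internet.
    """
    try:
        cand = _normalize(candidate)
    except ValueError:
        return False
    if cand is None:
        return False

    for entry in registered:
        if entry.strip() == "*":
            continue  # refuse the 'anything goes' wildcard outright
        try:
            if entry.endswith("/*"):
                base = _normalize(entry[:-2])
                if base is None:
                    continue
                prefix = base.path.rstrip("/")
                same_origin = (cand.scheme, cand.netloc) == (base.scheme, base.netloc)
                under_prefix = cand.path == base.path or cand.path.startswith(prefix + "/")
                if same_origin and under_prefix:
                    return True
            else:
                reg = _normalize(entry)
                if reg is not None and cand == reg:
                    return True
        except ValueError:
            continue  # a malformed registered entry can never match
    return False


if __name__ == "__main__":
    # Constructed client configuration: one exact callback, one verified-landing prefix.
    REGISTERED = [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/verified/*",
    ]
    for uri in [
        "https://app.example.com/oauth/callback",              # exact match
        "https://APP.example.com:443/oauth/callback",          # same after normalisation
        "https://app.example.com/verified/welcome",            # allowed by the /* prefix
        "https://app.example.com/verified/../admin",           # path traversal out of prefix
        "https://app.example.com.evil.tld/oauth/callback",     # look-alike host
        "https://app.example.com@evil.tld/oauth/callback",     # userinfo trick
        "http://app.example.com/oauth/callback",               # scheme downgrade
    ]:
        print(f"{redirect_allowed(uri, REGISTERED)!s:5}  {uri}")
```

The exact-match branch is the one to prefer for a public site: register the precise post-verification landing URL and the precise OAuth callback, and reserve the `/*` form for the rare case where the application genuinely needs several landing paths under one directory.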
This is reassuring. I'll try to fix our existing flow.