[keycloak-user] register new user; redirect to specific client url

Marek Posolda mposolda at redhat.com
Tue Sep 24 09:52:55 EDT 2019


On 24. 09. 19 15:27, John Norris wrote:
> Thanks for this Marek.
>  "Use the single redirect URL as an "entry point" of your 
> application." How would the application know that it had come from new 
> user registration? I already have a root URL set for the client?
> What would be useful is if return from new user mapped to a particular 
> endpoint. Could I raise that as an enhancement? So within keycloak 
> client admin, with the allow registration switch, add an endpoint as well.

Assume you always have a single redirect-uri and process both "new user" 
and "old user" requests. Your application may need to:

- Take a look at the ID Token and parse its content
- If you have some DB of user data, you can then check your DB to see 
if the user is known. If not, you know that it's maybe a registration of a new user
- If you don't have any DB with user data, you can possibly check the 
token and look if some claim like "createdDate" exists in the token and 
corresponds with the latest time (or is close to it). This can help to 
decide if it's a new user or not. The "createdDate" is not added to the token 
by default AFAIK, but you can possibly add a protocolMapper to your 
client. In the tab "Client Scope" of the client in the Keycloak admin console, 
you can test what the token will look like and if it contains the 
"createdDate" claim with the expected value.

I would personally try to do something along those lines.

Marek

> Regards
> John
>
> ------------------------------------------------------------------------
> *From:* Marek Posolda <mposolda at redhat.com>
> *Sent:* Tuesday, September 24, 2019 1:28:17 PM
> *To:* John Norris <johnnorris-10 at outlook.com>; 
> keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] register new user; redirect to specific 
> client url
> Not sure I understand the use-case 100% correctly, but I think you can:
>
> - Implement EventListener, which will allow you to do some callback when
> registration of new user happens in Keycloak. For example add some role
> or other data specific to your application to the DB used by your
> application
> - Use the single redirect URL as an "entry point" of your application.
> Or eventually use something like servlet filter (if your application is
> servlet based) or something similar. That may allow you to double-check
> the content of the IDToken and check if the user is "known" to your DB
> (then it's not a new user) or it is an unknown user (hence a newly registered
> user). You can also check the "createdDate" of the user in the token and
> compare it with the current time.
>
> Hopefully some of those options (or some slight variant of it) will work
> for your use-case.
>
> Marek
>
> On 22. 09. 19 13:36, John Norris wrote:
> > I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
> > Within the client, I have switched on user registration. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
> > This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
> > What I would like to happen is to be able to add the new user to the app's own user database, associate a role with the user, perhaps do some verification of the user.
> > So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak after a new registration contact this url where things can happen within the app?
> >
> > I realise that I could set a default role. But I really want a way of telling keycloak to go to a specific URL after a new user registration is completed.
> >
> > Regards,
> >
>
>
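
The single entry point check described in the reply above, as an added example that is not part of the original thread or of Keycloak's code. It assumes the ID token was already verified (signature, issuer, audience, expiry) by the application's OIDC library and that a protocol mapper emits "createdDate" as epoch milliseconds; the function names, window and default role are hypothetical.

```python
import time

# Assumptions (not from the thread): `claims` is the payload of an ID token that the
# OIDC library has already verified; "createdDate" is epoch milliseconds added by a
# protocol mapper; all function names and constants below are hypothetical.
NEW_USER_WINDOW_S = 120   # how recent "createdDate" must be to count as a registration
CLOCK_SKEW_S = 30         # tolerated clock difference between Keycloak and the app


def created_recently(claims, now=None):
    """True/False if "createdDate" is usable, None if it is absent or malformed."""
    now = time.time() if now is None else now
    raw = claims.get("createdDate")
    if isinstance(raw, bool):
        return None
    try:
        created_s = int(raw) / 1000.0
    except (TypeError, ValueError, OverflowError):
        return None
    age = now - created_s
    if age < -CLOCK_SKEW_S:      # timestamp lies in the future: do not trust it
        return None
    return age <= NEW_USER_WINDOW_S


def classify_login(claims, user_db, now=None):
    """Return 'existing', 'new' or 'undetermined' for a verified ID token."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("ID token has no 'sub' claim")
    if user_db is not None:                  # the app keeps its own user table
        return "existing" if sub in user_db else "new"
    recent = created_recently(claims, now)   # no DB: fall back to the claim
    if recent is None:
        return "undetermined"
    return "new" if recent else "existing"


def handle_login(claims, user_db, default_role="user", now=None):
    """Provision a first-time user in the app's own store, keyed on the stable 'sub'."""
    state = classify_login(claims, user_db, now)
    if state == "new" and user_db is not None:
        user_db[claims["sub"]] = {
            "username": claims.get("preferred_username"),
            "roles": [default_role],
        }
    return state
```

The database lookup is the stronger signal; the "createdDate" window is a heuristic and returns 'undetermined' rather than guessing when the claim is missing or implausible.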
