Hi Gregor,
Is the overall idea the following: upon successful registration, the user should be
redirected back to the application for which the anonymous profile has been created, and
the app should know the profile ID to link the user to?
I think passing back the ID in the redirect URI is unreliable. I'd rather suggest that
upon registration you persist the profile ID as a user attribute in Keycloak, and
propagate it back to the application as a token claim. The application, obviously, will
need to be modified to be able to handle that custom claim.
To extract the ID from the request URI and to persist it as an attribute in Keycloak, you
can use a custom execution within the Registration flow (I'd suggest script-based).
To push the attribute to the token claims, use a custom protocol mapper.
To overcome the issue with parameter loss due to restarted registration, I'd suggest
that you use browser local storage to hold your profile ID. This will however require
modifications to the Keycloak registration screens (via login theme) so that the ID could
be retrieved from the local storage and sent to Keycloak.
Most likely your pre-Keycloak profile wizard will reside on a separate (sub)domain, so you
should use some tricks to share your local storage between the domains (Google for
"local storage shared"). This scheme will obviously rely on working JavaScript
and local storage support in the browser.
As for email verification, this should also be mitigated by the
attribute/claim approach described above. If your user has reached this
step, this means that technically the registration has been successful,
and the profile ID attribute should have been created already. Upon
completing email verification, the user will be taken to the
application with the claim already in the token.
Feel free to ask any questions,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
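The attribute approach from the reply above, as an added example that is not part of the thread or of Keycloak itself: a script-based execution for the Registration flow that takes the profile ID from the redirect URI held in the authentication session and stores it as a user attribute. It assumes the query parameter and the attribute are both named `profile_id`, that profile IDs are UUIDs, and that the execution is placed after the registration form so that `user` is the freshly created account.

```javascript
// Added example (not from the thread): Keycloak script-based execution that stores the
// anonymous profile ID as a user attribute. Assumed names: query parameter and user
// attribute "profile_id"; assumed ID format: UUID. Keycloak binds `script`, `user`,
// `authenticationSession` and `LOG` when it runs the script; `extractProfileId` is
// plain ES5 so it can be exercised outside Keycloak.

var PROFILE_PARAM = "profile_id";      // assumed query parameter name in the redirect URI
var PROFILE_ATTRIBUTE = "profile_id";  // assumed user attribute name
var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Percent-decodes one query component; null on malformed encoding instead of throwing.
function decodeComponent(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return null; }
}

// Returns the profile ID from a redirect URI, or null. The value originates from the
// browser's address bar, so only a well-formed UUID is accepted; anything else is
// discarded rather than written into the user record.
function extractProfileId(redirectUri) {
  if (typeof redirectUri !== "string") return null;
  var q = redirectUri.indexOf("?");
  if (q < 0) return null;
  var pairs = redirectUri.slice(q + 1).split("#")[0].split("&");
  for (var i = 0; i < pairs.length; i++) {
    var eq = pairs[i].indexOf("=");
    var key = eq < 0 ? pairs[i] : pairs[i].slice(0, eq);
    var raw = eq < 0 ? "" : pairs[i].slice(eq + 1);
    if (decodeComponent(key) !== PROFILE_PARAM) continue;
    var value = decodeComponent(raw);
    if (value === null) return null;
    value = value.trim();
    return UUID_RE.test(value) ? value.toLowerCase() : null;
  }
  return null;
}

// Entry point Keycloak calls for the execution.
function authenticate(context) {
  var profileId = extractProfileId(authenticationSession.getRedirectUri());
  if (profileId === null) {
    LOG.info(script.name + ": no valid profile ID in redirect URI, nothing to link");
    context.success();
    return;
  }
  if (!user) {
    LOG.warn(script.name + ": ran before the user was created, attribute not stored");
    context.success();
    return;
  }
  user.setSingleAttribute(PROFILE_ATTRIBUTE, profileId);
  context.success();
}
```

A protocol mapper on the client then copies the `profile_id` attribute into the token; the application should treat the claim as untrusted input and check that the profile is not already linked to another account before binding it.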
On Tue, 2018-11-20 at 01:15 +0000, Gregor Tudan wrote:
Hi,
I’m trying to find a solution for passing redirect parameters reliably through the
registration page.
Our users will go through some steps prior to the registration. We generate an anonymous
profile for saving the user input of this step. Then we trigger a registration in Keycloak
and pass the id of the profile as a parameter in the redirect URL.
This works fine in the happy path, but breaks on some occasions:
- we use email verification. If registration works, but the user fails to confirm the
mail address before the link expires, he will be prompted to complete the confirmation the
next time he logs in. But the mail in the confirmation link will now no longer contain the
redirect params of the original mail
- if an error occurs during the registration (the user fails multiple times to fill out
the form) an error message will be shown prompting the user to restart the registration.
The original params will be lost.
Is there a way to pass the query params in a more reliable manner through Keycloak?
Or is it better to implement this kind of logic in the application code? If so, are there
any recommendations? Email verification makes this quite hard to do, as the registration
can be completed on a completely different device.
Thanks,
Gregor
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user