On 24. 09. 19 15:27, John Norris wrote:
Thanks for this Marek.
"Use the single redirect URL as an "entry point" of your
application." How would the application know that it had come from new
user registration? I already have a root URL set for the client?
What would be useful is if return from new user mapped to a particular
endpoint. Could I raise that as an enhancement? So within keycloak
client admin, with the allow registration switch, add an endpoint as well.
Assume you have always single redirect-uri and process both "new user"
and "old user" requests. Your application may need to:
- Take a look at the ID Token and parse its content
- If you have some DB with user data, you can then check your DB
whether the user is known. If not, you know that it's maybe a registration of a new user
- If you don't have any DB with user data, you can possibly check the
token and look whether some claim like "createdDate" exists in the token and
corresponds with the latest time (or is close to it). This can help to
decide whether it's a new user or not. The "createdDate" is not added to the token
by default AFAIK, but you can possibly add a protocolMapper to your
client. In the tab "Client Scope" of the client in the Keycloak admin console,
you can test what the token will look like and whether it contains the
"createdDate" claim with the expected value.
I would personally try to do something along those lines.
Marek
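The two checks Marek describes (look the token's subject up in the app's own user DB, or fall back to a "createdDate" claim close to the current time) as an added Python example; this is not code from the thread or from Keycloak. It assumes the Keycloak adapter has already verified the ID token's signature, issuer, audience and expiry before the payload is decoded, and that the "createdDate" claim (which you would add via a protocol mapper) carries the user's creation time as epoch milliseconds, the unit Keycloak uses for createdTimestamp.

```python
import base64
import json
import time

# Assumed claim name: Keycloak does not emit it by default, so it must
# come from a protocol mapper configured on the client.
CREATED_CLAIM = "createdDate"


def id_token_claims(id_token: str) -> dict:
    """Return the payload of an ID token that the Keycloak adapter has
    ALREADY verified. This only decodes base64url; it is not a
    substitute for signature/issuer/audience/expiry verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_login(claims: dict, known_subjects, now=None, window_seconds=300) -> str:
    """Decide whether this login belongs to a freshly registered user.
    1. If the app has its own user DB (known_subjects is a set of 'sub'
       values), absence from it is the strongest signal.
    2. Otherwise fall back to the createdDate claim (assumed epoch
       milliseconds) lying within window_seconds before now.
    Returns "new", "returning", or "unknown" when neither check applies."""
    now = time.time() if now is None else now
    if known_subjects is not None:
        return "returning" if claims.get("sub") in known_subjects else "new"
    created = claims.get(CREATED_CLAIM)
    if created is None:
        return "unknown"
    try:
        created_s = float(created) / 1000.0
    except (TypeError, ValueError):
        return "unknown"
    # A creation time in the future (clock skew, bad mapper) is not "new".
    return "new" if 0 <= now - created_s <= window_seconds else "returning"


def sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```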
Regards
John
------------------------------------------------------------------------
*From:* Marek Posolda <mposolda(a)redhat.com>
*Sent:* Tuesday, September 24, 2019 1:28:17 PM
*To:* John Norris <johnnorris-10(a)outlook.com>;
keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
*Subject:* Re: [keycloak-user] register new user; redirect to specific
client url
Not sure I understand the use-case 100% correctly, but I think you can:
- Implement EventListener, which will allow you to do some callback when
registration of new user happens in Keycloak. For example add some role
or other data specific to your application to the DB used by your
application
- Use the single redirect URL as an "entry point" of your application.
Or eventually use something like a servlet filter (if your application is
servlet based) or something similar. That may allow you to double-check
the content of the IDToken and check if the user is "known" to your DB
(then it's not a new user) or it is an unknown user (hence a newly registered
user). You can also check the "createdDate" of the user in the token and
compare it with the current time.
Hopefully some of those options (or some slight variant of it) will work
for your use-case.
Marek
On 22. 09. 19 13:36, John Norris wrote:
> I have an app secured by keycloak. Going to a secured page brings up
> a keycloak login page and the correct user/password gives the expected
> results.
> Within the client, I have switched on user registration. So now the
> login page shows a register link, which displays another keycloak page
> allowing the user to register with name, username, email.
> This "works" in that the user is added to the keycloak user
> database. But the application displays the error page because a role
> is not mapped to that user in keycloak.
> What I would like to happen is to be able to add the new user to the
> app's own user database, associate a role with the user, perhaps do
> some verification of the user.
> So I don't really know what keycloak is sending back to the app
> except that it eventually leads to /error. Is there a way to tell
> keycloak after a new registration to contact this url where things can
> happen within the app?
>
> I realise that I could set a default role. But I really want a way
> of telling keycloak to go to a specific URL after a new user
> registration is completed.
>
> Regards,
>