This is just going to be your first headache trying to reproduce everything
Keycloak does in a native Android UI. I'd highly recommend you use a
webview with a custom theme instead.
Examples of flows that you are not going to be able to do:
* OTP
* Required actions
* Registration
* Social logins
* Recover password
* ...
On 11 December 2015 at 05:11, Fabricio Milone <fabricio.milone(a)shinetech.com
Hi all,
I’ve been working on adding custom endpoints under the realm level to
perform some new functions, like user registration and sending a password reset
email, without going through Keycloak’s default web view. I’ve read the
discussion regarding adding custom REST paths, but I wouldn’t like to go off
topic there.
Why am I doing this?
This is needed because I have to hit the Keycloak server directly from the
native Android UI, without going through the Keycloak default login/reset
credentials screen, and get a user registered or an email to reset the password
(among other possible future use cases).
What have I got so far?
I’ve added a custom endpoint class (ForgotPasswordEndpoint) to the
org.keycloak.protocol.oidc.endpoints package in order to add a new path,
/auth/realms/{realm}/forgotten-password-email, that sends an email to the
user specified in a form attribute without going through the web view. I am
also generating a key to be able to execute a client session required
action of UPDATE_PASSWORD, so when the user clicks the link they will be
asked to update their password.
What I’m not sure is about the approach I used to get this done. Let’s
clear that up:
- Created a new endpoint class similar to TokenEndpoint.java which
sends an email with a link to update the user password.
- The link is generated using the UriBuilder for the base path and the
ClientSessionCode class for the access code, using the given realm, session
and any other necessary data.
- I am adding a required action to the clientSession
(ClientSessionModel, created with the given UserModel) of the type
UserModel.RequiredAction.UPDATE_PASSWORD.
- Once the user clicks on the link, the normal updated account starts,
without any modification.
That’s the least invasive way I’ve found so far. However, today I have been
trying to implement an SPI to achieve this (still trying to understand how
to do that).
Is there a clean/proper way to generate a valid code/execution id as it is
generated on the normal forgotten password email?
What is the right way to make a direct call to get a reset password email?
Thank you in advance.
Regards,
Fabricio
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
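The question above asks what makes a code in a forgotten-password link "valid". Whatever Keycloak's ClientSessionCode does internally, a reset code that is minted outside the normal flow still has to satisfy the same properties: it must be unpredictable, bound to one user and one required action (UPDATE_PASSWORD), expire, and work only once. The following Python example is added here to illustrate those properties in isolation; it is not Keycloak's code and not the code from the thread. The store, the `ResetCodeStore`/`build_reset_link` names, and the `/password-reset` path are assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import quote

# Name of the required action discussed in the thread.
UPDATE_PASSWORD = "UPDATE_PASSWORD"


@dataclass
class ResetCode:
    """Server-side record for one issued code (the code itself is never stored)."""
    user_id: str
    action: str
    expires_at: float
    used: bool = False


class ResetCodeStore:
    """Hypothetical in-memory store, keyed by the SHA-256 of the code so that a
    leaked store does not hand out usable links. A real deployment would keep
    this alongside the server-side session, not in a process-local dict."""

    def __init__(self, ttl_seconds: int = 300, now: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised deterministically
        self._codes: Dict[str, ResetCode] = {}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, action: str = UPDATE_PASSWORD) -> str:
        # 256 bits from the OS CSPRNG: guessing is infeasible, so the code alone
        # can act as the bearer credential carried in the emailed link.
        code = secrets.token_urlsafe(32)
        self._codes[self._digest(code)] = ResetCode(
            user_id=user_id, action=action, expires_at=self.now() + self.ttl
        )
        return code

    def redeem(self, code: str, user_id: str, action: str = UPDATE_PASSWORD) -> bool:
        """Return True exactly once for a fresh code presented for the right
        user and action; every other presentation is rejected."""
        entry = self._codes.get(self._digest(code))
        if entry is None:
            return False
        if entry.used or self.now() > entry.expires_at:
            return False
        # Bind the code to the user and action it was minted for, so a code
        # issued for one account cannot drive another account's required action.
        if entry.user_id != user_id or entry.action != action:
            return False
        entry.used = True  # single use: a replayed link must fail
        return True


def build_reset_link(base_url: str, realm: str, code: str) -> str:
    """Compose the link placed in the email. The path is a placeholder for the
    illustration, not Keycloak's actual action URL; the realm and code are
    percent-encoded so they cannot alter the URL structure."""
    return f"{base_url}/auth/realms/{quote(realm, safe='')}/password-reset?code={quote(code, safe='')}"


if __name__ == "__main__":
    store = ResetCodeStore(ttl_seconds=300)
    code = store.issue("alice")
    print(build_reset_link("https://idp.example", "demo", code))
    print("first redeem:", store.redeem(code, "alice"))   # True
    print("replay:", store.redeem(code, "alice"))         # False
```

The two checks a reviewer should look for in any hand-rolled endpoint of this kind are visible here: the emailed value is high-entropy and only its hash is stored, and redemption is rejected on expiry, on reuse, and on any mismatch of user or action.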