[keycloak-dev] Application Initiated Actions

Stian Thorgersen sthorger at redhat.com
Wed Feb 27 14:34:16 EST 2019

Design document:

On Wed, 27 Feb 2019 at 16:09, Stian Thorgersen <sthorger at redhat.com> wrote:

> Keycloak currently has required actions that are used to prompt the user
> to perform an action associated with their account after authenticating,
> but prior to being redirected to the application.
> Examples include: configure OTP, update profile, validate email, etc.
> One issue here is these actions have to be manually registered with the
> users account, but can not be initiated by applications themselves. As an
> example it may not be required by all users to verify their email, but only
> when they use specific applications.
> Keycloak also needs to initiate actions from the account management
> console. Examples: updating email address should require verifying the
> email, configuring OTP, etc.
> With that in mind we are proposing to introduce Application Initiated
> Actions. An Application Initiated Action behind the scenes is just a
> Required Action, but it is initiated by an application and depending on the
> action may be optional for the user to complete (where the user can select
> cancel which would return the user back to the application).
> No Application Initiated Actions should perform any updates to the users
> account without prompting the user first. For example an application
> initiated action that is used to link an existing account to a social
> provider should ask the user first if they want to link to the provider.
> To make it easy for applications to integrate these I would like to
> leverage the standard OAuth flows that applications use to authenticate
> users. So to initiate verify-email action the application would redirect to
> the authentication endpoint and add kc_action=<action alias> query
> parameter.
> One open question I have right now is. Assuming all Application Initiated
> Actions always prompt the user first do we need to add some mechanism in
> place to restrict what clients/applications are permitted to initiate an
> action? Requiring that would make it harder to use for applications.
> One thing I would also like to add is the ability for an Application
> Initiated Action to require the user to re-authenticate prior to performing
> the action. For example update password should require the user to enter
> the current password, while verify email should not (as it simply sends an
> email with a link to continue).

More information about the keycloak-dev mailing list