[keycloak-user] Password-free login using email link

Bill Burke bburke at redhat.com
Fri Oct 16 12:45:12 EDT 2015

You can implement this with our authentication SPI.

On 10/16/2015 11:59 AM, Valerij Timofeev wrote:
> Hi all,
> we have a couple of use-cases where login is password-free and is based
> on email link with a login key, for example:
> * consumer is allowed to review merchant or product without registration
> * customer receives confirmation email on review submission
> * consumer logs in on a client application without password using a link
> in the confirmation email, but is not authorized to update review comment
> * if consumer logs in using username/email and password (e.g. after
> registration), "update review comment" functionality becomes available
> We have to support such use-cases, if we decide to adopt Keycloak.
> I searched  through Keycloak JIRA tickets, but found the only similar
> feature request "Invitation email"
> https://issues.jboss.org/browse/KEYCLOAK-439
> Should I submit another feature request for our use case?
> My vision:
> * implement optional email-link authenticator
> (http://keycloak.github.io/docs/userguide/html/auth_spi.html#auth_spi_walkthrough)
> * client application creates new user via Admin REST API
> <http://keycloak.github.io/docs/userguide/html/admin-rest-api.html> and
> sets credential type to "email_link" and value to login key. Then it
> sends email including login link
> * I suppose that it is difficult or even impossible to transmit query
> parameters via Open ID Connect flow, so the link could point to
> unprotected page storing username and login key in a cookie
> * email-link authenticator checks presence of the email-link cookie and
> if found tries to authenticate user using username and key values
> provided in the cookie
> * if no cookie is set or login fails, user is redirected to login form
> Challenge: how to limit roles bound to user session if login type
> "email_link" is used, may be via configuration parameter for this
> authenticator? The rest of assigned roles should not appear in the user
> session.
> Thank you in advance
> Valerij Timofeev
> Software Engineer
> Trusted Shops GmbH
> P.S. "Password-free" logins seem to become a trend: Yahoo Mail gets a
> redesign, goes “password-free” http://www.siliconbeat.com/2015/10/15/yahoo/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list