[keycloak-user] Persistent Redirect Params in Registration

Dmitry Telegin dt at acutus.pro
Tue Nov 20 07:00:51 EST 2018


Hi Gregor,

Is the overall idea the following: upon successful registration, the user should be redirected back to the application for which the anonymous profile has been created, and the app should know the profile ID to link the user to?

I think passing back the ID in the redirect URI is unreliable. I'd rather suggest that upon registration you persist the profile ID as a user attribute in Keycloak, and propagate it back to the application as a token claim. The application, obviously, will need to be modified to be able to handle that custom claim.
To extract the ID from the request URI and to persist it as an attribute in Keycloak, you can use custom execution within the Registration flow (I'd suggest script-based).
To push the attribute to the token claims, use custom protocol mapper.

To overcome the issue with parameter loss due to restarted registration, I'd suggest that you use browser local storage to hold your profile ID. This will however require modifications to the Keycloak registration screens (via login theme) so that the ID could be retrieved from the local storage and sent to Keycloak.
Most likely your pre-Keycloak profile wizard will reside on a separate (sub)domain, so you should use some tricks to share your local storage between the domains (Google for "local storage shared"). This scheme will obviously rely on working JavaScript and local storage support in the browser.

As for email verification, this should also be mitigated by the attribute/claim approach described above. If your user has reached this step, this means that technically the registration has been successful, and the profile ID attribute should have been created already. Upon completing email verification, the user will be taken to the application with the claim already in the token.

Feel free to ask any questions,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-11-20 at 01:15 +0000, Gregor Tudan wrote:
> Hi,
> 
> I’m trying to find a solution for passing redirect parameters reliably through the registration page.
> 
> Our users will go through some steps prior to the registration. We generate an anonymous profile for saving the user input of this step. Then we trigger a registration in Keycloak and pass the id of the profile as parameter in the redirect url. 
> 
> This works fine in the happy path, but breaks on some occasions: 
> - we use email-verification. If registration works, but the user fails to confirm the mail address before the link expires, he will be prompted to complete the confirmation the next time he logs in. But the mail in the Confirmation-link will now no longer contain the redirect params of the original mail
> - if an error occurs during the registration (the user fails multiple times to fill out the form) an error message will be shown prompting the user to restart the registration. The original params will be lost.
> 
> Is there a way to pass the query params in a more reliable manner through Keycloak?
> Or is it better to implement this kind of logic in the application code? If so, are there any recommendations? Email-Verification makes this quite hard to do, as the registration can be completed on a completely different device.
> 
> Thanks,
> Gregor 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
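The client-side half of the scheme Dmitry describes (stash the profile ID in local storage instead of the redirect URI, submit it with the registration form, read it back as a token claim after login), as an added example that is not code from the thread or from Keycloak itself. It assumes, beyond what the thread states, that the custom registration execution reads a form field named profileId and stores it as the user attribute profileId, that the custom protocol mapper emits that attribute as the OIDC claim profile_id, that profile IDs are UUID strings, and that the application's OIDC library has already verified the ID token's signature before the claim is read. The Keycloak registrations endpoint path is the real one; host, realm and client names are placeholders.

```javascript
// Added example, not code from the original thread or from Keycloak.
// Assumptions (not stated in the thread): the custom registration execution
// persists a form field "profileId" as the user attribute "profileId"; the
// custom protocol mapper exposes it as the claim "profile_id"; IDs are UUIDs.

const STORAGE_KEY = 'pendingProfileId';
const PROFILE_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// In the browser this is window.localStorage; a Map-backed stand-in lets the
// module run under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function isValidProfileId(id) {
  return typeof id === 'string' && PROFILE_ID_RE.test(id);
}

// App side, before handing the user to Keycloak: stash the ID locally and build
// the registration URL. The ID deliberately does NOT travel in redirect_uri, so
// a restarted registration or a regenerated verification link cannot lose it.
function startRegistration(storage, { baseUrl, realm, clientId, redirectUri, profileId }) {
  if (!isValidProfileId(profileId)) throw new Error('malformed profile id');
  storage.setItem(STORAGE_KEY, profileId);
  const url = new URL(`${baseUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/registrations`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('redirect_uri', redirectUri);
  return url.toString();
}

// Login-theme side (script on the registration page): read the stashed ID and
// produce the hidden field to submit with the form. Local storage is writable by
// any script on the origin, so the value is validated, never trusted as-is.
function registrationFormFields(storage) {
  const id = storage.getItem(STORAGE_KEY);
  return isValidProfileId(id) ? { profileId: id } : {};
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// App side, after login. Reads profile_id from an ID token whose signature the
// OIDC library has ALREADY verified; this does no verification itself. Returns
// null when the claim is missing or malformed rather than linking blindly.
function profileIdFromToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) return null;
  let payload;
  try { payload = JSON.parse(base64UrlDecode(parts[1])); } catch (e) { return null; }
  return isValidProfileId(payload.profile_id) ? payload.profile_id : null;
}

// Completes the round trip: the profile named by the server-asserted claim is the
// one to link; the local copy has served its purpose and is dropped.
function finishLogin(storage, idToken) {
  const id = profileIdFromToken(idToken);
  if (id !== null) storage.removeItem(STORAGE_KEY);
  return id;
}

// Constructed, UNSIGNED token for offline demonstration only (dummy signature).
function makeDemoIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.x`;
}

// Stand-alone run: stash, submit, then read the claim back after "login".
const demo = memoryStorage();
const demoId = '123e4567-e89b-42d3-a456-426614174000';
startRegistration(demo, { baseUrl: 'https://sso.example.com', realm: 'demo', clientId: 'app', redirectUri: 'https://app.example.com/cb', profileId: demoId });
console.log(registrationFormFields(demo), finishLogin(demo, makeDemoIdToken({ sub: 'u1', profile_id: demoId })));
```

The point of the split is trust: the value in local storage is client-controlled and only a hint for the registration form, while the value the application acts on is the claim Keycloak asserts from the persisted attribute. Because the claim is tied to the Keycloak user, it survives both a restarted registration and an email verification completed later or on another device, which is exactly where the redirect-parameter approach broke.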

