[keycloak-user] Implementing "user invitation" functionality in Keycloak

Craig Setera craig at baseventure.com
Mon Apr 29 11:48:06 EDT 2019


I'm continuing to attempt to get my "user invitation" functionality working
again.  While I'm 99% certain it worked at some point in the past, I can't
for the life of me get it going again now.  I have not found a working
combination of action tokens, required actions and authenticators to make
this work.

From the feature perspective, the goal is a user-facing flow similar to the
following:

   - Within our application, a properly authorized user adds a new user to
   our system (using their email address)
   - The addition of that user triggers an email to that user with a
   (action token) link they can click on
   - The link takes them into Keycloak where they can set their "initial"
   password via a form
   - Once that is completed, they are transitioned to the login page

In my case, I have the initial action token email working (via a REST
resource provider).  Within that action token handler, I'm trying to find a
combination of authenticators and/or required actions to pull together the
necessary "challenge" and processing of that challenge.  However, I can't
seem to find a combination that Keycloak is happy with and does what I need
it to do.

When looking at similar combinations of required actions and
authenticators, like those found in the quickstarts, it seems like they
work in reverse of this.  The authenticator initiates the action token and
not the other way around.  Am I misunderstanding what I can/should do here?

Can anyone offer any suggestions or pointers on how to properly handle that
part of the user-facing behavior?  This is similar in functionality to
reset credentials, but at the same time it is not the same and our product
folks don't want to see "reset" when the user has not yet set credentials.

Thanks,
Craig

=================================
*Craig Setera*

*Chief Technology Officer*

