[keycloak-user] Automatic one-time login

Manuel Bleichenbacher manuel.bleichenbacher at acrea.com
Tue Jun 18 04:03:28 EDT 2019


Hi everybody,

Our new application will have a lengthy user registration procedure that we would like to keep separate from Keycloak (it will mainly require application data, reuse part of the application's UI, etc.). At the end of the registration procedure, we would still like to automatically log in the user so he/she doesn't need to reenter the username and password. What are our options to achieve it?

The backend will certainly use a privileged Keycloak user (e.g. to create the new user via the REST Admin API). And the result of the login should be that the user's access token (JWT) is available in the user's session in the backend. So far we have come up with the following options:

Option A: REST endpoint / custom authenticator

- Add a custom REST endpoint so the backend can create a one-time code and save it as a credential on the new user
- Add a custom authenticator to the browser flow that checks for the one-time code
- The user would then be directed to the regular authentication flow. If the one-time code is present and correct, the username/password step and possibly all other authentication steps will be skipped and the authentication immediately succeeds.

Option B: REST endpoint / action token

- Add a custom REST endpoint so the backend can create a one-time code and save it as a credential on the new user
- Implement an additional action token handler that checks the one-time token to authenticate the user
- The user would then be directed to the action token URL. If the one-time code is correct, the user is authenticated.

What is your recommendation:
- Are these feasible options?
- Are we missing a good option?

For option A: How can we pass the one-time code to the authentication flow? Can we use a URL parameter, HTTP header attribute?

For option B: Can the action token flow initiate the OAuth2 flow and return an authorization code? Can this flow be easily integrated with the Spring Boot adapter?

Any input is appreciated.

Thanks
Manuel

--
manuel bleichenbacher | senior consultant
m +41 79 617 90 01 | manuel.bleichenbacher at acrea.com
acrea ag | konradstrasse 32 | 8005 zürich
www.acrea.com | blog.acrea.com
www.nezasa.com - incubated by Acrea
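The following is an added example sketching Option A from the message above; it is not code from the post or from the Keycloak project. It assumes a Keycloak 6.x-era Authenticator SPI (in particular the `getUserByUsername(String, RealmModel)` argument order, which later releases reversed), and it chooses its own names for the two query parameters (`otl_user`, `otl_code`) and the two user attributes (`otl_code_hash`, `otl_expires`). The registration backend mints the code, stores only its SHA-256 hash plus an expiry on the user (user attributes can be written through the Admin REST API, so no custom REST endpoint is required for this variant), and puts the plaintext code into the login URL once. The authenticator reads the code from the authorization request's query string, compares it in constant time, enforces the expiry and clears it on first use so it cannot be replayed.

```java
package com.example.keycloak.otl; // hypothetical package name

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

import javax.ws.rs.core.MultivaluedMap;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Browser-flow executor for a one-time login code (example code, not Keycloak's own).
 * The backend stores, as user attributes (names chosen here, not by Keycloak):
 *   otl_code_hash  hex SHA-256 of the code
 *   otl_expires    expiry as epoch milliseconds
 */
public class OneTimeLoginAuthenticator implements Authenticator {

    static final String PARAM_USER = "otl_user";      // query parameter carrying the username
    static final String PARAM_CODE = "otl_code";      // query parameter carrying the code
    static final String ATTR_HASH = "otl_code_hash";
    static final String ATTR_EXPIRES = "otl_expires";
    static final long VALIDITY_MS = 5 * 60 * 1000L;   // a code lives five minutes at most

    /**
     * Backend-side helper: returns {plaintextCode, hashHex, expiresMillis}.
     * The backend sends the last two to Keycloak as user attributes and
     * places the first one in the login URL it redirects the browser to.
     */
    public static String[] mintCode() {
        byte[] raw = new byte[32];                        // 256 bits of entropy: guessing is infeasible
        new SecureRandom().nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String expires = Long.toString(System.currentTimeMillis() + VALIDITY_MS);
        return new String[] { code, sha256Hex(code), expires };
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> query = context.getHttpRequest().getUri().getQueryParameters();
        String username = query.getFirst(PARAM_USER);
        String code = query.getFirst(PARAM_CODE);
        if (username == null || code == null) {
            context.attempted();                          // no code offered: fall through to the password form
            return;
        }
        // Keycloak 6.x-era argument order; newer releases use (RealmModel, String).
        UserModel user = context.getSession().users().getUserByUsername(username, context.getRealm());
        if (user == null || !consume(user, code)) {
            // Identical outcome for unknown user, wrong code and expired code.
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        context.setUser(user);
        context.success();
    }

    /** Returns true at most once per stored code, then clears it so it cannot be replayed. */
    static boolean consume(UserModel user, String presented) {
        String storedHash = user.getFirstAttribute(ATTR_HASH);
        String expires = user.getFirstAttribute(ATTR_EXPIRES);
        if (storedHash == null || expires == null) return false;
        long expiresAt;
        try {
            expiresAt = Long.parseLong(expires);
        } catch (NumberFormatException e) {
            return false;                                 // malformed attribute: treat as absent
        }
        boolean fresh = System.currentTimeMillis() < expiresAt;
        boolean match = MessageDigest.isEqual(            // constant-time comparison
                storedHash.getBytes(StandardCharsets.US_ASCII),
                sha256Hex(presented).getBytes(StandardCharsets.US_ASCII));
        if (fresh && match) {
            user.removeAttribute(ATTR_HASH);              // single use: clear on success
            user.removeAttribute(ATTR_EXPIRES);
            return true;
        }
        if (!fresh) {                                     // hygiene: drop expired codes too
            user.removeAttribute(ATTR_HASH);
            user.removeAttribute(ATTR_EXPIRES);
        }
        return false;
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);           // SHA-256 is mandatory in every JRE
        }
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return false; }     // this executor establishes the user itself
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

To deploy it, the class still needs an `AuthenticatorFactory` and a `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` entry (omitted here), and the executor is added as an ALTERNATIVE step in a copy of the browser flow, placed before the forms subflow: a valid code then satisfies the flow without the username/password form, while a request without the code falls through to the normal form. Because the code travels in a URL, it ends up in browser history, referrer headers and access logs, which is why the example keeps it short-lived, single-use and stored only as a hash.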