Reputation: 1701
I want to secure my user registration page with Keycloak but couldn't think of any approaches while reading the docs.
Use case: The registration page for new users shouldn't be public. New users get an invitation email from the admin. The email contains a link to the registration page.
I thought about using an initial access token (like for client registration) and adding it to the link to the registration page. AFAIK there is nothing like that for user registration?
Are there any other ways to do it?
Upvotes: 4
Views: 7422
Reputation: 31679
I think you've got two options to implement it:
First
You know the e-mail of the destination user before sending the invitation, so you would let the admin create a user in Keycloak with the e-mail itself as the username. Then the admin should check 'Verify e-mail', 'Update profile' and 'Update password' as required actions, so Keycloak will send an activation mail (you can customize the e-mail template) and the user will be required to fill in his data and set a password.
If you don't want the admin to access Keycloak directly, you could do it via the user management API.
Second
Implement this logic in your application. Write a user data form which is publicly accessible using a code (it might be some UUID). When the admin sends the invitation mail, link a random code to the address, so when the user enters the page, you can verify it. Then you'll need to save the data in Keycloak as a new user, using the user management API.
Upvotes: 7
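The invitation-code check from the second option, as an added example that is not part of the original answer. `InviteStore`, the 72-hour lifetime and the in-memory dictionary are assumptions standing in for the application's own storage; creating the Keycloak user after a successful `redeem` is left to the application.

```python
import hashlib
import hmac
import secrets
import time

INVITE_TTL_SECONDS = 72 * 3600  # assumed validity window for an invitation


class InviteStore:
    """In-memory stand-in for the application's invitation table (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._invites = {}   # sha256(code) -> {"email", "expires", "used"}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    @staticmethod
    def _norm(email):
        return email.strip().lower().encode()

    def issue(self, email):
        """Create a code bound to one address; only its hash is stored."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._invites[self._digest(code)] = {
            "email": self._norm(email),
            "expires": self._now() + INVITE_TTL_SECONDS,
            "used": False,
        }
        return code  # goes into the emailed link, not into logs

    def redeem(self, code, email):
        """Return True once per valid code, and only for the invited address."""
        rec = self._invites.get(self._digest(code))
        if rec is None or rec["used"] or self._now() > rec["expires"]:
            return False
        if not hmac.compare_digest(rec["email"], self._norm(email)):
            return False
        rec["used"] = True  # single use: consume before creating the user
        return True
```

Storing only the hash means a leaked invitation table does not hand out working registration links, and binding the code to the invited address stops a forwarded link from registering a different e-mail.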