Deactivate automatic created new user


Matteo Riva

Oct 21, 2022, 5:59:46 AM
to Keycloak User
Hello everyone,

I hope it is not too complex a task, but I have a question.
Is there a way to create new users as disabled? My Keycloak login page does allow new users to register, but the user is automatically enabled to do whatever he/she wants in my secondary application.
What I want is that Keycloak sends me (the administrator) an email to advise me that a new user has been created and that I need to enable it myself.

Can you help me, please? If there is a solution, can you tell me what I should do?
Thank you so much in advance.

Matteo

Thomas Darimont

Oct 21, 2022, 6:33:34 AM
to Keycloak User
Hello Matteo,

this is not possible out of the box, but you could implement an org.keycloak.events.EventListenerProvider that detects org.keycloak.events.EventType#REGISTER events.
From the event you get the userId and realmId and can use them to look up the new user via KeycloakSession#users().getUserById(..) e.g.:

// userId and realmId are taken from the REGISTER event
RealmModel realm = session.realms().getRealm(event.getRealmId());
UserModel user = session.users().getUserById(realm, event.getUserId());
if (user != null) user.setEnabled(false);

You can then send an email to an admin user to start the manual activation process, like:

// adminUser: the UserModel that should receive the notification
EmailTemplateProvider emailProvider = session.getProvider(EmailTemplateProvider.class);
emailProvider.setRealm(realm);
emailProvider.setUser(adminUser); // recipient of the email
// subject key and .ftl template come from your email theme; send(..) throws EmailException
emailProvider.send("newUserSubject", subjectParams, "new-user-email.ftl", mailBodyAttributesMap);

Additionally, in order to have a proper UX you might also need to implement a FormAction provider which tells your user that their account will have to be manually activated.

Cheers,
Thomas
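A complete listener of the kind described above, added here as an example (it is not code from the thread or from Keycloak itself); the package name, the provider id "disable-new-user", the "admin-username" config key and the email theme resources "newUserSubject" / "new-user-email.ftl" are assumptions:

```java
package com.example.keycloak; // assumption: your own package
import java.util.List;
import java.util.Map;
import org.keycloak.Config;
import org.keycloak.email.*;
import org.keycloak.events.*;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.*;

// Build this into a jar, list the factory class in
// META-INF/services/org.keycloak.events.EventListenerProviderFactory, drop the jar into
// Keycloak's providers/ directory and enable "disable-new-user" under Realm settings -> Events.
public class DisableNewUserListenerFactory implements EventListenerProviderFactory {
    private String adminUsername;
    @Override public EventListenerProvider create(KeycloakSession session) {
        return new Listener(session, adminUsername);
    }
    // The admin to notify comes from provider config; assumption: falls back to "admin".
    @Override public void init(Config.Scope config) { adminUsername = config.get("admin-username", "admin"); }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return "disable-new-user"; }

    static class Listener implements EventListenerProvider {
        private final KeycloakSession session;
        private final String adminUsername;
        Listener(KeycloakSession s, String a) { session = s; adminUsername = a; }

        @Override public void onEvent(Event event) {
            if (event.getType() != EventType.REGISTER) return;
            RealmModel realm = session.realms().getRealm(event.getRealmId());
            UserModel user = session.users().getUserById(realm, event.getUserId());
            if (user == null) return;
            user.setEnabled(false); // no login possible until an admin re-enables the account
            UserModel admin = session.users().getUserByUsername(realm, adminUsername);
            if (admin == null || admin.getEmail() == null) return; // nobody to notify
            try {
                EmailTemplateProvider mail = session.getProvider(EmailTemplateProvider.class);
                mail.setRealm(realm);
                mail.setUser(admin); // the recipient
                // subject key and .ftl body are theme resources you add yourself (assumption)
                mail.send("newUserSubject", List.<Object>of(user.getUsername()),
                          "new-user-email.ftl", Map.<String, Object>of("newUser", user.getUsername()));
            } catch (EmailException e) {
                // notification failed, but the account is already disabled, so this fails closed
            }
        }
        @Override public void onEvent(AdminEvent event, boolean includeRepresentation) { }
        @Override public void close() { }
    }
}
```

The account stays disabled until an admin switches it back on in the admin console or via the admin API, so a lost notification email does not silently let the user in.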

Thomas Darimont

Oct 21, 2022, 6:35:29 AM
to Keycloak User
.. instead of using an EventListener you might be able to disable the user and send the email also from a headless FormAction that runs within a custom Registration Auth flow.

Cheers,
Thomas

Matteo Riva

Oct 21, 2022, 8:23:57 AM
to Keycloak User
Hello Thomas,

Thank you so much for your help and your fast reply.
I am sorry, but I am not an expert Keycloak developer and it is pretty new to me.
I know this could be boring, but can you be a bit more precise? For example: where should I create these files? What files should I write? In summary, my questions are now on a very basic level.
I hope this is not too long or too boring for you.

Thank you again for your help!

Cheers,
Matteo

Matteo Riva

Oct 21, 2022, 8:33:22 AM
to Keycloak User
Hello Thomas,

Sorry, I have another question: could mappers be useful for this task (which is creating the user in Keycloak, but having it enabled only by the admin)?

Thank you again!

Matteo

C R

Oct 21, 2022, 9:22:43 AM
to Matteo Riva, Keycloak User
On Fri, Oct 21, 2022 at 11:59, Matteo Riva <mat.ri...@gmail.com> wrote:
>
> Hello everyone,
>
> I hope it is not too complex a task, but I have a question.
> Is there a way to create new users as disabled? My Keycloak login page does allow new users to register, but the user is automatically enabled to do whatever he/she wants in my secondary application.
> What I want is that Keycloak sends me (the administrator) an email to advise me that a new user has been created and that I need to enable it myself.

Hi Matteo,

A more natural alternative, to me, would be putting the authorization in your application, like a specific scope or role that is not given to auto-registered users.

Regards,

CR

Thomas Darimont

Oct 21, 2022, 10:14:05 AM
to Keycloak User
Hello,

I think the role-based approach described by CR is indeed simpler in your case, if you don't want to fiddle with Keycloak too much.

It could be implemented as follows:

1) Realm role "unconfirmed"
Define a realm role named "unconfirmed", configure the "unconfirmed" role as default role (for new users).
-> If a new user registers in the realm, Keycloak will automatically assign the "unconfirmed" role.

2) Expose role in token for app
Now, suppose you have a client for your app called "myclient", where you configured the role scope to expose the "unconfirmed" realm role in the token
(id or access token) if a user has it.

3) Detect "unconfirmed" role in token within your client app
If the newly registered user accesses "myclient", then the "client app" can obtain tokens for the user, e.g. via Authorization Code Flow.
The token that "myclient" will receive will now contain the "unconfirmed" realm role. Your app can now detect this role and show a
message to the user and perhaps disable some app functionality.

4) Trigger admin notification
In your backend you can then notify an admin about the new user.
The admin can then either manually remove the "unconfirmed" role from the user OR use the Keycloak admin API to remove the role.

5) Notify the user
Optionally, notify the user that their account is now "confirmed", or let them simply try again after a while.

This approach is quite lightweight and can be implemented without any Keycloak extensions.

However, the downside of this approach is that it results in a valid user account that can already do self-service account management and potentially access other applications in the same realm.

Cheers,
Thomas
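Steps 3 and 4 as they would look inside the client application, added here as an example rather than code from the thread; the realm name "myrealm", the server URL and the admin credentials are placeholders, and the token handed to isUnconfirmed is assumed to have been signature-verified already by your adapter or resource-server library:

```java
package com.example.app; // assumption: your client application's package
import java.util.List;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.RoleRepresentation;

// Steps 3 and 4 of the role-based approach, living in "myclient" instead of in Keycloak.
public class UnconfirmedUserGate {
    static final String REALM = "myrealm";   // assumption: your realm name
    static final String ROLE = "unconfirmed";

    // Step 3: only reads the realm roles the (already verified) access token carries.
    public static boolean isUnconfirmed(AccessToken token) {
        AccessToken.Access realmAccess = token.getRealmAccess();
        return realmAccess != null && realmAccess.isUserInRole(ROLE);
    }

    // Step 4a: the text your backend sends to an admin (email, chat, ticket, ...).
    public static String adminNotification(AccessToken token) {
        return "New self-registered user awaiting confirmation: "
             + token.getPreferredUsername() + " (id " + token.getSubject() + ")";
    }

    // Step 4b: remove the role through the admin REST API instead of clicking in the console.
    // The account used by the admin client needs manage-users on the realm (assumption).
    public static void confirmUser(Keycloak admin, String userId) {
        RoleRepresentation unconfirmed = admin.realm(REALM).roles().get(ROLE).toRepresentation();
        admin.realm(REALM).users().get(userId).roles().realmLevel().remove(List.of(unconfirmed));
    }

    public static void main(String[] args) {
        // Admin client from the keycloak-admin-client artifact; all values are placeholders.
        Keycloak admin = KeycloakBuilder.builder()
            .serverUrl("https://keycloak.example.test")
            .realm("master").clientId("admin-cli")
            .username("admin").password("<admin-password>")
            .build();
        confirmUser(admin, "<user-id, i.e. the sub claim of the token>");
    }
}
```

Tokens issued before the role was removed still carry "unconfirmed" until they expire or are refreshed, so the user may need to log in again to see the change.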

Matteo Riva

Oct 21, 2022, 11:02:28 AM
to Keycloak User
Hello Thomas and CR,

Thank you so much for your help.
Thomas, can you kindly explain in detail what I should do in steps 3 and 4, please?
Thank you so much again!

Matteo

Matteo Riva

Oct 21, 2022, 11:04:27 AM
to Keycloak User
Hello,

Sorry, I have just had an idea: what if I create the users myself, but they need to change the password at the first login? In this way I know who the new user is, and he/she can set a new password when he/she tries to log in!

Matteo
