User registration for one client


Laki Luk

Jan 28, 2021, 7:12:49 AM
to Keycloak User
hi,

1) I am trying to set user registration to only one client; I have several in one realm. How to do it?

2) I have several federations and I want one of them to be able to have double authentication Password+OTP.

Thanks

Domenico Briganti

Jan 10, 2023, 5:32:27 AM
to keyclo...@googlegroups.com

Hi Laki, all,

 I have the same requirement of point 1. Have you found any solution?


Regards,

Domenico


On 28/01/21 13:12, Laki Luk wrote:
--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/c5cdc166-140d-4a5f-9d91-5e2977cd4207n%40googlegroups.com.


Thomas Darimont

Jan 10, 2023, 8:03:32 AM
to Keycloak User

Hello,

regarding 1)
I assume you want to preconfigure a registration link for a particular client, then
you could use a URL like:

https://${KC_HOST}/auth/realms/acme-apps/protocol/openid-connect/registrations?client_id=${CLIENT_ID}&redirect_uri=${CLIENT_REDIRECT_URI}

You can also add other parameters like e.g. PKCE.

Here is another example for a full URL:

This will show Keycloak's register page with the name / displayname (if configured) of the given target client app.

regarding 2)
You could configure a custom first / post broker flow for the respective identity provider.

Cheers,
Thomas

Domenico Briganti

Jan 10, 2023, 9:10:41 AM
to keyclo...@googlegroups.com

Hi Thomas, what I want is just to show/hide the registration link on the login page only for a specific client:

For example, this page at this url:

http://localhost:32769/realms/quarkus/protocol/openid-connect/auth?response_type=code&client_id=frontend&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&state=a9226179-fb1a-4f2a-ab08-6872eab74994

[Screenshot: KeycloakLoginPage]


I know that I can personalize the theme and insert some logic into it, but I prefer (if it exists) a configuration way to do this.


Regards,

Domenico



On 10/01/23 14:03, 'Thomas Darimont' via Keycloak User wrote:

Bruno Ribeiro

Jan 10, 2023, 1:21:21 PM
to Keycloak User
AFAIK, this is not supported. Registration configuration is only at the realm level.

You can have some workarounds tho, such as a custom theme that removes the registration link and configures it to the client you don't want to show the registration link. Extending the DB model and templates to add this config at the client level too, but a bit more tricky and more changes to do.

SadaShiv Dash

Jan 11, 2023, 12:13:39 AM
to Bruno Ribeiro, Keycloak User
Hello Bruno,

Steps to configure the self registration at client level would be accomplished via the below steps:

1. Change the admin theme to include this self registration in the below link:
      >>> /admin/resources/partials/client-detail.html

        <div class="form-group" data-ng-show="!realm.registrationAllowed">
            <label for="registrationAllowed" class="col-md-2 control-label">{{:: 'registrationAllowed' | translate}}</label>
            <div class="col-md-6">
                <input class="form-control" type="text" name="registrationAllowed" id="registrationAllowed" data-ng-model="clientEdit.attributes.clientRegistrationEnabled">
            </div>
            <kc-tooltip>{{:: 'registrationAllowed.tooltip' | translate}}</kc-tooltip>
        </div>


2. Through point 1, it will be configurable at client level, which stores the attribute in the client_attributes table with name "clientRegistrationEnabled" and value as String data type (true/false).

3. Please put the below code in login.ftl to the registration link.

<#-- Render the registration link only when this client's attribute is the string "true" -->
<#if (client.attributes['clientRegistrationEnabled'])?? && (client.attributes['clientRegistrationEnabled']=="true")>
..... registration code...
</#if>


Hope it helps your use case.
Best Regards
Sada Shiv Dash
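
Added example, not part of the post above and not Keycloak code: a Python check over a realm export that applies the same attribute test as the login.ftl condition and compares it with the realm-level registrationAllowed switch. The export is a constructed sample; the script assumes stock registration handling, where the realm switch alone decides whether the registration page answers, so a link hidden in the theme does not stop a direct request to the registrations URL quoted earlier in the thread.

```python
import json

# Constructed sample in the shape of a realm export; only the fields used here.
SAMPLE_EXPORT = json.loads("""
{
  "realm": "quarkus",
  "registrationAllowed": true,
  "clients": [
    {"clientId": "frontend", "attributes": {"clientRegistrationEnabled": "true"}},
    {"clientId": "backoffice", "attributes": {"clientRegistrationEnabled": "false"}},
    {"clientId": "reports", "attributes": {"clientRegistrationEnabled": "True"}},
    {"clientId": "legacy"}
  ]
}
""")


def link_rendered(client):
    """Mirror the login.ftl test: attribute present and exactly the string "true"."""
    return (client.get("attributes") or {}).get("clientRegistrationEnabled") == "true"


def audit(realm):
    """Per client: is the link shown, and does that match what the realm allows?"""
    realm_open = bool(realm.get("registrationAllowed", False))
    rows = {}
    for client in realm.get("clients", []):
        shown = link_rendered(client)
        rows[client["clientId"]] = {
            "link_shown": shown,
            # Hiding the link is cosmetic: the realm switch alone decides
            # whether the registration page answers a direct request.
            "hidden_but_reachable": realm_open and not shown,
            # A link that points at a registration page the realm has disabled.
            "shown_but_disabled": shown and not realm_open,
        }
    return rows


if __name__ == "__main__":
    for client_id, row in audit(SAMPLE_EXPORT).items():
        print(client_id, row)
```

The "reports" client shows that the template comparison is case-sensitive: a value of "True" does not render the link.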



Łukasz Dywicki

Jan 11, 2023, 6:03:38 AM
to keyclo...@googlegroups.com
User accounts in Keycloak are grouped in realms. This means that by
default any user who is registered in a realm can access any client
configured in that realm (assuming the user can reach other clients).

There is no such thing as "user registration to only one client",
because of the above. You can effectively block a user from accessing a
specific client by modifying the authentication flow for clients (see
authentication flow overrides). You can use user groups and attributes
for that, and that would be my recommendation to you.

Suggestions about client registrations you received are completely
unrelated as they cover *dynamic open id connect client registration*.

Best regards,
Łukasz
--
Code-House
http://code-house.org