5

I am using keycloak's login and registration page. For login I use:

 keycloak.init({onLoad: 'login-required'}).then(function (authenticated) {
        if (!authenticated) {
           
        } else{

        }

This works fine as I can use the code above to redirect to the application page with token received. However, if the user clicks on registration link and register as a new user, I see browser redirected to :

htttps://localhost/auth/realms/realm1/login-actions/registration?session_code=2TC4xBE5BoFy_Dt7nK8wNDzdLx-8rJmA7l0IjTY1Khk&execution=2e64e3ef-185a-4ca8-a6cc-51c40f9fb7fc&client_id=bizmapp&tab_id=EbayK64spNk

I would like a keycloak callback after registration where I can get the token and redirect the user to the application's original secured page where the user wanted to go to before the login/registration

Ahmed Ashour
  • 5,179
  • 10
  • 35
  • 56
marcg
  • 552
  • 1
  • 8
  • 20

2 Answers2

2

In Keycloak administration interface go to "Authentication" then to the "Flows" tab. Select "registration" in the top left drop-down to configure the registration flow. You can then add a "browser Redirect/Refresh" action at the end of the flow.

You can find more information at https://www.keycloak.org/docs/latest/server_admin/index.html#_authentication-flows

Passing tokens as query params is conventionally considered a bad idea since they stay in the browser history and 1° could be stolen if someone else access that browser and 2° are leaked to 3rd party, for instance when you are using stuff like Google Analytics.

You application should be able to detect the user is authenticated from Keycloak SSO cookie (or whatever other mechanism), that I think will be set automatically after the registration. You just have to rely on the Keycloak adapter configured for your application.

Olivier Tonglet
  • 3,312
  • 24
  • 40
  • You mentioned 'Passing tokens as query params...' . Are you referring to the URL in my posting? I think tha'ts a one time session code. What settings are needed to not pass tokens as query params ? Secondly, in the keycloak JS adapter, we get token and refresh tokens. I save them in custom cookies. Is this not the recommended approach ? Should I rather use the cookies created by keycloak ? Which keycloak cookie has the refresh token ? – marcg Sep 14 '20 at 11:23
  • No, I'm not talking about the URL you put in the question, I'm talking about the callback. HTTPS server cookies can't be stolen (they are not "visible" to other apps). Sending you back the token in the response is also fine but that's not what Keycloak does after a register. Once you configure the browser redirect action I mention, you'll see that Keycloak sets its SSO cookie after a user registers. From the page the user is redirected to you can get your access token from keycloak.token and keycloak.refreshToken (it's standard "Keycloak adapter" logic). Let me know if you need more info. – Olivier Tonglet Sep 14 '20 at 13:24
  • No, I'm not talking about the URL you put in the question, I'm talking about the callback. HTTPS server cookies can't be stolen (they are not "visible" to other apps). Sending back the token in the response is also fine but that's not what Keycloak does after a register. You can just configure the browser redirect action I mentionn,ed. You'll see that Keycloak sets its SSO cookie after a user registers. From the page the user is redirected to you can get your access token from keycloak.token and keycloak.refreshToken (it's standard "Keycloak adapter" logic). Let me know if you need more info. – Olivier Tonglet Sep 14 '20 at 13:50
  • In my keycload installation I do not see an option to add an action at the end of the registration flow. I would also like to directly redirect to one of the clients permitted callback URIs after the email/profile was validated @otonglet – philk Mar 04 '21 at 02:20
  • Is Browser/Redirect not in Http Challenge under the flows tab? It's not in registration.. – Grogu May 14 '21 at 00:54
0

You can simply pass response_type=token in keycloak's login URL and get the whole token inside it(URL) after redirection. Also, make sure you have turned on Implicite flow in your client configurations.

Suren Arakelyan
  • 11
  • 1