I would like to authenticate users through a verification email. So that’s pretty much like a password reset flow, but without the password-resetting bit. I think it’s what Slack’s or Medium’s “magic link” login does.
Expected scenario for the user:
User accesses authorization endpoint from client as usual.
Keycloak shows a form with only an email input. User enters their email address.
Keycloak sends an email with a verification link (I suppose some type of action token).
User gets the email and clicks the action token link.
Keycloak validates the request, creates a session for the user and redirects back to the client.
This is pretty much what the “reset-credentials” form does. However, the reset-credentials action seems to invalidate the grant code, so when the client tries to exchange it for an access token it gets the following error (for good reason):
There’s a big ecosystem of extensions to Keycloak that never make it upstream. I can’t speak for the Keycloak developers, but I’d say they’ve done a great job of building a rock-solid base that solves a set of core problems, while allowing mechanisms of extension that enable the implementing developer to solve most use cases out there. Things like magic link, SMS authenticator, etc. seem to fall outside of their core goals.
Thanks again for the nice information on every new response.
Is there such a repository of community extensions? If there isn’t, would you share a few that you know of? And do you think we should build an informal list? Something like a community wiki page of extensions.