Hi,
I’m facing an issue with the e-mail validation process for a self-registered user in Keycloak.
Here is the configuration I've applied in Keycloak:

Realm settings → Login:
- User registration = ON
- Verify Email = ON

Clients → my-OIDC-Client → Settings → Capabilities:
- Client authentication: OFF
- Authorization: OFF
- Authentication flow: "Standard flow" enabled only
And here is the configuration I've applied on the website side (we are using this plug-in: react-oauth2-code-pkce, from npm):

```javascript
// Base URL of the realm's OpenID Connect endpoints (placeholders kept as in my setup)
const KEYCLOAK_ENDPOINT = 'https://<my_keycloak_URL>/realms/<my_OIDC_realm>/protocol/openid-connect';

// Configuration object passed to the plug-in's AuthProvider
const authConfig = {
  clientId: '<my_OIC_client>',
  authorizationEndpoint: `${KEYCLOAK_ENDPOINT}/auth`,
  logoutEndpoint: `${KEYCLOAK_ENDPOINT}/logout`,
  tokenEndpoint: `${KEYCLOAK_ENDPOINT}/token`,
  redirectUri: 'https://<my_website_URL>/login',
  logoutRedirect: 'https://<my_website_URL>/login',
  scope: 'profile openid',
  decodeToken: true,
  autoLogin: true,
};
```
The login works fine: the user is correctly redirected to the Keycloak login page, then back to the website once logged in.
But if the user needs to register via the Keycloak registration form, he receives an e-mail that contains a validation link like this:
https://<my_keycloak_URL>/realms/<my_OIDC_realm>/login-actions/action-token?key=<a_generated_key>&client_id=<my_OIC_client>&tab_id=<tab_id>
Opening this link actually validates the user's e-mail, and the user is instantly redirected to https://<my_website_URL>/login?code=<_a_generated_code>
If the link is opened in the same browser tab where the user made his registration, the user is automatically logged in.
But if the link is opened in a new tab, it results in the following error in the JavaScript console:
Error: Can't get tokens without the CodeVerifier.
Has authentication taken place ?
I wonder what would be the best way to avoid this behavior. It seems that the "tab_id" in the generated validation link forces the user to use the same tab. Is there a configuration that I missed, or a protocol incompatibility with my applied configuration?