How to restrict registration to specific email domains?

Hello,

I would like to restrict the registration process only to specific email domains.
E.g., only accept registration from *@adomain.com or *@anotherdomain.org and reject all other registrations.
I'm not able to find a way to achieve that.

Do you have any clue?

Regards,

Greg

I don't think there is anything in Keycloak to do that. I made an extension to do just that (whitelist email domain for registration) here:

But there may be better ways.


Thanks for your suggestion! I will have a look.

There is also a community design proposal, which should solve your issue too. https://github.com/keycloak/keycloak-community/blob/master/design/user-profile.md. You can have a look and add some feedback if you want, so that it meets your requirements. There is already some feedback here.

@micedre, thanks for posting the link to your custom extension. Does this work with Keycloak version 11.0.3?

TIA!

Yes, it works. We use it with this version.

Uhm, somehow I had no luck making it work with 11.0.3. Here are the steps I followed …

git clone https://github.com/micedre/keycloak-mail-whitelisting
mvn compile
mvn package
copied the new .jar file to the deployments folder

the server.log file shows

2020-12-04 12:35:26,919 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar" (runtime-name: "keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar")
2020-12-04 12:35:26,946 WARN [org.jboss.as.dependency.private] (MSC service thread 1-8) WFLYSRV0018: Deployment "deployment.keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar" is using a private module ("org.keycloak.keycloak-server-spi-private") which may be changed or removed in future versions without notice.
2020-12-04 12:35:26,946 WARN [org.jboss.as.dependency.private] (MSC service thread 1-8) WFLYSRV0018: Deployment "deployment.keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.
2020-12-04 12:35:26,947 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-3) Deploying Keycloak provider: keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar
2020-12-04 12:35:26,955 WARN [org.keycloak.services] (MSC service thread 1-3) KC-SERVICES0047: registration-mail-check-action (net.micedre.keycloak.registration.RegistrationProfileWithMailDomainCheck) is implementing the internal SPI form-action. This SPI is internal and may change without notice
2020-12-04 12:35:26,991 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar" (runtime-name : "keycloak-registration-mail-restrict-1.2-SNAPSHOT.jar")

but I still don't see it available under the flows.

What am I missing here?

Thanks @micedre!

You need to add the execution to Profile Validation, not to the root of the flow:

This should display a list like this:

Let me know if it still doesn't work.

Got it!

Works, great :)

Thanks for the guidance @micedre


Hello @micedre how can I get the jar file?

Here: https://github.com/micedre/keycloak-mail-whitelisting/releases/download/1.0/keycloak-registration-mail-restrict-1.0.jar

I will release another version soon, I think.


Thanks mate, looking forward to the next release.

Here: https://github.com/micedre/keycloak-mail-whitelisting/releases/download/1.1/keycloak-mail-whitelisting-1.1.jar

With new glob syntax (thanks to @ChloeTigre) and some error checking.


Thanks!

Is there any trick to limit (like a regex) the domain to exactly what is listed in the whitelist?

Like, if we whitelist yahoo(dot)com, then ayahoo.com or us.yahoo.com should be invalid email domains.

Just type yahoo.com in the config:

This should do exactly what you want.

Would you please share the last stable jar file? Thank you.

Sure, here: Central Repository: net/micedre/keycloak/keycloak-mail-whitelisting/1.3.3

Releases are pushed to Maven Central; I'll also publish the next releases to GitHub.

Also, if you are using the latest versions of Keycloak, it may be better to use the new features around user profiles to whitelist or blacklist user emails (and do so much more :) )


Thank you for the module. It is very helpful! =)

Related topic, may help some:

Hi,
I just implemented this with the user profile, thanks to @nosan for the tip!
It can be found here in the documentation: Server Administration Guide
Here are the steps I took, but this may not be the perfect way to implement this:

  • I enabled the 'user profile' preview by passing KC_FEATURES=declarative-user-profile as an environment variable in my docker-compose.yml and restarted the container.
  • On the admin dashboard I went to 'realm settings' → 'general' and set 'user profile enabled' to true.
  • After a reload I went to 'realm settings' → 'user profile', clicked on 'email', scrolled down to 'validators' and clicked 'create validator'.
  • I selected 'pattern' from the list and added .+@mydomain.com as the pattern and "Sorry! Only E-Mails with *@mydomain.com are allowed! If you still need an account please message admin@mydomain.com" as the error message (the error message might be too long).
  • After saving I get the error message displayed upon creating an account with e.g. a gmail email address. *@mydomain.com works fine.
  • Not solved:
    • This also seems to restrict an admin adding any account not ending in @mydomain.com.
    • I haven't yet got around to making locales, so the error message shows like this in every selected language.
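As an added example (not code from this thread or from the micedre extension), the two checks the thread turns on, written in Python: exact domain matching against an allowlist with optional glob entries (the yahoo.com versus ayahoo.com / us.yahoo.com question earlier in the thread), and the regex used with the user-profile 'pattern' validator in the post above. The allowlist entries are constructed, and the validator is assumed to require a full-string match like Java's Matcher.matches().

```python
import re
from fnmatch import fnmatchcase
from typing import Iterable, Optional

# Constructed allowlist for this example: two exact domains (as in the thread's
# *@adomain.com / yahoo.com cases) and one glob entry for sub-domains.
ALLOWED_DOMAINS = ["adomain.com", "yahoo.com", "*.anotherdomain.org"]


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def domain_allowed(email: str, allowlist: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """Match the whole domain against the allowlist, case-insensitively.

    A plain entry like "yahoo.com" matches only that domain, so "ayahoo.com"
    and "us.yahoo.com" are rejected. A glob entry like "*.anotherdomain.org"
    matches sub-domains only; list "anotherdomain.org" itself separately.
    Avoid entries like "*anotherdomain.org": they also match "evilanotherdomain.org".
    """
    domain = email_domain(email)
    if domain is None:
        return False
    return any(fnmatchcase(domain, entry.lower()) for entry in allowlist)


def pattern_allowed(email: str, pattern: str) -> bool:
    """Full-string regex check, the behaviour assumed here for a user-profile
    'pattern' validator (Java Matcher.matches() semantics)."""
    return re.fullmatch(pattern, email) is not None


# The thread's pattern ".+@mydomain.com" leaves the dot unescaped, so "." matches
# any character and "user@mydomainxcom" passes. Escaping the dot and forbidding
# "@" or whitespace in the local part closes that gap.
LOOSE_PATTERN = r".+@mydomain.com"
STRICT_PATTERN = r"[^@\s]+@mydomain\.com"

if __name__ == "__main__":
    for addr in ["greg@yahoo.com", "greg@us.yahoo.com", "x@team.anotherdomain.org"]:
        print(f"{addr:28} allowlist -> {domain_allowed(addr)}")
    for addr in ["user@mydomain.com", "user@mydomainxcom"]:
        print(f"{addr:28} loose -> {pattern_allowed(addr, LOOSE_PATTERN)}"
              f"  strict -> {pattern_allowed(addr, STRICT_PATTERN)}")
```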