
In my Angular application (frontend) the users can sign in as follows:

  • The user will fill out a login form (username or email / password).
  • The user will click on Login and that will hit this endpoint: http://localhost:8080/auth/realms/REALM_NAME/protocol/openid-connect/token
  • The user will have an answer in JWT format and will get his access_token (JWT token), refresh_token, etc.
  • Now this token will be used to access my backend APIs, which will check the validity of the signature of this token against the JWKs_URI (with the encryption RSA256).

The question now is: how can I enable user registration in the same way, which means I wish that the user can:

  • Fill out a registration form
  • Enter his email, password, password confirmation, more info (attributes maybe)
  • The user will then click on Register and it will hit an endpoint in Keycloak (/register maybe) which will return some answer about the success of this registration.

BTW: I don't want to use the user management API.

xdeveloper
  • I'm not sure I get it. Do you mean you want to use your own registration form backed by some Keycloak API and not Keycloak's own form? It'd be a bit strange since you can configure Keycloak's registration form as well as its registration flow however you want. – Olivier Tonglet Sep 11 '20 at 14:13
  • Thanks for your answer. Well, I don't want to deal with the complexity of implementing indirect grants, and at the same time there is only one consumer for this system, so Keycloak will sit between two parts: [frontend]->[keycloak]->[backend]. Also, I want to have my own login/registration pages as well. – xdeveloper Sep 11 '20 at 19:27

1 Answer


You can use the Keycloak Admin REST API to register new users. Make sure not to expose it carelessly.

Regarding your question, related to the authentication, you can register a Keycloak OIDC client. OIDC offers a bunch of resources you can use.

You can register your application as a Keycloak client that uses OIDC direct grant. Basically, "direct grant" implies you can get an access token with just a simple POST to /realms/{realm-name}/protocol/openid-connect/token.

The documentation about direct grants is scattered across the Keycloak documentation and some details can only be found in the OIDC RFCs, so I found you this page that ties everything together.

Careful again! It might be obvious, but don't turn your Angular app into an OIDC client; otherwise hackers will steal your Keycloak client's credentials. Make sure to have your Angular app call some server, where you'll implement the necessary safety mechanisms to block abusive use of your client (for instance using a CAPTCHA).

Olivier Tonglet
  • Thank you for your answer. I understood that I must implement some sort of proxy server between my front end and Keycloak to not expose Keycloak directly, and protect my routes to this server by some sort of verification mechanism to block brute force intrusions. – xdeveloper Sep 14 '20 at 10:00
  • @xdeveloper if I answered your question could you accept it as this post's answer please? If not, please tell me what I should improve. – Olivier Tonglet Sep 14 '20 at 10:43
  • You answered my question of course, I just wanted a confirmation about putting a service between `Keycloak` and my `frontend`. – xdeveloper Sep 14 '20 at 12:00
  • @xdeveloper yes, you should have something in the middle, unless your application is only accessible from a secured network (and even then, I'd recommend it). The front-end code is "public" and you should protect your API, for instance to prevent someone from registering a million users or attempting to connect a billion times (to steal someone's password) without anyone checking. – Olivier Tonglet Sep 14 '20 at 13:16
  • 1
    You can also toggle the Registration setting in Keycloak's console then there will be a Register feature where the user can directly register on Keycloak's server which is more secure than doing the registration with your own server using REST API since then the password and other details will be exposed on your private server. – Franco Apr 14 '23 at 07:34