This repository has been archived by the owner on May 7, 2020. It is now read-only.

Implement account management in Keycloak #42

Open · 6 tasks

hkeeler opened this issue Dec 10, 2016 · 5 comments


hkeeler commented Dec 10, 2016

Keycloak comes with a default set of account management screens, all managed under the account theme. Like the login theme, we'll need to brand these pages to USWDS standards.

In addition, I think we'll need to limit Keycloak's default functionality by quite a bit. They give the user a lot of insight into the system, and I don't think it is necessary. It even exposes the Google Authenticator functionality, which we're not even using.

I was hopeful that much of this could be controlled via built-in roles, but it is not granular enough. Your options are basically:

  • Off
  • View All
  • Edit All

This will require a bit more research, but I believe the high-level tasks are:

  • Modify the base template, removing the sidebar with all the links. We should decide what navigation elements we do need here.

  • Modify the Edit Account screen, allowing only the following fields:

    • Email (read-only)
    • First name
    • Last name
    • Institution(s)

  • Decide whether we want to keep the Change Password screen. I say this because there is already a Forgot Password? link and Reset password page that's part of the login templates.

    To add a bit of confusion to this mix, their reset flows are different. The login version makes you confirm via email, while the account version lets you put in old and new password all at once, and saves right on the spot. I think it would be weird to support both.

    I favor keeping the current email-confirmation-based password reset, and just dumping the account version, but I'm open to discussion.

  • Move the Java-based email domain validation logic into its own library so it can be used in both the account and login providers.

  • Enforce the page restrictions on the backend as well. We should make sure users are not able to browse directly to the pages we've removed the links to.

For your viewing pleasure, here are the default versions of the account management screens.

[Five screenshots of Keycloak's default account management screens, captured 2016-12-09]
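The task list above asks for the email domain validation to be moved into a library that both the login provider and an account provider can call. As an added illustration (not code from the HMDA project or from Keycloak), the following Java class shows what such a framework-independent validator could look like: it normalizes both the allowlist and the input address, requires an exact domain match rather than a suffix match, and rejects malformed addresses before comparing anything. The class name, the allowlisted domains and the sample addresses are all constructed for this example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not code from the HMDA project or from Keycloak: a
 * framework-independent email domain allowlist check that a login provider
 * and an account provider could both call, so the rule is defined once and
 * cannot drift between the two apps.
 */
public final class EmailDomainValidator {

    private final Set<String> allowedDomains;

    /** The allowlist is normalized once so later comparisons are exact and case-insensitive. */
    public EmailDomainValidator(Set<String> allowedDomains) {
        Set<String> normalized = new HashSet<>();
        for (String domain : allowedDomains) {
            normalized.add(normalizeDomain(domain));
        }
        this.allowedDomains = Collections.unmodifiableSet(normalized);
    }

    /** True only when the address has one '@' and its domain matches an allowlisted domain exactly. */
    public boolean isAllowed(String email) {
        String domain = extractDomain(email);
        return domain != null && allowedDomains.contains(domain);
    }

    /**
     * Returns the normalized domain part, or null when the address is not usable:
     * empty local part, more than one '@', or an empty/malformed domain.
     */
    static String extractDomain(String email) {
        if (email == null) {
            return null;
        }
        String trimmed = email.trim();
        int at = trimmed.indexOf('@');
        if (at <= 0 || at != trimmed.lastIndexOf('@') || at == trimmed.length() - 1) {
            return null;
        }
        String domain = normalizeDomain(trimmed.substring(at + 1));
        if (domain.isEmpty() || domain.contains(" ") || domain.startsWith(".")
                || domain.endsWith(".") || domain.contains("..")) {
            return null;
        }
        return domain;
    }

    /** Lower-case the domain and drop one trailing dot (the FQDN form) so comparisons are exact. */
    private static String normalizeDomain(String domain) {
        String d = domain.trim().toLowerCase(Locale.ROOT);
        if (d.endsWith(".")) {
            d = d.substring(0, d.length() - 1);
        }
        return d;
    }

    /** Demonstration on constructed sample addresses; the allowlisted domains are placeholders. */
    public static void main(String[] args) {
        EmailDomainValidator validator = new EmailDomainValidator(
                new HashSet<>(Arrays.asList("bank.example", "CU.example")));
        String[] samples = {
            "analyst@bank.example",                  // allowed
            "Analyst@BANK.EXAMPLE.",                 // allowed: case and trailing dot normalized
            "analyst@cu.example",                    // allowed: allowlist entry was normalized too
            "analyst@bank.example.attacker.example", // rejected: exact match, not suffix match
            "analyst@sub.bank.example",              // rejected: subdomains are not implicitly trusted
            "a@b@bank.example",                      // rejected: more than one '@'
            "@bank.example",                         // rejected: empty local part
            "analyst@",                              // rejected: empty domain
        };
        for (String sample : samples) {
            System.out.printf("%-45s %s%n", sample,
                    validator.isAllowed(sample) ? "allowed" : "rejected");
        }
    }
}
```

The validator deliberately treats subdomains as untrusted unless they are listed explicitly; a suffix check such as `endsWith("bank.example")` would also accept `notbank.example` and `bank.example.attacker.example`. Because it depends on nothing but the JDK, the same jar can be dropped into both the registration flow and whatever account-management hook eventually becomes available, which is the point of the "own library" task.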


hkeeler commented Dec 14, 2016

The Bad News

I spent quite a bit of time yesterday researching just how we would do the backend validation for account management. I'm still not certain exactly how we'd do this, but I can say it will be a lot of work. Keycloak's account management screens are a completely different account app from the authentication and registration login app. And not only do they share almost no code, the account app does not really provide any hooks for validating custom input...or even altering the hard-coded validation it does now.

If anyone is interested in the gory details, most of the from these two classes:

My first thought was to just extend these two classes, overriding a few methods to include a bit of extra validation, and disable routing to the account-related pages we don't want to support. However, there are so many dependent classes that we'd also have to modify, that we'd basically end up doing a big copy/paste job, and redeploying this alongside the current SPIs.

In addition, here are a couple findings on their mailing list that basically confirm what I'm finding:

  • [keycloak-user] How to validate required for custom fields

    Adding those custom validations works just for registration form, but not for account management or update-profile pages. In the future, we plan to improve so that you can attach custom validation on all 3 places and you won't need to code your own validator for supporting such common thing like marking some custom field to be mandatory.

  • [keycloak-dev] Custom attributes on registration and account management - this thread has a lot of discussion around this, but it is all similar to:

    For registration screen, admin can implement his own validator through the Authentication SPI. But for account management and update profile it's currently no way to add custom validations. But for my "birthday" field, I usually want to have same custom validation applied on all 3 places.

The Good News

Keycloak recognizes this is a problem. They have a feature request out for a Profile SPI, which sounds like it would meet our needs.

As to when this becomes a reality, it is hard to say. The best I can find is the following, posted in a comment on a related issue on 12/02/2016:

This should be high priority and something we should work on. I'll try as much as possible to make sure this happens soon, but it's going to be 3.x at the earliest. Due to a lot of other things happening at the moment I can't make any promises though.

What's Next?

We need to have a deeper discussion around our options, and what issues may arise with each.

Sorry this isn't as straightforward as I thought it would be. ☹️


hkeeler commented Dec 16, 2016

It was decided at today's standup that we will hold off on account management. For now, I will just disable account management for all users in the HMDA realm.


hkeeler commented Jan 3, 2017

Really glad we didn't take this on. Not only is Keycloak 3.x likely going to include a Profile SPI for consistent account validation, but also New Account Management:

Per http://blog.keycloak.org/2016/12/keycloak-250cr1-released.html:

  • Profile SPI - Single configurable and extensible place to define validation for user validation for self-registration, account management and the admin console
  • New Account Management - New modern and easier to use account management console

As for when, doesn't sound like they have a timeline yet. All they say is:

This is the second to last release in the Keycloak 2 series. Expect one more round of bug fixing and a 2.5.1.Final release towards the end of January. After that we'll get started on Keycloak 3!

@vanOmega

@hkeeler Before, were you able to override AccountFormService in keycloak's 3.4.3.final version?


hkeeler commented May 16, 2018

@vanOmega, we do not override AccountFormService or any other services related to Keycloak's account management app. We currently don't even use Keycloak's account management because of its many limitations.

Keycloak is supposed to have a big account management refactor in the works. If and when that happens, we'll post details back here on this issue.
