KEYCLOAK-2359 - Expose current clientId in email templates. #2061
Conversation
We hereby expose the current clientId in email templates in order to be able to generate client application specific links. If a clientId is not available we fall back to the "account" clientId.
| emailVerificationBody=Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you didn''t create this account, just ignore this message. | ||
| emailVerificationBodyHtml=<p>Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address</p><p><a href="{0}">{0}</a></p><p>This link will expire within {1} minutes.</p><p>If you didn''t create this account, just ignore this message.</p> | ||
| emailVerificationBody=Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you didn''t create this account, just ignore this message. ClientId: {3} | ||
| emailVerificationBodyHtml=<p>Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address</p><p><a href="{0}">{0}</a></p><p>This link will expire within {1} minutes.</p><p>If you didn''t create this account, just ignore this message.</p> ClientId: {3} |
There was a problem hiding this comment.
The usage of the clientId ({3}) is a test - suggestions for a more sane default text that uses the client id or should this be just omitted from the messages.properties for now?
|
Thinking some more about this I was thinking that we probably want to make sure the client-id is always available. It shouldn't require manually including in the email. I think we should add it to the links by default and include in the signature part as well to prevent forgery. |
|
Having the clientId accessible in general would make a lot of things easier - shall I close this PR or could you give some hints about how to rework it? |
|
I'm not sure if this is two separate issues or not, but I think the client base-url should always be available in the login flows. Even when the session has timed out. This would make it always possible to have a return to the application link on any page from the login flows. I think the best way to do this is to add the uuid of the client to the ClientSessionCode. It will make links slightly longer, but would improve usability. Would that cover what you want? |
|
Closing this as I didn't get any feedback. Let's talk about this on the mailing list. |
|
Okay, sorry for not giving feedback in time - I'm fine with closing this issue - as I wasn't sure how to proceed - adding the clientId (uuid) to the ClientSessionCode sounded like it should happen in the context of a new dedicated ticket - though it would be related to this one. Looking at ClientSessionCode - I notice that one can already access the client id via clientSessionCode .getClientSession().getClient().getId()/getClientId() - is this already available in emails somehow? |
|
You can get the client from the client session, but only as long as the client session hasn't been garbage collected. If we added the client uuid directly to the client session code it would always be available. |
|
Okay, I understand that. So this all would then boil down to adding the clientId to the access code AND extracting the clientId when the code is parsed again, right? *) Sorry for continuing here - but I think we're almost there ;-) *) currently ClientSessionCode parses the code string back into a ClientSessionCode instance. How about adding a flag (dead, alive) to If |
|
That sounds to complicate to me. All we need is the ability to add the client to the forms if the session is missing so we can add a back to client link. No need for a zombie client session model I'd think. I need to have a chat to Bill about this, then we'll see if we can do something for 1.9 around this. |
|
Okay, thanks :) |
|
Another idea: In the ClientSessionCode.parseResult(..) is used which already deals with the case that the client session is not there anymore.Perhaps ClientSessionCode.parseResult could add the "requesting" clientId (to be added to the code) to the ParseResult. This could then be used as a fallback in LoginActionsService.verifyCode(..) in this case: This would enable keycloak to always redirect a user to the originally request client which would then retrigger the proper authentication flow. |
|
Stian made a big deal about the size of our URLs a year or so ago. |
|
I don't like increasing the size of the client session code as it increases the length of URLs. However, I think we need to make sure the client is always known so we can have a back to application link on all error pages. I can't think of any other way to do it than to add the client uuid to the client session code as well. |
thomasdarimont
deleted the
issue/KEYCLOAK-2359-add-client-id-param-to-emails
branch
We hereby expose the current clientId in email templates in order to be able
to generate client application specific links.
If a clientId is not available we fall back to the "account" clientId.