KEYCLOAK-6455 Ability to require email to be verified before changing #7943
Conversation
reda-alaoui
force-pushed
the
email-update-confirmation
branch
20 times, most recently
from
40ab023
to
cf1596c
Compare
Why should it be removed on a brokered context. It is still ok, to let a mapper copy the email value initially in a brokered identity context (Mapper mode "import"). Then it could be managed in the account at Keycloak including verification on updates. |
|
@reda-alaoui Well done! Could you please resolve the conflicts and rebase it with master? Then we can make a review for this. And last thing, I see there are some failing tests; it'd be great to check it. |
|
Hi @mabartos , |
|
@reda-alaoui many thanks for your work, mate. Any chance you can please fix conflicts and tests? @stianst will this be possible to come into 16 or 17 release? Thanks. |
|
Hello, |
|
@marziman Would be really great to get this feature in the next release. I think it's one of the few major shortcomings of Keycloak at the moment because the current change email process is kind of error prone and a bit insecure. Would love to get this feature from core Keycloak and not have to implement my own workaround in the meantime just to ditch it again in a few months. |
|
@lajosthiel I agree. We might be even forced to apply this now by hand to Keycloak. BR Mehmet |
|
@mposolda It is ready for review. I am polishing a separate PR for the documentation. |
|
Here is the documentation pull request |
|
@mposolda I added 2 commits that seemed important to me. Sorry for the noise. |
|
Has anyone recreated this issue in github issues yet? Would like to follow the progression again now that the original redhat issue is closed https://issues.redhat.com/browse/KEYCLOAK-6455 |
|
Thats alright, I just wanted to make sure there's no duplicate or if it needed to be linked to this pr somehow. Anyway here's he new issue on github #11875 |
There was a problem hiding this comment.
@reda-alaoui Thanks for the changes!
I am approving. I've just added one small note to the documentation PR and requested review from our documentation guru. However I hope that documentation will be finished soon and this will be merged soon.
|
Thank you ! 🥳 |
|
@reda-alaoui Finally merged. Should be ready in Keycloak 19. Thanks for your patience and for your hard work on this issue! |
|
Many thanks @reda-alaoui for this hard work. And also thx @mposolda for the review. |
|
@reda-alaoui Thanks for your work, we have got the latest V19.0.1 for keycloak. This feature works fine when we enable update_email. But once we enable the "User Profile Enabled" from Realm General setting, we are getting error while confirming new email id on update. |
|
@reda-alaoui Also we find that when "User Profile Enabled" is disabled, first name and last name became empty, and on clicking the email validation link. It clears the user profile attributes which were not sent. Also, the error which is shown in the previous field is failing because the first name and last name are mandatory fields and they are not sent in the payload. Only email id should be updated instead of all fields getting updated. |
|
@sparkmylife please create new issues to report this kind of problems. |
|
@reda-alaoui Raised #13561 |
|
Hi all, do you maybe have any info, when will this PR be released? which Keycloak version? |
|
Hey there. I'm using "email as username" (& enabled "Edit username" specifically for this); but when the users are changing their email using this feature, the username is not updated at all. Or did I miss any settings anywhere that would allow for this feature to properly change both email & username? |
I have been using the Keycloak "Personal information update" UI. Going through all the steps expected from this PR (click on update email, form asking me what email I want to use, confirmation email with link sent, clicking on the link to validate the change). Email is properly changed but not the username. We have our own Account Management page so eventually we will want to have it work outside of the KC default UI; but testing in the default UI is not conclusive already ;( Happy to be told this is a misconfiguration on my end though! |
|
It looks more like a bug. Which version you are using? |
v20.0.2 if I'm not mistaken |
|
It should be a bug then. I would ask you to try out 21.1.2 or wait for 22.0.2. The PR I mentioned is fixing a nasty issue in 22.0.0 and 22.0.1 so better try out 22.0.2. |
Fix #11875
This PR adds an UPDATE_EMAIL action (enabled by default) that can be used as an AIA or a required action. The action is associated with a single email input form. If the realm has email verification disabled, this action will allow to update the email without verification. If the realm has email verification enabled, the action will send an email update action token to the new email address without changing the account email. Only the action token triggering will complete the email update.
In the account application personal info (Keycloak V2), this PR turns the email input field into a permanent readonly field. If the UPDATE_EMAIL action is enabled, an "Update Email" link will allow to trigger UPDATE_EMAIL action as an AIA. If the UPDATE_EMAIL action is disabled, there will be no link and therefore no way to update the email from the personal info page.
This PR conditionally removes the email field from
login-update-profile.ftlform: