Question
We're using keycloak (KC) with custom providers for the registration flow. At the end of the registration flow, before the confirmation email is sent to the user (as a default KC functionality), we disable the user as it fits our use case.
When user clicks on the email confirmation, mail is confirmed and user is automatically logged in, despite the fact he/she is disabled at that point. Logins after that work as expected (if user is disabled, login is forbidden, else it succeeds).
Upon reviewing Keycloak source, it seems as if session id is sent in the confirmation mail and if session already exists in KC, it is automatically reused and user proceeds as if logged in. If session doesn't exist, "email confirmed" page is shown and user is not logged in (as expected).
To confirm my theory of KC not checking user status (enabled/disabled) in the middle of an existing session, I've disabled a user that's currently been active in the application. User was not logged out or anything of the like.
My conclusion is that when user completes the registration, session exists and that session is then automatically "hijacked" upon clicking on the confirmation link. Nowhere in the middle of that, does KC check if user is actually enabled or not. Same as if you disable user while he/she is logged in and is browsing the protected application.
Does anyone have any workaround of the issue? My next step is somehow to programmatically invalidate session at the end of the registration, so user won't have any when clicking on the confirmation mail. I am not sure how to track this bug on KC jira either, since they don't seem to have any public bug tracker. Regardless, this is not the point of this question - my question is if anyone else already had this problem and if yes, how was it solved?
Answer 1:
I have solved a similar issue writing a custom Required Action. The required action is triggered after email validation, so you can check if user is enabled or not (Secret question required action example).
In my case if user validation is not ok, I redirect to error page:
// inside requiredActionChallenge(RequiredActionContext context), when the user does not pass validation
Response challenge = context.form().setError(MessagesIDs.NOT_VALIDATED_ID).createErrorPage(Status.UNAUTHORIZED);
context.challenge(challenge); // stop the flow and show the error page instead of continuing the session
return;
Source: https://stackoverflow.com/questions/45382981/keycloak-automatic-login-after-email-confirmation-with-disabled-user