Keycloak tip: disabling the review profile step when using Twitter, Microsoft, Gmail… as an identity provider
If you use identity-provider login in Keycloak, you may have run into a small, annoying issue the first time a user signs in: the "Update Account" review profile form appears, asking for first name, last name and so on. In this post, we would like to share how we were able to work around this issue through configuration.
Background:
By default, the review profile is a required step of the first broker login flow, which is triggered whenever authentication is done through an identity provider.
The review profile step is meant to prompt the user about a missing required profile property (usually first name or last name) that could not be obtained from the identity provider. Additionally, the review profile can be configured to trigger in all cases, regardless of whether the user info is obtained or not, by setting the authenticator configuration option to on instead of missing, or not to be triggered at all by setting the option to off.
The particularity of Twitter, compared to other providers, is that the user info contains no first/last name, just a single name.
While processing the user info received from Twitter, Keycloak assumes that the name is composed of a first name and a last name split by a space (the processing logic can be found here). Accordingly, if the name of the Twitter account used for logging in does not contain a space (quite common on Twitter), the last name will be empty, and this automatically triggers the review profile form (if the default settings are kept).
This means that the user has to go through an additional step, which spoils the UX a bit and also defeats the main goal behind using an identity provider: skipping the registration form.
In the next sections, we would like to share a couple of solutions that can help work around this little needling gotcha.
Solution 1: setting “Update Profile on First Login” to off or disabling the review profile step
This solution is dead simple. When going to the Authentication flows setup and then to the first broker login flow configuration, you can find a special authenticator configuration for the Review Profile step:
Once you click on the settings icon, you will get the following modal:
You can simply set the value to off, and voilà!
It’s also possible to disable the whole review profile step by setting its value to disabled.
Solution 2: disabling last name validation using user profiles
This solution requires the activation of a preview feature called declarative user profile (more details about Keycloak features and how to enable them can be found in the official docs). Because the declarative user profile is still a preview feature, and thus not recommended for use in production settings, this solution is just for information purposes. To enable the declarative user profile feature:
- set the Keycloak flag (either --features=declarative-user-profile, or -Dkeycloak.profile.feature.declarative_user_profile=enabled in older versions)
- toggle User Profile Enabled in the General realm config
After enabling the feature, you will see the following menu appearing in the Keycloak admin console:
By clicking on lastName and setting the value of required to false, we are telling Keycloak that the last name of a user is not required, and thus the registration of a new user should go through without a last name. This applies to registering a user through an IdP as well.
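The behaviour described in the Background section and the effect of both solutions can be modelled offline. The following is an added example, not Keycloak's code or code from the original post. It assumes a realm export layout in which the step appears as the idp-review-profile authenticator with an update.profile.on.first.login config key, that a missing key behaves like missing, and that the name is split at its last space (the post only says "split by a space").

```python
import json

# Constructed sample shaped like a Keycloak realm export (layout is an assumption).
REALM_EXPORT = json.loads("""
{"authenticationFlows": [{"alias": "first broker login",
   "authenticationExecutions": [{"authenticator": "idp-review-profile",
      "authenticatorConfig": "review profile config", "requirement": "REQUIRED"}]}],
 "authenticatorConfig": [{"alias": "review profile config",
   "config": {"update.profile.on.first.login": "missing"}}]}
""")

def review_mode(realm, flow_alias="first broker login"):
    """Return 'on', 'missing' or 'off'; a DISABLED step is reported as 'off'."""
    configs = {c["alias"]: c.get("config", {})
               for c in realm.get("authenticatorConfig", [])}
    for flow in realm.get("authenticationFlows", []):
        if flow.get("alias") != flow_alias:
            continue
        for ex in flow.get("authenticationExecutions", []):
            if ex.get("authenticator") != "idp-review-profile":
                continue
            if ex.get("requirement") == "DISABLED":
                return "off"
            cfg = configs.get(ex.get("authenticatorConfig"), {})
            # Assumption: an unset option behaves like 'missing'.
            return cfg.get("update.profile.on.first.login", "missing")
    return "off"  # the flow has no review profile step at all

def split_name(name):
    """Split a display name into (first, last); last-space split is an assumption."""
    first, sep, last = name.strip().rpartition(" ")
    return (first, last) if sep else (last, "")

def form_shown(mode, name, required=("firstName", "lastName")):
    """True when the first-login review form would be shown for this display name."""
    if mode in ("on", "off"):
        return mode == "on"
    first, last = split_name(name)
    profile = {"firstName": first, "lastName": last}
    # 'missing': prompt only when a required attribute came back empty.
    return any(not profile[attr] for attr in required)

if __name__ == "__main__":
    mode = review_mode(REALM_EXPORT)
    for name in ["Ada Lovelace", "keycloakfan"]:  # constructed display names
        print(f"{name!r}: mode={mode} form_shown={form_shown(mode, name)}")
    # Solution 2: lastName no longer required, so the form is skipped.
    print(form_shown(mode, "keycloakfan", required=("firstName",)))
```

With off or a disabled step, the account is created with whatever the provider sent, so anything consuming the user's profile has to tolerate an empty last name.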
References
For further details, check out the discussion in the following pull request:
https://github.com/keycloak/keycloak/pull/12923
https://www.imager200.io/blog/keycloak-circumventing-review-profile-with-twitter