p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps

Problems getting the invitation flow working #122

Closed martin31821 closed 10 months ago

martin31821 commented 10 months ago

Hi,

We're currently evaluating this project in a multi-tenant b2b scenario and we're having trouble getting the invitation flow to work.

I've been inviting an email address to an organization (where the user doesn't previously exist in the realm), and then I'm getting a mail with two links, one for registration and one for login.

However, after clicking any of the two links, I'm getting the error message 'Cookie not found'. The server log just says the same thing, so I'm a bit puzzled where to look next.

I'm using the phasetwo docker image, version 22.0.1, with Postgres as database.

xgp commented 10 months ago

@martin31821 Thanks for the message.

How are you initiating the invitation? Using the Organization Admin Portal? Using the API? Also, can you include or screenshot the email you are seeing?

The content of the email messages for invitations is, by default, set here https://github.com/p2-inc/keycloak-orgs/blob/main/src/main/resources/theme-resources/messages/messages_en.properties#L2 and includes no links by default, unless you customize the template, or you set the redirectUri value in the invitation API request.

dierberg commented 10 months ago

Thanks @xgp, I'm a coworker of Martin and did the setup. In the styles extension I added {{url.registrationUrl}} for the Organizations invitation. But this URL has no parameters, it just ends with registration: https://XXX/realms/myRealm/login-actions/registration. It does not depend on whether the user exists or not. The problem is the same in the admin UI and the Phase// portal.

Are there other necessary config items in the realm that may have been missed? Thanks

xgp commented 10 months ago

Thanks for the context @dierberg

The problem with that url.registrationUrl is that it's not really meant for this use case. It is used in the cases where an existing authentication session is already underway. The default for Keycloak doesn't officially allow a direct registration link. However, it is possible to construct one:

https://{host}/{relative-path}/realms/{realm-name}/protocol/openid-connect/registrations?client_id={client_id}&response_type=code&scope=openid email&redirect_uri={redirect-path}&kc_locale={two-char-lang-code}

The recommendation in this case is to include a link to an endpoint in your application that is protected by Keycloak. That will cause the user to be redirected to the login page, where the registration link will appear, if you have it enabled.

dierberg commented 10 months ago

Mmmh, this is not what is documented in https://phasetwo.io/docs/getting-started/email.

And why is the redirection URL not used?

xgp commented 10 months ago

Feel free to PR a change to the documentation if you think it's wrong https://github.com/p2-inc/phasetwo-docs/blob/master/docs/getting-started/email.md

And why is the redirection URL not used?

I'm not sure I understand this. The redirectUri field can be passed if you are setting up an invitation using the API (https://phasetwo.io/api/add-organization-invitation). In the default template, this is set as the {{link}}. This can also be used in your custom templates.
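Putting xgp's two suggestions together, as an added example that is not part of this thread or of the keycloak-orgs project: one function builds the direct registration link from the template above with every parameter properly URL-encoded, and another builds the invitation API request with redirectUri pointing at a Keycloak-protected page of the application. The invitation endpoint path and body field names are assumed from the phasetwo API docs linked above; host, realm, client and redirect values are placeholders.

```python
"""Helpers for the two invitation-link approaches discussed in this issue."""
import json
from urllib.parse import urlencode, urlparse
from urllib.request import Request


def build_registration_url(base, realm, client_id, redirect_uri, locale="en"):
    """Direct registration link for the client, as in xgp's template.

    urlencode() turns the space in 'openid email' into '+' and escapes the
    redirect URI, which a hand-pasted link in an email template would not do.
    redirect_uri must be absolute and https; it must also be listed among the
    client's Valid Redirect URIs in Keycloak or the flow is rejected.
    """
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("redirect_uri must be an absolute https URL")
    if len(locale) != 2:
        raise ValueError("kc_locale expects a two-character language code")
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid email",
        "redirect_uri": redirect_uri,
        "kc_locale": locale,
    })
    return f"{base}/realms/{realm}/protocol/openid-connect/registrations?{query}"


def build_invitation_request(base, realm, org_id, token, email, redirect_uri):
    """POST request for the add-organization-invitation endpoint.

    Path and field names (email, send, redirectUri) are assumed from the
    phasetwo API docs; the token is an admin bearer token obtained separately.
    redirectUri becomes {{link}} in the default template, so point it at an
    application page that is itself protected by Keycloak: the user lands on
    the login page with the registration link, with a proper auth session.
    """
    # reuse the same validation so a bad redirect fails before any email is sent
    urlparse(redirect_uri)
    build_registration_url(base, realm, "placeholder-client", redirect_uri)
    body = {"email": email, "send": True, "redirectUri": redirect_uri}
    return Request(
        f"{base}/realms/{realm}/orgs/{org_id}/invitations",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
```

Send the returned Request with urllib.request.urlopen (or any HTTP client) once you have an admin token for the realm.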