p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps

how to require invitation for user "self-registration" #168

Closed lsmith77 closed 4 months ago

lsmith77 commented 4 months ago

In our app we send out an invitation link with a secret (i.e. without this secret the user cannot create an account). This invitation also has a lifetime.

So if the user follows the link with the embedded secret before the lifetime has ended, they can set a password (and possibly set other attributes like the name etc). Once they complete this they are added to the organization.

Out of the box with phasetwo the concept seems to be more to allow self-registration without limits and use the invitation concept to allow the users then if they want to accept this invitation. Which is maybe the more "multi tenant" view onto this process, but it somehow feels wrong to allow anyone to create an account. At the very least we would rather not have to add some captcha to the self-registration form to prevent the database from being filled by bogus users.

Now I am wondering how to best implement this:

Does this kind of workflow make sense?

I would be happy to build this out in more detail with documentation. We would then also likely add the ability to embed a firstname/lastname into the magic link.

xgp commented 4 months ago

That flow makes sense. You could also just create the User in Keycloak and send them an execute-actions email to set up their profile and reset their password. If you're using the API, you could send them invitations with send=false so they don't get an email invite. Then they just get a profile/password setup email, and they are prompted with the invitation required action after they set up their account.
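The provisioning flow described in this comment, written out as an added Python example (not code from keycloak-orgs or from either commenter). It assumes the standard Keycloak admin endpoints for creating a user and for execute-actions-email, and that the keycloak-orgs invitation endpoint is `/realms/{realm}/orgs/{orgId}/invitations` accepting `email` and `send` fields; base URL, realm, org id and bearer token are placeholders, and the `transport` argument only exists so the HTTP layer can be swapped out for tests.

```python
import json
import urllib.request

# Actions the user must complete via the time-limited setup email.
REQUIRED_ACTIONS = ["UPDATE_PASSWORD", "UPDATE_PROFILE"]


def _urllib_transport(method, url, headers, data):
    """Default transport: performs the HTTP call, returns (status, headers, body)."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers), resp.read()


def _call(token, method, url, body=None, transport=_urllib_transport):
    """Send one authenticated JSON request and return the response headers."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    status, resp_headers, _ = transport(method, url, headers, data)
    if status >= 400:
        raise RuntimeError(f"{method} {url} failed with HTTP {status}")
    return resp_headers


def provision_invited_user(base, realm, org_id, email, token,
                           lifespan=3600, transport=_urllib_transport):
    """Create the account, queue a silent org invitation, send the setup email.

    Returns the new user's id, parsed from the Location header. The 'lifespan'
    (seconds) bounds how long the setup link stays valid.
    """
    admin = f"{base}/admin/realms/{realm}"
    # 1. Create the user ourselves, so self-registration can stay disabled.
    loc = _call(token, "POST", f"{admin}/users",
                {"username": email, "email": email, "enabled": True}, transport)
    user_id = loc["Location"].rstrip("/").rsplit("/", 1)[-1]
    # 2. Invitation with send=false: no invite mail goes out, but the
    #    organization's invitation required action is pending for the user.
    _call(token, "POST", f"{base}/realms/{realm}/orgs/{org_id}/invitations",
          {"email": email, "send": False}, transport)
    # 3. The only email the user receives: a time-limited link to set a
    #    password and complete the profile; afterwards the invitation
    #    required action prompts them to join the organization.
    _call(token, "PUT",
          f"{admin}/users/{user_id}/execute-actions-email?lifespan={lifespan}",
          REQUIRED_ACTIONS, transport)
    return user_id
```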

lsmith77 commented 4 months ago

I tested it some more and it looks good. Should I document this a bit here https://phasetwo.io/docs/organizations/invitations ?

xgp commented 4 months ago

> Should I document this a bit

Yes. Thank you!

lsmith77 commented 4 months ago

Should be coming later this week.

lsmith77 commented 4 months ago

@xgp while working on the documentation for this, I realized that there is one piece missing and an opportunity to clean up the workflow.

So from what I can tell, when creating an Invitation (via the UI or the API), there is no way to prevent sending the invitation email, which is not ideal for the above described workflow.

But rather than adding this option, I wonder if it would not make more sense to make it an option on the Invitation to use a magic link? In this case it is not a problem that the email is sent, because it would contain the magic link rather than the URL to the realm login.

The way I would envision the API (and eventually Admin UI) would be to enable optionally passing in the magic link resource parameters https://github.com/p2-inc/keycloak-magic-link?tab=readme-ov-file#resource property on the InvitationRequest.

xgp commented 4 months ago

> So from what I can tell, when creating an Invitation (via the UI or the API), there is no way to prevent sending the invitation email, which is not ideal for the above described workflow.

The Invitation API has a send parameter which prevents sending an email if false.

lsmith77 commented 4 months ago

Ah thank you. I overlooked that.