Action token as default for invitation link

[xgp]

Create an action token link for invitations that will (in the handler)

1. create a user if none exists with that email
2. mark email address as verified
3. do additional required actions (e.g. org invitation accept)
4. forward to login

Questions

• What if the user wants to / must login with the linked IdP?
• If the user profile elements that are required are not complete, will the user automatically be challenged for them?
• Can we create an anonymous action token (i.e. no User)?

[xgp]

https://github.com/p2-inc/keycloak-orgs/tree/xgp/anon-invite

Did an experiment to see if we could do an anonymous action token (we cannot) to do a delayed user create on acceptance of org invite.

This code path in the Keycloak action token handler stops a token without a known userId from being passed to the handler:

• https://github.com/keycloak/keycloak/blob/33f580daa47642f2660f5587603ce3893a8f6c8d/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java#L653
• https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java#L126

keycloak-1   | 2024-04-11 17:47:43,064 WARN  [org.keycloak.events] (executor-thread-2) type="EXECUTE_ACTION_TOKEN_ERROR", realmId="7e64e025-21e2-4241-9d2a-cb6ca6f1bfb6", clientId="account", userId="test2@bar.com", ipAddress="172.25.0.1", error="user_not_found", reason="invalidUserMessage", auth_method="openid-connect", token_id="cd6cd79c-1b82-4fb0-bdac-4fde121566c1", action="ext-org-invitation-link", response_type="code", redirect_uri="http://localhost:8080/auth/realms/test/account/", remember_me="false", code_id="b16e49df-2209-4982-9bf6-c31a02ee342d", response_mode="query"

We might try to do a separate endpoint to process the token and accept the invite before creating the user.

• Create a similar resource that takes the token and validates it
• Create a fresh auth session