First8 stands for craftsmanship. All our colleagues are great supporters of Open Source, and of the Java platform in particular. We specialize in the pragmatic development of business-critical Java applications in which systems integration, high security requirements and high transaction volumes play an important role. On this page you will find our blogs.

Add a Manage Account link with Keycloak and RedHat-SSO

 

In this blog, we will look at how you can easily empower users to manage their own account with Keycloak/RedHat-SSO by providing them with a direct link from within your Spring application. Basically, not much more is required than to add this link to your page or menu:

The address of the KC server is, of course, stored in the configuration file in webapp/WEB-INF/keycloak.json. But what is the best way to get it from there into the model(s) used to generate your web pages?

For the logout link, KC provides us with a nice and handy shortcut, <a href="/sso/logout">Logout</a>, where we do not need to put the real address. But for Manage Account, no such thing exists (yet).

Link to the User’s Manage Account in Keycloak

Here is one way to add “accountUrl” to the model in a controller (thanks to Scott Rossillo for this code):

In your page template or header-insert, you can now link to the user’s account page without needing to hard-code either Keycloak-address or realm name:

And Link Back to your Application

But there is more. Keycloak can automatically link back to your application by adding two parameters:

The first parameter referrer is the name of your client, which is also stored in keycloak.json.
The second parameter referrer_uri is the address within your application you want the user to come back to. It must be a valid redirect-URL (as configured in the KC administration console in your Client). The referrer_uri is optional and Keycloak will use the base URL of the client when it is missing.

I’ll demonstrate this with a variation of the previous code that defines the model property in a @ControllerAdvice, which makes the variable available in all your models (to limit it to a subset of your controllers, check the documentation):

In this example, I have commented out the code that adds the original request as the referrer_uri, because before using it you should carefully evaluate whether this is valid and appropriate in all your views. Otherwise, the return link may trigger unexpected actions in your application when the user returns, or it may be missing query parameters needed to show the same view as before.
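One way to act on that caution, as an added example that is not code from the original post or from Keycloak: build the account link from the keycloak.json values and send referrer_uri only for views on an explicit allowlist, so every other page falls back to the client's base URL. The class name, host names and allowlisted paths are hypothetical; `auth-server-url`, `realm` and `resource` are the keys of keycloak.json.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

/** Hypothetical helper: builds the Manage Account link with a vetted return address. */
public class AccountLinkBuilder {
    private final String authServerUrl;    // "auth-server-url" from keycloak.json
    private final String realm;            // "realm" from keycloak.json
    private final String clientId;         // "resource" from keycloak.json
    private final URI appBase;             // assumption: public base URL of this application
    private final Set<String> returnPaths; // assumption: views that are safe to re-open with a plain GET

    public AccountLinkBuilder(String authServerUrl, String realm, String clientId,
                              String appBase, Set<String> returnPaths) {
        this.authServerUrl = authServerUrl.replaceAll("/+$", ""); // drop trailing slashes
        this.realm = realm;
        this.clientId = clientId;
        this.appBase = URI.create(appBase);
        this.returnPaths = returnPaths;
    }

    /** requestPath is the current request path without its query string; may be null. */
    public String accountUrl(String requestPath) {
        StringBuilder url = new StringBuilder(authServerUrl)
                .append("/realms/").append(realm).append("/account")
                .append("?referrer=").append(enc(clientId));
        // Only allowlisted views are sent as referrer_uri. For anything else the
        // parameter is omitted and Keycloak uses the client's base URL instead.
        if (requestPath != null && returnPaths.contains(requestPath)) {
            url.append("&referrer_uri=").append(enc(appBase.resolve(requestPath).toString()));
        }
        return url.toString();
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        AccountLinkBuilder links = new AccountLinkBuilder(
                "https://sso.example.org/auth", "demo", "my-app",
                "https://app.example.org/", Set.of("/dashboard", "/orders"));
        System.out.println(links.accountUrl("/dashboard"));        // allowlisted view
        System.out.println(links.accountUrl("/orders/42/delete")); // not allowlisted
    }
}
```

The allowlisted addresses still have to match the valid redirect URLs configured for the client in the KC administration console.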

So much for now. Keep exploring!

P.S.: Did you know that you can get Keycloak with production-grade support from RedHat under the name RedHat SSO, and that everybody with any JBoss subscription has immediate, free access?