Add a Manage Account link with Keycloak and RedHat-SSO

Published 26 January 2017, last updated 13 February 2017


In this blog, we will look at how you can easily empower users to manage their own account with Keycloak/RedHat-SSO by providing them with a direct link from within your Spring application. Basically, not much more is required than to add this link to your page or menu:

<a href="${KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account">Manage Account</a>

The address of the KC server is, of course, stored in the configuration file webapp/WEB-INF/keycloak.json. But what is the best way to get it from there into the model(s) used to generate your web pages?

For the logout link, KC provides us with a nice and handy shortcut <a href="/sso/logout">Logout</a>, where we do not need to put in the real address. But for Manage Account, no such thing exists (yet).

Link to the User’s Manage Account in Keycloak

Here is one way to add “accountUrl” to the model in a controller (thanks to Scott Rossillo for this code):

import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;

@Controller
public class FooController {

    @Inject
    private AdapterDeploymentContext adapterDeploymentContext;

    // Exposes the account-management URL of the resolved Keycloak deployment to every view of this controller
    @ModelAttribute("accountUrl")
    public String populateAccountUrl(HttpServletRequest request, HttpServletResponse response) {
        HttpFacade facade = new SimpleHttpFacade(request, response);
        KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade);
        return deployment.getAccountUrl();
    }
}

In your page template or header insert, you can now link to the user's account page without hard-coding either the Keycloak address or the realm name:

<a href="${accountUrl}">Manage Account</a>

And Link Back to your Application

But there is more. Keycloak can automatically link back to your application by adding two parameters:

${KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account?referrer=${CLIENT_NAME}&referrer_uri=${THE_PAGE_TO_LINK_BACK_TO}

The first parameter referrer is the name of your client, which is also stored in keycloak.json.
The second parameter referrer_uri is the address within your application that you want the user to come back to. It must be a valid redirect URL (one of those configured for your Client in the KC administration console). The referrer_uri is optional; when it is missing, Keycloak uses the base URL of the client.

I'll demonstrate this with a variation of the previous code that defines the model property in a @ControllerAdvice, which makes the variable available in all your models (to limit it to a subset of your controllers, check the documentation):

import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;

@ControllerAdvice
public class ControllerAdviceSsoManageAccount {

    @Inject
    AdapterDeploymentContext adapterDeploymentContext;

    /**
     * Adds a link to the user's Account Management page to every model as <i>accountUrl</i>,
     * with the client name (from keycloak.json) as the referrer so Keycloak can link back.
     */
    @ModelAttribute(value="accountUrl")
    public String ssoManageAccountLink(final HttpServletRequest request, final HttpServletResponse response) {
        HttpFacade facade = new SimpleHttpFacade(request, response);
        KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade);
        String manageAccountUrl = KeycloakUriBuilder.fromUri(deployment.getAccountUrl())
                .queryParam("referrer", deployment.getResourceName())
//              .queryParam("referrer_uri", request.getRequestURL())       // Check carefully before uncommenting - may fail behind a reverse-proxy, or with query parameters
                .toTemplate();
        return manageAccountUrl;
    }
}

In this example, I have commented out the code that adds the original request as the referrer_uri, because before using it you should carefully evaluate whether this is valid and appropriate in all your views. Otherwise, the return link may trigger unexpected actions in your application when the user returns, or it may be missing the query parameters needed to show the same view as before.
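As an added example (not the author's code), here is one way to supply the referrer_uri without the two problems noted in the comment above: the externally visible base URL comes from a configuration property (assumed name app.public-base-url) instead of request.getRequestURL(), the query string of the current page is preserved, and only pages on a hypothetical allow-list are used as the return target, so an action URL can never become the link-back address. The class name, property name and allow-list are assumptions, and the URLEncoder overload used needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;

@ControllerAdvice
public class SsoManageAccountAdvice {
    // Hypothetical allow-list of pages (relative to the context path) that are safe to return to.
    // Each must also be covered by the client's Valid Redirect URIs in the Keycloak admin console.
    private static final Set<String> RETURN_PATHS = Set.of("/", "/profile", "/orders");

    // Externally visible base URL of the application, e.g. https://shop.example.com/app
    // (assumed property name). Taken from configuration, not from Host/X-Forwarded-* headers.
    @Value("${app.public-base-url}")
    private String publicBaseUrl;

    @Inject
    private AdapterDeploymentContext adapterDeploymentContext;

    @ModelAttribute("accountUrl")
    public String accountUrl(HttpServletRequest request, HttpServletResponse response) {
        HttpFacade facade = new SimpleHttpFacade(request, response);
        KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade);
        String url = deployment.getAccountUrl() + "?referrer=" + encode(deployment.getResourceName());
        String referrerUri = referrerUriFor(request, publicBaseUrl);
        return referrerUri == null ? url : url + "&referrer_uri=" + encode(referrerUri);
    }

    // Rebuilds the current page (path plus query string) on the public base URL, or returns null
    // for a page that is not on the allow-list so that Keycloak falls back to the client's base URL.
    static String referrerUriFor(HttpServletRequest request, String baseUrl) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!RETURN_PATHS.contains(path)) {
            return null;
        }
        String query = request.getQueryString();
        return baseUrl + path + (query == null ? "" : "?" + query);
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8); // Java 10+ overload
    }
}
```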

So much for now. Keep exploring!

P.S.: Did you know that you can get Keycloak with production-grade support from RedHat under the name RedHat SSO, and that everybody with any JBoss subscription has immediate, free access?