feat: map client credentials from clientAlias for user email verification #1173
GHkrishna opened this issue Apr 10, 2025 · 2 comments · May be fixed by #1183
Labels: enhancement (New feature or request), feature (This is a new feature)

@GHkrishna (Contributor)
Prerequisites

  • Understanding of current Keycloak integration in email verification flow
  • Awareness of frontend & backend API payload structure

Summary

Currently, for email verification (i.e., user signup), we are sending encrypted clientId and clientSecret from the frontend. These values determine which Keycloak client to use for user registration.

Instead of passing credentials from the frontend, this proposal suggests using a public clientAlias (e.g., "Sovio", "Educreds", "Verifier") and resolving actual credentials on the backend.


Why this change?

  • Simplifies the API for consumers (especially those using Swagger/OpenAPI).
  • Removes the need to encrypt credentials on the frontend.
  • Enables storing sensitive client credentials securely on the backend (e.g., Supabase Vault).
  • Reduces security risks related to handling and transmitting secrets from the frontend.
  • Improves usability by exposing only a user-friendly client identifier (clientAlias) via dropdown or enum in API documentation.

Proposed Payload Change

Current Payload:

{
  "email": "awqx@yopmail.com",
  "clientId": "xxxx-xxxx-xxxx",
  "clientSecret": "xxxx-xxxxx-xxxxx",
  "brandLogoUrl": "https://example.com/logo.png",
  "platformName": "MyPlatform"
}

Proposed Payload:

{
  "email": "awqx@yopmail.com",
  "client": "Educreds",
  "brandLogoUrl": "https://example.com/logo.png",
  "platformName": "MyPlatform"
}

Or client as a parameter

Steps to Reproduce (Current Flow)

  1. Frontend sends an encrypted clientId and clientSecret.
  2. User submits the email verification request.
  3. Backend uses the credentials in the payload to register user on Keycloak.

Current Behavior

  • Encrypted clientId and clientSecret must be passed in the request payload from the frontend.
  • Frontend must manage encryption of Keycloak credentials.
  • API consumers must handle sensitive information.

Expected Behavior

  • API accepts a simple client alias string.
  • Backend maps the alias to corresponding Keycloak credentials.
  • Credentials are securely fetched (e.g., from a secrets manager like Supabase Vault).
  • No sensitive information is handled by the frontend or API users.

Environment

CREDEBL Version: v2.0.1
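The following is an added example of the backend-side alias resolution the issue proposes; it is not code from the issue author or from the CREDEBL project. The alias names (Sovio, Educreds, Verifier) and the proposed payload shape come from the issue; the secret-store key names, the `SecretStore` interface, the `InMemorySecretStore` stand-in for a secrets manager such as Supabase Vault, and all credential values are constructed assumptions. It shows the three things a reviewer of #1183 would want to see: an allowlist so a caller cannot name an arbitrary Keycloak client, a request validator that rejects the legacy `clientId`/`clientSecret` fields outright, and fail-closed handling when a secret is missing from the store.

```typescript
// Added example (not CREDEBL project code): resolve a public clientAlias to
// Keycloak client credentials on the backend instead of accepting them from
// the frontend. Secret key names, the SecretStore contract and all credential
// values below are constructed for this example.

export interface KeycloakClientCredentials {
  clientId: string;
  clientSecret: string;
}

// Minimal contract for a secrets backend; a Supabase Vault adapter would
// implement it. Only get() is needed here.
export interface SecretStore {
  get(name: string): string | undefined;
}

interface AliasEntry {
  clientIdSecret: string; // secret-store key holding the clientId
  clientSecretSecret: string; // secret-store key holding the clientSecret
}

// Allowlist of public aliases. Only these are accepted, so a caller can
// neither steer registration at an arbitrary Keycloak client nor supply
// its own secret.
export const CLIENT_ALIASES: Readonly<Record<string, AliasEntry>> = {
  Sovio: { clientIdSecret: "keycloak/sovio/client_id", clientSecretSecret: "keycloak/sovio/client_secret" },
  Educreds: { clientIdSecret: "keycloak/educreds/client_id", clientSecretSecret: "keycloak/educreds/client_secret" },
  Verifier: { clientIdSecret: "keycloak/verifier/client_id", clientSecretSecret: "keycloak/verifier/client_secret" },
};

export class UnknownClientAliasError extends Error {
  constructor(alias: string) {
    super(`unknown client alias: ${alias}`);
    this.name = "UnknownClientAliasError";
  }
}

// hasOwnProperty guards against prototype keys such as "constructor" or
// "toString", which a plain `alias in CLIENT_ALIASES` check would accept.
function lookupAlias(alias: string): AliasEntry | undefined {
  return Object.prototype.hasOwnProperty.call(CLIENT_ALIASES, alias) ? CLIENT_ALIASES[alias] : undefined;
}

export function resolveClientCredentials(alias: string, store: SecretStore): KeycloakClientCredentials {
  const entry = lookupAlias(alias);
  if (!entry) throw new UnknownClientAliasError(alias);
  const clientId = store.get(entry.clientIdSecret);
  const clientSecret = store.get(entry.clientSecretSecret);
  // Fail closed: a half-configured client must not reach Keycloak.
  if (clientId === undefined || clientSecret === undefined) {
    throw new Error(`credentials for client alias '${alias}' are not configured`);
  }
  return { clientId, clientSecret };
}

// Shape of the proposed payload from the issue.
export interface EmailVerificationRequest {
  email: string;
  client: string;
  brandLogoUrl?: string;
  platformName?: string;
}

function optionalString(value: unknown, field: string): string | undefined {
  if (value === undefined) return undefined;
  if (typeof value !== "string") throw new Error(`invalid ${field}`);
  return value;
}

// Validates the body and rejects the legacy clientId/clientSecret fields
// outright, so secrets cannot keep arriving from the frontend.
export function validateEmailVerificationRequest(body: Record<string, unknown>): EmailVerificationRequest {
  if ("clientId" in body || "clientSecret" in body) {
    throw new Error("clientId/clientSecret must not be sent; pass the public 'client' alias instead");
  }
  const email = body.email;
  if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) throw new Error("invalid email");
  const client = body.client;
  if (typeof client !== "string" || !lookupAlias(client)) throw new UnknownClientAliasError(String(client));
  return {
    email,
    client,
    brandLogoUrl: optionalString(body.brandLogoUrl, "brandLogoUrl"),
    platformName: optionalString(body.platformName, "platformName"),
  };
}

// In-memory stand-in for the secrets manager, holding constructed values.
export class InMemorySecretStore implements SecretStore {
  private readonly secrets: Readonly<Record<string, string>>;
  constructor(secrets: Readonly<Record<string, string>>) {
    this.secrets = secrets;
  }
  get(name: string): string | undefined {
    return Object.prototype.hasOwnProperty.call(this.secrets, name) ? this.secrets[name] : undefined;
  }
}

export const DEMO_STORE = new InMemorySecretStore({
  "keycloak/educreds/client_id": "educreds-client-id-CONSTRUCTED",
  "keycloak/educreds/client_secret": "educreds-client-secret-CONSTRUCTED",
});

// End-to-end: validate the proposed payload, then resolve credentials server-side.
// The clientSecret is used for the Keycloak call and is never returned to the caller.
export function handleEmailVerification(
  body: Record<string, unknown>,
  store: SecretStore = DEMO_STORE,
): { email: string; clientId: string } {
  const req = validateEmailVerificationRequest(body);
  const creds = resolveClientCredentials(req.client, store);
  return { email: req.email, clientId: creds.clientId };
}
```

Calling `handleEmailVerification` with the issue's proposed payload (`client: "Educreds"`) resolves the Educreds credentials from the store; a payload that still carries `clientSecret`, an alias outside the allowlist (including prototype names like `"constructor"`), or an allowlisted alias whose secrets are absent from the store all throw before anything is sent to Keycloak.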
GHkrishna added the enhancement and feature labels on Apr 10, 2025

@danielmarv

I would like to take on this.

@GHkrishna (Contributor, Author)

Hello @danielmarv,
We have a PR ready for this: #1183

If possible, maybe you can have a look at it.

Project status: In Progress

2 participants