# Enabling Keycloak User Self-Registration

## Overview

This guide covers enabling self-registration for users on Keycloak. Also refer to the [Keycloak Advanced Security](https://docs.openg2p.org/operations/deployment/deployment-guide/keycloak/keycloak-advanced-security) guide for other security policies that should accompany a publicly reachable registration page.

## Prerequisites

* The following requires an SMTP server to be set up within the same Kubernetes cluster for email notifications. See the [openg2p/mail](https://github.com/OpenG2P/openg2p-deployment/tree/main/charts/mail) Helm chart.
* This also requires the Keycloak server to be publicly accessible.

## Procedure

1. **Log in to Keycloak**
   1. Open the Keycloak Admin Console.
   2. Log in using admin credentials.
   3. You can configure self-registration in your existing realm or create a separate realm for public environments and configure it there.<br>
2. **Enable User Registration**
   1. Navigate to **Realm Settings**.
   2. Click on the **General Settings** tab and provide the necessary details.<br>

      <figure><img src="https://3034178245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJZcdob2emEcLMvLyIxqT%2Fuploads%2Fgk8p1LG2eKQsPfg5Y4o4%2Fimage.png?alt=media&#x26;token=3cf8cb98-b99d-4cdc-9d4c-b44be6b62e0f" alt=""><figcaption></figcaption></figure>
   3. Click on the **Login** tab, enable the following options:
      * **User registration**: Allows users to register themselves.
      * **Verify email**: Ensures users confirm their email addresses after registration.
      * **Forgot password**: Allows users to reset their passwords via email.
      * **Login with email**: Enables users to log in using their email addresses instead of usernames.<br>
3. **Configure Email Settings**
   1. In the **Realm Settings**, locate the **Email** section.
   2. Configure the **Template** and **Connection & Authentication** sections with SMTP settings.

      <figure><img src="https://3034178245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJZcdob2emEcLMvLyIxqT%2Fuploads%2FS5VWYPAjqv6i1mM8L4Qa%2Fimage.png?alt=media&#x26;token=5dc72d1f-31dd-4304-abec-aa5efe27719d" alt=""><figcaption></figcaption></figure>
   3. Ensure the SMTP server is installed within the Kubernetes cluster.
   4. Provide SMTP server details (host, port, authentication credentials, etc.).

      <figure><img src="https://3034178245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJZcdob2emEcLMvLyIxqT%2Fuploads%2Fx8mBCyFiANfit8iLAEAZ%2Fimage.png?alt=media&#x26;token=66111664-3ab4-4fe9-a168-f55b79a26cfa" alt=""><figcaption></figcaption></figure>
   5. Save the configuration to enable email notifications for user registrations.
4. **Configure Authentication and reCAPTCHA**
   1. Navigate to the **Authentication** tab, duplicate the built-in **registration** flow as **registration2**, and bind the copy as the realm's **Registration flow**.

      <figure><img src="https://3034178245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJZcdob2emEcLMvLyIxqT%2Fuploads%2FoRtQXgksB96XEVO7d63K%2Fimage.png?alt=media&#x26;token=63f73d5d-c5fa-47c8-85bd-1e086fdcc0d2" alt=""><figcaption></figcaption></figure>

      1. Edit the newly created registration flow, ensuring all step requirements remain the same.
      2. Add reCAPTCHA in the **reCAPTCHA settings**.
      3. Generate the reCAPTCHA site key and secret key from Google reCAPTCHA and configure them in Keycloak.
5. **Assign Client Roles**
   1. Add the required **client roles** under each client to grant access to applications. For more details, refer to the [deployment guide](https://docs.openg2p.org/social-registry/deployment).
   2. To provide complete access to **SR** or **PBMS** for self-registered users, create the necessary roles for the respective clients.
   3. Assign all the created client roles to **Realm Settings → User Registration** to set default roles for self-registered users.

      <figure><img src="https://3034178245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJZcdob2emEcLMvLyIxqT%2Fuploads%2FKEzX0yHRU1rcoYksp1I3%2Fimage.png?alt=media&#x26;token=e81bcb44-91e7-4b13-9224-188a38d48a44" alt=""><figcaption></figcaption></figure>
6. **Integrate Keycloak Credentials with Applications**
   1. Make sure your application is already integrated with Keycloak login for authentication. If not, configure it for [Keycloak authentication](https://docs.openg2p.org/products/pbms/previous-generation/functionality/administration/role-based-access-control/user-guides/configure-keycloak-authentication-provider-for-user-log-in).<br>
7. **Verify Self-Registration**
   1. Open the **Social Registry** or **PBMS** service in an incognito/private browser window.
   2. Click **Login with Keycloak**; you will be redirected to the Keycloak login page.
   3. The **Register** link should now be visible.

      <figure><img src="https://3034178245-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJZcdob2emEcLMvLyIxqT%2Fuploads%2FkwgEgxRqOG7QmA3X14QU%2Fimage.png?alt=media&#x26;token=514186dd-3940-4206-97b0-f0762b901e3a" alt=""><figcaption></figcaption></figure>
   4. Click the **Register** link to access the registration page.
   5. Users can enter their details (name, email, and password) and proceed with two-factor authentication to create an account.
   6. Upon registration, users will receive a confirmation email (if email verification is enabled).
   7. After confirming their email, users can log in to the Odoo application.<br>
8. Once users are registered in Keycloak, they can use the same credentials with any application that integrates with Keycloak authentication.
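To confirm the outcome of steps 2 to 4 without clicking through the console, here is an added Python example (not from the OpenG2P docs or from Keycloak itself) that audits a realm representation fetched from the Admin REST API (`GET /admin/realms/{realm}`) or taken from a realm export. The sample realm is constructed, and the field names assume the standard Keycloak realm representation.

```python
# Added example, not from the OpenG2P docs or Keycloak itself: audit a realm
# representation (GET /admin/realms/{realm} or a realm export) for the
# self-registration settings this guide enables in steps 2 to 4.
LOGIN_FLAGS = ("registrationAllowed", "verifyEmail",          # step 2 Login tab
               "resetPasswordAllowed", "loginWithEmailAllowed")
RECAPTCHA = "registration-recaptcha-action"  # built-in reCAPTCHA form action id

def _executions(flows: dict, alias: str, seen=None) -> list:
    """Flatten a flow and its sub-flows (reCAPTCHA lives in the form sub-flow)."""
    seen = set() if seen is None else seen
    if alias in seen or alias not in flows:
        return []
    seen.add(alias)
    out = []
    for e in flows[alias].get("authenticationExecutions", []):
        out.append(e)
        if e.get("authenticatorFlow"):              # descend into sub-flow
            out.extend(_executions(flows, e.get("flowAlias", ""), seen))
    return out

def audit_self_registration(realm: dict) -> list:
    """Return findings; an empty list means the realm matches the guide."""
    findings = [f"{f} is not enabled" for f in LOGIN_FLAGS if not realm.get(f)]
    smtp = realm.get("smtpServer") or {}            # step 3: mail needs SMTP
    if not smtp.get("host") or not smtp.get("from"):
        findings.append("smtpServer host/from not configured")
    flows = {f.get("alias"): f for f in realm.get("authenticationFlows", [])}
    bound = realm.get("registrationFlow", "")       # step 4: bound flow
    if bound not in flows:
        findings.append(f"registration flow '{bound}' not found")
    elif not any(e.get("authenticator") == RECAPTCHA and
                 e.get("requirement") == "REQUIRED"
                 for e in _executions(flows, bound)):
        findings.append(f"flow '{bound}' has no REQUIRED reCAPTCHA step")
    return findings

# Constructed sample of the relevant parts of a realm export after the guide
# (flow copied to "registration2", reCAPTCHA added to its form sub-flow).
SAMPLE_REALM = {
    "registrationAllowed": True, "verifyEmail": True,
    "resetPasswordAllowed": True, "loginWithEmailAllowed": True,
    "smtpServer": {"host": "mail.example.local", "from": "noreply@example.local"},
    "registrationFlow": "registration2",
    "authenticationFlows": [
        {"alias": "registration2", "authenticationExecutions": [
            {"authenticator": "registration-page-form", "requirement": "REQUIRED",
             "authenticatorFlow": True, "flowAlias": "registration2 registration form"}]},
        {"alias": "registration2 registration form", "authenticationExecutions": [
            {"authenticator": RECAPTCHA, "requirement": "REQUIRED"}]}],
}
```

Running `audit_self_registration` on a realm whose registration flow is still the unmodified built-in one reports the missing reCAPTCHA step, which is the most common omission when step 4 is skipped.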
