feat: map client credentials from clientAlias for user email verification #1173

@GHkrishna

Description

Prerequisites

  • Understanding of current Keycloak integration in email verification flow
  • Awareness of frontend & backend API payload structure

Summary

Currently, for email verification (i.e., user signup), we are sending encrypted clientId and clientSecret from the frontend. These values determine which Keycloak client to use for user registration.

Instead of passing credentials from the frontend, this proposal suggests using a public clientAlias (e.g., "Sovio", "Educreds", "Verifier") and resolving actual credentials on the backend.

Why this change?

  • Simplifies the API for consumers (especially those using Swagger/OpenAPI).
  • Removes the need to encrypt credentials on the frontend.
  • Enables storing sensitive client credentials securely on the backend (e.g., Supabase Vault).
  • Reduces security risks related to handling and transmitting secrets from the frontend.
  • Improves usability by exposing only a user-friendly client identifier (clientAlias) via dropdown or enum in API documentation.

Proposed Payload Change

Current Payload:

{
  "email": "[email protected]",
  "clientId": "xxxx-xxxx-xxxx",
  "clientSecret": "xxxx-xxxxx-xxxxx",
  "brandLogoUrl": "https://example.com/logo.png",
  "platformName": "MyPlatform"
}

Proposed Payload:

{
  "email": "[email protected]",
  "client": "Educreds",
  "brandLogoUrl": "https://example.com/logo.png",
  "platformName": "MyPlatform"
}

Alternatively, client could be passed as a request parameter instead of a body field.

Steps to Reproduce (Current Flow)

  1. Frontend sends an encrypted clientId and clientSecret.
  2. User submits the email verification request.
  3. Backend uses the credentials in the payload to register the user on Keycloak.

Current Behavior

  • Encrypted clientId and clientSecret must be passed in the request payload from the frontend.
  • Frontend must manage encryption of Keycloak credentials.
  • API consumers must handle sensitive information.

Expected Behavior

  • API accepts a simple client alias string.
  • Backend maps the alias to corresponding Keycloak credentials.
  • Credentials are securely fetched (e.g., from a secrets manager like Supabase Vault).
  • No sensitive information is handled by the frontend or API users.
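As an added example (not CREDEBL's own code), a backend resolver for the proposed flow in TypeScript: the alias is checked against a fixed enum before it is ever used as a lookup key, and the secret store is an in-memory stand-in for the assumed Supabase Vault backend, with constructed sample key names.

```typescript
// Added example, not CREDEBL code: resolve a public clientAlias to Keycloak
// client credentials on the backend so the frontend never handles secrets.

// The only aliases the API accepts; this list is what Swagger would expose as an enum.
export const CLIENT_ALIASES = ['Sovio', 'Educreds', 'Verifier'] as const;
export type ClientAlias = (typeof CLIENT_ALIASES)[number];

export interface KeycloakClientCredentials {
  clientId: string;
  clientSecret: string;
}

// Minimal secrets-store abstraction. A real deployment would back this with
// Supabase Vault (the assumed store); here it is synchronous and in-memory.
export interface SecretStore {
  get(key: string): string | undefined;
}

export class InMemorySecretStore implements SecretStore {
  constructor(private readonly secrets: Record<string, string>) {}
  get(key: string): string | undefined {
    return this.secrets[key];
  }
}

// Type guard: the alias must be one of the known values, not an arbitrary string.
export function isClientAlias(value: unknown): value is ClientAlias {
  return typeof value === 'string' && (CLIENT_ALIASES as readonly string[]).includes(value);
}

// Map alias -> credentials. Unknown aliases are rejected before any lookup, so
// the store key is built only from allow-listed values, never from raw input.
// The key layout "keycloak/<alias>/..." is a constructed convention for this example.
export function resolveClientCredentials(store: SecretStore, alias: unknown): KeycloakClientCredentials {
  if (!isClientAlias(alias)) {
    throw new Error('unknown client alias');
  }
  const clientId = store.get(`keycloak/${alias}/clientId`);
  const clientSecret = store.get(`keycloak/${alias}/clientSecret`);
  if (!clientId || !clientSecret) {
    // Misconfiguration, not a client error: do not reveal which part is missing.
    throw new Error(`credentials not configured for alias ${alias}`);
  }
  return { clientId, clientSecret };
}

// What the caller may log or return: the alias and clientId only, never the secret.
export function describeClient(alias: ClientAlias, creds: KeycloakClientCredentials): string {
  return `${alias} (clientId=${creds.clientId})`;
}
```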

Environment

CREDEBL Version: v2.0.1

Metadata

Assignees

Labels

enhancement (New feature or request), feature (This is a new feature)

Projects

Status

In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
