Preventing user from modifying their name in Keycloak
In Keycloak, by default, users are able to change their first and last name in the account manager page. However, is it possible to disable this behavior?
Removing both fields in the theme results in those values not being sent and the form failing, and a hand-crafted POST request would defeat this method anyway.
In Keycloak, by default, users are able to change their first and last name in the account manager page. Is it possible to disable this behavior?
That can be done out-of-the-box (since Keycloak 14) by using the user profile functionality. First, the preview feature declarative-user-profile has to be enabled. For that start the server with:
--features=declarative-user-profile.
for the Quarkus version, or with
-Dkeycloak.profile.feature.declarative_user_profile=enabled
for the Wildfly version.
Bear in mind that:
Declarative User Profile is Technology Preview and is not fully supported.
After starting the server with the aforementioned option, go to the Keycloak Admin Console and:
- Go to the according
Realm; - Go to the tab
General; - Set
User Profile enabledtoON
A new tab named User Profile (top right) will show up; click on it, and a set of configurable attributes will be shown.
Click on firstName, and then go to Permissions
In that section the permissions can be changed, accordingly. For example, if one sets Can user edit? to OFF, then when the user tries to change the firstName field in the account UI, that UI throws the following warning message:
The field First name is read only.
The same configuration can also be applied to the lastName attribute.
For the new Keycloak UI the workflow is exactly the same as the one I have just described. More information about the feature can be found in the official keycloak documentation (link)
UPDATE:
For new keycloak versions use the following env var:
- name: KC_FEATURES
value: 'declarative-user-profile'
- Spring Security 6 .permitAll() not working
- Preventing user from modifying their name in Keycloak
- Keycloak - Assigning role per tenant
- How are Keycloak roles managed?
- Use Keycloak Spring Adapter with Spring Boot 3
- Spring Boot with React and Keycloak: redirect to Keycloak's login page fails due to CORS error (no Access-Control-Allow-Origin header set)
- Keycloak 9.0.2 : missing script mapper
- Using Keycloak behind a reverse proxy: Could not open Admin loginpage because mixed Content
- How to add resource_access key (realm-management or account) to admin token (fastapi-keycloak)?
- How to periodically sync and clean up Keycloak users with Entra ID?
- Need help understanding keycloak, reverse proxies, and middleware in a cluster
- Changing default port of keycloak in docker
- Keycloak Admin Console Login - Infinite Loop
- Keycloak and React infinite redirect loop in local development environment
- How to set up AWS Client VPN with Keycloak as IdP
- keycloak-angular 26 is unable to find keycloak-js
- Unable to start keycloak with preview or scripts features enabled
- How to use Keycloak for user self-registration
- Keycloak Account API returns Unauthorized 401 with token from user logged in via my spring client
- Configure reverse-proxy for Keycloak docker with custom base URL
- Unable to authenticate the login of application user using Keycloak
- Angular-Keycloak is not adding the bearer token by default to my http requests
- Keycloak: Role based client log-in access restriction for users
- In Keycloak, how do I customize my login theme so that social providers are at the top?
- Java, Keycloak: How to programatically create a Realm and set userProfile attributes in it
- How to retrieve the code verifier using Keycloak from Angular
- Is it possible to have a Spring-boot application with a JWT-Decoder and as oauth2Login?
- Client secret not provided in request error
- Implementing OIDC with Authorization Code Flow on API Gateway using Keycloak as SSO provider
- Spring Boot with Spring Security and Keycloak only providing Anonymous Authentication Token