Future of sending messages to identities in Keycloak #37848

srose · 2025-03-05T14:58:47Z

srose
Mar 5, 2025

Current status of this discussion

Implementing XOAUTH2 for Keycloaks outgoing Emails described in #17432 made several ideas and improvements visible. The topic was discussed with serveral participants of the Keycloak DevDay 2025 Hackathon. Needs further feedback, everone is welcome.

Problem description

The abstract topic is: The IAM System has several reasons to send a message to the user of an identity. Keycloak provides Email for several Use-Cases via SMTP-Protokoll which allow sending good old E-Mails to users. There are several improvements in every step.

From a user of an identity, there might be different things a message can be sent to: message-handle

E-Mail
Mobile phone Number
Chat/Messanger-Handle
-- Slack
-- ...

When looking into the Details of each of the message-handles there are the protocols these handles accept:

SMTP
Some HTTP-Service that allowes sending messages to these handles, probably very specific to a provider

Each protocol supports different authentication mechanisms

Password
Token

For Token based authentication mechanisms we have different ways to gather a token. I would argue to stick to mechanisms that are meant to be used by a machine:

Provide the token as is, no option to renew it. User is required to update the token before the token expires.
Client Credentials Grant authenticate with Client Secret
Client Credentials Grant authenticate with JWT
Client Credentials Grant with other option to authenticate

Solution

Assumptions

Required functionality is not in the core-domain of Keycloak.
There is no standard the can be used throughout cloud providers
Not aware of something that can do all these things like a library or framework

Build some more explicit ways to allow extensions to the area

Things to keep in mind/requirements

Separate extensionpoints for creating/building the message and sending the message? Might be more complicated when the message has to consider restrictions of the way the message is sent? E.g. size restrictions, formatting rules, etc.; Some people during the hackathon have involved a content management system in the message building process.
Sending a message is a function for keycloak user and its attributes given a message. Maybe the message can be provided in a way that restrictions of the sending-mechanism can be applied: e.g. send an SMS has different properties than sending an email.
The configuration might be different per realm and might support different mechanisms depending on the users attributes
Provide some of the existing ways Keycloak supports as explicit implementations, but not try to make things composeable/reusable in the first place. An explicit list with explicit configuration per message-service could make sense.

This would create a dropdown with every message provider that Keycloak can find during startup

SMTP Password
SMTP Microsoft-XOAUTH2
SMTP Gmail-XOAUTH2
Azure-Message-Service
Google-Message-Service
AWS-Message-Service
...

Each line is self-contained and complete. Behind the scenes there might be libraries or code shared that is part of Keycloak, but things are likely to be more complex than planned.

Any alternative ideas or recommendations? Maybe existing libraries? The available provider-SDKs might introduce a lot of dependencies :(.
Using the build feature might be useful similar to the db selection.

jbman · 2025-05-13T11:19:00Z

jbman
May 13, 2025

It would be very good to have a Keycloak MessageToUser SPI for custom message rendering, delivery and authentication implementations. As described above this shouldn't be restricted to emails. This approach doesn't require to integrate provider SDKs. It should enable integration with a custom SPI implementation.

The EmailSenderProvider.java could be reworked, so that

Implementations can use texts managed and rendered at the external service. The Keycloak email implementation still renders the texts based on localized messages
Not the whole message is provided, but variables for a message template and an identifier for the message which should be sent (one of "test connection", "email verification", "password reset", ...)
A recipient user and sometimes a sender user is provided, so that their data can be used to render the message. While Keycloak sends the emails, the message could be triggered by an (admin) user and you may want the data to occur in the message to the user.

SPI implementations which send emails rendered at Keycloak and just want to replace the sending protocol or authentication, they should be able to re-use parts of the Keycloak default email delivery implementation (i.e. message rendering based on localized texts, sending the email via standard protocol like SMTP, authentication options like XOAUTH2)

0 replies

darius-m · 2025-05-14T10:01:09Z

darius-m
May 14, 2025

Would delegating messages to an external process that provides a simple REST API work for Keycloak, similar to how Prometheus and Alertmanager are separated?

I assume this can introduce some issues with external dependencies and trust / reliability, but it can also make things quite a bit easier to get going, as libraries are language-dependent so harder to write and maintain (fewer users by default) than standalone services.

0 replies

alemairebe · 2025-05-20T06:45:08Z

alemairebe
May 20, 2025

I would keep it simple : stick with simple SMTP interface.
With that interface, we can use many tools like :

But also, as Keycloak only needs to send mails, a simple postfix server can perfectly do the job as long as it is properly configured to send mail (spf,dkim,dmarc,dane,reverse dns)

Maybe someone in the community will see a need to fork the old/previously opensource version of https://emailengine.app/ and keep distributing it as OSS
But I do not think it is part of keycloak to develop such product.

0 replies

pcolombani · 2025-12-11T17:49:54Z

pcolombani
Dec 11, 2025

how about rfc4422 ?

0 replies

stianst · 2025-12-16T12:18:11Z

stianst
Dec 16, 2025
Maintainer

Let's break this down a bit more;

First you'd need the user to supply additional means of contact than email. Then who decide what messages goes where? Is it the realm admin or the user, or both?

Final thing of supporting multiple different messaging mechanisms, that's fairly simple really. We should really just add a SmtpMessageSPI or something, probably with no default implementation as there's no standard for that AFAIK.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Future of sending messages to identities in Keycloak #37848

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 5 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Future of sending messages to identities in Keycloak #37848

Uh oh!

Uh oh!

srose Mar 5, 2025

Current status of this discussion

Problem description

Solution

Build some more explicit ways to allow extensions to the area

Replies: 5 comments

Uh oh!

Uh oh!

jbman May 13, 2025

Uh oh!

darius-m May 14, 2025

Uh oh!

alemairebe May 20, 2025

Uh oh!

pcolombani Dec 11, 2025

Uh oh!

stianst Dec 16, 2025 Maintainer

srose
Mar 5, 2025

jbman
May 13, 2025

darius-m
May 14, 2025

alemairebe
May 20, 2025

pcolombani
Dec 11, 2025

stianst
Dec 16, 2025
Maintainer