Keycloak offers a delete account functionality that allows end users to delete their own account. This functionality is only available for the account console v2 and can be activated by adding a delete-account client role to the user in question, and also by activating the Delete Account required action. More details can be found in the official docs.

So far so good, but what if you are still using the legacy account console (Keycloak v1) and still want to add this functionality? No worries, we've got you covered. Because Keycloak lets applications initiate required actions as AIAs (Application Initiated Actions), you can initiate any required action by redirecting to the Keycloak login and adding the query parameter ?kc_action=the_action_id. Since the account console is also considered an application, we can simply alter a template so that it redirects to the Keycloak login with ?kc_action=delete_account when a button is clicked.

Let’s do it

To add the delete functionality, we are going to extend the keycloak theme. We are not required to extend all the parts (email, login, etc.), only the account console theme. So our theme structure looks like:

    theme
    └── imager200
        └── account
            ├── account.ftl
            └── theme.properties

Because we are interested only in the account.ftl template, we do not need to override all the templates. We can simply specify in theme.properties that we are extending the keycloak theme, so that whenever a template is not found in our theme, the parent template is used.

    parent=keycloak

Now we need to add the delete functionality to our template. This can be achieved by adding something similar to the following snippet:

    <form action="/auth/realms/${realm.name}/protocol/openid-connect/auth" class="form-horizontal" method="GET">
        <input type="hidden" id="client-id" name="client_id" value="account">
        <input type="hidden" id="redirect_uri" name="redirect_uri" value="${url.accountUrl}">
        <input type="hidden" id="response-type" name="response_type" value="code">
        <input type="hidden" id="scope" name="scope" value="openid">
        <input type="hidden" id="kc_action" name="kc_action" value="delete_account">
        <button type="submit" class="${properties.kcButtonClass!} btn-danger ${properties.kcButtonLargeClass!}" name="submitAction" value="Delete Account">Delete Account</button>
    </form>

As we mentioned earlier, to trigger an AIA we need to redirect to the authentication page with the query parameter kc_action. We are also required to provide some other parameters: client_id, redirect_uri, response_type, and scope. These parameters are generally needed during the first step of a three-legged OAuth flow.

And voilà! All we need is to package and deploy our theme (more on that here), and now the user will be able to see a delete account button in his account console:

[Screenshot: account console with the Delete Account button]

Once the button is clicked, the user is redirected to re-authenticate and confirm the deletion of his account.
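
The same request built from script instead of a form, as an added example that is not part of the original post or of Keycloak's code. It goes slightly beyond the form above by adding the standard OAuth `state` parameter and by reading the `kc_action_status` parameter that Keycloak's AIA documentation describes on the redirect back; `buildAiaUrl`, `readAiaResult` and the example.test URLs are hypothetical.

```javascript
// Added example: function names and sample URLs are hypothetical.
// Only actions this application intends to trigger are accepted.
const ALLOWED_ACTIONS = new Set(["delete_account"]);

// Build the authorization request that starts the required action.
// `state` must be a fresh random value kept in the user's session.
function buildAiaUrl({ baseUrl, realm, clientId, redirectUri, action, state }) {
  if (!ALLOWED_ACTIONS.has(action)) {
    throw new Error(`unexpected kc_action: ${action}`);
  }
  if (!state) {
    throw new Error("state is required");
  }
  const url = new URL(
    `/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/auth`,
    baseUrl
  );
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "openid",
    kc_action: action,
    state,
  }).toString();
  return url.toString();
}

// Inspect the redirect back from Keycloak before acting on it.
function readAiaResult(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const status = params.get("kc_action_status"); // success | cancelled | error
  return { ok: status === "success", reason: status || "missing status" };
}

// Constructed sample values, not taken from a real deployment.
const sampleUrl = buildAiaUrl({
  baseUrl: "https://sso.example.test",
  realm: "demo",
  clientId: "account",
  redirectUri: "https://sso.example.test/auth/realms/demo/account/",
  action: "delete_account",
  state: "constructed-state-123",
});
console.log(sampleUrl);
```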