How to enable users to delete their own Keycloak account using API?


I have an Express.js CRUD application and I use Keycloak 18.0.2 for identity management. Keycloak handles Google and Facebook Single Sign-On (SSO) for my application, and all authentications are managed through Keycloak. Currently, users are authenticated using their access tokens received in HTTP requests.

I want to implement a feature where users can delete their own accounts without requiring administrative privileges. Ideally, I would like to use the user's token received in the HTTP request to authenticate and delete the user record from Keycloak. So the user will make a request to DELETE base_url_to_my_express_js_application/users, then I will delete the user from my application and then call the Keycloak deletion API with the same token I received in the Authorization header.

I have tried the following approaches without success:

  1. On the internet I got a suggestion for enabling "Self-Service Account Management" in Keycloak's "Account" tab: I found that there is no "Account" tab in Keycloak 18.0.2, and I couldn't locate the option to enable self-service account management.
  2. Making a DELETE request to https://my-keycloak/auth/realms/my-realm/account: This endpoint returns status 404.
     {
       "error": "RESTEASY003210: Could not find resource for full path:http://your-keycloak-server/auth/realms/your-realm-name/account"
     }
  3. Making a DELETE request to https://my-keycloak/realms/my-realm/account: This endpoint returns status 405.
     {
       "error": "RESTEASY003650: No resource method found for DELETE, return 405 with Allow header"
     }

Since the above approaches didn't work as expected, I'm seeking guidance on how to implement this feature using the Keycloak Admin API or any other alternative method. Specifically, I would like to know:

  • How can I enable users to delete their own Keycloak accounts using their own access tokens?
  • Is there a specific Keycloak Admin API endpoint that allows users to delete their own accounts? If so, how can I access it?
  • If the above approach is not possible, what alternative methods can I use to implement the account deletion feature securely?

I appreciate any insights, examples, or guidance on how to achieve this functionality within the Keycloak 18.0.2 version.

Thank you in advance for your help!

2

There are 2 answers

2
yohannes getu

Enabling account deletion by users

End users and applications can delete their accounts in the Account Console if you enable this capability in the Admin Console. Once you enable this capability, you can give that capability to specific users.

Enabling the Delete Account Capability

You enable this capability on the Required Actions tab.

Procedure:

  1. Click Authentication in the menu.
  2. Click the Required Actions tab.
  3. Select Enabled on the Delete Account row.

[Image: Delete Account row on the Required Actions tab]

Giving a user the delete-account role

You can give specific users a role that allows account deletion.

Procedure:

  1. Click Users in the menu.
  2. Select a user.
  3. Click the Role Mappings tab.
  4. Click the Assign role button.
  5. Click account delete-account.
  6. Click Assign.

[Image: the delete-account role being assigned]

Deleting your account

Once you have the delete-account role, you can delete your own account.

  1. Log into the Account Console.
  2. At the bottom of the Personal Info page, click Delete Account.

[Image: Delete Account page]

  3. Enter your credentials and confirm the deletion.

[Image: delete account confirmation dialog]

This action is irreversible. All your data in Keycloak will be removed.

0
Jakub Gańczorz

Yohannes's answer is correct, but it requires your user to use Account Console, which is not always convenient.

You need to enable the Delete Account action and assign the delete-account role to users, as described, but the last step can be achieved with an Application Initiated Action.

Just start the OAuth action with the additional query parameter kc_action=delete_account, and after logging in, the user will see the delete account confirm form.

After confirming (or cancelling), you'd need to handle the redirect, as with the usual OAuth flow, but with an additional parameter, kc_action_status.