keycloak · pedroigor · Jul 9, 2025 · Jun 5, 2025
@@ -96,7 +96,7 @@ public enum Feature {
 
         RECOVERY_CODES("Recovery codes", Type.DEFAULT),
 
-        UPDATE_EMAIL("Update Email Action", Type.PREVIEW),
+        UPDATE_EMAIL("Update Email Action", Type.DEFAULT),
 
         FIPS("FIPS 140-2 mode", Type.DISABLED_BY_DEFAULT),
 

@@ -18,7 +18,6 @@
 package org.keycloak.federation.kerberos;
 
 import org.jboss.logging.Logger;
-import org.keycloak.common.Profile;
 import org.keycloak.common.constants.KerberosConstants;
 import org.keycloak.credential.CredentialAuthentication;
 import org.keycloak.credential.CredentialInput;
@@ -289,9 +288,7 @@ protected UserModel importUserToKeycloak(RealmModel realm, KerberosPrincipal ker
         user.setSingleAttribute(KERBEROS_PRINCIPAL, kerberosPrincipal.toString());
 
         if (kerberosConfig.isUpdateProfileFirstLogin()) {
-            if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
-                user.addRequiredAction(UserModel.RequiredAction.UPDATE_EMAIL);
-            }
+            user.addRequiredAction(UserModel.RequiredAction.UPDATE_EMAIL);
             user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
         }
 

@@ -20,7 +20,6 @@
   test("sets basic information", async ({ page }) => {
     await login(page, user, "pwd", realm);
 
-    await page.getByTestId("email").fill(`${user}@somewhere.com`);
     await page.getByTestId("firstName").fill("Erik");
     await page.getByTestId("lastName").fill("de Wit");
     await page.getByTestId("save").click();
@@ -67,7 +66,7 @@
    await login(page, user, "jdoe", realm);

    await page.locator("#alternatelang").click();
    await page.waitForSelector("text=Italiano");

    await page.locator("#alternatelang").click();
    await page.locator("*:focus").press("Control+A");
@@ -81,7 +80,7 @@
    await login(page, user, "jdoe", realm);

    await page.locator("#attributes\\.locale").click();
    await page.waitForSelector("text=Italiano");

    await page.locator("#attributes\\.locale").click();
    await page.locator("*:focus").press("Control+A");

@@ -193,7 +193,7 @@ public static void addVerifyProfile(RealmModel realm) {
             verifyProfile.setName("Verify Profile");
             verifyProfile.setProviderId(UserModel.RequiredAction.VERIFY_PROFILE.name());
             verifyProfile.setDefaultAction(false);
-            verifyProfile.setPriority(90);
+            verifyProfile.setPriority(100);
             realm.addRequiredActionProvider(verifyProfile);
         }
     }
@@ -219,7 +219,7 @@ public static void addDeleteCredentialAction(RealmModel realm) {
             deleteCredential.setName("Delete Credential");
             deleteCredential.setProviderId("delete_credential");
             deleteCredential.setDefaultAction(false);
-            deleteCredential.setPriority(100);
+            deleteCredential.setPriority(110);
             realm.addRequiredActionProvider(deleteCredential);
         }
     }
@@ -232,7 +232,7 @@ public static void addIdpLink(RealmModel realm) {
             idpLink.setName("Linking Identity Provider");
             idpLink.setProviderId("idp_link");
             idpLink.setDefaultAction(false);
-            idpLink.setPriority(110);
+            idpLink.setPriority(120);
             realm.addRequiredActionProvider(idpLink);
         }
     }
@@ -287,7 +287,7 @@ public static void addRecoveryAuthnCodesAction(RealmModel realm) {
             recoveryCodes.setName("Recovery Authentication Codes");
             recoveryCodes.setProviderId(PROVIDER_ID);
             recoveryCodes.setDefaultAction(false);
-            recoveryCodes.setPriority(120);
+            recoveryCodes.setPriority(130);
             realm.addRequiredActionProvider(recoveryCodes);
         }
     }
@@ -308,7 +308,7 @@ public static void addWebAuthnRegisterAction(RealmModel realm) {
             webauthnRegister.setName("Webauthn Register");
             webauthnRegister.setProviderId(PROVIDER_ID);
             webauthnRegister.setDefaultAction(false);
-            webauthnRegister.setPriority(70);
+            webauthnRegister.setPriority(80);
             realm.addRequiredActionProvider(webauthnRegister);
         }
     }
@@ -329,7 +329,7 @@ public static void addWebAuthnPasswordlessRegisterAction(RealmModel realm) {
             webauthnRegister.setName("Webauthn Register Passwordless");
             webauthnRegister.setProviderId(PROVIDER_ID);
             webauthnRegister.setDefaultAction(false);
-            webauthnRegister.setPriority(80);
+            webauthnRegister.setPriority(90);
             realm.addRequiredActionProvider(webauthnRegister);
         }
     }

@@ -68,7 +68,7 @@ public enum UserProfileContext {
      * In this context, a user profile is managed by themselves when updating their email through an application initiated action.
      * In this context, only the {@link UserModel#EMAIL} attribute is supported.
      */
-    UPDATE_EMAIL(false, true, false, Set.of(UserModel.EMAIL)::contains);
+    UPDATE_EMAIL(false, true, true, Set.of(UserModel.EMAIL)::contains);
 
     private final boolean resetEmailVerified;
     private final Predicate<String> attributeSelector;

@@ -152,6 +152,16 @@ private static boolean editEmailCondition(AttributeContext c) {
         }
 
         if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
+            if (UPDATE_PROFILE.equals(c.getContext())) {
+                if (!isNewUser(c)) {
+                    if (c.getUser().getEmail() == null || c.getUser().getEmail().isEmpty()) {
+                        // allow to set email via UPDATE_PROFILE if the email is not set for the user
+                        return true;
+                    }
+                } else if (UserModel.EMAIL.equals(c.getAttribute().getKey()) && c.getAttribute().getValue().isEmpty()) {
+                    return true;
+                }
+            }
             return !(UPDATE_PROFILE.equals(c.getContext()) || ACCOUNT.equals(c.getContext()));
         }
 
@@ -170,6 +180,16 @@ private static boolean readEmailCondition(AttributeContext c) {
         }
 
         if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
+            if (UPDATE_PROFILE.equals(c.getContext())) {
+                if (!isNewUser(c)) {
+                    if (c.getUser().getEmail() == null || c.getUser().getEmail().isEmpty()) {
+                        // show email field in UPDATE_PROFILE page if the email is not set for the user
+                        return true;
+                    }
+                } else if (UserModel.EMAIL.equals(c.getAttribute().getKey()) && c.getAttribute().getValue().isEmpty()) {
+                    return true;
+                }
+            }
             return !UPDATE_PROFILE.equals(context);
         }
 
@@ -233,9 +253,7 @@ public void init(Config.Scope config) {
         addContextualProfileMetadata(configureUserProfile(createBrokeringProfile(readOnlyValidator)));
         addContextualProfileMetadata(configureUserProfile(createAccountProfile(ACCOUNT, readOnlyValidator)));
         addContextualProfileMetadata(configureUserProfile(createDefaultProfile(UPDATE_PROFILE, readOnlyValidator)));
-        if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
-            addContextualProfileMetadata(configureUserProfile(createDefaultProfile(UPDATE_EMAIL, readOnlyValidator)));
-        }
+        addContextualProfileMetadata(configureUserProfile(createDefaultProfile(UPDATE_EMAIL, readOnlyValidator)));
         addContextualProfileMetadata(configureUserProfile(createRegistrationUserCreationProfile(readOnlyValidator)));
         addContextualProfileMetadata(configureUserProfile(createUserResourceValidation(config)));
     }

@@ -19,17 +19,17 @@ public class CustomConfigTest {
     Keycloak adminClient;
 
     @Test
-    public void testUpdateEmailFeatureEnabled() {
-        Optional<FeatureRepresentation> updateEmailFeature = adminClient.serverInfo().getInfo().getFeatures().stream().filter(f -> f.getName().equals(Profile.Feature.UPDATE_EMAIL.name())).findFirst();
-        Assertions.assertTrue(updateEmailFeature.isPresent());
-        Assertions.assertTrue(updateEmailFeature.get().isEnabled());
+    public void testPasskeyFeatureEnabled() {
+        Optional<FeatureRepresentation> passKeysFeature = adminClient.serverInfo().getInfo().getFeatures().stream().filter(f -> f.getName().equals(Profile.Feature.PASSKEYS.name())).findFirst();
+        Assertions.assertTrue(passKeysFeature.isPresent());
+        Assertions.assertTrue(passKeysFeature.get().isEnabled());
     }
 
     public static class CustomServerConfig implements KeycloakServerConfig {
 
         @Override
         public KeycloakServerConfigBuilder configure(KeycloakServerConfigBuilder config) {
-            return config.features(Profile.Feature.UPDATE_EMAIL);
+            return config.features(Profile.Feature.PASSKEYS);
         }
 
     }

@@ -66,6 +66,7 @@ public void testRequiredActions() {
         addRequiredAction(expected, "CONFIGURE_RECOVERY_AUTHN_CODES", "Recovery Authentication Codes", true, false, null);
         addRequiredAction(expected, "CONFIGURE_TOTP", "Configure OTP", true, false, null);
         addRequiredAction(expected, "TERMS_AND_CONDITIONS", "Terms and Conditions", false, false, null);
+        addRequiredAction(expected, "UPDATE_EMAIL", "Update Email", true, false, null);
         addRequiredAction(expected, "UPDATE_PASSWORD", "Update Password", true, false, null);
         addRequiredAction(expected, "UPDATE_PROFILE", "Update Profile", true, false, null);
         addRequiredAction(expected, "VERIFY_EMAIL", "Verify Email", true, false, null);