[KEYCLOAK-18428] - dynamic registration form

2021-06-24 16:51:41 +02:00 · 2021-06-24 16:51:41 +02:00 · 512bcd14f7
commit 512bcd14f7
parent 6e4a0044fd
14 changed files with 435 additions and 45 deletions
--- a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java
+++ b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java
@ -24,7 +24,7 @@ public enum LoginFormsPages {
    LOGIN, LOGIN_USERNAME, LOGIN_PASSWORD, LOGIN_TOTP, LOGIN_CONFIG_TOTP, LOGIN_WEBAUTHN, LOGIN_VERIFY_EMAIL,
    LOGIN_IDP_LINK_CONFIRM, LOGIN_IDP_LINK_EMAIL,
-    OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, LOGIN_SELECT_AUTHENTICATOR, REGISTER, INFO, ERROR, ERROR_WEBAUTHN, LOGIN_UPDATE_PROFILE,
+    OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, LOGIN_SELECT_AUTHENTICATOR, REGISTER, REGISTER_USER_PROFILE, INFO, ERROR, ERROR_WEBAUTHN, LOGIN_UPDATE_PROFILE,
    LOGIN_PAGE_EXPIRED, CODE, X509_CONFIRM, SAML_POST_FORM,
    LOGIN_OAUTH2_DEVICE_VERIFY_USER_CODE, VERIFY_PROFILE;
--- a/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java
+++ b/server-spi-private/src/main/java/org/keycloak/userprofile/DefaultAttributes.java
@ -168,6 +168,9 @@ public class DefaultAttributes extends HashMap<String, List<String>> implements
    @Override
    public Map<String, List<String>> getReadable() {
        if(user == null)
            return null;
        Map<String, List<String>> attributes = new HashMap<>(user.getAttributes());
        if (attributes.isEmpty()) {
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java
@ -63,6 +63,7 @@ import org.keycloak.theme.beans.MessageBean;
 import org.keycloak.theme.beans.MessageFormatterMethod;
 import org.keycloak.theme.beans.MessageType;
 import org.keycloak.theme.beans.MessagesPerFieldBean;
 import org.keycloak.userprofile.UserProfileProvider;
 import org.keycloak.utils.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
@ -180,6 +181,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
    @SuppressWarnings("incomplete-switch")
    protected Response createResponse(LoginFormsPages page) {
        Theme theme;
        try {
            theme = getTheme();
@ -230,7 +232,14 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
                attributes.put("otpLogin", new TotpLoginBean(session, realm, user, (String) this.attributes.get(OTPFormAuthenticator.SELECTED_OTP_CREDENTIAL_ID)));
                break;
            case REGISTER:
-                attributes.put("register", new RegisterBean(formData));
+                if(isDynamicUserProfile()) {
                    page = LoginFormsPages.REGISTER_USER_PROFILE;
                }
                RegisterBean rb = new RegisterBean(formData,session);
                //legacy bean for static template
                attributes.put("register", rb);
                //bean for dynamic template
                attributes.put("profile", rb);
                break;
            case OAUTH_GRANT:
                attributes.put("oauth",
@ -253,6 +262,10 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
        return processTemplate(theme, Templates.getTemplate(page), locale);
    }
    private boolean isDynamicUserProfile() {
        return session.getProvider(UserProfileProvider.class).getConfiguration() != null;
    }
    @Override
    public Response createForm(String form) {
        Theme theme;
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java
@ -56,6 +56,8 @@ public class Templates {
                return "select-authenticator.ftl";
            case REGISTER:
                return "register.ftl";
            case REGISTER_USER_PROFILE:
                return "register-user-profile.ftl";
            case INFO:
                return "info.ftl";
            case ERROR:
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/AbstractUserProfileBean.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/AbstractUserProfileBean.java
@ -32,12 +32,14 @@ public abstract class AbstractUserProfileBean {
     * Subclass have to call this method at the end of constructor to init user profile data. 
     * 
     * @param session
     * @param writeableOnly if true then only writeable (no read-only) attributes are put into template, if false then all readable attributes are there 
     */
-    protected void init(KeycloakSession session) {
+    protected void init(KeycloakSession session, boolean writeableOnly) {
        UserProfileProvider provider = session.getProvider(UserProfileProvider.class);
        this.profile = createUserProfile(provider);
-        this.attributes = toAttributes(profile.getAttributes().getReadable());
+        this.attributes = toAttributes(profile.getAttributes().getReadable(), writeableOnly);
-        this.attributesByName = attributes.stream().collect(Collectors.toMap((a) -> a.getName(), (a) -> a));        
+        if(this.attributes != null)
            this.attributesByName = attributes.stream().collect(Collectors.toMap((a) -> a.getName(), (a) -> a));        
    }
    /**
@ -56,6 +58,13 @@ public abstract class AbstractUserProfileBean {
     */
    protected abstract List<String> getAttributeDefaultValue(String name);
    /**
     * Get context the template is used for, so view can be customized for distinct contexts. 
     * 
     * @return name of the context
     */
    public abstract String getContext();
    /**
     * All attributes to be shown in form sorted by the configured GUI order. Useful to render dynamic form.
     * 
@ -74,8 +83,10 @@ public abstract class AbstractUserProfileBean {
        return attributesByName;
    }
-    private List<Attribute> toAttributes(Map<String, List<String>> readable) {
+    private List<Attribute> toAttributes(Map<String, List<String>> attributes, boolean writeableOnly) {
-        return readable.keySet().stream().map(name -> profile.getAttributes().getMetadata(name)).map(Attribute::new).sorted().collect(Collectors.toList());
+        if(attributes == null)
            return null;
        return attributes.keySet().stream().map(name -> profile.getAttributes().getMetadata(name)).filter((am) -> writeableOnly ? !profile.getAttributes().isReadOnly(am.getName()) : true).map(Attribute::new).sorted().collect(Collectors.toList());
    }
    /**
@ -98,7 +109,7 @@ public abstract class AbstractUserProfileBean {
        }
        public String getValue() {
-            List<String> v = formData.getOrDefault(getName(), getAttributeDefaultValue(getName()));
+            List<String> v = formData!=null ? formData.getOrDefault(getName(), getAttributeDefaultValue(getName())): getAttributeDefaultValue(getName());
            if (v == null || v.isEmpty()) {
                return null;
            }
@ -113,6 +124,15 @@ public abstract class AbstractUserProfileBean {
            return profile.getAttributes().isReadOnly(getName());
        }
        /** define value of the autocomplete attribute for html input tag. if null then no html input tag attribute is added */
        public String getAutocomplete() {
            if(getName().equals("email") || getName().equals("username"))
                return getName();
            else
                return null;    
        }
        public Map<String, Object> getAnnotations() {
            Map<String, Object> annotations = metadata.getAnnotations();
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/RegisterBean.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/RegisterBean.java
@ -16,29 +16,54 @@
 */
 package org.keycloak.forms.login.freemarker.model;
 import javax.ws.rs.core.MultivaluedMap;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import javax.ws.rs.core.MultivaluedMap;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.userprofile.UserProfile;
 import org.keycloak.userprofile.UserProfileContext;
 import org.keycloak.userprofile.UserProfileProvider;
 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
 * @author Vlastimil Elias <velias@redhat.com>
 */
-public class RegisterBean {
+public class RegisterBean extends AbstractUserProfileBean {
-    private Map<String, String> formData;
+    private Map<String, String> formDataLegacy = new HashMap<>();
-    public RegisterBean(MultivaluedMap<String, String> formData) {
+    public RegisterBean(MultivaluedMap<String, String> formData, KeycloakSession session) {
-        this.formData = new HashMap<>();
+        
        super(formData);
        init(session, true);
        if (formData != null) {
            for (String k : formData.keySet()) {
-                this.formData.put(k, formData.getFirst(k));
+                this.formDataLegacy.put(k, formData.getFirst(k));
            }
        }
    }
    @Override
    protected UserProfile createUserProfile(UserProfileProvider provider) {
        return provider.create(UserProfileContext.REGISTRATION_PROFILE, null, null);
    }
    @Override
    protected List<String> getAttributeDefaultValue(String name) {
        return null;
    }
    @Override 
    public String getContext() {
        return UserProfileContext.REGISTRATION_PROFILE.name();
    }
    public Map<String, String> getFormData() {
-        return formData;
+        return formDataLegacy;
    }
 }
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/VerifyProfileBean.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/VerifyProfileBean.java
@ -22,7 +22,7 @@ public class VerifyProfileBean extends AbstractUserProfileBean {
    public VerifyProfileBean(UserModel user, MultivaluedMap<String, String> formData, KeycloakSession session) {
        super(formData);
        this.user = user;
-        init(session);
+        init(session, false);
    }
    @Override
@ -35,4 +35,9 @@ public class VerifyProfileBean extends AbstractUserProfileBean {
        return singletonList(user.getFirstAttribute(name));
    }
    @Override 
    public String getContext() {
        return UserProfileContext.UPDATE_PROFILE.name();
    }
 }
--- a/services/src/main/java/org/keycloak/userprofile/legacy/AbstractUserProfileProvider.java
+++ b/services/src/main/java/org/keycloak/userprofile/legacy/AbstractUserProfileProvider.java
@ -79,7 +79,7 @@ public abstract class AbstractUserProfileProvider<U extends UserProfileProvider>
        KeycloakSession session = c.getSession();
        KeycloakContext context = session.getContext();
        RealmModel realm = context.getRealm();
-        return realm.isEditUsernameAllowed();
+        return ((c.getContext() == REGISTRATION_PROFILE || c.getContext() == IDP_REVIEW) && !realm.isRegistrationEmailAsUsername()) || realm.isEditUsernameAllowed();
    }
    public static Pattern getRegexPatternString(String[] builtinReadOnlyAttributes) {
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/auth/page/AccountFields.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/auth/page/AccountFields.java
@ -147,9 +147,15 @@ public class AccountFields extends FieldsBase {
        @FindBy(id = "input-error-firstname")
        private WebElement firstNameError;
        @FindBy(id = "input-error-firstName")
        private WebElement firstNameDynamicError;
        @FindBy(id = "input-error-lastname")
        private WebElement lastNameError;
        @FindBy(id = "input-error-lastName")
        private WebElement lastNameDynamicError;
        @FindBy(id = "input-error-email")
        private WebElement emailError;
@ -160,7 +166,11 @@ public class AccountFields extends FieldsBase {
            try {
                return getTextFromElement(firstNameError);
            } catch (NoSuchElementException e) {
-                return null;
+                try {
                    return getTextFromElement(firstNameDynamicError);
                } catch (NoSuchElementException ex) {
                    return null;
                }
            }
        }
@ -168,7 +178,11 @@ public class AccountFields extends FieldsBase {
            try {
                return getTextFromElement(lastNameError);
            } catch (NoSuchElementException e) {
-                return null;
+                try {
                    return getTextFromElement(lastNameDynamicError);
                } catch (NoSuchElementException ex) {
                    return null;
                }
            }
        }
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/RegisterPage.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/RegisterPage.java
@ -22,6 +22,7 @@ import org.junit.Assert;
 import org.keycloak.testsuite.auth.page.AccountFields;
 import org.keycloak.testsuite.auth.page.PasswordFields;
 import org.keycloak.testsuite.util.UIUtils;
 import org.openqa.selenium.By;
 import org.openqa.selenium.NoSuchElementException;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.FindBy;
@ -55,6 +56,9 @@ public class RegisterPage extends AbstractPage {
    @FindBy(id = "password-confirm")
    private WebElement passwordConfirmInput;
    @FindBy(id = "department")
    private WebElement departmentInput;
    @FindBy(css = "input[type=\"submit\"]")
    private WebElement submitButton;
@ -67,8 +71,11 @@ public class RegisterPage extends AbstractPage {
    @FindBy(linkText = "« Back to Login")
    private WebElement backToLoginLink;
    public void register(String firstName, String lastName, String email, String username, String password, String passwordConfirm) {
        register(firstName, lastName, email, username, password, passwordConfirm, null);
    }
    public void register(String firstName, String lastName, String email, String username, String password, String passwordConfirm, String department) {
        firstNameInput.clear();
        if (firstName != null) {
            firstNameInput.sendKeys(firstName);
@ -99,6 +106,13 @@ public class RegisterPage extends AbstractPage {
            passwordConfirmInput.sendKeys(passwordConfirm);
        }
        if(isDepartmentPresent()) {
            departmentInput.clear();
            if (department != null) {
                departmentInput.sendKeys(department);
            }
        }
        submitButton.click();
    }
@ -159,6 +173,10 @@ public class RegisterPage extends AbstractPage {
        return null;
    }
    public String getLabelForField(String fieldId) {
        return driver.findElement(By.cssSelector("label[for="+fieldId+"]")).getText();
    }
    public String getFirstName() {
        return firstNameInput.getAttribute("value");
    }
@ -183,6 +201,23 @@ public class RegisterPage extends AbstractPage {
        return passwordConfirmInput.getAttribute("value");
    }
    public String getDepartment() {
        return departmentInput.getAttribute("value");
    }
    public boolean isDepartmentEnabled() {
        return departmentInput.isEnabled();
    }
    public boolean isDepartmentPresent() {
        try {
            return driver.findElement(By.id("department")).isDisplayed();
        } catch (NoSuchElementException nse) {
            return false;
        }
    }
    public boolean isCurrent() {
        return PageUtils.getPageTitle(driver).equals("Register");
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java
@ -186,9 +186,14 @@ public class AssertEvents implements TestRule {
    }
    public ExpectedEvent expectRegister(String username, String email) {
        return expectRegister(username, email, DEFAULT_CLIENT_ID);
    }
    public ExpectedEvent expectRegister(String username, String email, String clientId) {
        UserRepresentation user = username != null ? getUser(username) : null;
        return expect(EventType.REGISTER)
                .user(user != null ? user.getId() : null)
                .client(clientId)
                .detail(Details.USERNAME, username)
                .detail(Details.EMAIL, email)
                .detail(Details.REGISTER_METHOD, "form")
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterWithUserProfileTest.java
@ -16,32 +16,40 @@
 */
 package org.keycloak.testsuite.forms;
 import static org.junit.Assert.assertEquals;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import javax.ws.rs.core.Response;
 import org.jboss.arquillian.graphene.page.Page;
 import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.common.Profile;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
 import org.keycloak.testsuite.arquillian.annotation.SetDefaultProvider;
-import org.keycloak.testsuite.pages.*;
+import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
 import org.keycloak.testsuite.pages.AppPage;
 import org.keycloak.testsuite.pages.AppPage.RequestType;
-
+import org.keycloak.testsuite.pages.LoginPage;
-import org.keycloak.testsuite.util.*;
+import org.keycloak.testsuite.pages.RegisterPage;
 import org.keycloak.testsuite.pages.VerifyEmailPage;
 import org.keycloak.testsuite.util.ClientScopeBuilder;
 import org.keycloak.testsuite.util.GreenMailRule;
 import org.keycloak.testsuite.util.KeycloakModelUtils;
 import org.keycloak.userprofile.UserProfileSpi;
 import org.keycloak.userprofile.config.DeclarativeUserProfileProvider;
 import javax.ws.rs.core.Response;
 import static org.junit.Assert.assertEquals;
 import java.util.Collections;
 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
 * @author Stan Silvert ssilvert@redhat.com (C) 2016 Red Hat Inc.
@ -88,18 +96,25 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
    @Override
    public void configureTestRealm(RealmRepresentation testRealm) {
-        testRealm.setClientScopes(Collections.singletonList(ClientScopeBuilder.create().name(SCOPE_LAST_NAME).protocol("openid-connect").build()));
+        testRealm.setClientScopes(new ArrayList<>());
        testRealm.getClientScopes().add(ClientScopeBuilder.create().name(SCOPE_LAST_NAME).protocol("openid-connect").build());
        testRealm.getClientScopes().add(ClientScopeBuilder.create().name(VerifyProfileTest.SCOPE_DEPARTMENT).protocol("openid-connect").build());
        List<String> scopes = new ArrayList<>();
        scopes.add(SCOPE_LAST_NAME);
        scopes.add(VerifyProfileTest.SCOPE_DEPARTMENT);
        client_scope_default = KeycloakModelUtils.createClient(testRealm, "client-a");
-        client_scope_default.setDefaultClientScopes(Collections.singletonList(SCOPE_LAST_NAME));
+        client_scope_default.setDefaultClientScopes(scopes);
        client_scope_default.setRedirectUris(Collections.singletonList("*"));
        client_scope_optional = KeycloakModelUtils.createClient(testRealm, "client-b");
-        client_scope_optional.setOptionalClientScopes(Collections.singletonList(SCOPE_LAST_NAME));
+        client_scope_optional.setOptionalClientScopes(scopes);
        client_scope_optional.setRedirectUris(Collections.singletonList("*"));
    }
    @Test
-    public void registerUserSuccess_lastNameOptional() {
+    public void testRregisterUserSuccess_lastNameOptional() {
        setUserProfileConfiguration("{\"attributes\": ["
                + UP_CONFIG_BASIC_ATTRIBUTES
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
@ -120,7 +135,7 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
    }
    @Test
-    public void registerUserSuccess_lastNameRequiredForScope_notRequested() {
+    public void testRegisterUserSuccess_lastNameRequiredForScope_notRequested() {
        setUserProfileConfiguration("{\"attributes\": ["
                + UP_CONFIG_BASIC_ATTRIBUTES
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
@ -141,7 +156,7 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
    }
    @Test
-    public void registerUserSuccess_lastNameRequiredForScope_requested() {
+    public void testRegisterUserSuccess_lastNameRequiredForScope_requested() {
        setUserProfileConfiguration("{\"attributes\": ["
                + UP_CONFIG_BASIC_ATTRIBUTES
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
@ -167,7 +182,7 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
    }
    @Test
-    public void registerUserSuccess_lastNameRequiredForScope_clientDefault() {
+    public void testRegisterUserSuccess_lastNameRequiredForScope_clientDefault() {
        setUserProfileConfiguration("{\"attributes\": ["
                + UP_CONFIG_BASIC_ATTRIBUTES
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
@ -193,7 +208,7 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
    }
    @Test
-    public void registerUserSuccess_lastNameLengthValidation() {
+    public void testRegisterUserSuccess_lastNameLengthValidation() {
        setUserProfileConfiguration("{\"attributes\": ["
                + UP_CONFIG_BASIC_ATTRIBUTES
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
@ -214,7 +229,7 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
    }
    @Test
-    public void registerUserInvalidLastNameLength() {
+    public void testRegisterUserInvalidLastNameLength() {
        setUserProfileConfiguration("{\"attributes\": ["
                + UP_CONFIG_BASIC_ATTRIBUTES
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
@ -234,6 +249,160 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
                .error("invalid_registration").assertEvent();
    }
    @Test
    public void testAttributeDisplayName() {
        setUserProfileConfiguration("{\"attributes\": [" 
                + "{\"name\": \"firstName\",\"displayName\":\"${firstName}\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}}," 
                + "{\"name\": \"lastName\"," + VerifyProfileTest.PERMISSIONS_ALL + "},"
                + "{\"name\": \"department\", \"displayName\" : \"Department\", " + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\":{}}" 
                + "]}");
        loginPage.open();
        loginPage.clickRegister();
        registerPage.assertCurrent();
        //assert field names
        // i18n replaced
        Assert.assertEquals("First name",registerPage.getLabelForField("firstName"));
        // attribute name used if no display name set
        Assert.assertEquals("lastName",registerPage.getLabelForField("lastName"));
        // direct value in display name
        Assert.assertEquals("Department",registerPage.getLabelForField("department"));
    }
    @Test
    public void testRegisterUserSuccess_requiredReadOnlyAttributeNotRenderedAndNotBlockingRegistration() {
        setUserProfileConfiguration("{\"attributes\": [" 
                + "{\"name\": \"firstName\",\"displayName\":\"${firstName}\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}}," 
                + "{\"name\": \"lastName\"," + VerifyProfileTest.PERMISSIONS_ALL + "},"
                + "{\"name\": \"department\", \"displayName\" : \"Department\", " + VerifyProfileTest.PERMISSIONS_ADMIN_EDITABLE + ", \"required\":{}}" 
                + "]}");
        loginPage.open();
        loginPage.clickRegister();
        registerPage.assertCurrent();
        Assert.assertFalse(registerPage.isDepartmentPresent());
        registerPage.register("FirstName", "LastName", "requiredReadOnlyAttributeNotRenderedAndNotBlockingRegistration@email", "requiredReadOnlyAttributeNotRenderedAndNotBlockingRegistration", "password", "password");
        appPage.assertCurrent();
        assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    }
    @Test
    public void testRegisterUserSuccess_attributeRequiredAndSelectedByScopeMustBeSet() {
        setUserProfileConfiguration("{\"attributes\": [" 
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}}," 
                + "{\"name\": \"lastName\"," + VerifyProfileTest.PERMISSIONS_ALL + "},"
                + "{\"name\": \"department\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\":{}, \"selector\":{\"scopes\":[\""+VerifyProfileTest.SCOPE_DEPARTMENT+"\"]}}" 
                + "]}");
        oauth.scope(VerifyProfileTest.SCOPE_DEPARTMENT).clientId(client_scope_optional.getClientId()).openLoginForm();
        loginPage.clickRegister();
        registerPage.assertCurrent();
        //check required validation works
        registerPage.register("FirstAA", "LastAA", "attributeRequiredAndSelectedByScopeMustBeSet@email", "attributeRequiredAndSelectedByScopeMustBeSet", "password", "password", "");
        registerPage.assertCurrent();
        registerPage.register("FirstAA", "LastAA", "attributeRequiredAndSelectedByScopeMustBeSet@email", "attributeRequiredAndSelectedByScopeMustBeSet", "password", "password", "DepartmentAA");
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
        Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
        UserRepresentation user = getUserByUsername("attributeRequiredAndSelectedByScopeMustBeSet");
        assertEquals("FirstAA", user.getFirstName());
        assertEquals("LastAA", user.getLastName());
        assertEquals("DepartmentAA", user.firstAttribute(VerifyProfileTest.ATTRIBUTE_DEPARTMENT));
    }
    @Test
    public void testRegisterUserSuccess_attributeNotRequiredAndSelectedByScopeCanBeIgnored() {
        setUserProfileConfiguration("{\"attributes\": [" 
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}}," 
                + "{\"name\": \"lastName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
                + "{\"name\": \"department\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"selector\":{\"scopes\":[\""+VerifyProfileTest.SCOPE_DEPARTMENT+"\"]}}" 
                + "]}");
        oauth.scope(VerifyProfileTest.SCOPE_DEPARTMENT).clientId(client_scope_optional.getClientId()).openLoginForm();
        loginPage.clickRegister();
        registerPage.assertCurrent();
        Assert.assertTrue(registerPage.isDepartmentPresent());
        registerPage.register("FirstAA", "LastAA", "attributeNotRequiredAndSelectedByScopeCanBeIgnored@email", "attributeNotRequiredAndSelectedByScopeCanBeIgnored", "password", "password", null);
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
        Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
        String userId = events.expectRegister("attributeNotRequiredAndSelectedByScopeCanBeIgnored", "attributeNotRequiredAndSelectedByScopeCanBeIgnored@email",client_scope_optional.getClientId()).assertEvent().getUserId();        
        UserRepresentation user = getUser(userId);
        assertEquals("FirstAA", user.getFirstName());
        assertEquals("LastAA", user.getLastName());
        assertEquals("", user.firstAttribute(VerifyProfileTest.ATTRIBUTE_DEPARTMENT));
    }
    @Test
    public void testRegisterUserSuccess_attributeNotRequiredAndSelectedByScopeCanBeSet() {
        setUserProfileConfiguration("{\"attributes\": [" 
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}}," 
                + "{\"name\": \"lastName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
                + "{\"name\": \"department\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"selector\":{\"scopes\":[\""+VerifyProfileTest.SCOPE_DEPARTMENT+"\"]}}" 
                + "]}");
        oauth.clientId(client_scope_default.getClientId()).openLoginForm();
        loginPage.clickRegister();
        registerPage.assertCurrent();
        Assert.assertTrue(registerPage.isDepartmentPresent());
        registerPage.register("FirstAA", "LastAA", "attributeNotRequiredAndSelectedByScopeCanBeSet@email", "attributeNotRequiredAndSelectedByScopeCanBeSet", "password", "password", "Department AA");
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
        Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
        String userId = events.expectRegister("attributeNotRequiredAndSelectedByScopeCanBeSet", "attributeNotRequiredAndSelectedByScopeCanBeSet@email",client_scope_default.getClientId()).assertEvent().getUserId();        
        UserRepresentation user = getUser(userId);
        assertEquals("FirstAA", user.getFirstName());
        assertEquals("LastAA", user.getLastName());
        assertEquals("Department AA", user.firstAttribute(VerifyProfileTest.ATTRIBUTE_DEPARTMENT));
    }
    @Test
    public void testRegisterUserSuccess_attributeRequiredButNotSelectedByScopeIsNotRenderedAndNotBlockingRegistration() {
        setUserProfileConfiguration("{\"attributes\": [" 
                + "{\"name\": \"firstName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}}," 
                + "{\"name\": \"lastName\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\": {}},"
                + "{\"name\": \"department\"," + VerifyProfileTest.PERMISSIONS_ALL + ", \"required\":{}, \"selector\":{\"scopes\":[\""+VerifyProfileTest.SCOPE_DEPARTMENT+"\"]}}" 
                + "]}");
        oauth.clientId(client_scope_optional.getClientId()).openLoginForm();
        loginPage.clickRegister();
        registerPage.assertCurrent();
        Assert.assertFalse(registerPage.isDepartmentPresent());
        registerPage.register("FirstAA", "LastAA", "attributeRequiredButNotSelectedByScopeIsNotRendered@email", "attributeRequiredButNotSelectedByScopeIsNotRendered", "password", "password");
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
        Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
        String userId = events.expectRegister("attributeRequiredButNotSelectedByScopeIsNotRendered", "attributeRequiredButNotSelectedByScopeIsNotRendered@email",client_scope_optional.getClientId()).assertEvent().getUserId();
        UserRepresentation user = getUser(userId);
        assertEquals("FirstAA", user.getFirstName());
        assertEquals("LastAA", user.getLastName());
        assertEquals(null, user.firstAttribute(VerifyProfileTest.ATTRIBUTE_DEPARTMENT));
    }
    private void assertUserRegistered(String userId, String username, String email, String firstName, String lastName) {
        events.expectLogin().detail("username", username.toLowerCase()).user(userId).assertEvent();
@ -253,6 +422,13 @@ public class RegisterWithUserProfileTest extends AbstractTestRealmKeycloakTest {
        return testRealm().users().get(userId).toRepresentation();
    }
    protected UserRepresentation getUserByUsername(String username) {
        List<UserRepresentation> users = testRealm().users().search(username);
        if(users!=null && !users.isEmpty())
            return users.get(0);
        return null;
    }
    private void setUserProfileConfiguration(String configuration) {
        Response r = testRealm().users().userProfile().update(configuration);
        if (r.getStatus() != 200) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/VerifyProfileTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/VerifyProfileTest.java
@ -67,12 +67,12 @@ import org.keycloak.userprofile.config.DeclarativeUserProfileProvider;
@AuthServerContainerExclude(AuthServerContainerExclude.AuthServer.REMOTE)
 public class VerifyProfileTest extends AbstractTestRealmKeycloakTest {
-    private static final String SCOPE_DEPARTMENT = "department";
+    public static final String SCOPE_DEPARTMENT = "department";
-    private static final String ATTRIBUTE_DEPARTMENT = "department";
+    public static final String ATTRIBUTE_DEPARTMENT = "department";
-    public static String PERMISSIONS_ALL = "\"permissions\": {\"view\": [\"admin\", \"user\"], \"edit\": [\"admin\", \"user\"]}";
+    public static final String PERMISSIONS_ALL = "\"permissions\": {\"view\": [\"admin\", \"user\"], \"edit\": [\"admin\", \"user\"]}";
-    public static String PERMISSIONS_ADMIN_ONLY = "\"permissions\": {\"view\": [\"admin\"], \"edit\": [\"admin\"]}";
+    public static final String PERMISSIONS_ADMIN_ONLY = "\"permissions\": {\"view\": [\"admin\"], \"edit\": [\"admin\"]}";
-    public static String PERMISSIONS_ADMIN_EDITABLE = "\"permissions\": {\"view\": [\"admin\", \"user\"], \"edit\": [\"admin\"]}";
+    public static final String PERMISSIONS_ADMIN_EDITABLE = "\"permissions\": {\"view\": [\"admin\", \"user\"], \"edit\": [\"admin\"]}";
    public static String VALIDATIONS_LENGTH = "\"validations\": {\"length\": { \"min\": 3, \"max\": 255 }}";
--- a/themes/src/main/resources/theme/base/login/register-user-profile.ftl
+++ b/themes/src/main/resources/theme/base/login/register-user-profile.ftl
@ -0,0 +1,92 @@
 <#import "template.ftl" as layout>
 <@layout.registrationLayout displayMessage=messagesPerField.exists('global') displayRequiredFields=true; section>
    <#if section = "header">
        ${msg("registerTitle")}
    <#elseif section = "form">
        <form id="kc-register-form" class="${properties.kcFormClass!}" action="${url.registrationAction}" method="post">
            <#list profile.attributes as attribute>
                <div class="${properties.kcFormGroupClass!}">
                    <div class="${properties.kcLabelWrapperClass!}">
                        <label for="${attribute.name}" class="${properties.kcLabelClass!}">${advancedMsg(attribute.displayName!'')}</label>
                        <#if attribute.required>*</#if>
                    </div>
                    <div class="${properties.kcInputWrapperClass!}">
                        <input type="text" id="${attribute.name}" name="${attribute.name}" value="${(attribute.value!'')}"
                               class="${properties.kcInputClass!}"
                               aria-invalid="<#if messagesPerField.existsError('${attribute.name}')>true</#if>"
                               <#if attribute.readOnly>disabled</#if>
                               <#if attribute.autocomplete??>autocomplete="${attribute.autocomplete}"</#if>
                        />
                        <#if messagesPerField.existsError('${attribute.name}')>
                            <span id="input-error-${attribute.name}" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
                                ${kcSanitize(messagesPerField.get('${attribute.name}'))?no_esc}
                            </span>
                        </#if>
                    </div>
                </div>
                <#-- render password fields just under the username or email (if used as username) -->
 	            <#if passwordRequired?? && (attribute.name == 'username' || (attribute.name == 'email' && realm.registrationEmailAsUsername))>
 	                <div class="${properties.kcFormGroupClass!}">
 	                    <div class="${properties.kcLabelWrapperClass!}">
 	                        <label for="password" class="${properties.kcLabelClass!}">${msg("password")}</label> *
 	                    </div>
 	                    <div class="${properties.kcInputWrapperClass!}">
 	                        <input type="password" id="password" class="${properties.kcInputClass!}" name="password"
 	                               autocomplete="new-password"
 	                               aria-invalid="<#if messagesPerField.existsError('password','password-confirm')>true</#if>"
 	                        />
 	                        <#if messagesPerField.existsError('password')>
 	                            <span id="input-error-password" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
 	                                ${kcSanitize(messagesPerField.get('password'))?no_esc}
 	                            </span>
 	                        </#if>
 	                    </div>
 	                </div>
 	                <div class="${properties.kcFormGroupClass!}">
 	                    <div class="${properties.kcLabelWrapperClass!}">
 	                        <label for="password-confirm"
 	                               class="${properties.kcLabelClass!}">${msg("passwordConfirm")}</label> *
 	                    </div>
 	                    <div class="${properties.kcInputWrapperClass!}">
 	                        <input type="password" id="password-confirm" class="${properties.kcInputClass!}"
 	                               name="password-confirm"
 	                               aria-invalid="<#if messagesPerField.existsError('password-confirm')>true</#if>"
 	                        />
 	                        <#if messagesPerField.existsError('password-confirm')>
 	                            <span id="input-error-password-confirm" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
 	                                ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc}
 	                            </span>
 	                        </#if>
 	                    </div>
 	                </div>
 	            </#if>
            </#list>
            <#if recaptchaRequired??>
                <div class="form-group">
                    <div class="${properties.kcInputWrapperClass!}">
                        <div class="g-recaptcha" data-size="compact" data-sitekey="${recaptchaSiteKey}"></div>
                    </div>
                </div>
            </#if>
            <div class="${properties.kcFormGroupClass!}">
                <div id="kc-form-options" class="${properties.kcFormOptionsClass!}">
                    <div class="${properties.kcFormOptionsWrapperClass!}">
                        <span><a href="${url.loginUrl}">${kcSanitize(msg("backToLogin"))?no_esc}</a></span>
                    </div>
                </div>
                <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
                    <input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("doRegister")}"/>
                </div>
            </div>
        </form>
    </#if>
 </@layout.registrationLayout>