ARTICLE AD BOX
Problem: I need to implement a scheduler that sends an email verification reminder to Keycloak users 30 days after their initial registration (if they haven't verified their email yet).
My Requirements:
Identify users where email_verified is false.
Filter these users based on a custom attribute email-sent-date
Re-trigger the verification email using the Keycloak Admin API.
The Dilemma: I looked into the Keycloak Admin REST API and found the q parameter for searching custom attributes. However, it seems the API only supports exact matches (e.g., q=last-sent:2024-01-01) and does not support date range or inequality filters (e.g., last-sent < 30 days ago).
My Proposed Solutions:
Option 1: Direct DB Query (SQL). I can run a query against the USER_ENTITY and USER_ATTRIBUTE tables to get exactly the IDs I need.
Concern: Is querying the Keycloak database directly considered a bad practice for read-only operations?Option 2: API Fetch & Filter. Fetch all unverified users via GET /users?emailVerified=false and filter the dates in my application logic.
Concern: This won't scale if the list of unverified users grows to thousands.Question: What is the recommended approach for this in a production-grade environment? Is there a way to perform range queries via the Admin API, or is a custom SPI / direct DB read the standard way to handle this?
