Forcing login after password update/recovery

fgarcia5 · May 30, 2024, 4:56pm

Hi there!

I also need to change the registration flow as you mentioned.

I’ve tried to do the same with an event listener. I have described what I did here. But thinking again about this approach, the event is handled once the user is redirected to the app, so I can’t do anything with the redirection (at least as I understand it).

Now I’m trying to overwrite UpdatePassword.java (required action). I am guided by this video of the great @dasniko . But I can’t get KeyCloak to take my class and overwrite the processAction method.

Here is my UpdatePassword.java:

package cloud.poc.keycloak.authentication;

import org.keycloak.Config;
import org.jboss.logging.Logger;
import org.keycloak.authentication.*;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ModelException;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;

public class UpdatePassword extends org.keycloak.authentication.requiredactions.UpdatePassword {

	private static final Logger logger = Logger.getLogger(UpdatePassword.class);

	// Base code taken from the KC V.22.0.5: https://github.com/keycloak/keycloak/blob/22.0.5/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java
	@Override
	public void processAction(RequiredActionContext context) {
		logger.debug("TEST override processAction");
		EventBuilder event = context.getEvent();
		AuthenticationSessionModel authSession = context.getAuthenticationSession();
		UserModel user = context.getUser();
		MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
		event.event(EventType.UPDATE_PASSWORD);
		String passwordNew = formData.getFirst("password-new");
		String passwordConfirm = formData.getFirst("password-confirm");

		EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR)
				.client(authSession.getClient())
				.user(authSession.getAuthenticatedUser());

		if (Validation.isBlank(passwordNew)) {
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.addError(new FormMessage(Validation.FIELD_PASSWORD, Messages.MISSING_PASSWORD))
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			errorEvent.error(Errors.PASSWORD_MISSING);
			return;
		} else if (!passwordNew.equals(passwordConfirm)) {
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.addError(new FormMessage(Validation.FIELD_PASSWORD_CONFIRM, Messages.NOTMATCH_PASSWORD))
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			errorEvent.error(Errors.PASSWORD_CONFIRM_ERROR);
			return;
		}

		if ("on".equals(formData.getFirst("logout-sessions"))) {
			AuthenticatorUtil.logoutOtherSessions(context);
		}

		try {
			user.credentialManager().updateCredential(UserCredentialModel.password(passwordNew, false));
			// I understand that at this point we need to close the current session and redirect to the browser flow.
			context.success();
		} catch (ModelException me) {
			errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.setError(me.getMessage(), me.getParameters())
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			return;
		} catch (Exception ape) {
			errorEvent.detail(Details.REASON, ape.getMessage()).error(Errors.PASSWORD_REJECTED);
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.setError(ape.getMessage())
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			return;
		}
	}

	@Override
	public int order() {
		return 100;
	}
}

I build the package, deployed it in KC v.22.0.5 but the method is not overwriting.

Just sharing what I have tried so far. Any recommendation or help is welcome.

Regards, Fabricio.

Topic		Replies	Views
Logout all session when password change Configuring the server authentication , client-configuration	7	3385	May 31, 2024
Keycloak UPDATE_PASSWORD updates a user password but repeatedly asks to update password - only for a particular user Getting advice	0	1206	January 4, 2021
Get message "Your password has been updated." after reset password Getting advice	2	1316	January 31, 2024
How to trigger the "update password" page in keycloak for users Getting advice	17	14965	November 29, 2024
Auto login after password reset from execute-actions-email Getting advice authentication	3	3489	December 23, 2021

Forcing login after password update/recovery

Related topics