Ho to build a login url with given action (UPDATE_PASSWORD)

frhack · May 22, 2024, 3:09pm

I need to create an URL so the user after login must change the password.
I know I have to append the parameter kc_action=UPDATE_PASSWORD…
But how do I fill the other params that are automatically filled when I go to

http://localhost:8080/realms/myrealm/account

===>

http://localhost:8080/realms/myrealm/protocol/openid-connect/auth?client_id=account-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Fmyrealm%2Faccount%2F&state=############&response_mode=query&response_type=code&scope=openid&nonce=##############&code_challenge=##############&code_challenge_method=S256

Without them it does not work.

thanks

Francesco

embesozzi · May 22, 2024, 3:43pm

Have you checked:

Integrate "Change password" (from account console) into own webapp?

frhack · May 22, 2024, 3:55pm

Yes I tried the plain recipe (below) but without the extra parameters it does not work, don’t know why.

http://localhost:8080/auth/realms/disney/protocol/openid-connect/auth?client_id=ariel&redirect_uri=http://localhost:5053&response_type=code&scope=openid&kc_action=UPDATE_PASSWORD

frhack · May 22, 2024, 4:13pm

I get the error “Sorry, an unexpected error has occurred.”

embesozzi · May 22, 2024, 4:53pm

Just to double-check, have you tried without /auth? In the newer versions, it is no longer necessary unless you have set the environment variable KC_HTTP_RELATIVE_PATH

frhack · May 22, 2024, 5:00pm

Hi yes I double checked that.
The problem is that KC wants a code_challenge (because KC use PKCE), and without it complain.

So I need to generate a valid code_challenge…
I need to create a simple link to change password.

But how ?
any hints ?

KC already automatically creates a code_challenge but then it should append the parameter passed ( kc_action )

frhack · May 22, 2024, 5:10pm

maybe something like that:

I’ll write a JS script that create a link…

it would have been better if KC automatically added it whenever it was missing, so even in the presence of kc_action

embesozzi · May 22, 2024, 5:20pm

Just to clarify some points: it is not just a link to change the password. In this example, the app is initiating an authentication request following the OIDC standard with the Authorization Code flow.
Regarding PKCE or not, it all depends on whether your application is a SPA or not.

frhack · May 22, 2024, 5:24pm

Yes but I need to create a JS APP "Change your PWD " where the user just click a botton and get redirected to an KC url that initiates the auth with kc_action=UPDATE_URL

I need to create myself the code_challenge in JS in order to create the URL

(Maybe a work around could be disable PKCE)

dasniko · May 22, 2024, 8:26pm

You can call the login(...) function of the JS adapter with an options object. one of the options is the action parameter, this action param is the one you are looking for.
It’s mentioned in the docs: Securing Applications and Services Guide

Disabling PKCE is not an option, as it decreases security.
Just calculating a custom code challenge is also not an option, if you can’t use the custom code verifier in your flow.

Topic		Replies	Views
How to trigger the "update password" page in keycloak for users Getting advice	17	14531	November 29, 2024
User Password Update flow Getting advice admin-console , authentication , identity-brokering	1	580	January 22, 2024
Update password action triggers login	0	56	January 20, 2025
Keycloak - Direct Reset Password URL Configuring the server	4	15998	November 29, 2022
Update Password in a New Window Getting advice authentication	3	198	June 20, 2024

Ho to build a login url with given action (UPDATE_PASSWORD)

Related topics