I want to open the default “update password” page in keycloak for a user triggered via a link in the App.
The app is added via OIDC and their specific client.
The code from the account pages where it says “update password” I was not able to re-use, as this is some Angular magic.
Try this one: https://<domain>/auth/realms/<realm>/protocol/openid-connect/auth?client_id=<client>&redirect_uri=<client_redirect_uri>&response_type=code&scope=openid&kc_action=UPDATE_PASSWORD
This should initiate an update password flow. If the user is not yet authenticated, the login screen will occur first, then the update password screen comes and afterwards the user should be redirected to your client app.
Hi there folks,
Could you please provide an example for a url you might use locally? Whenever I try setting something up that’s like what you post above I receive a “We are sorry… page not found” page for Keycloak
The original answer is pretty old and uses the legacy default context path /auth, which is no more default today.
So, try to skip the base path /auth and use http://localhost:8080/realms/....
Hi there, I was currently struggling with some flows, update password related and stumbled over this gem, you might also find it useful.
The adapters login method accepts an action option, which can be set to UPDATE_PASSWORD. This will redirect you to the password reset page and redirect you back to your app afterwards with a param (or fragment) kc_action_status=success if the update was successful
This is available in versions 21.1.2 and 22.0.4. Haven’t checked others.
Hi, I would like to add a button to my SPA application which redirects the user to the Keycloak page where he can update his password (as described above: if he’s not logged in yet, the login page comes first). I tried to achieve it with this link:
What makes me confused is, that it works no matter what the value of the code_challenge is set.
It also works in both scenarios - when I call the link as an authenticated user and when I need to authenticate first. After the password is updated, I get redirected to my app - so it looks “ok”.
Why are these parameters needed, if they don’t seem to be used during this flow anyway?
It doesn’t feel right to set some random values here… Disabling PKCE is also not what I want.
PKCE stands for Proof Key for Code Exchange [1], and it is used in public clients to improve security. The PKCE-enhanced Authorization Code Flow introduces a secret (code verifier) created by the calling application, which can be verified by the authorization server. In other words, it ensures that the application that starts the authentication flow is the same one that finishes it.
The code verifier is a random string generated by the application (client).
Because you are initiating an authentication process first and then changing the password, it is appropriate for the IdP to enforce those parameters, as this is recommended from a security perspective.
So basically since I’m using the authorization endpoint to trigger the password update action by adding the kc_action parameter, the code_challenge, code_challenge_method parameters are mandatory.
When I try to initiate this action as a non authenticated user, Keycloak seems to take over the authentication step before this action is performed.
But the code_challenge, code_challenge_method parameters that I provide while calling:
seem to be completely ignored during the whole process, they just need to be present in the above call. I can set any random code_challenge and do not need to provide the corresponding code_verifier in any further request and the action is executed correctly.
Some answers in this thread suggest, that calling this endpoint without code_challenge, code_challenge_method should work.
The example in the documentation also doesn’t take these parameters into account:
The actual question is: should I provide the code_challenge with some random value while initiating the password update just to satisfy the IdP?
The PKCE code is a combination of the code challenge and the code verifier. While the challenge is being passed with the initial auth request, the verifier is being sent by the client when exchanging the authz-code into the tokens.
When you’re doing the update-password process, Keycloak just requests the challenge from the client, as this is an auth request and the (public) client is configured to use PKCE. No matter if it’s being used or not.
Depending on the implementation of your client application, especially a JS-based SPA, the JS adapter might initialize a new auth request, even after returning from the update-password process.
Might be, because the used clients are not configured to use PKCE.
Best possibly NOT. You never know, what will happen, if you use just a random value, which might yield into invalid behavior. Use the options your JS lib will provide to you.
This would be a different usecase. Changing a password will always require a user to be authenticated.
If you don’t want users to authenticate, this would be the Reset Credentials usecase. If you turn on the “forgot password” feature on the realm settings → login tab, you’ll get this.
Thanks for your reply, actually my use case is this:
We seek to redirect newly created users to the change password screen without having to authenticate via the login screen, for example pre-authenticate them so they get redirected to update password directly?