Hello everyone,
I have a question regarding the Update Profile action and how to enforce reauthentication for it. I'm using Keycloak to secure my SPA. To let a user update their password or profile, or delete their account, I want to redirect users to the different login actions. For instance, for updating the password:

http://localhost:8080/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=https://link-to-my-spa&response_type=code&scope=openid&kc_action=UPDATE_PASSWORD

or for updating their profile:

http://localhost:8080/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=https://link-to-my-spa&response_type=code&scope=openid&kc_action=UPDATE_PROFILE

For UPDATE_PASSWORD I can set the Maximum Authentication Age to 0 in the Keycloak settings, so a user has to reauthenticate before changing their password. This is also the case for the delete account action. However, how can I also enforce this for UPDATE_PROFILE? I've thought about creating an SPI for this, such as:
import com.google.auto.service.AutoService;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.requiredactions.UpdateProfile;

// AutoService writes META-INF/services/<annotation value>. Keycloak discovers
// required actions through the RequiredActionFactory SPI, so that is the type
// to register under, not the UpdateProfile class itself. The class must be
// public with a public no-arg constructor for the service loader to instantiate it.
@AutoService(RequiredActionFactory.class)
public class UserEventsProvider extends UpdateProfile {

    @Override
    public int getMaxAuthAge() {
        // 0 seconds: the user must have authenticated just now to run this action
        return 0;
    }

    @Override
    public int order() {
        // higher than the built-in UpdateProfile so this factory takes precedence
        return 100;
    }

    @Override
    public String getId() {
        // the value that would go into kc_action=... in the authorization request
        return "RESTRICTED_UPDATE_PROFILE";
    }
}
but I can't find out how to use this RESTRICTED_UPDATE_PROFILE instead of UPDATE_PROFILE. Additionally, I don't even know if this would be the right approach to force reauthentication for profile updates. Any help would be greatly appreciated! Thank you!
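As an added example (editor's code, not from the poster or the Keycloak project), the following shows the relying-party side of the kc_action flow described in the post: it builds the authorization URL with the standard OIDC max_age=0 and prompt=login parameters to demand a fresh login alongside kc_action, binds the request with state, nonce and PKCE as a public SPA client should, parses the redirect back (including Keycloak's kc_action_status outcome parameter), and finally checks the auth_time claim of the returned ID token so the SPA can tell whether the user really re-authenticated before the action ran. It assumes Keycloak honours max_age and prompt=login together with kc_action (check this against your version), and it assumes the ID token's signature, iss, aud and exp have already been validated before the freshness check. The realm, client and redirect URI values are taken from the URLs in the post; the sample callback and claims in the comments are constructed for illustration.

```python
"""Application-initiated action (kc_action) request builder and a freshness
check for the ID token that comes back, for a Keycloak-protected SPA."""
import base64
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values taken from the URLs in the post, not a real configuration.
KEYCLOAK_BASE = "http://localhost:8080/realms/myrealm/protocol/openid-connect"
CLIENT_ID = "myclient"
REDIRECT_URI = "https://link-to-my-spa"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_action_request(action: str, max_age: int = 0) -> dict:
    """Build the /auth URL for a kc_action and return it together with the
    per-request secrets (state, nonce, PKCE verifier) the SPA must keep
    until the callback arrives."""
    code_verifier = _b64url(secrets.token_bytes(32))
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    state = _b64url(secrets.token_bytes(16))
    nonce = _b64url(secrets.token_bytes(16))
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "kc_action": action,
        # OIDC Core 3.1.2.1: max_age=0 asks the OP to re-authenticate the user
        # now and requires it to put auth_time into the ID token. prompt=login
        # is the second, independent way of demanding a fresh login.
        "max_age": str(max_age),
        "prompt": "login",
        "state": state,                      # CSRF binding of the callback
        "nonce": nonce,                      # replay binding of the ID token
        "code_challenge": code_challenge,    # PKCE, mandatory for a public SPA client
        "code_challenge_method": "S256",
    }
    return {
        "url": f"{KEYCLOAK_BASE}/auth?{urlencode(params)}",
        "state": state,
        "nonce": nonce,
        "code_verifier": code_verifier,
    }


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Extract code and kc_action_status from the redirect back to the SPA,
    e.g. (constructed) https://link-to-my-spa?state=...&code=...&kc_action_status=success
    Rejects a state mismatch (CSRF) or an error response before returning."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to our request")
    if "error" in qs:
        raise ValueError(f"authorization error: {qs['error'][0]}")
    return {
        "code": qs["code"][0],
        # Keycloak reports the outcome of the action here: success, cancelled or error
        "kc_action_status": qs.get("kc_action_status", ["unknown"])[0],
    }


def is_fresh_authentication(claims: dict, expected_nonce: str, max_age: int = 0,
                            now: Optional[float] = None, leeway: int = 5) -> bool:
    """Run after the code exchange on ID-token claims whose signature, iss, aud
    and exp were already validated. True only if the user authenticated within
    max_age (+leeway) seconds; a missing auth_time counts as not re-authenticated."""
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token was not issued for this request")
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    age = now - auth_time
    return -leeway <= age <= max_age + leeway


if __name__ == "__main__":
    req = build_action_request("UPDATE_PROFILE")
    print(req["url"])
    # constructed callback and claims standing in for what Keycloak would return
    cb = f"{REDIRECT_URI}?state={req['state']}&code=abc123&kc_action_status=success"
    print(parse_callback(cb, req["state"]))
    claims = {"nonce": req["nonce"], "auth_time": int(time.time()) - 2}
    print("fresh:", is_fresh_authentication(claims, req["nonce"]))
```

The freshness check is a client-side assurance only: the profile update itself happens inside Keycloak's required-action flow, so the server-side setting (the Maximum Authentication Age of the action, or a custom factory overriding getMaxAuthAge) remains the control that actually prevents a stale session from running UPDATE_PROFILE; the client check lets the SPA detect and refuse to treat as verified any callback where re-authentication did not happen.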