Hi @dasniko , can I ask why keycloak trust without current password for the case when usr change password.
Assume usr just login and session still valid. but they just leave a screen bit, and someone try to changepassword without current password. It think it will be more secure for layer with current password ?, right. it should seperate as a one case , instead of count change password, forgot password, reset password into one UPDATE_PASSWORD action