For a user arriving on the “Update Password” screen with an UPDATE_PASSWORD action token, how would I go about authenticating the user automatically using the new credentials followed by a forward to the redirect_uri?
Our use case:
- User is created programatically with throwaway password that is not shared with them.
- User receives a link to a Keycloak URL with a token for the UPDATE_PASSWORD action.
- Current default behaviour - undesired in this context - is that once password has been changed user needs to click on “Proceed to application” link and then log in.
I discarded the option of sending the throwaway password to the user and flagging them with “Update Password” required action even though it authenticates/redirects to the application once the flow is completed.
I guess I’d need to code a provider which mixes log in + password change which seems non-trivial. Any pointers to prior examples or relevant parts in the Keycloak source are appreciated.