Authenticating user automatically after password update

For a user arriving on the “Update Password” screen with an UPDATE_PASSWORD action token, how would I go about authenticating the user automatically using the new credentials followed by a forward to the redirect_uri?

Our use case:

  • User is created programatically with throwaway password that is not shared with them.
  • User receives a link to a Keycloak URL with a token for the UPDATE_PASSWORD action.
  • Current default behaviour - undesired in this context - is that once password has been changed user needs to click on “Proceed to application” link and then log in.

I discarded the option of sending the throwaway password to the user and flagging them with “Update Password” required action even though it authenticates/redirects to the application once the flow is completed.

I guess I’d need to code a provider which mixes log in + password change which seems non-trivial. Any pointers to prior examples or relevant parts in the Keycloak source are appreciated.

Thank you,


Hello, in the end I used something similar to what is discussed here: Logging a user in directly from an ActionToken, a custom token and its handler.