We’re planning to use Keycloak as login manager / identity provider for a number of applications we’re developing. We have developed a custom User Storage provider because we need to authenticate users against a legacy database, which we can’t afford to migrate right now. Our applications will use Keycloak’s API to authenticate users.
Now, the problem is that we have no idea about how to handle a “password expired” use case. The only point where I see that we could add password expiration handling is the method
public boolean isValid(RealmModel realm, UserModel user, CredentialInput credentialInput);
in our custom UserStorageProvider class. The problem is obviously that this method only allows returning a boolean value, and we need to distinguish invalid credentials (if I just return false, I get
“error_description”: “Invalid user credentials”
as JSON response) from an expired password. I tried to throw a RuntimeException, but in that case I only get
as error. Moreover, this approach seems to break the authentication flow.
I’ve read in another similar post that the OP solved it by adding a RequiredAction (PASSWORD_UPDATE) in case of password expiration, but in this case I noticed that Keycloak seems to loop until the user is authenticated nevertheless. The very same behaviour could be seen using Postman as client.
Any suggestions?
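As an added illustration (not code from the poster's project), the sketch below shows how the two outcomes can be separated inside `isValid()` itself: a wrong password still returns `false`, so Keycloak keeps answering "Invalid user credentials" and the response does not reveal whether the account exists or is merely expired; a correct but expired password returns `true` and flags the user with the required action Keycloak exposes as `UserModel.RequiredAction.UPDATE_PASSWORD`. `LegacyAccountDao`, `PasswordCheck` and `LegacyUserStorageProvider` are hypothetical names; the hash comparison is assumed to live in the DAO. It assumes a Keycloak release where `PasswordCredentialModel.TYPE` exists and the `preRemove` hooks of `UserStorageProvider` are default methods (Keycloak 8 or later), and it omits the `UserLookupProvider` methods a complete provider also needs.

```java
package example.legacy; // hypothetical package name

import java.time.Instant;

import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.UserStorageProvider;

/** Outcome of a password check against the legacy table (hypothetical type). */
final class PasswordCheck {
    static final PasswordCheck MISMATCH = new PasswordCheck(false, null);

    final boolean matches;
    /** When the stored password stops being valid; null when the legacy schema has no expiry for this account. */
    final Instant expiresAt;

    PasswordCheck(boolean matches, Instant expiresAt) {
        this.matches = matches;
        this.expiresAt = expiresAt;
    }
}

/** Hypothetical data-access layer over the legacy database; the hash comparison lives here. */
interface LegacyAccountDao {
    /** Compares the candidate password with the stored hash; returns MISMATCH on any failure. */
    PasswordCheck checkPassword(String username, String candidate);
}

/**
 * Password validation for a custom user storage provider. Wrong password and expired password
 * are separated inside isValid(): the first is reported as a plain failure, the second is
 * accepted and turned into a pending UPDATE_PASSWORD required action on the user.
 */
public class LegacyUserStorageProvider implements UserStorageProvider, CredentialInputValidator {

    private final LegacyAccountDao dao;

    // A real provider's constructor also receives the KeycloakSession and ComponentModel.
    public LegacyUserStorageProvider(LegacyAccountDao dao) {
        this.dao = dao;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        // Every legacy account has a password, so the type is configured whenever it is supported.
        return supportsCredentialType(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) {
            return false;
        }
        PasswordCheck check = dao.checkPassword(user.getUsername(), input.getChallengeResponse());
        if (!check.matches) {
            // Wrong password: plain false lets Keycloak answer "Invalid user credentials",
            // the same response whether the account is unknown, wrong or expired.
            return false;
        }
        if (isExpired(check)) {
            // Correct but expired: accept the credential and flag the account. The browser flow
            // then renders the update-password screen before issuing a session; the direct-grant
            // flow has no screen to render and refuses the token until the action is completed.
            user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        return true;
    }

    /** Expired when an expiry is recorded and it is not in the future. */
    static boolean isExpired(PasswordCheck check) {
        return check.expiresAt != null && !Instant.now().isBefore(check.expiresAt);
    }

    @Override
    public void close() {
        // Nothing to release here; the DAO owns its own connections.
    }
}
```

Two things decide whether this loops or completes. First, the `UserModel` the provider hands back must persist required actions between requests: an imported local user does, and an adapter based on `AbstractUserAdapterFederatedStorage` stores them in Keycloak's federated storage, whereas a read-only adapter silently drops the flag and the user is simply sent back to the login form. Second, finishing UPDATE_PASSWORD calls back into the provider's `CredentialInputUpdater.updateCredential(...)`; unless that writes the new password and a fresh expiry into the legacy database, the next `isValid()` sees the old expiry and raises the action again. For a client like Postman using the direct grant, a pending required action is reported as an error rather than a token, which is the behaviour to expect rather than a sign that the validator is wrong.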