Enable account-api in docker

Hello together,

i’d like to enable and use the account-api feature of keycloak but I have problems to enable it. If I try and GET http://localhost:8080/auth/realms/master/account the following error is returned:

    "error": "RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/master/account"

I am using following docker container to run keycloak.

    image: 'quay.io/keycloak/keycloak:17.0.0'
    command: start-dev --hostname-strict false
      - "db:db"
      KC_DB: 'postgres'
      KC_FEATURES: 'account-api'
      KC_FEATURES_ACCOUNT_API: 'enabled'
      #KC_DB_SCHEMA: 'keycloak'

Do you have any idea what I am missing. Is there a way to list all enabled features?

Best regards,

Most likely Using curl or POSTMAN results in Could not find resource for full path - #2 by dasniko

1 Like

Thank you Niko you were right. Is there any documentation about the account api? I want to change the current users password via a rest api call form my own application. The only thing I found was this blog post: Using the Keycloak Accounts Management API | Marcus Povey (marcus-povey.co.uk)

But the post on account/credentials/password always runs into a 405.

Modifying the credentials via REST API is not supported due to security reasons.
The user is only allowed to change its credentials itself using the secure IdP (Keycloak) UI. Otherwise you are creating a man-in-the-middle scenario, which is most likely not what you want.
Generally, users should only enter their credentials on the secure server UI - the IdP, Keycloak.

1 Like

I expected this :confused:
So I am implementing keycloak for an legacy application which authenticates via password grant. It has already a user profile page where the user should be able to change her/his password. Also the users should be forced to change the password after first login. Sounds like we cannot use password grant at all if we want to achieve this, right?

ROPC (aka “Direct Access Grant” or “Pasword Grant”) ist deprecated and MUST NOT be used, according to draft-ietf-oauth-security-topics-18
It’s highly insecure.

Using new systems and tools always bring the chance (or need) to change your environment to a more secure one. Never think in terms of “it should be exactly like it is/was”. If so, you don’t have the need to change anything.

1 Like

Thank you for the clarification :slight_smile: I’ll discuss this with my stakeholders.