I want to implement the following flow for updating/resetting passwords in Keycloak:
- Allow users to start the password recovery process by entering their email address on the reset page.
- Send an email to the user containing a URL with a unique, one-time token.
- Ensure that the password reset page does not authenticate the user to the application; it should only allow a password reset.
- Invalidate the token after it has been used once.
Currently, when a user updates their password, they are taken back to the application without being prompted to log in again. I have tried to address this using an event listener where I remove user sessions with the userSessionProvider.removeUserSessions(realm) method. However, this approach is not working as expected.
Any help or suggestions would be greatly appreciated.
1 Like
Hi there!
I also need to change the registration flow as you mentioned.
I’ve tried to do the same with an event listener. I have described what I did here. But thinking again about this approach, the event is handled once the user is redirected to the app, so I can’t do anything with the redirection (at least as I understand it).
Now I’m trying to overwrite UpdatePassword.java (required action). I am guided by this video of the great @dasniko . But I can’t get KeyCloak to take my class and overwrite the processAction method.
Here is my UpdatePassword.java:
package cloud.poc.keycloak.authentication;
import org.keycloak.Config;
import org.jboss.logging.Logger;
import org.keycloak.authentication.*;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ModelException;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
public class UpdatePassword extends org.keycloak.authentication.requiredactions.UpdatePassword {
private static final Logger logger = Logger.getLogger(UpdatePassword.class);
// Base code taken from the KC V.22.0.5: https://github.com/keycloak/keycloak/blob/22.0.5/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java
@Override
public void processAction(RequiredActionContext context) {
logger.debug("TEST override processAction");
EventBuilder event = context.getEvent();
AuthenticationSessionModel authSession = context.getAuthenticationSession();
UserModel user = context.getUser();
MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
event.event(EventType.UPDATE_PASSWORD);
String passwordNew = formData.getFirst("password-new");
String passwordConfirm = formData.getFirst("password-confirm");
EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR)
.client(authSession.getClient())
.user(authSession.getAuthenticatedUser());
if (Validation.isBlank(passwordNew)) {
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.addError(new FormMessage(Validation.FIELD_PASSWORD, Messages.MISSING_PASSWORD))
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
errorEvent.error(Errors.PASSWORD_MISSING);
return;
} else if (!passwordNew.equals(passwordConfirm)) {
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.addError(new FormMessage(Validation.FIELD_PASSWORD_CONFIRM, Messages.NOTMATCH_PASSWORD))
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
errorEvent.error(Errors.PASSWORD_CONFIRM_ERROR);
return;
}
if ("on".equals(formData.getFirst("logout-sessions"))) {
AuthenticatorUtil.logoutOtherSessions(context);
}
try {
user.credentialManager().updateCredential(UserCredentialModel.password(passwordNew, false));
// I understand that at this point we need to close the current session and redirect to the browser flow.
context.success();
} catch (ModelException me) {
errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.setError(me.getMessage(), me.getParameters())
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
return;
} catch (Exception ape) {
errorEvent.detail(Details.REASON, ape.getMessage()).error(Errors.PASSWORD_REJECTED);
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.setError(ape.getMessage())
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
return;
}
}
@Override
public int order() {
return 100;
}
}
I build the package, deployed it in KC v.22.0.5 but the method is not overwriting.
Just sharing what I have tried so far. Any recommendation or help is welcome.
Regards, Fabricio.
Hi
Have you tried calling logout api of keycloak (http://localhost:8080/admin/realms/test-realm/users/c2a516a3-35f2-4367-b270-cc49a74e2123/logout
) in your event listener’s onEvent method?
I can logout the user without calling the API. The session ends but the problem is that the user has already been redirected to the app.
I managed to override KeyCloak’s UpdatePassword class and implemented a solution.
As I had complications with restarting the flow and redirecting the user to the browser flow, I redirect to info.ftl and there (on the front page) I filter if the message is the one related to “Password changed” and then I redirect to the browser flow, forcing an login restart.
I understand that there should be a more elegant solution, but this is what I have managed so far with very basic knowledge of Java and KC.
UpdatePassword.java:
package cloud.poc.keycloak.authentication;
import org.jboss.logging.Logger;
import org.keycloak.authentication.*;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ModelException;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.http.HttpRequest;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
public class UpdatePassword extends org.keycloak.authentication.requiredactions.UpdatePassword {
private static final Logger logger = Logger.getLogger(UpdatePassword.class);
// Base code taken from the KC V.22.0.5:
// https://github.com/keycloak/keycloak/blob/22.0.5/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java
@Override
public void processAction(RequiredActionContext context) {
logger.info("TEST override processAction");
EventBuilder event = context.getEvent();
AuthenticationSessionModel authSession = context.getAuthenticationSession();
UserModel user = context.getUser();
MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
event.event(EventType.UPDATE_PASSWORD);
String passwordNew = formData.getFirst("password-new");
String passwordConfirm = formData.getFirst("password-confirm");
EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR)
.client(authSession.getClient())
.user(authSession.getAuthenticatedUser());
if (Validation.isBlank(passwordNew)) {
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.addError(new FormMessage(Validation.FIELD_PASSWORD, Messages.MISSING_PASSWORD))
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
errorEvent.error(Errors.PASSWORD_MISSING);
return;
} else if (!passwordNew.equals(passwordConfirm)) {
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.addError(new FormMessage(Validation.FIELD_PASSWORD_CONFIRM, Messages.NOTMATCH_PASSWORD))
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
errorEvent.error(Errors.PASSWORD_CONFIRM_ERROR);
return;
}
// if ("on".equals(formData.getFirst("logout-sessions"))) {
// AuthenticatorUtil.logoutOtherSessions(context);
// }
try {
user.credentialManager().updateCredential(UserCredentialModel.password(passwordNew, true));
logoutAllSessions(context.getSession(), context.getRealm(), context.getUser());
redirectToLoginPage(context);
} catch (ModelException me) {
errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.setError(me.getMessage(), me.getParameters())
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
return;
} catch (Exception ape) {
errorEvent.detail(Details.REASON, ape.getMessage()).error(Errors.PASSWORD_REJECTED);
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.setError(ape.getMessage())
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
return;
}
}
private static void logoutAllSessions(KeycloakSession keycloakSession, RealmModel realm, UserModel user) {
keycloakSession.sessions().removeUserSessions(realm, user);
}
public void redirectToLoginPage(RequiredActionContext context) {
// On the info.ftl page I'll take the message and redirect to the login with
// this message.
context.challenge(context.form().setInfo("userPasswordUpdated").createInfoPage());
}
@Override
public int order() {
return 100;
}
}
Any recommendations are welcome. I hope it will help you to solve this requirement.
Regards, Fabricio.
Hi Fabricio,
Thank you very much for the solution. I’ll try this out and let you know if I find any other way. I would appreciate it if you could share the info.ftl file. I will reach out again if I need any further assistance.
Hello @pawankumar-netspi !
I’m working with Keycloakify so I did the info.ftl implementation on React. You must filter the message and restart the login flow.
Regards, Fabricio.
Hi @fgarcia5,
After updating Keycloak to version 24.0.4, I encountered a screen stating “Your account has been updated” after resetting the password. While I recommend upgrading to this version, there is a drawback: there is no option for the user to navigate to the login screen to log in with the new password.
1 Like
Hi!
The solution I have proposed is not consistent, the user enters a loop where he is asked for the new password after logging in.
I’m looking for a way to remove the update password as a required action (both at user and session level), but that doesn’t work either.
Could someone with more experience in JAVA and KC help me?
Maybe @dasniko would be so kind to guide us in the solution?