Forcing login after password update/recovery

Securing applications
6

I managed to override KeyCloak’s UpdatePassword class and implemented a solution.
As I had complications with restarting the flow and redirecting the user to the browser flow, I redirect to info.ftl and there (on the front page) I filter if the message is the one related to “Password changed” and then I redirect to the browser flow, forcing an login restart.
I understand that there should be a more elegant solution, but this is what I have managed so far with very basic knowledge of Java and KC.

UpdatePassword.java:

package cloud.poc.keycloak.authentication;

import org.jboss.logging.Logger;
import org.keycloak.authentication.*;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ModelException;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.http.HttpRequest;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;

public class UpdatePassword extends org.keycloak.authentication.requiredactions.UpdatePassword {

	private static final Logger logger = Logger.getLogger(UpdatePassword.class);

	// Base code taken from the KC V.22.0.5:
	// https://github.com/keycloak/keycloak/blob/22.0.5/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java
	@Override
	public void processAction(RequiredActionContext context) {
		logger.info("TEST override processAction");
		EventBuilder event = context.getEvent();
		AuthenticationSessionModel authSession = context.getAuthenticationSession();
		UserModel user = context.getUser();
		MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
		event.event(EventType.UPDATE_PASSWORD);
		String passwordNew = formData.getFirst("password-new");
		String passwordConfirm = formData.getFirst("password-confirm");

		EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR)
				.client(authSession.getClient())
				.user(authSession.getAuthenticatedUser());

		if (Validation.isBlank(passwordNew)) {
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.addError(new FormMessage(Validation.FIELD_PASSWORD, Messages.MISSING_PASSWORD))
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			errorEvent.error(Errors.PASSWORD_MISSING);
			return;
		} else if (!passwordNew.equals(passwordConfirm)) {
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.addError(new FormMessage(Validation.FIELD_PASSWORD_CONFIRM, Messages.NOTMATCH_PASSWORD))
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			errorEvent.error(Errors.PASSWORD_CONFIRM_ERROR);
			return;
		}

		// if ("on".equals(formData.getFirst("logout-sessions"))) {
		// AuthenticatorUtil.logoutOtherSessions(context);
		// }

		try {
			user.credentialManager().updateCredential(UserCredentialModel.password(passwordNew, true));
			logoutAllSessions(context.getSession(), context.getRealm(), context.getUser());
			redirectToLoginPage(context);
		} catch (ModelException me) {
			errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.setError(me.getMessage(), me.getParameters())
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			return;
		} catch (Exception ape) {
			errorEvent.detail(Details.REASON, ape.getMessage()).error(Errors.PASSWORD_REJECTED);
			Response challenge = context.form()
					.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
					.setError(ape.getMessage())
					.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
			context.challenge(challenge);
			return;
		}
	}

	private static void logoutAllSessions(KeycloakSession keycloakSession, RealmModel realm, UserModel user) {
		keycloakSession.sessions().removeUserSessions(realm, user);
	}

	public void redirectToLoginPage(RequiredActionContext context) {
		// On the info.ftl page I'll take the message and redirect to the login with
		// this message.
		context.challenge(context.form().setInfo("userPasswordUpdated").createInfoPage());
	}

	@Override
	public int order() {
		return 100;
	}
}

Any recommendations are welcome. I hope it will help you to solve this requirement.

Regards, Fabricio.