I managed to override KeyCloak’s UpdatePassword class and implemented a solution.
As I had complications with restarting the flow and redirecting the user to the browser flow, I redirect to info.ftl and there (on the front page) I filter if the message is the one related to “Password changed” and then I redirect to the browser flow, forcing an login restart.
I understand that there should be a more elegant solution, but this is what I have managed so far with very basic knowledge of Java and KC.
UpdatePassword.java:
package cloud.poc.keycloak.authentication;
import org.jboss.logging.Logger;
import org.keycloak.authentication.*;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ModelException;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.http.HttpRequest;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
public class UpdatePassword extends org.keycloak.authentication.requiredactions.UpdatePassword {
private static final Logger logger = Logger.getLogger(UpdatePassword.class);
// Base code taken from the KC V.22.0.5:
// https://github.com/keycloak/keycloak/blob/22.0.5/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java
@Override
public void processAction(RequiredActionContext context) {
logger.info("TEST override processAction");
EventBuilder event = context.getEvent();
AuthenticationSessionModel authSession = context.getAuthenticationSession();
UserModel user = context.getUser();
MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
event.event(EventType.UPDATE_PASSWORD);
String passwordNew = formData.getFirst("password-new");
String passwordConfirm = formData.getFirst("password-confirm");
EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR)
.client(authSession.getClient())
.user(authSession.getAuthenticatedUser());
if (Validation.isBlank(passwordNew)) {
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.addError(new FormMessage(Validation.FIELD_PASSWORD, Messages.MISSING_PASSWORD))
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
errorEvent.error(Errors.PASSWORD_MISSING);
return;
} else if (!passwordNew.equals(passwordConfirm)) {
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.addError(new FormMessage(Validation.FIELD_PASSWORD_CONFIRM, Messages.NOTMATCH_PASSWORD))
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
errorEvent.error(Errors.PASSWORD_CONFIRM_ERROR);
return;
}
// if ("on".equals(formData.getFirst("logout-sessions"))) {
// AuthenticatorUtil.logoutOtherSessions(context);
// }
try {
user.credentialManager().updateCredential(UserCredentialModel.password(passwordNew, true));
logoutAllSessions(context.getSession(), context.getRealm(), context.getUser());
redirectToLoginPage(context);
} catch (ModelException me) {
errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.setError(me.getMessage(), me.getParameters())
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
return;
} catch (Exception ape) {
errorEvent.detail(Details.REASON, ape.getMessage()).error(Errors.PASSWORD_REJECTED);
Response challenge = context.form()
.setAttribute("username", authSession.getAuthenticatedUser().getUsername())
.setError(ape.getMessage())
.createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
context.challenge(challenge);
return;
}
}
private static void logoutAllSessions(KeycloakSession keycloakSession, RealmModel realm, UserModel user) {
keycloakSession.sessions().removeUserSessions(realm, user);
}
public void redirectToLoginPage(RequiredActionContext context) {
// On the info.ftl page I'll take the message and redirect to the login with
// this message.
context.challenge(context.form().setInfo("userPasswordUpdated").createInfoPage());
}
@Override
public int order() {
return 100;
}
}
Any recommendations are welcome. I hope it will help you to solve this requirement.
Regards, Fabricio.