How to build a login URL with given action (UPDATE_PASSWORD)

I need to create a URL so the user after login must change the password.
I know I have to append the parameter kc_action=UPDATE_PASSWORD…
But how do I fill the other params that are automatically filled when I go to

http://localhost:8080/realms/myrealm/account

===>

http://localhost:8080/realms/myrealm/protocol/openid-connect/auth?client_id=account-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Fmyrealm%2Faccount%2F&state=############&response_mode=query&response_type=code&scope=openid&nonce=##############&code_challenge=##############&code_challenge_method=S256

Without them it does not work.

thanks

Francesco

Have you checked:

1 Like

Yes I tried the plain recipe (below) but without the extra parameters it does not work, don’t know why.

http://localhost:8080/auth/realms/disney/protocol/openid-connect/auth?client_id=ariel&redirect_uri=http://localhost:5053&response_type=code&scope=openid&kc_action=UPDATE_PASSWORD

I get the error “Sorry, an unexpected error has occurred.”

Just to double-check, have you tried without /auth? In the newer versions, it is no longer necessary unless you have set the environment variable KC_HTTP_RELATIVE_PATH.

1 Like

Hi, yes, I double-checked that.
The problem is that KC wants a code_challenge (because KC uses PKCE), and without it, it complains.

So I need to generate a valid code_challenge…
I need to create a simple link to change password.

But how?
Any hints?

KC already automatically creates a code_challenge but then it should append the parameter passed ( kc_action )

maybe something like that:

I’ll write a JS script that creates a link…

It would have been better if KC automatically added it whenever it was missing, so even in the presence of kc_action

Just to clarify some points: it is not just a link to change the password. In this example, the app is initiating an authentication request following the OIDC standard with the Authorization Code flow.
Regarding PKCE or not, it all depends on whether your application is a SPA or not.

1 Like

Yes, but I need to create a JS app "Change your PWD" where the user just clicks a button and gets redirected to a KC URL that initiates the auth with kc_action=UPDATE_URL

I need to create the code_challenge myself in JS in order to create the URL

(Maybe a workaround could be to disable PKCE)

You can call the login(...) function of the JS adapter with an options object. One of the options is the action parameter; this action param is the one you are looking for.
It’s mentioned in the docs: Securing Applications and Services Guide

Disabling PKCE is not an option, as it decreases security.
Just calculating a custom code challenge is also not an option, if you can’t use the custom code verifier in your flow.

1 Like