I am facing a situation where it would be very convenient if I had a hook/SPI/callback that would be triggered when a user changes their password, so I can take that password and use it to update that same user's password in another repository, which has to be maintained for a while.
So, is there a possibility to “export” the plain text password of a user when the password reset happens?
Yes, I know how it sounds in terms of security, not ideal, but any connection in or out will be SSL/TLS encrypted, obviously.
You could use an EventListener on the EventType.UPDATE_PASSWORD to know that it happened, but the plain text password wouldn’t be there for you in the Event object. There might be some way to store it in the session and have access to it that way, but that would require writing a custom Authenticator for the update password flow.
I am wondering now if I could alter/extend the LDAP provider. I should be able to get the password there, and then call a messaging tool or similar to send an alert that the password has changed. There must be a way.
xgp is correct… The best (maybe only) way would be to extend the update password flow and just make API calls to your other repository after the Keycloak password update happens. Should be something like calling the super method from the overridden method and then updating your repo after the super completes. You should have access to the plain-text password at this point.
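A sketch of the approach from the last reply, added here as an example; it is not code from the thread or from Keycloak. It assumes a recent Keycloak with the built-in `UpdatePassword` required action, and the class name, package, endpoint URL and form-encoded API of the other repository are hypothetical. Registering it in place of the stock action and authenticating to the other repository are deployment-specific and not shown.

```java
package com.example.keycloak; // hypothetical package
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import org.jboss.logging.Logger;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.requiredactions.UpdatePassword;

public class SyncingUpdatePassword extends UpdatePassword {
    private static final Logger LOG = Logger.getLogger(SyncingUpdatePassword.class);
    // Placeholder endpoint of the other repository (assumption); https only.
    private static final URI LEGACY = URI.create("https://legacy.example.invalid/api/password");
    private static final HttpClient HTTP = HttpClient.newHttpClient();

    @Override
    public void processAction(RequiredActionContext context) {
        // Same form field the stock update-password action reads.
        String newPassword = context.getHttpRequest()
                .getDecodedFormParameters().getFirst("password-new");
        super.processAction(context); // Keycloak validates policy and stores the credential
        // A mismatch or policy failure ends in challenge(), not success(): sync nothing.
        if (context.getStatus() != RequiredActionContext.Status.SUCCESS || newPassword == null) {
            return;
        }
        String username = context.getUser().getUsername();
        try {
            String body = "username=" + enc(username) + "&password=" + enc(newPassword);
            HttpRequest req = HttpRequest.newBuilder(LEGACY)
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .POST(HttpRequest.BodyPublishers.ofString(body))
                    .build();
            int status = HTTP.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
            if (status / 100 != 2) {
                LOG.warnf("Legacy password sync for %s returned HTTP %d", username, status);
            }
        } catch (Exception e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            // Log the exception class only; never the request body or the password.
            LOG.warnf("Legacy password sync for %s failed: %s", username, e.getClass().getName());
        }
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```

The status check is what keeps a rejected password out of the other repository; a failed push leaves the two stores out of step, so the warning should feed whatever alerting covers the migration.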