How to customize first time login flow

Does Keycloak provide a feature to require a first-time user to trigger a Required-Action?
For example, I’ve added a user to my Keycloak instance without giving a temp password.

I want to see if I can set up a flow where the user would log in using the email and a random password (or just press enter without a password), and Keycloak would check to see if it was a first-time user or not. If yes, it will forward the user to an update password form. If not, it will just indicate that a wrong password was entered.

That use case seems like a pretty big security hole. If I know the email, then I can take over anyone’s account who hasn’t logged in before.

That said, it is possible to build a custom Authenticator that ignores password and just logs the user in. You can then add the UpdatePassword RequiredAction to the user’s required actions using the setRequiredActions method in the Authenticator.