My web application with a backend is secured by OAuth2 with Keycloak as AuthServer. It needs a screen where a logged-in user can change their own password by entering the old and a new password.
If I understand correctly, there are two ways to achieve this:
- Redirect the user to the account console so that they can change the password there.
- Have the user enter the password into my application, and use the admin REST API from the backend to change the password.
My understanding is that option 2 (the admin REST API) is discouraged for two reasons: first, it’s none of the application’s business to ask for user credentials (this should be Keycloak’s job), and second, there is no good way to verify the old password via the admin REST API (there’s a workaround to request a token by client credentials, but this has a couple of drawbacks). I understand this.
However, redirecting to the account console is also no option since my app is required (by client specification) to show the “change password” screen within the app itself.
- Is there a possibility to integrate the relevant part of the account console into an existing web application, e.g. via an iframe or some other means?
- Can anyone point to an example where this has been done?