Keycloak account api password endpoint removed. Why?

Hi,

So Keycloak had an account API where a user can change its password.

I have installed latest server and it does not work.
I checked git history and found that /password endpoint was removed.

But the form auth/realms/my_realm/account/password still exists where a user can change its password.

Issue KEYCLOAK-15395 is not public. I get “You can’t view this issue”.

So can anyone explain why this was removed?

Anyone? I need this endpoint so I forward the request from my BE to keycloak…

@Steinkauz Hi, it was removed because it is generally considered unsafe to allow password changes using REST API. A user can change their password only through browser using AIA (Application Initiated Action) which is available in the new Account Console.

Ok thanks for the answer.
So it’s only possible to change password over keycloak UI?
If you want your own look for this, the only option is custom keycloak theme?

Yes, exactly. The AIA uses the login page theme.
Also, the AIA can be triggered from your app too, it’s not tied to the new Account Console.

@vmuzikar could you explain how this would work?

AIA can be triggered from your app too

I guess I struggle to see the difference from sending a request via AIA and via a REST call…both seem to send the old and new password right in the request body, and both requests with TLS of course.

JFTR – replied here.
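How an app can trigger the AIA discussed in this thread, as an added example that is not part of any post and is not Keycloak's own code: the backend only redirects the browser to Keycloak with `kc_action=UPDATE_PASSWORD` and checks `kc_action_status` on return, so the old and new passwords are typed into Keycloak's login-theme page and never pass through the app. The host names, client id, redirect URI and the `session` dict are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed deployment values. The /auth prefix follows the path style quoted
# in this thread; adjust it to match your server.
KEYCLOAK_BASE = "https://sso.example.test/auth"
REALM = "my_realm"
CLIENT_ID = "my-app"                                     # hypothetical client
REDIRECT_URI = "https://app.example.test/aia-callback"   # hypothetical callback

KNOWN_STATUSES = {"success", "cancelled", "error"}


def build_update_password_url(state: str) -> str:
    """Authorization request asking Keycloak to run the UPDATE_PASSWORD action."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "kc_action": "UPDATE_PASSWORD",
    }
    endpoint = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth"
    return f"{endpoint}?{urlencode(params)}"


def start_password_change(session: dict) -> str:
    """Bind a fresh random state to the user's session and return the redirect URL."""
    session["aia_state"] = secrets.token_urlsafe(32)
    return build_update_password_url(session["aia_state"])


def handle_callback(session: dict, callback_url: str) -> str:
    """Return the action status, or 'rejected' if state is missing, wrong or reused."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("aia_state", None)  # single use: a replay finds nothing
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return "rejected"
    status = query.get("kc_action_status", ["error"])[0]
    return status if status in KNOWN_STATUSES else "error"
```
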