We have a business requirement where we need to send email notifications to users 10 days prior to password expiry.
Kindly advise how we can achieve this in Keycloak.
Can we somehow fetch the password expiration date so that we can compare the current date against it and, if the difference is less than 10 days, trigger an email?
PS: We have millions of users, so fetching each user's credentials by API one by one is not an option.
Is there any way via the admin console, events or API to get a list of users whose password will expire in 10 days?
A while back I implemented this. First of all, you really cannot achieve this unless you write some custom code (create a Keycloak extension, which is a jar built by Maven or Gradle, where you can extend any SPI provided by Keycloak).
In our case the solution was to create a custom endpoint (resource) which would return the list of users that will have their password expire in the next X days. The endpoint handler actually used the entity manager available in Keycloak, which you can retrieve from the KeycloakSession as viewed here:
Once you have the entity manager you can run a JPQL query, or, as in our case, in the end we chose to use a native query that fetches the users based on the expiry date, as the query was non-trivial (the reason was that the business logic to extract the users to send the email to was not trivial and took into account other things).
So we had our Keycloak endpoint from which you can extract the email addresses of users whose password will expire in X days (btw, be VERY careful to properly secure such endpoints; for example, you should never ever leave a custom endpoint unauthenticated, it should be called only by an authenticated user which has the proper role/permission, and it could also not be exposed outside on the internet). And we had another application which would call Keycloak each day to fetch the email addresses (we also had millions) and then batch them and send reminder emails.
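An added sketch of the custom realm resource described in the answer above (example code, not the answerer's or Keycloak's own): it rejects anonymous callers, requires a realm role, and runs a native query against the credential table for passwords that will hit the realm's expiry policy within the requested window. Assumed: Keycloak's `RealmResourceProvider` SPI with the factory and `META-INF/services` registration omitted, the `javax.ws.rs` namespace (newer Quarkus builds use `jakarta.ws.rs`), a realm role named `password-expiry-reader`, and the `USER_ENTITY`/`CREDENTIAL` schema with `CREATED_DATE` in epoch milliseconds.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider;

// Exposed as GET /realms/{realm}/expiring-passwords/emails?days=10 once a
// RealmResourceProviderFactory with id "expiring-passwords" is registered (omitted here).
public class ExpiringPasswordsResource implements RealmResourceProvider {
    private static final String REQUIRED_ROLE = "password-expiry-reader"; // assumed realm role
    private final KeycloakSession session;

    public ExpiringPasswordsResource(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return this; }
    @Override public void close() {}

    @GET @Path("emails") @Produces(MediaType.APPLICATION_JSON)
    @SuppressWarnings("unchecked")
    public Response emails(@QueryParam("days") @DefaultValue("10") int days) {
        // Never serve this anonymously: require a valid bearer token carrying the reader role.
        AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
        if (auth == null || auth.getToken().getRealmAccess() == null
                || !auth.getToken().getRealmAccess().isUserInRole(REQUIRED_ROLE)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        RealmModel realm = session.getContext().getRealm();
        int policyDays = realm.getPasswordPolicy().getDaysToExpirePassword();
        if (policyDays <= 0) return Response.ok(List.of()).build(); // no expiry policy set

        // A password created before this instant expires within the next `days` days.
        long cutoff = System.currentTimeMillis() - (long) (policyDays - days) * 86_400_000L;
        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
        // Assumed schema: USER_ENTITY(id, email, realm_id), CREDENTIAL(user_id, type, created_date).
        List<String> emails = em.createNativeQuery(
                "SELECT u.email FROM user_entity u JOIN credential c ON c.user_id = u.id "
              + "WHERE u.realm_id = :realm AND c.type = 'password' "
              + "AND c.created_date < :cutoff AND u.email IS NOT NULL")
            .setParameter("realm", realm.getId())
            .setParameter("cutoff", cutoff)
            .getResultList();
        return Response.ok(emails).build();
    }
}
```

The query runs as one set-based statement per call instead of one admin API request per user, which is what makes the daily sweep feasible for millions of accounts.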