I’d like to redirect a user from another app, directly to the Keycloak Password Reset flow, but unfortunately, there are some issues because of the missing tab_id query param.
Unfortunately, it works differently from when a user navigates to Keycloak’s login page and then clicks the Reset Password link. The URL generated by Keycloak contains a tab_id param, which for some reason makes some difference.
I assume it’s how sessions are handled in the background. How can I make this work?
The goal is to just redirect from a Custom app, to the Keycloak Password flow. Can I somehow generate a tabId myself if it doesn’t exist on Keycloak – do I need to initialize some kind of session and mimic what happens when a user opens up the login page?
Quick question too - is there any way to avoid requiring the user to log in? Can a similar link be used to direct the user to the Reset (Forgot) Password flow, without them having to authenticate again, or see the login page at all?
Hm, not sure… don’t think so.
Maybe someone can prove me wrong!?
A solution could be to implement in your application a call to the admin API endpoint to send a reset password link by mail to the user. But this only works for server-side apps/clients and they have to have service accounts enabled with proper rights. While this may be a valid scenario/use case, this of course adds a potential attack vector to your backend app, as it gains (limited) admin access to the Keycloak realm.
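The backend approach from the last reply, sketched as an added example that is not part of the thread or of Keycloak's own code: a confidential client with a service account holding only the `manage-users` role of `realm-management` asks Keycloak to mail an `UPDATE_PASSWORD` action link. The base URL, realm name, `send_reset_email` and the injectable `transport` parameter are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.com"  # assumption: placeholder (older servers add /auth)
REALM = "myrealm"                      # assumption: placeholder realm name


def http(method, url, headers, body=None):
    """Default transport: returns (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, json.loads(raw) if raw else None


def send_reset_email(username, client_id, client_secret, transport=http):
    """Trigger Keycloak's reset-password email for `username`.

    Returns the same generic message whether or not the user exists, so the
    calling endpoint cannot be used to enumerate accounts.
    """
    generic = "If the account exists, a reset email has been sent."
    # 1. Client-credentials grant for the service account.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    _, tok = transport(
        "POST", f"{BASE}/realms/{REALM}/protocol/openid-connect/token",
        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    auth = {"Authorization": f"Bearer {tok['access_token']}"}
    # 2. Exact-match lookup so a partial username never selects another account.
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    _, users = transport("GET", f"{BASE}/admin/realms/{REALM}/users?{query}", auth)
    if not users:
        return generic
    # 3. Keycloak mails the action link itself; the app never sees it.
    user_url = f"{BASE}/admin/realms/{REALM}/users/{users[0]['id']}"
    transport("PUT", f"{user_url}/execute-actions-email",
              {**auth, "Content-Type": "application/json"},
              json.dumps(["UPDATE_PASSWORD"]).encode())
    return generic
```

Rate-limit the application endpoint that calls this function, since each request for an existing account causes Keycloak to send mail.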