Keycloak UPDATE_PASSWORD updates a user password but repeatedly asks to update password - only for a particular user

When I log in with a particular user, keycloak redirects to https://my-domain/auth/realms/my-realm/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=my-client&tab_id=D_tuOJydHZ4

This is expected as “Update Password” is set for that user for “Required User Actions”

However, upon updating the password correctly (i.e., no error for previous password or validations) instead of redirecting to my app with a token, the update password page is again displayed.

This is only happening for a particular user.

When I check that user in the keycloak administration site the “Update Password” is still set for that user for “Required User Actions”.

If I attempt to login with that user the updated password ‘works’ - but the user is also redirected to the update password page.

For other users the behaviour is as expected, such that when “Update Password” is set for “Required User Actions” for the user, upon login with correct credentials, they are prompted to update their password, but when they successfully do that, they are logged into our app. Also, the “Update Password” is removed for the user for “Required User Actions”.

I’ve looked in the keycloak logs and can’t see any errors or warning related to the UPDATE_PASSWORD action.

I can’t see anything that is different for the user in question.

We’re using keycloak 6.0.1

Does anyone know what might be hindering “Update Password” from being removed from “Required User Actions” for the user? …or have any suggestions about how to track down why this might be happening?