I login to keycloak and then change my password but my access token and refresh token still worked
all sessions for that user should be logout .
I believe you would need to implement an EventListener that invalidates the sessions of the user on receipt of a password change event.
has anyone done something along those lines already.
Not exactly the same, but the same approach:
this link does’nt work. Has anyone achieved this yet?
Did someone can answer this please ?
The flow is very simple at the end of user reset password user should be redirect to login page and need to connect not to be connected
Hello there.
I’m trying to do this. I’ve just implemented an event listener where I remove all user sessions after the UPDATE_PASSWORD event. I am closing all sessions but I can’t find a way to redirect to login (browser flow) with a message.
My implementation is below:
UpdatePasswordEventListener.java
package cloud.poc.keycloak.authentication;
import org.keycloak.common.util.Time;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.RealmModel;
import org.keycloak.storage.adapter.InMemoryUserAdapter;
public class UpdatePasswordEventListener implements EventListenerProvider {
private final KeycloakSession keycloakSession;
public UpdatePasswordEventListener(KeycloakSession keycloakSession) {
this.keycloakSession = keycloakSession;
}
@Override
public void onEvent(Event event) {
if(!event.getType().equals(EventType.UPDATE_PASSWORD)) {
return;
}
RealmModel realm = keycloakSession.getContext().getRealm();
InMemoryUserAdapter user = new InMemoryUserAdapter(keycloakSession, realm, event.getUserId());
keycloakSession.sessions().getUserSessionsStream(realm, user).forEach(userSession -> {
// remove all existing user sessions
keycloakSession.sessions().removeUserSession(realm, userSession);
});
// Here I need to do something like bellow but I can't access to AuthenticationFlowContext
// context.forkWithSuccessMessage(new FormMessage(Messages.PASSWORD_UPDATED));
}
@Override
public void onEvent(AdminEvent event, boolean includeRepresentation) {
}
@Override
public void close() {
}
}
UpdatePasswordEventListenerFactory.java
package cloud.poc.keycloak.authentication;
import org.keycloak.Config;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
public class UpdatePasswordEventListenerFactory implements EventListenerProviderFactory {
public static final String PROVIDER_ID = "update-password-event-listener";
@Override
public EventListenerProvider create(KeycloakSession keycloakSession) {
return new UpdatePasswordEventListener(keycloakSession);
}
@Override
public void init(Config.Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public void close() {
}
@Override
public String getId() {
return PROVIDER_ID;
}
}
Could someone help me? Or let me know if there is a better solution for this requirement.
I’m working with KeyCloak V. 22.0.5
Regards, Fabricio.
I have found a workaround.
Here are the details: