Need help on finalizing custom reset credentials flow / send-email step

Hello,

As part of my client's requirements I need to have a forgot-password flow that, instead of sending Keycloak's templated mails, uses the client's configured Salesforce Marketing Cloud mails. Also, they have decided that Keycloak should not be open to the internet, so I cannot use Keycloak's pages for login and reset password.
I've challenged both of those decisions and it's clear that there is no way around it.

To make this happen I have created a new reset-credentials flow, a copy of the default one, and created a custom step for the send-email. In this step I call SFMC to send the email with the appropriate link to my custom page, but still with the action token generated by Keycloak.

I have a few questions to tie it all together:

  1. How to generate all the parameters necessary to trigger the flow?
    In the out-of-the-box scenario the link that triggers the reset credentials flow looks like this:
    {keycloakHost}/realms/{realmName}/login-actions/reset-credentials?session_code={sessionCode}&execution={executionId}&client_id={clientId}&tab_id={tabId}

keycloakHost, realmName and clientId are pieces of information we already have available, and I've figured out how to obtain the execution parameter as well. But for tabId and sessionCode I'm a bit lost: I see some references to them in the Keycloak source code, but it's unclear how they are generated.

  2. How to validate the reset password action token?
    Once I've clicked on the link in the email I'll be redirected to my custom page (again, not the Keycloak one) for entering my new password. On this page, in the out-of-the-box scenario, the token is validated by Keycloak to make sure it was issued by Keycloak and has not expired. But it is unclear how this is done, which endpoint to call, and with what parameters.

Any help on either of those questions would be massively appreciated. I can provide more info if necessary.
Thanks.

P.S.: I use Keycloak 19.0.3
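Added example, not part of the post above and not Keycloak's own code: the part of question 2 that a custom page can do by itself is checking that the action token in the link is a JWT signed by the realm key (published at {host}/realms/{realm}/protocol/openid-connect/certs), was issued by that realm ({host}/realms/{realm}), has the expected token type and has not expired. The Go program below does exactly that against a constructed realm key and token, so it runs offline. The claim names typ, asid and nonce, the issuer URL and the kid are assumptions for the sake of the example; decode a real action token from your realm and compare before relying on them. What this cannot replace is Keycloak consuming the token itself (single-use and authentication-session state live on the server), so the custom page still has to hand the token back to Keycloak to finish the reset.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// jwk is one RSA entry of the key set a realm publishes at
// {host}/realms/{realm}/protocol/openid-connect/certs (encoding/json maps kid/kty/n/e onto these fields).
type jwk struct{ Kid, Kty, N, E string }

// actionClaims are the claims checked below. The names typ, asid and nonce are ASSUMED to
// match Keycloak's action-token layout; confirm them against a token decoded from a real realm.
type actionClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Typ   string `json:"typ"`
	Exp   int64  `json:"exp"`
	Asid  string `json:"asid"`
	Nonce string `json:"nonce"`
}

// realmKey returns the RSA public key from the JWKS whose kid matches the token header.
func realmKey(keys []jwk, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
		}
	}
	return nil, errors.New("no realm key matches kid")
}

// verifyActionToken checks the RS256 signature with the realm key named by the header's kid, then
// issuer, token type and expiry. Keycloak's server-side single-use and session checks are NOT replicated.
func verifyActionToken(token string, keys []jwk, issuer, wantTyp string, now time.Time) (*actionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var c actionClaims
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil ||
		json.Unmarshal(pb, &c) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed or non-RS256 token")
	}
	pub, err := realmKey(keys, hdr.Kid)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("no matching realm key or signature does not verify")
	}
	switch { // claims are trusted only now that the signature has been checked
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not this realm", c.Iss)
	case c.Typ != wantTyp:
		return nil, fmt.Errorf("token type %q, want %q", c.Typ, wantTyp)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// mintSample generates a throwaway realm key, publishes it as a one-entry JWKS under kid "example-kid"
// and signs c with header kid hdrKid. Constructed test data only: in production only Keycloak mints these.
func mintSample(c actionClaims, hdrKid string) ([]jwk, string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keys := []jwk{{"example-kid", "RSA", b64.EncodeToString(priv.N.Bytes()),
		b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": hdrKid})
	pb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail for a 2048-bit key
	return keys, input + "." + b64.EncodeToString(sig)
}

func main() {
	issuer := "https://keycloak.internal.example/realms/demo" // assumed realm URL
	keys, tok := mintSample(actionClaims{Iss: issuer, Sub: "user-1", Typ: "reset-credentials",
		Exp: time.Now().Add(5 * time.Minute).Unix(), Asid: "as-1", Nonce: "n-1"}, "example-kid")
	fmt.Println(verifyActionToken(tok, keys, issuer, "reset-credentials", time.Now()))
}
```

In a real deployment the JWKS comes from the realm's certs endpoint (fetch it over the internal network and cache it by kid), the issuer is the realm URL your Keycloak actually reports in its tokens, and the algorithm is pinned rather than taken from the token so a forged header cannot downgrade the check. Passing the verification only tells the page the link is genuine and fresh; posting the new password still has to go through Keycloak, which performs the state-dependent checks on the same token.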