Hi Guys,
I’m a new user of Keycloak. I just want to ask how to require the old password during a password update on the account page.
Thanks
xgp
November 15, 2021, 8:25am
2
The built-in password update functionality doesn’t allow that. It would be possible to build a custom authenticator and replace that. Docs and files you would override are here:
https://www.keycloak.org/docs/latest/server_development/#_auth_spi
<#import "template.ftl" as layout>
<@layout.registrationLayout displayMessage=!messagesPerField.existsError('password','password-confirm'); section>
<#if section = "header">
${msg("updatePasswordTitle")}
<#elseif section = "form">
<form id="kc-passwd-update-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
<input type="text" id="username" name="username" value="${username}" autocomplete="username"
readonly="readonly" style="display:none;"/>
<input type="password" id="password" name="password" autocomplete="current-password" style="display:none;"/>
<div class="${properties.kcFormGroupClass!}">
<div class="${properties.kcLabelWrapperClass!}">
<label for="password-new" class="${properties.kcLabelClass!}">${msg("passwordNew")}</label>
</div>
<div class="${properties.kcInputWrapperClass!}">
<input type="password" id="password-new" name="password-new" class="${properties.kcInputClass!}"
autofocus autocomplete="new-password"
aria-invalid="<#if messagesPerField.existsError('password','password-confirm')>true</#if>"
/>
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authentication.requiredactions;
import org.jboss.logging.Logger;
Or, if you don’t need it on the same form, you should be able to require the old password in a custom flow for credential reset.
Hi bpedersen2, how can I enable that? I think your solution is much better for me because I don’t want to modify the source code.
Hi, for anyone who’s trying to solve this issue: I managed to fix it by changing the account theme.
keycloak server > realm > realm settings > themes > account theme
and use the keycloak theme.
Hey guys, what is the link of the update password page? I can’t get it, guys!
mserag
January 4, 2025, 9:05pm
8
Hello everyone, I made a small demo for changing a password while validating the old password.
You can check it here.
This functionality can now (since a few versions) be configured directly in Keycloak itself.
Go to the required action “Update Password”, click on the cog icon and set the Maximum Age of Authentication to 0. This way, the users will always be forced to re-authenticate (aka entering the current password) before updating their password. No need for custom code.
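The same setting can be applied without the admin console, through the Keycloak Admin REST API, which is useful when realms are provisioned by script and the change should be verified afterwards. The script below is an added example and is not code from this thread or from the Keycloak project. It reads the “Update Password” required action (alias UPDATE_PASSWORD) from /admin/realms/{realm}/authentication/required-actions/{alias}, writes it back with the maximum authentication age set to 0, and re-reads it to confirm. The config key name max_auth_age behind the console field is an assumption here; check it against a GET of the action on your own Keycloak version before relying on it. The SAMPLE_REP dictionary is a constructed representation used for an offline demonstration of the merge logic; the HTTP helper needs a real server and a bearer token with realm admin rights.

```python
"""Enforce re-authentication before password updates via the Keycloak Admin REST API.

Added example (not from the thread or the Keycloak project). Assumes the
Admin REST API paths below and the config key MAX_AUTH_AGE_KEY.
"""
import json
import urllib.request
from typing import Any, Optional

# ASSUMPTION: the config key behind the admin-console field
# "Maximum Age of Authentication". Confirm with a GET of the action first.
MAX_AUTH_AGE_KEY = "max_auth_age"
UPDATE_PASSWORD_ALIAS = "UPDATE_PASSWORD"

# Constructed sample of a RequiredActionProviderRepresentation, as the admin API
# returns it; the values are made up for this example.
SAMPLE_REP: dict[str, Any] = {
    "alias": UPDATE_PASSWORD_ALIAS,
    "name": "Update Password",
    "providerId": UPDATE_PASSWORD_ALIAS,
    "enabled": True,
    "defaultAction": False,
    "priority": 30,
    "config": {},
}


def with_max_auth_age(rep: dict[str, Any], seconds: int) -> dict[str, Any]:
    """Return a copy of the representation with the max-auth-age config set.

    All other fields (enabled, defaultAction, priority, existing config keys) are
    kept, so a PUT of the result does not silently reset them. The input is not
    mutated. Keycloak stores config values as strings, hence str(seconds).
    """
    if rep.get("alias") != UPDATE_PASSWORD_ALIAS:
        raise ValueError(f"expected alias {UPDATE_PASSWORD_ALIAS}, got {rep.get('alias')!r}")
    if seconds < 0:
        raise ValueError("maximum authentication age must be >= 0 seconds")
    updated = dict(rep)
    updated["config"] = {**(rep.get("config") or {}), MAX_AUTH_AGE_KEY: str(seconds)}
    return updated


def requires_reauth(rep: dict[str, Any]) -> bool:
    """True when the action is enabled and set to age 0, i.e. the user must
    enter the current password before every password update."""
    cfg = rep.get("config") or {}
    return bool(rep.get("enabled")) and cfg.get(MAX_AUTH_AGE_KEY) == "0"


def _admin_call(base_url: str, token: str, method: str, path: str,
                body: Optional[dict[str, Any]] = None) -> Optional[dict[str, Any]]:
    """Minimal JSON call against the admin API; PUT returns 204 with no body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def enforce_current_password(base_url: str, realm: str, token: str) -> dict[str, Any]:
    """GET the action, PUT it back with age 0, then GET again and verify."""
    path = f"/admin/realms/{realm}/authentication/required-actions/{UPDATE_PASSWORD_ALIAS}"
    current = _admin_call(base_url, token, "GET", path)
    if current is None:
        raise RuntimeError("required action not found")
    _admin_call(base_url, token, "PUT", path, with_max_auth_age(current, 0))
    after = _admin_call(base_url, token, "GET", path)
    if after is None or not requires_reauth(after):
        raise RuntimeError("Update Password still does not force re-authentication; "
                           "check that the action is enabled and the config key name")
    return after


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no server needed.
    hardened = with_max_auth_age(SAMPLE_REP, 0)
    print("before:", requires_reauth(SAMPLE_REP), " after:", requires_reauth(hardened))
```

Run it against a live server by calling enforce_current_password("https://keycloak.example.test", "myrealm", token) with a token obtained from the admin-cli client; the final GET is what turns a fire-and-forget PUT into a verifiable control.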