We have a business requirement where we need to send an email notifications to user, before 10 days prior to password expiry.
Kindly advice how can we achive this in Keycloak.
Can we fetch somehow password expiration date so that we can compare the current date against it and if the diference is less than 10 days, we can trigger an email.
No, as far as I know this is not possible and the user will only be asked to change their password when they try to login, at that point a check is done.
It’s a strange business requirement though, there is no real advantage from a usability standpoint for this but that’s only my opinion and you are free to ignore it.
But if you really want this functionality you can probably go about it in a couple of ways:
- use the admin rest api and check user by user
- extend Keycloak’s rest api and add such a search feature which returns all those users
- extend Keycloak and add a scheduled task that uses the above extension
Either way, depending on the number of users you have or you expect to have all the options could be a hassle.
Thanks for your suggestion.
I tried to use the admin rest API to fetch the user details as you suggested.
But the response received, does not contains any information about the password policies or password expired date for any user.
Can you please suggest, what I am missing here?
as far as I know you need to set a password policy at the realm level, the default is a full year.
You can get a users credentials with the following endpoint
A user can have many Credentials, the one you will need is of type password. So you need to loop over it and get the correct one.
Then you can compare the value of the expiry policy against the createdDate value of the user credentials.
This is the best way I can see on what is available through the REST API.
You could always extend the API yourself and write some custom stuff. An example can be found on https://github.com/zonaut/keycloak-extensions/tree/master/spi-resource
Thank you so much. This information helped us a lot.
I need to achieve a similar thing as the OP and therefore I’m trying to retrieve user credential using the REST endpoint mentioned above.
Sadly, I’m not able to retrieve the credentials and I always get 404 Not Found.
When I try to fetch the user (using the following URI) it succeeds:
however, when I add the /credentials (see the full URI below) it fails:
- I’m using Keycloak version 5.0.0 and Postman version 220.127.116.11
- I’ve tried using HTTPS, too
- I’ve tried retrieving the credentials from both standard Keycloak user as well as LDAP user but neither seem to work
Is there something I’m missing?