We have a business requirement where we need to send an email notification to users 10 days prior to password expiry.
Kindly advise how we can achieve this in Keycloak.
Can we somehow fetch the password expiration date, so that we can compare the current date against it and, if the difference is less than 10 days, trigger an email?
No, as far as I know this is not possible, and the user will only be asked to change their password when they try to log in; at that point a check is done.
It’s a strange business requirement though. There is no real advantage from a usability standpoint for this, but that’s only my opinion and you are free to ignore it.
But if you really want this functionality you can probably go about it in a couple of ways:
- use the admin REST API and check user by user
- extend Keycloak’s REST API and add such a search feature which returns all those users
- extend Keycloak and add a scheduled task that uses the above extension
…
Either way, depending on the number of users you have or expect to have, all the options could be a hassle.
Hi,
Thanks for your suggestion.
I tried to use the admin rest API to fetch the user details as you suggested.
But the response received does not contain any information about the password policies or the password expiration date for any user.
A user can have many Credentials, the one you will need is of type password. So you need to loop over it and get the correct one.
Then you can compare the value of the expiry policy against the createdDate value of the user credentials.
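
The comparison described in the last reply, as an added example that is not part of the original thread or of Keycloak's code. It assumes the per-user credential list has already been fetched from the admin REST API (assumed endpoint: `GET /admin/realms/{realm}/users/{id}/credentials`) and that the realm's password policy string contains `forceExpiredPasswordChange(N)` with N in days; the function names and all sample data are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

WARN_DAYS = 10  # reminder window from the question

def expiry_days(password_policy):
    """Day count from forceExpiredPasswordChange(N), or None if no expiry policy is set."""
    m = re.search(r"forceExpiredPasswordChange\((\d+)\)", password_policy or "")
    return int(m.group(1)) if m else None

def password_expiry(credentials, max_age_days):
    """Expiry time of the password credential, or None (no policy, or no local password)."""
    created = [c["createdDate"] for c in credentials
               if c.get("type") == "password" and c.get("createdDate") is not None]
    if not created or max_age_days is None:
        return None
    # createdDate is epoch milliseconds; use the newest password credential
    born = datetime.fromtimestamp(max(created) / 1000, tz=timezone.utc)
    return born + timedelta(days=max_age_days)

def needs_reminder(credentials, password_policy, now, warn_days=WARN_DAYS):
    """True when the password is still valid but expires within warn_days."""
    expires = password_expiry(credentials, expiry_days(password_policy))
    return expires is not None and now < expires <= now + timedelta(days=warn_days)

# --- Constructed sample data (not real Keycloak output) ---
def ms(dt):
    return int(dt.timestamp() * 1000)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = "length(8) and forceExpiredPasswordChange(90)"
USERS = {
    "alice": [{"type": "otp", "createdDate": ms(NOW - timedelta(days=200))},
              {"type": "password", "createdDate": ms(NOW - timedelta(days=85))}],
    "bob":   [{"type": "password", "createdDate": ms(NOW - timedelta(days=30))}],
    "carol": [{"type": "password", "createdDate": ms(NOW - timedelta(days=95))}],  # already expired
    "dave":  [{"type": "otp", "createdDate": ms(NOW - timedelta(days=5))}],        # no password
}

def users_to_notify(users=USERS, policy=POLICY, now=NOW):
    """Usernames whose password expires within the reminder window."""
    return sorted(u for u, creds in users.items() if needs_reminder(creds, policy, now))

if __name__ == "__main__":
    print(users_to_notify())
```

Users whose password has already expired, or who have no password credential at all (for example OTP-only or federated accounts), are deliberately excluded so the reminder only reaches accounts that can still act on it.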