User feedback on the Forgot Password page about the existence of a user

schuerg · November 10, 2021, 11:17am

Can the “Forgot Password” page be configured in such a way that the user receives feedback as to whether a username / email address has been entered that belongs to an existing account in the keycloak realm?

The default behavior seems to be to show the following green message no matter what is entered in the input field:

I am aware that you may not want to have this behavior for security reasons. But is it still possible to configure?

xgp · November 10, 2021, 11:33am

You would have to customize the Authenticator in the “Reset Credentials” flow, but yes, you could do this. Looks like the email gets sent and the message gets set here: keycloak/ResetCredentialEmail.java at main · keycloak/keycloak · GitHub

Topic		Replies	Views
Get message "Your password has been updated." after reset password Getting advice	2	907	January 31, 2024
Custom ResetCredentialEmail does not work after upgrade to Keycloak 21 Extending the server authentication	0	147	March 31, 2023
Keycloak Forgot/Reset Password flow Getting advice	0	503	June 5, 2020
Password reset request works via "Forgot Password" link but not via Admin REST call Getting advice	4	461	August 25, 2022
Success full password reset user need to redirect to login page Getting advice authentication	3	555	December 20, 2023

User feedback on the Forgot Password page about the existence of a user

Related Topics