User Password Change Programmatically

Trying to change the password of a user using user context, not an admin context in a Java application.

The change password works when an admin context (token) is used, but not when a non-admin user context (token) is used.

However, when logging into the Keycloak UI, the non-admin user can change password.

Any help is appreciated

In newest Keycloak 9.0.2, it is possible to change the password “on behalf of the user” with the usage of Account REST API.

However the default account console (the one available under http://your-keycloak-host/auth/realms/your-realm/account) is not using Account REST API. You need to enable Account REST API feature as it is only preview feature, which is not enabled by default (see “Server Installation Guide” for more details). And then there is endpoint for changing the password. This is preview feature and AFAIK it is not yet very well documented. So best is to look at the sources and figure how it works :) You can take a look at the Keycloak class AccountCredentialResource and AccountRestServiceTest and some other classes from where it is referenced. Hopefully you will be able to figure how it works.



Thank you. Currently on an older version of keycloak. Will upgrade in due course and check.

Will post here when the upgrade is done and implementation is complete.


I would like to understand how to use Account REST API in an Ionic app to change the password.
In my Ionic app, I started Keycloak with -Dkeycloak.profile.feature.account_api=enabled and I’m using the following function to change the password:

    doChangePassword(password_data_model: DataModel) {
      const headers = new HttpHeaders({
        'Content-Type': 'application/json',
        'Accept': 'application/json'
      });
      // endpoint as in the error message below; host and realm are placeholders
      return this.http.post('your-keycloak-host/auth/realms/your-realm/account/credentials/password',
        password_data_model, { headers: headers });
    }

The password gets successfully changed, but I’m still getting the following CORS error:

Access to XMLHttpRequest at your-keycloak-host/auth/realms/your-realm/account/credentials/password from origin http://localhost:8100 has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

I would appreciate understanding why the password was changed successfully but this also returns a CORS error.
Do I have to set the origin http://localhost:8100 in Web Origins of the “account” client?



Hi, thanks for a great authorization platform.

Please could you point me in the right direction. I too need to use a change password feature in an Ionic app. My users do not easily have the ability to log into the standard Keycloak change password by email.
I have spent hours on this combing the web for all Change Password by API. Most, like this one above, get the error:
{"error":"RESTEASY003210: Could not find resource for full path: https://>sso nanme>/auth/realms//protocol/credentials/password"}

Please could you let me know what the correct end point is to change the password as well as the Header and Body required (i.e. Supply old password, supply new password, supply secret, supply tokens, supply user id)

Thanks Marek.

Sorry it took me a while to write back, we are at version 6.0.1 and will be upgrading sometime later.
Will let you know when we do that.

We have worked around that for now.


Have you found solution to this?
We currently have Web Origins: * and still getting this CORS error.

I’m also having difficulties using the account_api. I’m running Keycloak 12.0.2 dockerized, and added the following environment variable:


But when I try to access

POST {{keycloak-host}}/auth/realms/{{keycloak-realm}}/account/credentials/password

I get

"error": "RESTEASY003650: No resource method found for POST, return 405 with Allow header"

Any help would be appreciated on how to change and reset the password programmatically as a simple user without the Keycloak UI.

They say they removed it on 12 and above, use Admin Rest API instead.

@kukukk, please have a look into the link posted by @gmesml. There is a very simple method shown: just perform a login and advertise the wish to change the password as a parameter. It will enable the flow to request the current password (which makes the procedure secure against some types of attacks, especially if a session is kept open and the device is left unlocked). Then the user will have to provide the password. I believe that is the most clean approach possible since it ensures that the interactive steps are happening. A simple REST call is not enough.
If you want to do it yourself, build a custom server side authenticator, route the user to a custom endpoint and make sure that both the token is valid and the old password provided is correct before updating the password in the user object.

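As an added illustration of the "login and advertise the wish to change the password as a parameter" approach from the reply above (example code written for this thread, not from Keycloak or any poster): a client such as the Ionic app builds the login URL with Keycloak's Application Initiated Action parameter kc_action=UPDATE_PASSWORD, and on return checks the state value it issued plus the kc_action_status parameter. The parameter names are taken from my knowledge of Keycloak, and every host, realm, client id and state below is a constructed placeholder.

```typescript
// Added example, not from the thread: start Keycloak's own password-change
// flow from a browser/Ionic app instead of posting passwords to a REST endpoint.
// Assumptions: kc_action=UPDATE_PASSWORD on the authorization endpoint and
// kc_action_status on the redirect behave as in Keycloak's Application
// Initiated Actions; all concrete values are placeholders.

interface LoginOptions {
  keycloakBase: string; // e.g. https://your-keycloak-host/auth (placeholder)
  realm: string;
  clientId: string;
  redirectUri: string;  // must be listed as a valid redirect URI on the client
  state: string;        // random per-request value the app stores before redirecting
}

/** Build the authorization URL that logs the user in and then forces UPDATE_PASSWORD. */
function buildUpdatePasswordUrl(o: LoginOptions): string {
  const u = new URL(`${o.keycloakBase}/realms/${encodeURIComponent(o.realm)}/protocol/openid-connect/auth`);
  u.searchParams.set("client_id", o.clientId);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("scope", "openid");
  u.searchParams.set("redirect_uri", o.redirectUri);
  u.searchParams.set("state", o.state);
  // Keycloak re-prompts for the current password before accepting a new one,
  // so neither password passes through the app's own code.
  u.searchParams.set("kc_action", "UPDATE_PASSWORD");
  return u.toString();
}

type ActionOutcome = "success" | "cancelled" | "error" | "unknown";

/** Interpret the redirect back from Keycloak; reject it if state does not match what the app issued. */
function parseActionRedirect(redirectedTo: string, expectedState: string): ActionOutcome {
  const params = new URL(redirectedTo).searchParams;
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch: this redirect was not started by the current app session");
  }
  const status = params.get("kc_action_status");
  if (status === "success" || status === "cancelled" || status === "error") {
    return status;
  }
  return "unknown";
}
```

The authorization code still has to be exchanged for tokens as in a normal login; the kc_action_status value only tells the app whether the user completed, cancelled or failed the password update.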