In the newest Keycloak 9.0.2, it is possible to change the password "on
behalf of the user" with the usage of the Account REST API.
However, the default account console (the one available under http://your-keycloak-host/auth/realms/your-realm/account) is not using
the Account REST API. You need to enable the Account REST API feature, as it is
only a preview feature which is not enabled by default (see the "Server
Installation Guide" for more details). And then there is an endpoint for
changing the password. This is a preview feature and AFAIK it is not yet
very well documented, so it is best to look at the sources and figure out how
it works. You can take a look at the Keycloak class
AccountCredentialResource and AccountRestServiceTest and some other
classes from where it is referenced. Hopefully you will be able to
figure out how it works.
I would like to understand how to use the Account REST API in an Ionic app to change the password.
In my Ionic app, I started Keycloak with -Dkeycloak.profile.feature.account_api=enabled and I'm using the following function to change the password:
doChangePassword(password_data_model: DataModel) {
  const headers = new HttpHeaders({
    'Content-Type': 'application/json',
    'Accept': 'application/json'
  });
  // POST the password payload to the Account REST API password endpoint
  return this.http.post(
    'your-keycloak-host/auth/realms/your-realm/account/credentials/password',
    JSON.stringify(password_data_model),
    { headers: headers }
  );
}
The password gets successfully changed, but I'm still getting the following CORS error:
Access to XMLHttpRequest at your-keycloak-host/auth/realms/your-realm/account/credentials/password from origin http://localhost:8100 has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I would appreciate understanding why the password was changed successfully but the call also returns a CORS error.
Do I have to set the origin http://localhost:8100 in the Web Origins of the "account" client?
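An added example (not code from the thread) that makes the question above concrete in plain JavaScript for Node: it builds the same Account REST API call with the bearer token it needs, then shows the two checks behind the error. It assumes, as Keycloak behaviour to confirm against your own token, that the client's Web Origins end up in the access token's allowed-origins claim and drive the Access-Control-Allow-Origin header; the host, realm, token and body field names are placeholders or assumptions, and the sample token is constructed and unsigned.

```javascript
// Added example, not code from the thread. The browser, not Keycloak, enforces
// CORS on the response, so a blocked reply does not undo a password change the
// server already processed. Host, realm and token values are placeholders.
const KEYCLOAK_BASE = "https://your-keycloak-host/auth"; // placeholder
const REALM = "your-realm"; // placeholder

// The request the Angular snippet above sends, plus the bearer token the Account
// REST API needs. Body field names are an assumption taken from the PasswordUpdate
// class used by AccountCredentialResource; verify them for your version.
function buildPasswordChangeRequest(accessToken, currentPassword, newPassword) {
  return {
    url: `${KEYCLOAK_BASE}/realms/${REALM}/account/credentials/password`,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Accept: "application/json",
      Authorization: `Bearer ${accessToken}`,
    },
    body: JSON.stringify({ currentPassword, newPassword, confirmation: newPassword }),
  };
}

// Decodes a JWT payload without verifying the signature (diagnostic use only).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// True if the token's allowed-origins claim covers the app origin; when it does
// not, Keycloak omits Access-Control-Allow-Origin and the browser blocks the reply
// (assumed Keycloak behaviour: Web Origins of the client populate this claim).
function originAllowedByToken(token, origin) {
  const allowed = decodeJwtPayload(token)["allowed-origins"] || [];
  return allowed.includes("*") || allowed.includes(origin);
}

// Mirrors the browser's decision: may the page read this cross-origin response?
function browserCanReadResponse(origin, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Constructed, unsigned sample token for the demonstration, not a real Keycloak token.
function makeSampleToken(payload) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${seg({ alg: "none", typ: "JWT" })}.${seg(payload)}.`;
}
```

Decoding your real access token with decodeJwtPayload and checking its allowed-origins claim against http://localhost:8100 tells you whether the Web Origins setting is the cause before you change any client configuration.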
Please could you point me in the right direction. I too need to use a change password feature in an IONIC app. My users do not easily have the ability to log into the standard KeyCloak change password by email.
I have spent hours on this combing the web for all Change Password by API. Most, like this one above, get the error:
{"error":"RESTEASY003210: Could not find resource for full path: https://<sso name>/auth/realms//protocol/credentials/password"}
Please could you let me know what the correct endpoint is to change the password, as well as the header and body required (i.e. supply old password, supply new password, supply secret, supply tokens, supply user id).
@kukukk please have a look into the link posted by @gmesml. There is a very simple method shown: just perform a login and advertise the wish to change the password as a parameter. It will enable the flow to request the current password (which makes the procedure secure against some types of attacks, especially if a session is kept open and the device is left unlocked). Then the user will have to provide the password. I believe that is the cleanest approach possible, since it ensures that the interactive steps are happening. A simple REST call is not enough.
If you want to do it yourself, build a custom server side authenticator, route the user to a custom endpoint and make sure that both the token is valid and the old password provided is correct before updating the password in the user object.