Unfortunately we cannot use the Keycloak interface directly, so we had to build a proxy in our application that communicates with Keycloak over the Java admin client. Currently you are able to log in and change your password through our proxy.
Now we want to detect whether a password is expired or temporary in order to force the user to choose and set a new password. To achieve this we catch the possible HttpResponseException thrown by the authClient.obtainAccessToken(String,String) method. If the status code is 400, we check whether the user's password is expired.
To check this we first check if the UserRepresentation contains the required action “UPDATE_PASSWORD”. Additionally we try to validate if the given password is correct.
Next we remove the UPDATE_PASSWORD action and try to log in again. If this works, we assume the password may be correct and the user is able to change their password.
This worked for us when using a temporary password or setting the UPDATE_PASSWORD action manually.
Now we have activated a password policy with an expiration date, but our approach to detect whether a password is valid no longer works. The UPDATE_PASSWORD action is set, but if we remove it, login is still not possible (probably because of the password policy and the reached expiration?).
I know this is veeeeeeery hacky and we are not happy with this approach. Is there any way to check whether a password is valid even if it is expired or temporary?
We use the Keycloak admin and auth client Maven dependencies in version 18.0.2 and Keycloak version 18.0.0.
Greetings from Germany!
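The detection step described above (catch the HttpResponseException from obtainAccessToken, check for status 400, then look for the UPDATE_PASSWORD required action via the admin client), written out as an added example. This is not the poster's code and not part of the Keycloak project; it uses only the public keycloak-authz-client and keycloak-admin-client APIs (AuthzClient, HttpResponseException, Keycloak, UsersResource.search, UserRepresentation.getRequiredActions). The class and enum names are made up for the example, and the assumption that a wrong password comes back as 401 while a pending required action comes back as 400 is mine and should be verified against your Keycloak version. Unlike the hack in the post, the code deliberately leaves the required action in place: the post itself reports that removing it does not get past an expiration policy, so the proxy only reports the state and lets the normal update-password flow handle the change.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.UserRepresentation;

/** Result the proxy reports back to its caller (example enum, not a Keycloak type). */
enum LoginOutcome { OK, PASSWORD_UPDATE_REQUIRED, BAD_CREDENTIALS, OTHER_ERROR }

/** Example proxy-side login check; class name is hypothetical. */
public class PasswordStateCheck {

    private static final String UPDATE_PASSWORD = "UPDATE_PASSWORD";

    private final AuthzClient authClient; // built from keycloak.json (direct access grants enabled)
    private final Keycloak admin;         // admin client with a service account that may view users
    private final String realm;

    public PasswordStateCheck(AuthzClient authClient, Keycloak admin, String realm) {
        this.authClient = authClient;
        this.admin = admin;
        this.realm = realm;
    }

    /**
     * Tries a direct grant with the user's credentials and classifies the outcome.
     * The 400/401 split is an assumption about Keycloak's direct-grant error codes.
     */
    public LoginOutcome login(String username, String password) {
        try {
            AccessTokenResponse token = authClient.obtainAccessToken(username, password);
            return token != null && token.getToken() != null ? LoginOutcome.OK : LoginOutcome.OTHER_ERROR;
        } catch (HttpResponseException e) {
            // Body is the OAuth2 error JSON (error / error_description); useful for the proxy's own log.
            String body = e.getBytes() == null ? "" : new String(e.getBytes(), StandardCharsets.UTF_8);
            System.err.println("direct grant failed: status=" + e.getStatusCode() + " body=" + body);

            if (e.getStatusCode() == 401) {
                // Assumption: wrong credentials are rejected with 401 before required actions are considered.
                return LoginOutcome.BAD_CREDENTIALS;
            }
            if (e.getStatusCode() == 400 && hasUpdatePasswordAction(username)) {
                // Temporary password, manually set action, or expiration policy: user must set a new one.
                return LoginOutcome.PASSWORD_UPDATE_REQUIRED;
            }
            return LoginOutcome.OTHER_ERROR;
        }
    }

    /** Looks the user up by exact username and checks its required actions. */
    boolean hasUpdatePasswordAction(String username) {
        UsersResource users = admin.realm(realm).users();
        List<UserRepresentation> matches = users.search(username);
        for (UserRepresentation user : matches) {
            if (!username.equalsIgnoreCase(user.getUsername())) {
                continue; // search() is a prefix/substring search; keep only the exact account
            }
            List<String> actions = user.getRequiredActions();
            return actions != null && actions.contains(UPDATE_PASSWORD);
        }
        return false;
    }
}
```

Usage: construct the class with an AuthzClient created by AuthzClient.create() and a Keycloak admin client from KeycloakBuilder, then call login(username, password) from the proxy's login endpoint. When it returns PASSWORD_UPDATE_REQUIRED the proxy can redirect the user to its change-password screen, which in turn calls UserResource.resetPassword with a non-temporary CredentialRepresentation; the required action stays set until Keycloak itself clears it, so the check cannot be bypassed by the proxy.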