Keycloak get user password

Question

In my project, I need to get current user password from Rest API.

I searched keycloak 4.8.3 final documentation but I could not find it. With admin user I can change password without knowing the current password. But my logged in user can be admin or not. I found that keycloak does not give me permission to that because of security. Wrap up is there any way to active that settings or is there a way to get password with Rest API ? Thank you.

Answer 1

Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.

---

Via the Rest API, one cannot get the password for obvious reasons. Ideally, in a secure setting, even if one is the admin one should not have access to the users' passwords.

From the comments you wrote:

I could use method like boolean isPasswordCorrect(username,password)

An approach is to create a client on your Realm as follows:

• Go to your Realm;
• Clients;
• Create Client;
• Set Access Type to public;
• Set Direct Access Grants Enabled to ON;
• Save;

Now request from the newly created client a token on behalf of the user that you want to check if the password is correct:

As you can see the endpoint is:

<KEYCLOAK_HOST>/auth/realms/<REALM_NAME/protocol/openid-connect/token

and the body is:

client_id : <The client ID of the newly create client>
username : <The username>
password : <The password to be tested>
grant_type : password

If the password is correct you will get back a token object, otherwise you will get the following response:

{
    "error": "invalid_grant",
    "error_description": "Invalid user credentials"
}