
Is there an API call for changing user password on keycloak?

Tags: json, keycloak

I am trying to implement my own form for changing a user's password. I tried to find an API for changing a user's password in Keycloak but I couldn't find anything in the documentation. Is there an API for doing it?

asked Nov 25 '15 07:11

Itay k



2 Answers

You can use PUT /auth/admin/realms/{realm}/users/{id}/reset-password

  • {id} is the user id in Keycloak (not the login)

Here is a sample body.

{ "type": "password", "temporary": false, "value": "my-new-password" }

answered Oct 19 '22 07:10

Barny
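
The two calls behind the answer above, as an added example that is not part of the original post: resolve the login to the Keycloak user id, then PUT the new credential. The host, the token handling and the helper names are assumptions; the lookup uses the Admin REST API's `username` query parameter and filters for an exact match, because that search can return partial matches and the reset must not land on the wrong account.

```python
import json
import urllib.parse
import urllib.request

# Assumptions (not from the answer): BASE_URL, the helper names, and a bearer
# token for an account that is allowed to manage users in the realm.
BASE_URL = "https://keycloak.example.com"  # placeholder host


def admin_url(realm, *parts, query=None):
    # Percent-encode every path segment so a realm or id containing "/" or "?"
    # cannot point the call at a different admin resource.
    path = "/".join(urllib.parse.quote(p, safe="") for p in (realm, *parts))
    url = f"{BASE_URL}/auth/admin/realms/{path}"
    return url + ("?" + urllib.parse.urlencode(query) if query else "")


def pick_user_id(users, username):
    # Keep only the exact login from the search result and refuse to guess
    # when it is missing or ambiguous.
    wanted = username.lower()
    ids = [u["id"] for u in users if u.get("username", "").lower() == wanted]
    if len(ids) != 1:
        raise LookupError(f"expected one user named {username!r}, got {len(ids)}")
    return ids[0]


def build_reset_request(realm, user_id, new_password, token, temporary=False):
    # Same body as the sample in the answer; temporary=True forces a change at next login.
    body = {"type": "password", "temporary": temporary, "value": new_password}
    return urllib.request.Request(
        admin_url(realm, "users", user_id, "reset-password"),
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def reset_password(realm, username, new_password, token):
    lookup = urllib.request.Request(
        admin_url(realm, "users", query={"username": username}),
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(lookup, timeout=10) as resp:
        user_id = pick_user_id(json.load(resp), username)
    req = build_reset_request(realm, user_id, new_password, token)
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status
```

Call `reset_password` only from server-side code: the bearer token carries user-management rights for the whole realm and should never reach a browser.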


UPDATE Keycloak 12

The solution described below will no longer work in Keycloak versions 12 or higher, as the developers decided to remove all Account REST APIs as described in this issue.

Thanks to @Radivarig for pointing this out!


Solution for Keycloak 11

Keycloak recently introduced this feature, but it's currently still in preview and therefore not documented.

To make it work, you need to activate the account_api feature by starting Keycloak with the parameter -Dkeycloak.profile.feature.account_api=enabled like so:

bin/standalone.sh -Dkeycloak.profile.feature.account_api=enabled

(source: https://www.keycloak.org/docs/latest/server_installation/index.html#profiles)

After that, you can use POST /auth/realms/your-realm/account/credentials/password and provide the HTTP header Accept: application/json. The header will make Keycloak use a REST API service which accepts and returns JSON (instead of the default form-based one, which only accepts x-www-form-urlencoded and returns HTML).

As the request body, provide JSON like this:

{
    "currentPassword": "oldPassword",
    "newPassword": "newPassword",
    "confirmation": "newPassword"
}

A full example with curl would look like this:

curl --request POST 'https://path-to-your-host.com/auth/realms/your-realm/account/credentials/password' \
--header 'Accept: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
--data-raw '{
    "currentPassword": "oldPassword",
    "newPassword": "newPassword",
    "confirmation": "newPassword"
}'

Note that, as written above, this feature is still in preview and might change in the future. So use it with caution!

answered Oct 19 '22 08:10

David Losert