Keycloak: Disable redirect to account page after password reset and show message
I am using Keycloak and I want to enable the Forgot password flow. I have enabled Forgot password in login and configured SMTP to send email. What I get out of the box from Keycloak is the following:

-> Click on Forgot password link -> Enter username or email -> User receives an email with a reset link -> Click on the link -> Reset password, then submit -> User is logged in, then the user is redirected to the account page.

What I want to achieve is the following:

-> Click on Forgot password link -> Enter username or email -> User receives an email with a reset link -> Click on the link -> Reset password, then submit -> Display a message saying "Your password has been updated." and do not log in the user; stay on that page.

The reason for this is, for my use-case, the user shouldn't access the account page on Keycloak.

In the authentication flow of reset credentials, I can only configure up to reset credentials.

Is there any way I can disable this action of logging in the user automatically after password reset, then redirecting to account page?

I have looked into several questions, but I cannot find an answer on how this can be achieved.

PS: I am using Keycloak docker image with a custom theme. If this can be configured using custom theme options, I have the chance to do it.

Thank you in advance.

Anaconda answered 18/8, 2020 at 14:39 Comment(2)
Did you find any solution? – Mirianmirielle
@Anaconda Did you find the working solution for this? – Lynsey

We faced a similar issue during Keycloak usage and solved it via implementing a custom Action Token and Action Token handler (docs). Also check out the original Keycloak reset credentials action token sources:

ActionToken

ActionTokenHandler

Try to play around with `AbstractActionTokenHandler.startFreshAuthenticationSession()`; there are several attributes that define Keycloak behaviour during the reset flow, like:

```java
// Redirect target taken from the action token's redirect_uri note
authSession.setRedirectUri(token.getNote(OIDCLoginProtocol.REDIRECT_URI_PARAM));
// Apply that redirect URI once the required actions have been completed
authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
// End the authentication session after the required actions instead of logging the user in
authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
```
Assessment answered 18/8, 2020 at 22:20 Comment(2)
Hi @Assessment, can you please tell me why you added `authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");` twice? – Ceceliacecil
Hi @Prifulnath, just a copy-paste typo. I fixed my post. – Assessment
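As an added illustration of the approach in the answer above (this is example code, not the answerer's code or Keycloak's own), a handler that keeps the built-in reset-credentials token but ends the session after the password update instead of logging the user in. It assumes, and you should verify for your Keycloak version, that `ResetCredentialsActionTokenHandler` exposes `startFreshAuthenticationSession()` as an overridable method and that a factory with the same provider id and a higher `order()` takes precedence over the built-in one; the package and class names are hypothetical.

```java
// Added example, not code from the original answer or from Keycloak itself.
// Assumptions (verify against your Keycloak version): the built-in handler's
// startFreshAuthenticationSession() is overridable, and a factory with the same
// provider id and a higher order() replaces the built-in factory.
package example.keycloak; // hypothetical package name

import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken;
import org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionTokenHandler;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Reset-credentials handler that ends the authentication session once the
 * UPDATE_PASSWORD required action completes, so no user session (login) is
 * created and the user is not redirected to the account console.
 */
public class NoLoginResetCredentialsHandler extends ResetCredentialsActionTokenHandler {

    @Override
    public AuthenticationSessionModel startFreshAuthenticationSession(
            ResetCredentialsActionToken token,
            ActionTokenContext<ResetCredentialsActionToken> tokenContext) {
        // Let the built-in handler create the authentication session as usual
        AuthenticationSessionModel authSession =
                super.startFreshAuthenticationSession(token, tokenContext);

        // Finish without creating a user session: Keycloak then renders its
        // "account updated" info page instead of issuing a login.
        authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");

        // Do not apply any redirect URI carried by the link, so the user
        // stays on the info page rather than being sent onward.
        authSession.removeAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS);
        return authSession;
    }

    // Same provider id as the built-in handler is inherited; the higher order
    // is what makes Keycloak prefer this factory over the default one.
    @Override
    public int order() {
        return 100;
    }
}
```

Register the class in `META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory` inside your provider JAR; the reset email link itself does not change, because the token type stays the built-in one.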

Go to your Keycloak admin console, Authentication, and disable "Update Profile".

Hope it helps :)

Nahuatlan answered 26/3, 2022 at 11:23 Comment(1)
How is this going to prevent the user from a successful login after password reset? This will just stop Keycloak from using the USER_PROFILE update, right? We won't be able to add the USER_PROFILE action for the user, and it will still be a successful login after password reset. – Ceceliacecil

If you're using your own client for the login page, the specified redirect, or the client default (Base URL), will direct where the user is sent after the password reset.

We did see that when using an admin-directed password reset, this behavior would occur (user sent to the Keycloak account page). So, we simply adjusted the Base URL value for the account client so that it points to the home page of our primary application.

Then, after the account client is used to reset the password, the default redirect is to our home page.

Hanghangar answered 26/4, 2022 at 17:51 Comment(0)