How to Execute Actions Email in Keycloak

I am trying to trigger sending an email using the Keycloak API, but not succeeding. As described in the documentation, I first get a token for my admin user:

curl \
  -d "client_id=admin-cli" \
  -d "username=admin" \
  -d "password=admin" \
  -d "grant_type=password" \
  "http://localhost:8180/auth/realms/master/protocol/openid-connect/token"

I am successfully getting a token, which I am then using in my second call as follows:

curl -v  -X PUT -d '["UPDATE_PASSWORD"]' \
    -H "Content-Type: application/json" \
    -H "Authorization: bearer <access_token>" \
    "http://localhost:8180/auth/admin/realms/local/users/4553/execute-actions-email"

The answer I am getting is 404.

I figured that the problem is that I am using a user from user federation with an id from my database. If I create a user in Keycloak and use the id that Keycloak generated, it will work. The thing is, I need this functionality for federated users. Any hints?

Cherokee answered 7/3, 2019 at 10:27 Comment(2)
Found the answer, had to implement methods of UserQueryProvider interface. - Cherokee
I have the exact same requirement. Can you please suggest how to trigger the reset password email for a federated user using UserQueryProvider? - Tirado

As of 2022 (Keycloak 19.02), the documentation states:

Which is in fact wrong. The right API endpoint is the one mentioned by gohar.gasparyan

Edit: Which is in fact me not reading, since the documentation states at the top

The UserQueryProvider can be found in Groups

I have a user that is part of that group, logs in using username/password (I couldn't figure out setting an access token) and then uses the API endpoints using a Bearer token.

Full Script is as follows:

#!/bin/bash

KEYCLOAK_URL=http://localhost:8080/auth
KEYCLOAK_REALM=myRealmName
KEYCLOAK_CLIENT_ID=serviceAccount
KEYCLOAK_CLIENT_SECRET=serviceAccountPassword
REDIRECT_URL=http://redirect-link-after-action.com
# Realm -> Manage -> Clients -> ClientID of connected application
CLIENT_ID=ConnectApplicationClientID

# Debug tracing: prints every command, including the password and the bearer token
set -x

# Log in with username/password through the admin-cli client and keep the access token
export TKN=$(curl -X POST "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "username=${KEYCLOAK_CLIENT_ID}" \
 -d "password=${KEYCLOAK_CLIENT_SECRET}" \
 -d 'grant_type=password' \
 -d 'client_id=admin-cli' | jq -r '.access_token')

# List the users of the realm
#curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \
RAW=$(curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users" \
 -H "Accept: application/json" \
 -H "Authorization: Bearer $TKN" | jq .)

# Collect every user id into the array "values" (@sh shell-quotes each id for eval)
eval "$( echo "$RAW" | jq -r '@sh "values=( \([.[].id]) )"' )"

# URL-encode the redirect target for use as a query parameter
REDIRECT_URI_ENCODED=$(printf %s "$REDIRECT_URL" | jq -sRr @uri)

# Send the UPDATE_PASSWORD action email to every user in the list
for i in "${values[@]}"; do
  curl -v -X PUT "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${i}/execute-actions-email?redirect_uri=${REDIRECT_URI_ENCODED}&client_id=${CLIENT_ID}" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $TKN" \
    -d '["UPDATE_PASSWORD"]'
done

Make sure to add the redirect_uri to the valid redirection URLs in the client configuration.

After all that endeavour we end with the nice link "Back to Application".

Take note that your email account update links will refer to the KEYCLOAK_URL variable unless you specify a Frontend URL in Realm -> Configure -> Realm settings.

Blanchette answered 6/10, 2022 at 8:47 Comment(0)
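
A hardened single-user variant of the call in the script above, added here as an example and not part of the original answer: it percent-encodes the user ID and the query values, and hands the bearer token to curl on stdin so that it shows up neither in the process list nor in `set -x` traces. The function names are this example's own; `KEYCLOAK_URL`, `KEYCLOAK_REALM`, `REDIRECT_URL`, `CLIENT_ID` and `TKN` are assumed to be set as in that script.

```shell
#!/bin/sh
# Added example. Assumes KEYCLOAK_URL, KEYCLOAK_REALM, REDIRECT_URL, CLIENT_ID and
# TKN are set as in the script above; the function names are this example's own.

# Percent-encode everything outside the RFC 3986 unreserved set (ASCII input).
urlencode() {
  _in=$1
  _out=
  while [ -n "$_in" ]; do
    _rest=${_in#?}
    _c=${_in%"$_rest"}
    _in=$_rest
    case $_c in
      [A-Za-z0-9._~-]) _out=$_out$_c ;;
      *) _out=$_out$(printf '%%%02X' "'$_c") ;;
    esac
  done
  printf '%s' "$_out"
}

# Build the request URL. Realm, user ID and both query values are encoded, so a
# stray character in any of them cannot change the path or add parameters.
actions_url() {  # args: base_url realm user_id redirect_url client_id
  [ -n "$3" ] || return 1
  printf '%s/admin/realms/%s/users/%s/execute-actions-email?redirect_uri=%s&client_id=%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")" "$(urlencode "$5")"
}

# Send the email to one user. The token reaches curl as a config line on stdin
# (-K -), so it is not in curl's argv; tracing is turned off first so that an
# earlier `set -x` does not print it either.
send_actions_email() {  # args: user_id
  { set +x; } 2>/dev/null
  _url=$(actions_url "${KEYCLOAK_URL:?}" "${KEYCLOAK_REALM:?}" "${1:-}" \
    "${REDIRECT_URL:?}" "${CLIENT_ID:?}") || { echo "cannot build URL" >&2; return 2; }
  _code=$(printf 'header = "Authorization: Bearer %s"\n' "${TKN:?}" |
    curl -sS -o /dev/null -w '%{http_code}' -K - -X PUT \
      -H 'Content-Type: application/json' -d '["UPDATE_PASSWORD"]' "$_url")
  # 204 is success; any other status (404, 400, ...) is reported to stderr.
  [ "$_code" = 204 ] || { echo "execute-actions-email: HTTP $_code" >&2; return 1; }
}

# Usage, after sourcing this file: send_actions_email <keycloak-user-id>
```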

In Keycloak 21.1, I was able to send the execute-actions-email request for the master realm users using the following endpoint:

curl --location --request PUT 'http://<your_ip>:<your_port>/auth/admin/realms/master/users/<user_id>/execute-actions-email' \
--header 'Authorization: Bearer <my_token>' \
--header 'Content-Type: application/json' \
--data '["UPDATE_PASSWORD"]'

And you'll get a 204 response (the server successfully processed the request, but is not returning any content). I was not able to do this for non-master realms. Despite having assigned the necessary roles to my client and user, I get a 400 Bad Request response.

Knowing answered 7/9 at 12:4 Comment(0)