Obtain action token (reset password) with keycloak admin api
I'm trying to implement the forgot-password flow with Keycloak and was able to do it with the Keycloak admin UI. But now I want to do this reset flow completely inside the web application without forwarding the user to Keycloak. Observing the reset token (action token) sent to the email shows that it has attributes such as type and expiry.

{
  "jti": "xx",
  "exp": 1553850003,
  "nbf": 0,
  "iat": 1553846403,
  "iss": "xxx",
  "aud": "xxx",
  "sub": "6eabb442-d40d-4857-8b8f-xxx",
  "typ": "reset-credentials",
  "nonce": "xxx",
  "asid": "xxxx"
}

The Admin API provides an API to reset the password, but I cannot find an API to obtain an action token / a forgot-password API. I would be much obliged if I could know how to approach this workflow with the Keycloak admin.

Cloudcapped answered 4/4, 2019 at 9:11
So you want the user to enter username and password in your application and not in Keycloak? That is not secure, and that is why it is not allowed. – Trough
I want the user to enter the email address in the webapp and my backend service to obtain an action token for the username and send an email to the user (url = webappurl/forgotpassword+token); when the user clicks this URL, he will be directed to the webapp with the token and will enter the new credentials. By using this action token I'm trying to reset the password. – Cloudcapped
Were you able to generate an action token? I am also looking to provide a similar solution. – Salomo
Were you able to figure out the solution? – Undermost
Unfortunately not at that time. I had to write an external service to create a JWT token with 30 mins expiry, appended to a URL, and sent as a password reset URL. When the person clicks, he is sent to our application's password reset page. Thereafter I checked the signature, expiry, and called the password set endpoint of Keycloak. Basically replicated the Keycloak service. Hope things might have changed now. – Cloudcapped
This is not a secure way. Did you set correct CSP headers? Did you set correct referrer-policy header? Did you prevent action tokens from appearing in logs? Do you manage sessions with the anonymous user correctly? Did you... did you... Or did you just replicate the two most obvious things that Keycloak does and ignored all the others? – Klystron
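The flow Cloudcapped describes in the comments (an external service minting a signed 30-minute reset token that mirrors the claims of the Keycloak action token above, a backend that checks signature and expiry, then a call to the Keycloak Admin API reset-password endpoint), as an added example that is not code from the thread or from Keycloak. Besides signature and expiry it enforces the `typ` claim and single use of `jti`, two checks a replicated flow needs as well; the signing key, the issuer URL and the `keycloak_reset_request` helper are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed key for this example only; a real service keeps it in a secret store.
SECRET = b"example-only-signing-key"
ISSUER = "https://webapp.example/reset"   # assumed issuer value
TTL_SECONDS = 30 * 60                      # 30 minute lifetime, as in the thread

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_reset_token(user_id: str, now: int = None) -> str:
    """Mint a compact HS256 token with the claim names seen in the action token."""
    now = int(time.time()) if now is None else now
    claims = {"jti": secrets.token_hex(16), "iat": now, "nbf": now,
              "exp": now + TTL_SECONDS, "iss": ISSUER, "sub": user_id,
              "typ": "reset-credentials"}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_reset_token(token: str, used_jtis: set, now: int = None) -> str:
    """Return the user id if the token is valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Always recompute HS256 with our own key; the header's alg is never trusted.
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("typ") != "reset-credentials" or claims.get("iss") != ISSUER:
        raise ValueError("wrong token type or issuer")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token expired or not yet valid")
    if claims["jti"] in used_jtis:          # single use: a reset link works once
        raise ValueError("token already used")
    used_jtis.add(claims["jti"])
    return claims["sub"]

def keycloak_reset_request(realm: str, user_id: str, new_password: str) -> dict:
    """Describe the Admin API call made only after verify_reset_token succeeds."""
    return {"method": "PUT",
            "path": f"/admin/realms/{realm}/users/{user_id}/reset-password",
            "json": {"type": "password", "value": new_password, "temporary": False}}
```

The returned request description is sent with a service-account bearer token that has the realm's manage-users permission; the reset token itself never reaches Keycloak.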
