[keycloak-user] Direct access to Send reset password email

Fabricio Milone fabricio.milone at shinetech.com
Thu Dec 10 23:11:34 EST 2015


Hi all,

I’ve been working on adding custom endpoints under the realm level to
perform some new functions like user registration and sending the password reset
email without going through Keycloak’s default web view. I’ve read the
discussion regarding adding custom REST paths, but I wouldn’t like to go off
topic there.

Why am I doing this?

This is needed because I have to hit the Keycloak server directly from the
native Android UI, without going through the Keycloak default login/reset
creds screen, and get a user registered or an email to reset the password
(among other possible future use cases).

What have I got so far?

I’ve added a custom endpoint class (ForgotPasswordEndpoint) to
org.keycloak.protocol.oidc.endpoints package in order to add a new path
/auth/realms/{realm}/forgotten-password-email that sends an email to the
specified user in a form attribute without going through the web view. I am
also generating a key to be able to execute a client session required
action of UPDATE_PASSWORD, so when the user clicks the link they will be
asked to update their password.


What I’m not sure about is the approach I used to get this done. Let’s
clear that up:

   - Created a new endpoint class similar to TokenEndpoint.java which sends
   an email with a link to update the user password.
   - The link is generated using the UriBuilder for the base path and the
   ClientSessionCode class for the access code, using the given realm, session
   and any other necessary data.
   - I am adding a required action to the clientSession
   (ClientSessionModel, created with the given UserModel) of the type
   UserModel.RequiredAction.UPDATE_PASSWORD.
   - Once the user clicks on the link, the normal updated account starts,
   without any modification.

That’s the least invasive way I’ve found so far. However, today I have been
trying to implement an SPI to achieve this (still trying to understand how
to do that).

Is there a clean/proper way to generate a valid code/execution id as it is
generated on the normal forgotten password email?

What is the right way to make a direct call to get a reset password email?


Thank you in advance.

Regards,

Fabricio