[keycloak-user] Reset password - direct URL

Ilya Korol llivezking at gmail.com
Tue Apr 11 19:49:16 EDT 2017


Hi. About a month ago I also investigated this issue, and came to the
following solution:

I explored the Keycloak GitHub repo for the implementation of sending an
email with a reset-password link. Then I slightly modified the code I found:


     private String generateResetPasswordLink(UserModel user) {
         // Set params for redirecting after the password update.
         // The user will be redirected to his Keycloak Account application.
         String clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID;
         ClientModel client = realm.getClientByClientId(clientId);
         String redirectUri = client.getBaseUrl();

         // Create a user session and mark that the user has to set a password
         ClientSessionModel clientSession = createClientSession(user, redirectUri, clientId);
         clientSession.addRequiredAction(ClientSessionModel.Action.UPDATE_PASSWORD.name());

         if (redirectUri != null) {
             clientSession.setNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
         }

         // Generate the token that is appended to the link and refers to the
         // session created for changing the password
         ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession);
         accessCode.setAction(ClientSessionModel.Action.EXECUTE_ACTIONS.name());

         return Urls.executeActionsBuilder(uriInfo.getBaseUri())
                 .queryParam("key", accessCode.getCode())
                 .build(realm.getName())
                 .toString();
     }



     private ClientSessionModel createClientSession(UserModel user, String redirectUri, String clientId) {

         if (!user.isEnabled()) {
             throw new WebApplicationException(
                     ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST));
         }

         if (redirectUri != null && clientId == null) {
             throw new WebApplicationException(
                     ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST));
         }

         if (clientId == null) {
             clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID;
         }

         ClientModel client = realm.getClientByClientId(clientId);
         if (client == null || !client.isEnabled()) {
             throw new WebApplicationException(
                     ErrorResponse.error(clientId + " not enabled", Response.Status.BAD_REQUEST));
         }

         String redirect = null;
         if (redirectUri != null) {
             redirect = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realm, client);
             if (redirect == null) {
                 throw new WebApplicationException(
                         ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST));
             }
         }

         UserSessionModel userSession = session.sessions().createUserSession(
                 realm,
                 user,
                 user.getUsername(),
                 clientConnection.getRemoteAddr(),
                 "form",
                 false,
                 null,
                 null
         );
         userSession.setState(UserSessionModel.State.LOGGED_IN);

         ClientSessionModel clientSession = session.sessions().createClientSession(realm, client);
         clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
         clientSession.setRedirectUri(redirect);
         clientSession.setUserSession(userSession);

         return clientSession;
     }



If you follow the link returned from generateResetPasswordLink() you will
be prompted to type a new password. But after you set your new password,
you will not be redirected directly to the account (note that we used
ACCOUNT_CLIENT as redirectUri while constructing the link). You'll see a
link below the password form that will lead you to the account, but you'll
have to type your updated credentials (i.e. you will be redirected to the
login page and only then to the account page).


But we are also interested in whether there is a better solution for
password setting. In general we are interested in a flow where, after
setting a new password, the user would be automatically redirected to any
specified client, bypassing the login page.

Hope it will help you, and hope my English is not so ugly)




On 11.04.2017 23:38, Mariusz Chruscielewski - Info.nl wrote:
> Hi.
>
> Is there a way to generate reset password URL without opening login page? We would like to have direct URL on our website (or app) to reset password form:
>
> http://domain/auth/realms/vi/login-actions/reset-credentials?code=5y-6gU42Vr-zp2b1mk3v-blNvrL-psc6EQcqT1dXsaw.d3370065-3965-4f81-abb8-c87d377b900e
>
> This URL is generated in UrlBean class, but I also can't get it anyway to try expose easy REST endpoint.
>
> Do you know if there is an easy way?
>
> Thanks in advance.
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
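
The createClientSession() method in the reply above refuses to build a session when the redirect URI does not verify against the client. As an added illustration (not part of the original post, and not Keycloak's RedirectUtils implementation), here is a simplified stand-alone check of that kind, using exact and trailing-wildcard patterns; the class name, method name and sample URIs are hypothetical and constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
// Added illustration; simplified, NOT Keycloak's RedirectUtils implementation.
public class RedirectCheckExample {
    // Returns the normalized URI if it matches a registered pattern, else null
    // (the same "null means invalid" contract the posted code relies on).
    static String verifyRedirect(String candidate, List<String> registered) {
        URI uri;
        try {
            uri = new URI(candidate).normalize();   // resolves "/a/../b" to "/b"
        } catch (URISyntaxException e) { return null; }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("https") || scheme.equalsIgnoreCase("http"))) {
            return null;                            // relative URI or non-web scheme
        }
        if (uri.getHost() == null || uri.getUserInfo() != null || uri.getFragment() != null) {
            return null;                            // e.g. "https://trusted@other-host/"
        }
        String rawPath = uri.getRawPath() == null ? "" : uri.getRawPath().toLowerCase();
        if (rawPath.contains("%2e") || rawPath.contains("%2f") || rawPath.contains("%5c")) {
            return null;                            // encoded dots/slashes survive normalize()
        }
        String normalized = uri.toString();
        for (String pattern : registered) {
            if (pattern.endsWith("*")) {            // trailing wildcard = prefix match
                if (normalized.startsWith(pattern.substring(0, pattern.length() - 1))) {
                    return normalized;
                }
            } else if (pattern.equals(normalized)) {
                return normalized;
            }
        }
        return null;
    }
    public static void main(String[] args) {
        // Constructed sample data: one registered pattern, four candidate URIs.
        List<String> registered = List.of("https://app.example.test/account/*");
        String[] candidates = {
            "https://app.example.test/account/profile",        // under the registered prefix
            "https://app.example.test/account/../admin",       // dot-segment leaving the prefix
            "https://app.example.test.evil.example/account/",  // look-alike host
            "https://app.example.test@evil.example/account/"   // registered host placed in userinfo
        };
        for (String c : candidates) {
            System.out.println(c + " -> " + verifyRedirect(c, registered));
        }
    }
}
```

The wildcard pattern ends the host with a "/" before the "*"; a pattern such as "https://app.example.test*" would let the prefix match extend into the host name.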


