<div dir="ltr">
<span class="></span>Hi all,</p>">
<p class="">Hi all,</p>
<p class=""><span class="">I’ve been working on adding custom endpoints under the realm level to perform some new functions like user registration and sending a password reset email without going through Keycloak’s default web view. I’ve read the discussion regarding adding custom REST paths, but I wouldn’t like to go off topic there.</span></p>
<p class=""><span class="">Why am I doing this?</span></p>
<p class=""><span class="">This is needed because I have to hit the Keycloak server directly from the native Android UI, without going through the Keycloak default login/reset creds screen, and get a user registered or an email to reset the password (among other possible future use cases).</span></p>
<p class=""><span class="">What have I got so far?</span></p>
<p class=""><span class="">I’ve added a custom endpoint class (ForgotPasswordEndpoint) to the org.keycloak.protocol.oidc.endpoints package in order to add a new path /auth/realms/{realm}/forgotten-password-email that sends an email to the user specified in a form attribute without going through the web view. I am also generating a key to be able to execute a client session required action of UPDATE_PASSWORD, so when the user clicks the link they will be asked to update their password.</span></p>
<span class="></span><br></p>">
<p class=""><span class="">What I’m not sure is about the approach I used to get this done. Let’s clear that up:</span></p>
<ul class="">
<li class=""><span class="">Created a new endpoint class similar to TokenEndpoint.java which sends an email with a link to update the user password.</span></li>
<li class=""><span class="">The link is generated using the UriBuilder for the base path and the ClientSessionCode class for the access code, using the given realm, session and any other necessary data.</span></li>
<li class=""><span class="">I am adding a required action to the clientSession (ClientSessionModel, created with the given UserModel) of the type UserModel.RequiredAction.UPDATE_PASSWORD.</span></li>
<li class=""><span class="">Once the user clicks on the link, the normal updated account starts, without any modification.</span></li></ul>
<span class=">That’s the less">
<p class=""><span class="">That’s the least invasive way I’ve found so far. However, today I have been trying to implement an SPI to achieve this (still trying to understand how to do that).</span></p>
<p class=""><span class="">Is there a clean/proper way to generate a valid code/execution id as it is generated on the normal forgotten password email?</span></p>
<span class=">What is the right">
<p class=""><span class="">What is the right way to make a direct call to get a reset password email?</span></p><p class=""><span class="">Thank you in advance.</span></p>
<p class="">Regards,</p><p class="">Fabricio</p></div>
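Regards,</p>">
<p>As an added example (not the poster's code and not Keycloak's own), the following realm resource produces the same reset mail with Keycloak's action-token mechanism instead of ClientSessionCode, which is the approach Keycloak's own admin execute-actions-email endpoint uses. It assumes Keycloak 4.x or later; the class, package, constants and the endpoint name are hypothetical, and the method signatures (argument order of getUserByEmail, the email argument of ExecuteActionsActionToken) differ between releases and were not checked against a specific version.</p>

```java
// Added example, not the poster's code and not Keycloak's own: a realm-level REST
// resource that sends a password-reset mail through Keycloak's action tokens.
// Assumes Keycloak >= 4.x; check the signatures used below against your release.
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
import org.jboss.logging.Logger;
import org.keycloak.authentication.actiontoken.execactions.ExecuteActionsActionToken;
import org.keycloak.common.util.Time;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resources.LoginActionsService;

public class ForgotPasswordResource implements RealmResourceProvider {  // hypothetical class
    private static final Logger LOG = Logger.getLogger(ForgotPasswordResource.class);
    private static final int LINK_LIFESPAN_SECS = 300;  // short-lived link (assumed value)
    private final KeycloakSession session;

    public ForgotPasswordResource(KeycloakSession session) { this.session = session; }
    @Override public Object getResource() { return this; }
    @Override public void close() {}

    // POST /realms/{realm}/forgotten-password-email with form field "email"
    @POST @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response sendResetEmail(@FormParam("email") String email) {
        RealmModel realm = session.getContext().getRealm();
        if (!realm.isResetPasswordAllowed()) return Response.status(Response.Status.FORBIDDEN).build();
        // Identical response whether or not the address is known, so the endpoint cannot be used to enumerate users.
        Response accepted = Response.accepted().build();
        if (email == null || email.trim().isEmpty()) return accepted;
        UserModel user = session.users().getUserByEmail(realm, email.trim());
        if (user == null || !user.isEnabled()) return accepted;
        // Token carries the UPDATE_PASSWORD required action; the link lands on the normal update-password page.
        ExecuteActionsActionToken token = new ExecuteActionsActionToken(
                user.getId(), user.getEmail(), Time.currentTime() + LINK_LIFESPAN_SECS,
                Collections.singletonList(UserModel.RequiredAction.UPDATE_PASSWORD.name()),
                null, null);  // no redirect URI / client id
        UriBuilder builder = LoginActionsService.actionTokenProcessor(session.getContext().getUri());
        builder.queryParam("key", token.serialize(session, realm, session.getContext().getUri()));
        String link = builder.build(realm.getName()).toString();
        try {
            session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user)
                   .sendExecuteActions(link, TimeUnit.SECONDS.toMinutes(LINK_LIFESPAN_SECS));
        } catch (EmailException e) { LOG.warn("Password reset mail failed", e); }  // never surfaced to the caller
        return accepted;
    }
}
```

<p>Register it through a RealmResourceProviderFactory (listed under META-INF/services) whose getId() is the path segment, and put the endpoint behind a rate limit, since its only input is an unauthenticated e-mail address.</p>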