Mainly because in case we support OTPs we would like to offer a method for the user
to remove it by mobile SMS. Since we are on a tight schedule we want to avoid it for now and
leave it for the near future.
Also, by design requirements, we are going to keep additional information about the user
profile in the app. So we don't want the user to be able to change his profile in
Keycloak.
Date: Mon, 25 Apr 2016 15:03:56 +0200
Subject: Re: [keycloak-user] Admin client
From: sthorger(a)redhat.com
To: palermo(a)pobox.com
CC: keycloak-user(a)lists.jboss.org
Question - why do you not want OTPs?
On 25 April 2016 at 14:30, Bruno Palermo <palermo(a)pobox.com> wrote:
I guess it would be simpler. I will try to hide all the unneeded features, such as
OTPs, in the template.
Thanks!
Date: Mon, 25 Apr 2016 10:45:40 +0200
Subject: Re: [keycloak-user] Admin client
From: sthorger(a)redhat.com
To: palermo(a)pobox.com
CC: keycloak-user(a)lists.jboss.org
There is no manage account API at the moment; we plan on introducing that in the future
though.
You'd still need to invoke the admin endpoints to do the update password, but you
should check the token first to make sure the user is actually authenticated.
Would it not be simpler to just use our account management console? You can hide the
features you don't want, but what features are those exactly? Do you not want users to
be able to update their profile? Do you not want to support OTPs?
On 21 April 2016 at 14:42, Bruno Palermo <palermo(a)pobox.com> wrote:
It's aimed at users on our front-end integration, so we don't need to create a
new theme since we don't need all the available options from the account-management
page.
So if the user has a valid access token with the manage account role, he will be able to make
requests to the manage account API directly?
Date: Thu, 21 Apr 2016 07:31:06 +0200
From: sthorger(a)redhat.com
To: guus.der.kinderen(a)gmail.com
CC: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Admin client
-1 That will create a user session, add login events, etc. It's messy.
What's the purpose of the REST API? Is it aimed at admins? If so they shouldn't
know the user's password in the first place. If it's aimed at users themselves, make
sure they have a valid access token with the manage account role.
On 21 April 2016 at 07:23, Guus der Kinderen <guus.der.kinderen(a)gmail.com> wrote:
Quick-and-dirty workaround: try to authenticate as the user. That will either succeed, or
fail, which tells you if the provided password was correct.
On 21 Apr 2016 06:43, "Marek Posolda" <mposolda(a)redhat.com> wrote:
I think the admin client doesn't
support this. If you are an admin and you want to reset the password of
some user, you are not supposed to know the password of the user
anyway. The Keycloak admin console also doesn't need to know the existing
user password when you want to reset the password of a user.
Marek
On 21/04/16 00:48, Bruno Palermo wrote:
Hi,
I'm trying to implement a REST API for some basic user actions,
like change password, and would like to know if there's any way
to validate the current user password before resetting his password
using the provided Java API.
Thanks,
Bruno
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
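The check described in the thread (verify the access token and its manage account role before invoking the admin endpoints), as an added Node.js example that is not part of the original messages or Keycloak's own code. It assumes an RS256-signed token whose role appears as `manage-account` under `resource_access.account.roles`; the key pair, issuer URL, clock value and helper names are constructed for the demo.

```javascript
const crypto = require('node:crypto');

// Returns the token subject if the token verifies and carries the role; throws otherwise.
function requireManageAccount(token, realmKey, issuer, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), realmKey, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  const roles = claims.resource_access?.account?.roles;
  if (!Array.isArray(roles) || !roles.includes('manage-account')) throw new Error('missing manage-account role');
  // Change the password only for this subject, never for a user id taken from the request.
  return claims.sub;
}

// Constructed sample data: a throwaway key pair stands in for the realm key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://sso.example.test/auth/realms/demo'; // hypothetical realm URL
const NOW = 1461589436; // fixed clock for the demo
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function mintSample(claims, alg = 'RS256') {
  const input = `${b64url({ alg, typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
  return `${input}.${sig}`;
}

// Outcome as a string so results are easy to compare.
function check(token, now = NOW) {
  try { return `ok:${requireManageAccount(token, publicKey, ISSUER, now)}`; }
  catch (e) { return `denied:${e.message}`; }
}

const base = { iss: ISSUER, sub: 'user-123', exp: NOW + 300 };
const good = mintSample({ ...base, resource_access: { account: { roles: ['manage-account'] } } });
const noRole = mintSample({ ...base, resource_access: { account: { roles: ['view-profile'] } } });
console.log(check(good));
console.log(check(noRole));
```

In a real service the public key comes from the realm's published keys rather than being generated locally.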