[keycloak-user] User old password verification via REST admin api

Adrian Matei adrianmatei at gmail.com
Wed Mar 23 08:13:19 EDT 2016


Thank you both for your input,

In the end we've decided to overwrite the passwd.ftl and use the
Keycloak-account backend functionality.

Best regards,
Adrian

On Tue, Mar 22, 2016 at 7:13 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Bear in mind that approach will result in a session being created, so I
> wouldn't recommend doing that to check password.
> On 22 Mar 2016 01:44, "Doug Szeto" <DSzeto at investlab.com> wrote:
>
>> If you already have the username and old password that you want to check,
>> I just attempt to retrieve an access token. If it works, you know the old
>> password is correct, then you can proceed in changing the password.
>>
>> POST - /auth/realms/{realm}/protocol/openid-connect/token
>>
>> headers.set("content-type", "application/x-www-form-urlencoded");
>> headers.set("accept", "application/json");
>>
>> body.add("grant_type", "password");
>> body.add("username", username);
>> body.add("password", password);
>> body.add("client_id", {clientId});
>>
>> From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stian
>> Thorgersen <sthorger at redhat.com>
>> Reply-To: "stian at redhat.com" <stian at redhat.com>
>> Date: Monday, March 21, 2016 at 10:11 PM
>> To: Adrian Matei <adrianmatei at gmail.com>
>> Cc: keycloak-user <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] User old password verification via REST
>> admin api
>>
>> No, with the admin endpoints you can't retrieve the password, nor can you
>> expect an admin to know the existing password so it shouldn't verify it
>> either.
>>
>> On 21 March 2016 at 14:35, Adrian Matei <adrianmatei at gmail.com> wrote:
>>
>>> Hi everyone,
>>>
>>> Use case: "reset user password via REST admin API - PUT
>>> /admin/realms/{realm}/users/{id}/reset-password"
>>>
>>> Is there a possibility to verify the user's old password before changing
>>> it, as is the case via the Account app?
>>>
>>> Thanks,
>>> Adrian
>>>
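The token-endpoint check described in the thread, combined with the caveat that a successful request creates a session, as an added example that is not part of the original messages or of Keycloak's own code. It assumes a public client with direct access grants enabled and that the realm's `openid-connect/logout` endpoint accepts `client_id` plus `refresh_token`; the function names, the host `sso.example` and the fake server are constructed for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def post_form(url, fields):
    """POST form-encoded fields; return (HTTP status, parsed JSON body or {})."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(),
        headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else {})


def verify_old_password(base, realm, client_id, username, password, post=post_form):
    """True if the password is accepted, False on invalid_grant; ends the session it created."""
    oidc = f"{base}/auth/realms/{urllib.parse.quote(realm, safe='')}/protocol/openid-connect"
    status, body = post(f"{oidc}/token", {
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password})
    if body.get("error") == "invalid_grant":
        return False  # wrong credentials (assumed error code for this case)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")
    # The successful grant created a user session; end it with the refresh token.
    out_status, _ = post(f"{oidc}/logout", {
        "client_id": client_id, "refresh_token": body["refresh_token"]})
    if out_status not in (200, 204):
        raise RuntimeError(f"session cleanup failed with HTTP {out_status}")
    return True


def make_fake_keycloak(good_password):
    """Constructed offline stand-in for the server; records every request."""
    calls = []
    def post(url, fields):
        calls.append((url.rsplit("/", 1)[-1], dict(fields)))
        if url.endswith("/logout"):
            return 204, {}
        if fields["password"] == good_password:
            return 200, {"access_token": "a.b.c", "refresh_token": "r.s.t"}
        return 401, {"error": "invalid_grant"}
    return post, calls


if __name__ == "__main__":
    post, calls = make_fake_keycloak("old-secret")
    print(verify_old_password("https://sso.example", "demo", "app", "alice", "old-secret", post))
    print([name for name, _ in calls])
```

A rejected password here is an ordinary failed login, so it appears in the realm's login events and counts toward brute-force detection if that is enabled.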