[keycloak-user] Automatically logging in after performing an Update Password
Hynek Mlnarik
hmlnarik at redhat.com
Thu Jul 20 02:46:47 EDT 2017
There was a change in internals of authentication flows due to
cross-dc support. It seems that you need to use action token for
achieving this functionality. Action tokens have option to make them
expire after first successful use. Documentation is not rendered yet
but you can see the current version at [1]. Would something similar to
either [2] or [3] work for your case?
Note that action token API is not yet stabilized and comments to its
usability are more than welcome.
--Hynek
[1] https://github.com/keycloak/keycloak-documentation/blob/master/server_development/topics/action-token-spi.adoc
[2] https://github.com/keycloak/keycloak-quickstarts/tree/master/action-token-authenticator
[3] https://github.com/keycloak/keycloak-quickstarts/tree/master/action-token-required-action
On Wed, Jul 19, 2017 at 5:46 PM, John D. Ament <john.d.ament at gmail.com> wrote:
> Any thoughts?
>
> On Thu, Jul 13, 2017 at 10:27 PM John D. Ament <john.d.ament at gmail.com>
> wrote:
>
>> Hi,
>>
>> Based on the Required Actions guide (
>> https://keycloak.gitbooks.io/documentation/server_admin/topics/users/required-actions.html)
>> we've implemented a custom required action that acts a lot like Update
>> Password (it performs a few other sync items for us). One of our needs is
>> to automatically log the user in to their destination application upon
>> setting this password. This was working for us in 3.1 by creating a custom
>> template that was rendered upon the completion of the Update Password
>> action that forwarded the user to our application and set the necessary
>> cookies.
>>
>> This no longer works in 3.2. We believe it has to do with the ability to
>> reuse required action links. Before, the link was one time use so it was
>> only working once, however our need is to make those links work unlimited
>> times until consumed. By setting a new challenge to the user after
>> updating their password, the token is no longer being marked as consumed
>> and the link remains working.
>>
>> So I was wondering, what other ways could we achieve this behavior? It
>> sounds like a challenge isn't the right approach.
>>
>> John
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
More information about the keycloak-user
mailing list