[keycloak-user] reset password procedure without email and non visible keycloak

Dennis Knorr dennis.knorr at gmx.net
Tue May 14 04:09:41 EDT 2019


Hi,
We want to use Keycloak as OIDC Provider and are not sure how to handle
password reset (with temporary password/TOTP). But we have a few
architectural constraints. Our constraints are the following:

1. We have no email system, where we send mails to the provider. We
MIGHT have later in the process an SMS System, which could send TOTP
Token to the user.
2. Because of customer requirements we shall not expose Keycloak to users.

My question would be therefore, what is the best practice/standard way
to do password reset? Is there a proxy for that which handles that? Are
there REST APIs? Are there Authentication Flows for it? I did not see
anything.

Please enlighten me, I am not sure if we do that right. Documentation
and examples are better than for other OIDC Providers, but the concept
is still complex and complicated and I fear we could do stuff wrong.



