I am trying to implement my own form for changing a user's password. I tried to find an API for changing a user's password in Keycloak but I couldn't find anything in the documentation. Is there an API for doing it?
10 Answers
You can use PUT /auth/admin/realms/{realm}/users/{id}/reset-password
- {id} is the user id in Keycloak (not the login)
Here is a sample body.
{ "type": "password", "temporary": false, "value": "my-new-password" }

That is what I used in the end but it is admin password override. I was looking for something that doesn't require using the admin privileges. – Itay k Feb 01 '16 at 16:40
Sorry did not find anything like that. I looked for it as well. – Barny Feb 04 '16 at 13:16
UPDATE Keycloak 12
The solution described below will no longer work in Keycloak Versions 12 or higher as the developers decided to remove all Account Rest APIs as described in this issue.
Thanks to @Radivarig for pointing this out!
Solution for Keycloak 11
Keycloak recently introduced this feature, but it's currently still in preview and therefore not documented.
To make it work, you need to activate the `account_api` feature by starting Keycloak with the parameter `-Dkeycloak.profile.feature.account_api=enabled` like so:
bin/standalone.sh -Dkeycloak.profile.feature.account_api=enabled
(source: https://www.keycloak.org/docs/latest/server_installation/index.html#profiles)
After that, you can use `POST /auth/realms/your-realm/account/credentials/password` and provide the HTTP header `Accept: application/json`. The header will make Keycloak use a REST API service which accepts and returns JSON (instead of the default form-based one, which only accepts `x-www-form-urlencoded` and returns HTML).
As Request-Body, provide a JSON like this:
{
"currentPassword": "oldPassword",
"newPassword": "newPassword",
"confirmation": "newPassword"
}
A full example with curl would look like this:
curl --request POST 'https://path-to-your-host.com/auth/realms/your-realm/account/credentials/password' \
--header 'Accept: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
--data-raw '{
"currentPassword": "oldPassword",
"newPassword": "newPassword",
"confirmation": "newPassword"
}'
Note that - as written above - this feature is still in preview and might change in the future. So use it with caution!

I tried it and it returns 401. I searched for solutions but still got nothing. Do you have any idea about it? – Prasna Lukito Jun 02 '20 at 05:41
Hm, hard to say without more information. But as you say it is a 401, I'd suspect that the Bearer-Token you are providing might be wrong? – David Losert Jun 03 '20 at 18:40
Yes, you are right. I just found out that my bearer token has a different iss and it's working well now. Thanks for your help – Prasna Lukito Jun 05 '20 at 06:02
@DavidLosert do you know how to enable this when running Keycloak on Docker? Can't find the right env variable to pass. – jeudyx Sep 21 '20 at 18:07
@jeudyx : Depends on which image you are using ;). If it's the official one: According to [the documentation](https://github.com/keycloak/keycloak-containers/blob/master/server/README.md#start-a-keycloak-instance-with-custom-command-line-options), you can provide an env variable `JAVA_OPTS_APPEND`, so I guess you could use it like: `docker run -e JAVA_OPTS_APPEND="-Dkeycloak.profile.feature.account_api=enabled" jboss/keycloak` – David Losert Sep 22 '20 at 07:59
That's super helpful @DavidLosert! Sometimes one can get lost in the docs. Thanks. – jeudyx Sep 23 '20 at 06:42
Thanks, the API works fine, but can you provide us the documentation or the commit link? – Malek Zarkouna Oct 16 '20 at 10:16
@MalekZarkouna : I found this solution by looking at the code of Keycloak. AFAIK there is no documentation about this and I couldn't find any issue. I'd have to google it myself now - sorry :/ – David Losert Oct 19 '20 at 12:55
Which other APIs are provided by account-API? Please share the API doc link if possible; I need an API to update profile info and get logged sessions. – Nitin Oct 29 '20 at 05:46
@NitinVavdiya: As written one comment above - I don't know if there is any API documentation. I looked at the code itself to find that out and that was also almost 6 months ago now - so I'd have to search and google myself for it now, sorry :/ – David Losert Oct 30 '20 at 14:00
Is this endpoint still working? When I try to call it I get `"error": "RESTEASY003650: No resource method found for POST, return 405 with Allow header"` Note: using `POST /auth/realms/your-realm/account` to change the profile is working. – kukukk Feb 05 '21 at 08:51
I don't know about V12, didn't try it out yet. But have you enabled the account_api as described above? – David Losert Feb 06 '21 at 10:50
I'm running it dockerized, and I added the `JAVA_OPTS_APPEND="-Dkeycloak.profile.feature.account_api=enabled"` environment variable. Is there a way to verify whether it is really enabled? – kukukk Feb 07 '21 at 08:19
When starting the docker, check the logs; you will see account_api preview enabled – valik Feb 17 '21 at 12:56
Indeed, with Keycloak 11.0.3 I see `Preview feature enabled: account_api`, but starting Keycloak 12.0.2 with the same parameters this section is missing from the log. It seems that either they removed the account_api, or they changed the way to enable it. – kukukk Feb 17 '21 at 20:27
I also get 405, on both version 12.0.2 and 12.0.3, but `account_api` is enabled by default in Keycloak 12.0.3 from this commit: https://github.com/keycloak/keycloak/commit/6b2e1cbc5f343c79687da5f494f8af995f9ca1f0 – Radivarig Feb 18 '21 at 12:48
Endpoints were removed and direct password change is no longer supported https://github.com/keycloak/keycloak/pull/7393#issuecomment-773502862 – Radivarig Feb 18 '21 at 13:02
@Radivarig: Thanks so much for pointing this out. I updated the answer above so people will not have to learn it the hard way as you did. – David Losert Feb 18 '21 at 17:33
The following change password API is not working for me. My Keycloak version is 20 and it is a dockerized container. If you know the answer let me know – Bennison J Feb 07 '23 at 13:59
As written in the comment above and in the answer itself, this only worked up until Keycloak 11, as they removed the necessary APIs in Keycloak 12. Sorry. :( – David Losert Feb 10 '23 at 12:47
Rather than specifying a new password manually, a better security practice is to use the `PUT /auth/admin/realms/{realm}/users/{id}/execute-actions-email` admin call with `"UPDATE_PASSWORD"` as the required action. This causes Keycloak to send an email to the user that gives a magic link for the user to set a new password.
Note: {id} is the user id in Keycloak (not the login)

You are right, but there are still a few users who prefer to get the password told by phone and then be forced to change it instead of searching for an email. – Barny Apr 04 '18 at 09:36
@ChristianKaiser Keycloak doesn't support flows that aren't secure, in your case someone knows the user's password for a while – kinjelom Dec 23 '18 at 11:09
@Dreamer yes, but it would be best to ask a specific question rather than hijack this one. Answer is here: https://stackoverflow.com/questions/30057786/keycloak-freemarker-email – shonky linux user Mar 25 '19 at 22:46
Example for a use-case where this is useful: I'm building an email service where people login using OIDC via Keycloak. If the user has his account email address on the email service, then sending a link to the email address will not solve the issue, since the user doesn't have access to the account. In this situation I would establish an alternative authentication mechanism (e.g. something like backup codes) in the mail service UI which eventually sets the user password to a temporary password in Keycloak and forces a password change upon next login. – pschichtel Jun 27 '21 at 21:29
As the Keycloak Admin REST API suggests, you can send a PUT request to keycloakEndpoint/auth/{realm}/users/{id}/execute-actions-email to execute actions against a user. You need to obtain an admin access token as described here

Is there any documentation available for the 'actions' parameter? What to put there? – Hassan Raza Feb 23 '23 at 07:33
@HassanRaza I found a list in javadoc of UserResource: `VERIFY_EMAIL, UPDATE_PROFILE, CONFIGURE_TOTP, UPDATE_PASSWORD, TERMS_AND_CONDITIONS`. It's probably not complete but couldn't find any other official documentation. Hope it helps. – Alexandru Severin May 08 '23 at 08:46
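The `execute-actions-email` call recommended in the two answers above, written out as an added example (not code from the original posts or from the Keycloak project). It resolves the login name to the user id first, since `{id}` is not the login, and sends `UPDATE_PASSWORD` as a JSON array of actions. Assumptions: the host name, a service-account client allowed to manage users, and the `/auth` path prefix used on this page.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.com/auth"  # assumed host; /auth prefix as used on this page


def http_json(method, url, headers, body=None):
    """Default transport: send one request and return the decoded JSON reply (or None)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def get_token(realm, client_id, client_secret, send=http_json):
    """Client-credentials grant for a service account (assumed to hold manage-users)."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    url = f"{BASE}/realms/{realm}/protocol/openid-connect/token"
    reply = send("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return reply["access_token"]


def find_user_id(realm, username, token, send=http_json):
    """Resolve a login name to the user id; the search can return partial matches."""
    url = f"{BASE}/admin/realms/{realm}/users?" + urllib.parse.urlencode({"username": username})
    users = send("GET", url, {"Authorization": f"Bearer {token}"}) or []
    exact = [u["id"] for u in users if u.get("username", "").lower() == username.lower()]
    if len(exact) != 1:  # refuse to act on a missing or ambiguous account
        raise LookupError(f"expected exactly one user named {username!r}, got {len(exact)}")
    return exact[0]


def send_update_password_email(realm, username, token, send=http_json):
    """Ask Keycloak to mail the user a link that runs the UPDATE_PASSWORD action."""
    user_id = find_user_id(realm, username, token, send)
    path_id = urllib.parse.quote(user_id, safe="")
    url = f"{BASE}/admin/realms/{realm}/users/{path_id}/execute-actions-email"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    send("PUT", url, headers, json.dumps(["UPDATE_PASSWORD"]).encode())
    return user_id
```

With this flow the caller never handles the new password; only the user who opens the emailed link sets it.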
TL;DR: The better way to do it via web app
keycloak.login({
action: "UPDATE_PASSWORD",
})
For more info: https://www.keycloak.org/docs/latest/securing_apps/#login-options

This should be the top answer. No point in trying to implement your own messy password change with the admin API when Keycloak literally provides a flow for you. – Krusty the Clown Nov 06 '22 at 18:48
:-)
#!/bin/bash
# CHANGE ADMIN PASSWORD
apt update
apt install -y curl jq
KEYCLOAK_HOST=http://127.0.0.1:8080
ADMIN_USER_OLD_PASSWORD=
ADMIN_USER_NEW_PASSWORD=
# Get an admin access token; --data-urlencode keeps special characters in the password intact
TOKEN=$(curl -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode "username=admin" --data-urlencode "password=$ADMIN_USER_OLD_PASSWORD" --data-urlencode "client_id=admin-cli" --data-urlencode "grant_type=password" "$KEYCLOAK_HOST/auth/realms/master/protocol/openid-connect/token" | jq -r ".access_token")
# Look up the id of the admin user (the API needs the user id, not the login)
ADMIN_USER_ID=$(curl -s -X GET -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json;charset=UTF-8" -H 'Accept: application/json' "$KEYCLOAK_HOST/auth/admin/realms/master/users" | jq -r '.[] | select(.username=="admin") | .id')
# Build the JSON body with jq so quotes or backslashes in the new password are escaped
BODY=$(jq -n --arg pw "$ADMIN_USER_NEW_PASSWORD" '{type: "password", value: $pw, temporary: false}')
curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json;charset=UTF-8" -H 'Accept: application/json' "$KEYCLOAK_HOST/auth/admin/realms/master/users/$ADMIN_USER_ID/reset-password" -d "$BODY"

constructor(
private keycloakService: KeycloakService,
) { }
onPasswordChangeButtonClick(){
this.keycloakService.login({
action: "UPDATE_PASSWORD",
});
}
Please try this approach to change the password.

Thanks for contributing. Here at SO code only answers are **not considered good answers**, though, and are likely to be downvoted and/or deleted because they are **less useful** to a community of learners. Answers with an explanation are always more helpful. The solution may be obvious to you. To others it may not. Please explain what it does, and how it's different from existing answers. Otherwise this answer may be flagged as [Low Quality](https://stackoverflow.com/help/review-low-quality). – Jan Aug 23 '22 at 06:08
This worked for me: https://github.com/keycloak/keycloak/pull/7393#issuecomment-1103532595
But you have to see if you can use a custom theme, if you want a different form than the default from keycloak.

You can use set_user_password function of class keycloak_admin to reset a normal user password.
Example:
keycloak_admin = keycloak_login("YOUR REALM NAME")
keycloak_admin.set_user_password(user_id, password, temporary=False)
Used function:
from keycloak import KeycloakAdmin for keycloak_login (To import this install keycloak lib)

No, the OAuth and OpenID Connect protocols don't define such a feature, and Keycloak also doesn't have the ability to do this on the user's behalf. There is a server-to-server Admin API that allows changing the user's password or resetting it, but you can't call it from the GUI.
But Keycloak provides a kind of "My Account Page" at a URL like http://localhost:8080/auth/realms/your-realm/account/ - replace the `your-realm` part of the URL and just redirect the user to it.
In the documentation it is called the User Account Service.
Also, if you use auto discovery you can obtain the URL by reading `account-service` from the JSON at http://localhost:8080/auth/realms/your-realm
