I am trying something dirty on Keycloak. I have a realm-level 90-day password expiry for user credentials, but I am trying to find a way to go around that for a few users of my choosing (my own service accounts).
I am able to work on the DB to update the creation date of the credentials I want to a not-expired timestamp, no problem.
I still have an issue with users with already-expired passwords (I can update you guys later if this works with non-expired - I am still testing).
Let's say user A has an expired password, but hasn't tried to use it since it expired:
- I can see that both in the UI and in the user_required_action DB table: there is no req_action in there.
- I update the credential created_date to Now()
- If I try to get a token: I have the regular expired password error "Account not fully setup"
- Now I can see a required action both in the UI and in the DB
I delete the req_action from the DB and I refresh the UI: the required action is still there. And if I try to get a token, I get an "Account not fully setup" error again.
Now, if I delete the required action from the UI, then I am able to get a token.
So in some ways, deleting a user action from the DB only is not enough. Would anyone have any suggestions? Is there a cache? Is the action still referenced somewhere in another table?
PS: I know I am not supposed to use "users" for service accounts! I need to get around to changing that. Please don't judge!