Itay k

Reputation: 4471

Is there an API call for changing user password on keycloak?

I am trying to implement my own form for changing a user's password. I tried to find an API for changing a user's password in Keycloak but I couldn't find anything in the documentation. Is there an API for doing it?

Upvotes: 79

Views: 120557

Answers (10)

Ankit Jha

Reputation: 1

You can use the set_user_password function of class keycloak_admin to reset a normal user's password.

Example:

keycloak_admin = keycloak_login("YOUR REALM NAME")
keycloak_admin.set_user_password(user_id, password, temporary=False)

Used function:

from keycloak import KeycloakAdmin  (for keycloak_login; to import this, install the keycloak lib)

Upvotes: 0

seby598

Reputation: 141

This worked for me: https://github.com/keycloak/keycloak/pull/7393#issuecomment-1103532595

But you have to see if you can use a custom theme, if you want a different form than the default from keycloak.

Upvotes: 0

Shahul Sajjad

Reputation: 1

constructor(
    private keycloakService: KeycloakService,
) { }

onPasswordChangeButtonClick() {
    this.keycloakService.login({
        action: "UPDATE_PASSWORD",
    });
}

Please try this approach to change the password.

Upvotes: 0

GerardNorton

Reputation: 177

:-)

#!/bin/bash
#CHANGE ADMIN PASSWORD

apt update
apt install -y curl jq

KEYCLOAK_HOST=http://127.0.0.1:8080
ADMIN_USER_OLD_PASSWORD=
ADMIN_USER_NEW_PASSWORD=
TOKEN=$(curl -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d "username=admin&password=$ADMIN_USER_OLD_PASSWORD&client_id=admin-cli&grant_type=password" "$KEYCLOAK_HOST/auth/realms/master/protocol/openid-connect/token" | jq -r ".access_token" ;)
ADMIN_USER_ID=$(curl -s -X GET -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json;charset=UTF-8" -H 'Accept: application/json' "$KEYCLOAK_HOST/auth/admin/realms/master/users" | jq -r '.[] | select(.username=="admin") | .id' )
curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json;charset=UTF-8" -H 'Accept: application/json' "$KEYCLOAK_HOST/auth/admin/realms/master/users/$ADMIN_USER_ID/reset-password" -d "{\"type\":\"password\",\"value\":\"$ADMIN_USER_NEW_PASSWORD\",\"temporary\":false}"

Upvotes: 5

Kev

Reputation: 1757

TL;DR: The better way to do it via web app

keycloak.login({
    action: "UPDATE_PASSWORD",
})

For more info: https://www.keycloak.org/docs/latest/securing_apps/#login-options

Upvotes: 3

Mehrdad Shokri

Reputation: 2134

As the Keycloak Admin REST API suggests, you can send a PUT request to keycloakEndpoint/auth/{realm}/users/{id}/execute-actions-email to execute actions against a user. You need to obtain an admin access token as described here.

Upvotes: 11

David Losert

Reputation: 4802

UPDATE Keycloak 12

The solution described below will no longer work in Keycloak Versions 12 or higher as the developers decided to remove all Account Rest APIs as described in this issue.

Thanks to @Radivarig for pointing this out!


Solution for Keycloak 11

Keycloak recently introduced this feature, but it's currently still in preview and therefore not documented.

To make it work, you need to activate the account_api feature by starting keycloak with the parameter -Dkeycloak.profile.feature.account_api=enabled like so:

bin/standalone.sh -Dkeycloak.profile.feature.account_api=enabled

(source: https://www.keycloak.org/docs/latest/server_installation/index.html#profiles)

After that, you can use POST /auth/realms/your-realm/account/credentials/password and provide the HTTP header Accept: application/json. The header will make Keycloak use a REST API service which accepts and returns JSON (instead of the default form-based one, which only accepts x-www-form-urlencoded and returns HTML).

As Request-Body, provide a JSON like this:

{
    "currentPassword": "oldPassword",
    "newPassword": "newPassword",
    "confirmation": "newPassword"
}

A full example with curl would look like this:

curl --request POST 'https://path-to-your-host.com/auth/realms/your-realm/account/credentials/password' \
--header 'Accept: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
--data-raw '{
    "currentPassword": "oldPassword",
    "newPassword": "newPassword",
    "confirmation": "newPassword"
}'

Note that - as written above - this feature is still in preview and might change in the future. So use it with caution!

Upvotes: 41

Sergey Ponomarev

Reputation: 3181

No, the OAuth and OpenID Connect protocols don't define such a feature, and Keycloak also doesn't have the ability to do this on the user's behalf. There is a server-to-server Admin API that allows changing the user's password or resetting it, but you can't call it from the GUI. But Keycloak provides some kind of "My Account Page" at a URL like http://localhost:8080/auth/realms/your-realm/account/ - replace the your-realm part of the URL and just redirect the user to it.

In the documentation it is called the User Account Service.

Also, if you use auto discovery, you can obtain the URL by reading account-service from the JSON at the URL http://localhost:8080/auth/realms/your-realm

Upvotes: -2

shonky linux user

Reputation: 6428

Rather than specifying a new password manually a better security practice is to use the

PUT /auth/admin/realms/{realm}/users/{id}/execute-actions-email

admin call with "UPDATE_PASSWORD" as the required action. This causes Keycloak to send an email to the user that gives a magic link for the user to set a new password.

Note: {id} is the user id in keycloak (not the login)

Upvotes: 38

Barny

Reputation: 1845

You can use PUT /auth/admin/realms/{realm}/users/{id}/reset-password

  • {id} is the user id in keycloak (not the login)

Here is a sample body.

{ "type": "password", "temporary": false, "value": "my-new-password" }

Upvotes: 81
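
The two admin calls from the answers by shonky linux user and Barny, as an added example that is not part of any answer or of Keycloak's own code: it builds the PUT requests with Python's standard library so the password is JSON-encoded rather than spliced into a string. The base URL, realm, user id and token are constructed placeholders, and the function names are hypothetical.

```python
import json
import urllib.request
from urllib.parse import quote

# Assumption: constructed base URL using the /auth prefix shown in the answers.
BASE = "http://127.0.0.1:8080/auth"


def _admin_put(realm, user_id, action, payload, token):
    """Build (do not send) an authenticated PUT on /admin/realms/{realm}/users/{id}/..."""
    url = "{}/admin/realms/{}/users/{}/{}".format(
        BASE, quote(realm, safe=""), quote(user_id, safe=""), action)
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),  # escapes quotes and backslashes
        method="PUT",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )


def reset_password_request(realm, user_id, new_password, token, temporary):
    """Admin sets the password directly; body has the shape given in Barny's answer."""
    body = {"type": "password", "value": new_password, "temporary": temporary}
    return _admin_put(realm, user_id, "reset-password", body, token)


def update_password_email_request(realm, user_id, token):
    """Keycloak emails the user a link; the caller never handles the new password."""
    return _admin_put(realm, user_id, "execute-actions-email",
                      ["UPDATE_PASSWORD"], token)


def send(req, timeout=10):
    """Send a prepared request and return the HTTP status code."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values: the user id and token are placeholders.
    req = reset_password_request("master", "user-id-placeholder",
                                 'pa"ss\\word', "TOKEN-PLACEHOLDER", temporary=True)
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

With temporary set to True, Keycloak requires the user to choose a new password at the next login.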
