Nick

Reputation: 3090

KeyCloak user role: reset password endpoint for own account only

For a user to receive a "reset password" email, we call upon the KeyCloak API as follows:

PUT <keycloak>/admin/realms/<realm>/users/<userId>/reset-password-email?client_id=<clientId>&redirect_uri=http://localhost:3000/

If that user has the user role [realm-management] manage-users or [realm-management] realm-admin this works.

However, with this user role the user can not only call upon the endpoint for their own account but also for other users, which is not what we want.

Q: What user roles should we give to allow the user to call upon the above endpoint ONLY for their own account?

I assume this would be an account user role. But even a user with all of the account user roles below, calling upon the above endpoint still returns a 403 error.

account user roles

I'm sending the access token in the authorization header after signing in using authorization_code grant type. Am I perhaps calling upon the wrong API for making changes to the user's account only?

Keycloak 21.0.1

Upvotes: 4

Views: 1807

Answers (1)

Gary Archer

Reputation: 29243

Account recovery options should not require any application code. Instead they should be handled solely by configuring the authorization server (AS) to use a particular authentication method. In KeyCloak there is a configuration option to enable this, after which the user should see the relevant options if struggling to sign in.

User management APIs may be used as a more specialized option. For example the AS may support the System for Cross Domain Identity Management (SCIM), which has both a schema and API endpoints. Essentially though, SCIM is just a REST API that provides access to user accounts, and should support your use cases.

As an example, SCIM might be used as the backend for an Edit Profile screen in an application. In that case the AS would need to be able to restrict access to user account data to the current user, based on the access token presented. To enable this, a client would be granted a scope such as accounts and a claim such as sub. The AS would then need to restrict access to identity resources using these token values. Not all authorization servers support this.

Upvotes: 1
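The per-user restriction the answer describes, as an added example that is not part of the question, the answer, or Keycloak itself: a small backend-for-frontend check that lets a signed-in user trigger the reset-password-email call from the question only for their own account, so the end user never needs the manage-users role. It assumes the backend holds its own service-account token with manage-users, that the user's access token has already been signature-verified (JWKS fetch is out of scope), and that the base URL, realm and client id are placeholders.

```python
import time
from urllib.parse import quote

# Placeholders, not values from the page.
KEYCLOAK_BASE = "https://keycloak.example"
REALM = "myrealm"
EXPECTED_ISSUER = f"{KEYCLOAK_BASE}/realms/{REALM}"
EXPECTED_AUDIENCE = "my-frontend"  # client id of the front end


class Forbidden(Exception):
    """Raised when the caller may not act on the requested account."""


def authorize_self_reset(claims, target_user_id, now=None):
    """Return the caller's user id if the (already verified) token claims
    permit a self-service reset of target_user_id; raise Forbidden otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise Forbidden("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    # Keycloak often sets aud to "account" and names the client in azp.
    if EXPECTED_AUDIENCE not in aud and claims.get("azp") != EXPECTED_AUDIENCE:
        raise Forbidden("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise Forbidden("token expired")
    sub = claims.get("sub")
    if not sub or sub != target_user_id:
        raise Forbidden("callers may only reset their own password")
    return sub


def is_self_reset_allowed(claims, target_user_id, now=None):
    """Boolean wrapper around authorize_self_reset."""
    try:
        authorize_self_reset(claims, target_user_id, now)
        return True
    except Forbidden:
        return False


def admin_reset_url(user_id, client_id, redirect_uri):
    """Build the admin endpoint from the question; the backend calls it with its
    own service-account token, never with the end user's token."""
    return (f"{KEYCLOAK_BASE}/admin/realms/{REALM}/users/{quote(user_id, safe='')}"
            f"/reset-password-email?client_id={quote(client_id, safe='')}"
            f"&redirect_uri={quote(redirect_uri, safe='')}")
```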
