Is there an API call for changing user password on keycloak?

Solution 1:

You can use PUT /auth/admin/realms/{realm}/users/{id}/reset-password

  • {id} is the user id in keycloak (not the login)

Here is a sample body.

{ "type": "password", "temporary": false, "value": "my-new-password" }
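The call from Solution 1, worked through as an added example (not part of the original answer and not Keycloak's own code): it resolves a login name to the user id that {id} expects, then sends the reset with "temporary": true so an admin-chosen password must be changed at next login. The base URL, realm name and admin token are assumptions supplied by the caller, and the "exact" query parameter is assumed to be supported by the server version in use.

```python
"""Added example: admin password reset by login name (legacy /auth paths)."""
import json
import urllib.parse
import urllib.request


def send_json(req):
    # Default transport: real HTTP call; urlopen raises HTTPError on 4xx/5xx.
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None  # reset-password answers with no body


def find_user_id(base, realm, token, username, send=send_json):
    """Resolve a login name to the Keycloak user id used in the {id} path segment."""
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    url = f"{base}/auth/admin/realms/{urllib.parse.quote(realm, safe='')}/users?{query}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    # Filter again locally in case the server ignores "exact" and matches substrings.
    hits = [u for u in send(req) if u.get("username", "").lower() == username.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one user {username!r}, got {len(hits)}")
    return hits[0]["id"]


def build_reset_request(base, realm, token, user_id, new_password, temporary=True):
    """Build the PUT from Solution 1; json.dumps escapes quotes in the password."""
    url = (f"{base}/auth/admin/realms/{urllib.parse.quote(realm, safe='')}"
           f"/users/{urllib.parse.quote(user_id, safe='')}/reset-password")
    body = json.dumps({"type": "password", "temporary": temporary, "value": new_password})
    return urllib.request.Request(
        url, data=body.encode("utf-8"), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def reset_password(base, realm, token, username, new_password,
                   temporary=True, send=send_json):
    """Look up the user, send the reset, and return the id that was changed."""
    user_id = find_user_id(base, realm, token, username, send)
    send(build_reset_request(base, realm, token, user_id, new_password, temporary))
    return user_id
```

The send parameter exists so the HTTP layer can be replaced in tests; in normal use, leave it at its default.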

Solution 2:

UPDATE Keycloak 12

The solution described below will no longer work in Keycloak Versions 12 or higher as the developers decided to remove all Account Rest APIs as described in this issue.

Thanks to @Radivarig for pointing this out!


Solution for Keycloak 11

Keycloak recently introduced this feature, but it's currently still in preview and therefore not documented.

To make it work, you need to activate the account_api feature by starting keycloak with the parameter -Dkeycloak.profile.feature.account_api=enabled like so:

bin/standalone.sh -Dkeycloak.profile.feature.account_api=enabled

(source: https://www.keycloak.org/docs/latest/server_installation/index.html#profiles)

After that, you can use POST /auth/realms/your-realm/account/credentials/password and provide the http Header Accept: application/json. The header will make keycloak use a RestAPI-Service which is accepting and returning JSON (instead of the default form-based one which is only accepting x-www-form-urlencoded and returns HTML.)

As Request-Body, provide a JSON like this:

{
    "currentPassword": "oldPassword",
    "newPassword": "newPassword",
    "confirmation": "newPassword"
}

A full example with curl would look like this:

curl --request POST 'https://path-to-your-host.com/auth/realms/your-realm/account/credentials/password' \
--header 'Accept: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
--data-raw '{
    "currentPassword": "oldPassword",
    "newPassword": "newPassword",
    "confirmation": "newPassword"
}'

Note that - as written above - this feature is still in preview and might change in the future. So use it with caution!

Solution 3:

Rather than specifying a new password manually, a better security practice is to use the

PUT /auth/admin/realms/{realm}/users/{id}/execute-actions-email

admin call with "UPDATE_PASSWORD" as the required action. This causes Keycloak to send an email to the user that gives a magic link for the user to set a new password.

Note: {id} is the user id in keycloak (not the login)

Solution 4:

As the Keycloak Admin REST API suggests, you can send a PUT request to keycloakEndpoint/auth/{realm}/users/{id}/execute-actions-email to execute actions against a user. You need to obtain an admin access token as described here.

Solution 5:

TL;DR: The better way to do it via web app

keycloak.login({
    action: "UPDATE_PASSWORD",
})

For more info: https://www.keycloak.org/docs/latest/securing_apps/#login-options