[英]Is there an API call for changing user password on keycloak?
I am trying to implement my own form for changing a user's password.我正在尝试实现我自己的表单来更改用户的密码。 I tried to find an API for changing a user's password in Keycloak but I couldn't find anything in the documentation.
我试图找到一个 API 来更改 Keycloak 中的用户密码,但我在文档中找不到任何内容。 Is there an API for doing it?
是否有 API 可以这样做?
you can use PUT /auth/admin/realms/{realm}/users/{id}/reset-password
你可以使用
PUT /auth/admin/realms/{realm}/users/{id}/reset-password
Here is s sample body.这是样本体。
{ "type": "password", "temporary": false, "value": "my-new-password" }
The solution described below will no longer work in Keycloak Versions 12 or higher as the developers decided to remove all Account Rest APIs as described in this issue .下面描述的解决方案将不再适用于 Keycloak 版本 12 或更高版本,因为开发人员决定删除所有帐户休息 API ,如本期所述。
Thanks to @Radivarig for pointing this out!感谢@Radivarig 指出这一点!
Keycloak recently introduced this feature, but it's currently still in preview and therefore not documented. Keycloak 最近引入了此功能,但目前仍处于预览阶段,因此没有记录。
To make it work, you need to activate the account_api
feature by starting keycloak with the parameter -Dkeycloak.profile.feature.account_api=enabled
like so:要使其工作,您需要通过使用参数
-Dkeycloak.profile.feature.account_api=enabled
启动 keycloak 来激活account_api
功能,如下所示:
bin/standalone.sh -Dkeycloak.profile.feature.account_api=enabled
(source: https://www.keycloak.org/docs/latest/server_installation/index.html#profiles ) (来源: https : //www.keycloak.org/docs/latest/server_installation/index.html#profiles )
After that, you can use POST /auth/realms/your-realm/account/credentials/password
and provide the http Header Accept: application/json
.之后,您可以使用
POST /auth/realms/your-realm/account/credentials/password
并提供 http Header Accept: application/json
。 The header will make keycloak use a RestAPI-Service which is accepting and returning JSON (instead of the default form-based one which is only accepting x-www-form-urlencoded
and returns HTML.)标头将使 keycloak 使用接受并返回 JSON 的 RestAPI-Service(而不是仅接受
x-www-form-urlencoded
并返回 HTML 的基于表单的默认服务。)
As Request-Body , provide a JSON like this:作为Request-Body ,提供这样的 JSON:
{
"currentPassword": "oldPassword",
"newPassword": "newPassword",
"confirmation": "newPassword"
}
A full example with curl would look like this: curl 的完整示例如下所示:
curl --request POST 'https://path-to-your-host.com/auth/realms/your-realm/account/credentials/password' \
--header 'Accept: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
--data-raw '{
"currentPassword": "oldPassword",
"newPassword": "newPassword",
"confirmation": "newPassword"
}'
Note that - as written above - this feature is still in preview and might change in the future.请注意 - 如上所述 - 此功能仍处于预览阶段,将来可能会发生变化。 So use it with caution!
所以请谨慎使用!
Rather than specifying a new password manually a better security practice is to use the与手动指定新密码相比,更好的安全做法是使用
PUT /auth/admin/realms/{realm}/users/{id}/execute-actions-email
admin call with "UPDATE_PASSWORD"
as the required action.使用
"UPDATE_PASSWORD"
作为所需操作的管理员调用。 This causes Keycloak to send an email to the user that gives a magic link for the user to set a new password.这会导致 Keycloak 向用户发送一封电子邮件,为用户提供一个神奇的链接来设置新密码。
Note: {id} is the user id in keycloak (not the login)注意:{id} 是 keycloak 中的用户 ID(不是登录名)
As Keycloak Admin REST API suggests you can send a PUT
requqest to keycloakEndpoint/auth/{realm}/users/{id}/execute-actions-email
to execute actions against user.由于Keycloak Admin REST API建议您可以将
PUT
请求发送到keycloakEndpoint/auth/{realm}/users/{id}/execute-actions-email
以对用户执行操作。 you need to obtain an admin access token as described here您需要获取此处所述的管理员访问令牌
TL;DR: The better way to do it via web app TL;DR:通过 Web 应用程序实现的更好方法
keycloak.login({
action: "UPDATE_PASSWORD",
})
For more info: https://www.keycloak.org/docs/latest/securing_apps/#login-options欲了解更多信息: https : //www.keycloak.org/docs/latest/securing_apps/#login-options
:-) :-)
#!/bin/bash
#CHANGE ADMIN PASSWORD
apt update
apt install -y curl jq
KEYCLOAK_HOST=http://127.0.0.1:8080
ADMIN_USER_OLD_PASSWORD=
ADMIN_USER_NEW_PASSWORD=
TOKEN=$(curl -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d "username=admin&password=$ADMIN_USER_OLD_PASSWORD&client_id=admin-cli&grant_type=password" "$KEYCLOAK_HOST/auth/realms/master/protocol/openid-connect/token" | jq -r ".access_token" ;)
ADMIN_USER_ID=$(curl -s -X GET -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json;charset=UTF-8" -H 'Accept: application/json' "$KEYCLOAK_HOST/auth/admin/realms/master/users" | jq -r '.[] | select(.username=="admin") | .id' )
curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-type: application/json;charset=UTF-8" -H 'Accept: application/json' "$KEYCLOAK_HOST/auth/admin/realms/master/users/$ADMIN_USER_ID/reset-password" -d "{\"type\":\"password\",\"value\":\"$ADMIN_USER_NEW_PASSWORD\",\"temporary\":false}"
constructor(
private keycloakService: KeycloakService,
) { }
onPasswordChangeButtonClick(){
this.keycloakService.login({
action: "UPDATE_PASSWORD",
});
}
please try this approach to change the password请尝试此方法更改密码
This worked for me: https://github.com/keycloak/keycloak/pull/7393#issuecomment-1103532595这对我有用:https://github.com/keycloak/keycloak/pull/7393#issuecomment-1103532595
But you have to see if you can use a custom theme, if you want a different form than the default from keycloak.但是你必须看看你是否可以使用自定义主题,如果你想要一个不同于 keycloak 默认的形式。
No, OAuth and OpenID Connect protocols doesn't define such feature and Keycloak also doesn't have ability to do this on user's behalf.不,OAuth 和 OpenID Connect 协议未定义此类功能,Keycloak 也无法代表用户执行此操作。 There is a server-to-Server Admin API that alows to change the user's password or reset it but you can't call it from GUI.
有一个服务器到服务器管理 API,允许更改用户密码或重置密码,但您不能从 GUI 调用它。 But the Keycloak provides some kind of "My Account Page" by url like
http://localhost:8080/auth/realms/your-realm/account/
- replace your-realm
part of URL and just redirect a user to it.但是 Keycloak 通过像
http://localhost:8080/auth/realms/your-realm/account/
这样的 url 提供某种“我的帐户页面” - 替换 URL 的your-realm
部分并将用户重定向到它。
In documentation it called User Account Service在文档中它称为用户帐户服务
Also if you use auto discovery you can obtain the url by reading account-service
from JSON by URL http://localhost:8080/auth/realms/your-realm
此外,如果您使用自动发现,您可以通过 URL
http://localhost:8080/auth/realms/your-realm
从 JSON 读取account-service
来获取 URL
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.