Keycloak Action Tokens：当用户请求多个（例如重置密码）时如何使用户之前的操作无效

Question

I want to be able to invalidate any action token for a user within an authentication flow.

The scenario is the user sends a reset password and receives an email with an associated action token. The user then sends another reset password and gets another email with a different action token associated. For the length of the first action token expiry time the user can utilise the links in both emails - however I'd like to be able to identify within my custom reset password authentication flow that the user is requesting a duplicate action request and invalidate their earlier action token(s) so that only their latest reset password link works.

I've been looking at the below objects but had no luck finding an action token store associated with all the user's activity rather than just their current authenticated session.

AuthenticationFlowContext context;

            List<UserSessionModel> sessions = context.getSession().sessions().getUserSessions(context.getRealm(), user);

            RootAuthenticationSessionModel parentSessions = context.getAuthenticationSession().getParentSession();

            ActionTokenStoreProvider actionTokenStore = session.getProvider(ActionTokenStoreProvider.class);

Thanks in advance.

Answer 1

I've resolved this by maintaining a Table of users and action tokens per flow. This means when the user initiates a new action flow I can grab the previous token if still valid and use the ActionTokenStoreProvider to invalidate it replacing it with the new token. I am still hoping keycloak has some internal mechanism to manage this rather than my own custom code. Drop a solution if you know of this!