I am using Keycloak 18.0.2, and when a user clicks on "Forgot Password?" they receive an email for the password update. The problem is that after the new password is created, the user is automatically logged in. I am trying to avoid that and make the login manual. Because there is no option to do it via the Keycloak manager, I tried to use an SPI and listen for the event responsible for that.
What I did was remove the session for the specific realm and user. Unfortunately, nothing happened.
    import org.keycloak.events.Event;
    import org.keycloak.events.EventListenerProvider;
    import org.keycloak.events.EventType;
    import org.keycloak.events.admin.AdminEvent;
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.models.RealmModel;
    import org.keycloak.models.UserModel;

    public class PasswordResetEventListenerProvider implements EventListenerProvider {
        private final KeycloakSession session;
        private final RealmModel realm;
        public PasswordResetEventListenerProvider(KeycloakSession session) {
            this.session = session;
            this.realm = session.getContext().getRealm(); // realm of the current request
        }
        @Override
        public void onEvent(Event event) {
            if (event.getType() == EventType.LOGIN) {
                // getUserById(realm, id) is the non-deprecated argument order in Keycloak 18
                UserModel user = session.users().getUserById(realm, event.getUserId());
                if (user != null) {
                    session.sessions().removeUserSessions(realm, user); // drop every session of this user
                }
            }
        }
        @Override
        public void onEvent(AdminEvent event, boolean includeRepresentation) { } // admin events are ignored
        @Override
        public void close() { }
    }
Then I tried to remove all the authentication directly by removing the cookies. But still nothing happened, as when I was trying to get the request and response from the context, it returned java.lang.NullPointerException. I tried to find a different way to get them, but I could not find one for Keycloak version 18.0.2.
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    // Expire every Keycloak cookie on the client and drop the servlet session
    static void clearKeycloakCookies(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies at all
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().startsWith("KEYCLOAK_")) {
                    cookie.setValue("");
                    cookie.setMaxAge(0); // max-age 0 tells the browser to delete the cookie
                    cookie.setPath("/");
                    cookie.setHttpOnly(true);
                    cookie.setSecure(request.isSecure());
                    response.addCookie(cookie);
                }
            }
        }
        HttpSession httpSession = request.getSession(false);
        if (httpSession != null) {
            httpSession.invalidate();
        }
    }
Do you think that one of these cases is a good approach? Is there another way to make the user log in manually after the password reset?
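A complete listener plus the factory Keycloak needs to discover it, as an added example that is not the question's code. It keys on the UPDATE_PASSWORD event instead of LOGIN, resolves the realm from the event rather than from the request context captured in the constructor, and removes only the session referenced by the event. The class names and the provider id `terminate-session-after-password-update` are chosen here, not Keycloak identifiers, and the assumption that the event carries the id of the session opened by the reset flow is stated in a comment and guarded with a null check.

```java
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;

// Factory: Keycloak discovers it through the file
// META-INF/services/org.keycloak.events.EventListenerProviderFactory
// (one line containing this class's fully qualified name), and the listener
// must then be enabled per realm under Events -> Config -> Event Listeners
// using the id returned by getId().
public class SessionTerminatingListenerFactory implements EventListenerProviderFactory {
    // Chosen provider id for this example; not a Keycloak built-in
    public static final String ID = "terminate-session-after-password-update";

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new SessionTerminatingListener(session);
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return ID; }
}

class SessionTerminatingListener implements EventListenerProvider {
    private static final Logger LOG = Logger.getLogger(SessionTerminatingListener.class);
    private final KeycloakSession session;

    SessionTerminatingListener(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void onEvent(Event event) {
        // Resolve the realm from the event itself; the request context captured at
        // construction time is not guaranteed to hold a realm for every flow.
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        if (realm == null) {
            return;
        }
        if (event.getType() == EventType.UPDATE_PASSWORD && event.getSessionId() != null) {
            // Assumption: the UPDATE_PASSWORD event carries the id of the user session
            // created by the reset flow. If it does, remove just that session and leave
            // the user's other devices untouched; if not, getUserSession returns null.
            UserSessionModel userSession = session.sessions().getUserSession(realm, event.getSessionId());
            if (userSession != null) {
                session.sessions().removeUserSession(realm, userSession);
                // Audit trail: record which session was cut and for whom
                LOG.infof("Terminated session %s for user %s after password update",
                          event.getSessionId(), event.getUserId());
            }
        }
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) { }

    @Override
    public void close() { }
}
```

On the Quarkus-based Keycloak 18 distribution the packaged jar goes into the `providers/` directory and `kc.sh build` must be run before the listener becomes available; removing the session server-side only invalidates the token, so the browser still holds the identity cookie until it next talks to Keycloak, which is why cookie deletion from inside an event listener is not needed for the session to be gone.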