
KeyCloak user role: reset password endpoint for own account only


For a user to receive a "reset password" email, we call upon the KeyCloak API as follows:

PUT <keycloak>/admin/realms/<realm>/users/<userId>/reset-password-email?client_id=<clientId>&redirect_uri=http://localhost:3000/

If that user has the user role [realm-management] manage-users or [realm-management] realm-admin this works.

However, with this user role the user can not only call upon the endpoint for their own account but also for other users, which is not what we want.

Q: What user roles should we give to allow the user to call upon the above endpoint ONLY for their own account?

I assume this would be an account user role. But even for a user with all of the account user roles below, calling upon the above endpoint still returns a 403 error.

[image: account user roles]

I'm sending the access token in the authorization header after signing in using authorization_code grant type. Am I perhaps calling upon the wrong API for making changes to the user's account only?

Keycloak 21.0.1


Answer by VonC (accepted answer)

The API endpoint /admin/realms/{realm}/users/{id}/reset-password-email you are calling is part of Keycloak's Admin API, which is primarily intended for administrative purposes.

Typically, these administrative actions are supposed to be performed by highly privileged users and not by individual account holders. That is why the roles you have described ([realm-management] manage-users and [realm-management] realm-admin) allow access to manage multiple users, and it is not feasible to restrict them to just one specific user account.

So I do not think such a role would exist, for a user to reset only their own account.
Plus, I do not see /reset-password-email in the Keycloak 21.0.1 Admin API, only /resetpassword.

For users to reset their own passwords, it is usually not advisable to use the Admin API; rather, Keycloak provides account management features out-of-the-box through its own user interface. Users can navigate to the Account Management console and trigger a password reset from there.
It is illustrated for instance in "Is there an API call for changing user password on Keycloak?"

[image: reset user password form]

It is a user form which then performs the API call with the right role.

Alternatively, you can utilize Keycloak's built-in forgot-password feature. Users can initiate this from the login page, and they will receive an email with reset instructions.

However, if you are developing a custom application, and you want to integrate this feature within your own user interface, you could potentially set up a separate backend service that exposes a password-reset endpoint. That service would then call the Keycloak Admin API on behalf of the user, but would only allow the logged-in user to reset their own password.

Answer by Gary Archer

Account recovery options should not require any application code. Instead they should be handled solely by configuring the authorization server (AS) to use a particular authentication method. In KeyCloak there is a configuration option to enable this, after which the user should see the relevant options if struggling to sign in.

User management APIs may be used as a more specialized option. For example the AS may support the System for Cross Domain Identity Management (SCIM), which has both a schema and API endpoints. Essentially though, SCIM is just a REST API that provides access to user accounts, and should support your use cases.

As an example, SCIM might be used as the backend for an Edit Profile screen in an application, in which case the AS would need to be able to restrict access to user account data to the current user, based on the access token presented. To enable this, a client would be granted a scope such as accounts and a claim such as sub. The AS would then need to restrict access to identity resources using these token values. Not all authorization servers support this.
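Both answers point at the same design: the end user's token never carries manage-users; instead a small backend decides, from the user's own token claims (issuer, scope, sub, as Gary Archer describes), whether the request is for the caller's own account, and only then calls the Admin API endpoint from the question with a separate service-account credential (the proxy VonC suggests). The following is an added example of that backend logic, not code from the question, the answers or Keycloak itself. It assumes (hypothetically) that an OIDC middleware has already verified the user's access token signature and expiry and hands over its claims as a dict, that the service holds a service-account token with manage-users in `service_token`, and that `KEYCLOAK_BASE`, `REALM`, the client id and the sample claims are placeholder values. The Admin API path and query parameters are exactly those used in the question.

```python
"""'Reset my own password' proxy in front of the Keycloak Admin API.

Added example (not from the question, the answers or Keycloak).
Hypothetical setup: OIDC middleware has already validated the caller's
access token and gives us its claims; the service itself holds a
service-account token that has the manage-users role.
"""
import urllib.request
from urllib.parse import quote, urlencode

KEYCLOAK_BASE = "https://keycloak.example.test"   # placeholder server URL
REALM = "myrealm"                                  # placeholder realm name


class Forbidden(Exception):
    """Raised when the caller may not act on the requested account."""


def authorize_self_only(claims: dict, requested_user_id: str,
                        required_scope: str = "account") -> str:
    """Return the user id the caller may act on, or raise Forbidden.

    The decision uses only the caller's own token: it must come from our
    realm, carry the expected scope, and its sub must equal the account
    named in the request path. No admin role is needed on the user side.
    """
    expected_issuer = f"{KEYCLOAK_BASE}/realms/{REALM}"
    if claims.get("iss") != expected_issuer:
        raise Forbidden("token was issued by a different realm or server")
    scopes = set(claims.get("scope", "").split())
    if required_scope not in scopes:
        raise Forbidden(f"token lacks the '{required_scope}' scope")
    sub = claims.get("sub")
    if not sub or sub != requested_user_id:
        raise Forbidden("callers may only reset their own password")
    return sub


def build_reset_password_email_request(service_token: str, user_id: str,
                                       client_id: str, redirect_uri: str):
    """Build the PUT from the question, authenticated as the service account.

    redirect_uri is service configuration, not caller input, so a user
    cannot steer the reset link somewhere else.
    """
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    url = (f"{KEYCLOAK_BASE}/admin/realms/{REALM}/users/"
           f"{quote(user_id, safe='')}/reset-password-email?{query}")
    return urllib.request.Request(
        url, method="PUT",
        headers={"Authorization": f"Bearer {service_token}"})


def handle_reset_request(claims: dict, requested_user_id: str,
                         service_token: str, client_id: str, redirect_uri: str,
                         send=urllib.request.urlopen) -> int:
    """Authorize, then forward to Keycloak; returns the upstream HTTP status."""
    user_id = authorize_self_only(claims, requested_user_id)
    req = build_reset_password_email_request(service_token, user_id,
                                             client_id, redirect_uri)
    with send(req) as resp:
        return resp.status


# Constructed sample claims, as the middleware would hand them over.
SAMPLE_CLAIMS = {
    "iss": f"{KEYCLOAK_BASE}/realms/{REALM}",
    "sub": "5f2b1c0e-0000-4000-8000-000000000001",   # constructed user id
    "scope": "openid profile account",
}


class _OfflineResponse:
    """Stand-in for urlopen's response so the demo runs without a server."""
    status = 204

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def _offline_send(req):
    return _OfflineResponse()


if __name__ == "__main__":
    me = SAMPLE_CLAIMS["sub"]
    print("own account:", handle_reset_request(
        SAMPLE_CLAIMS, me, "svc-token", "my-spa", "http://localhost:3000/",
        send=_offline_send))
    try:
        handle_reset_request(SAMPLE_CLAIMS, "someone-else", "svc-token",
                             "my-spa", "http://localhost:3000/",
                             send=_offline_send)
    except Forbidden as err:
        print("other account:", err)
```

The service-account token is the only credential with manage-users, and it never leaves the backend; the user-facing endpoint only accepts a path id equal to the verified `sub`. Keep the redirect URI in server configuration and registered on the client in Keycloak, so the reset email link can only point at your own application.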