Keycloak - Calling Required Actions directly

October 3, 2023

Tags: #keycloak #requiredaction

Did you know, that you call (most of) the Required Actions in KEYCLOAK directly with an URL parameter?

Let’s take for example the UPDATE_PASSWORD action, which allows users to update their password credential. As all required actions, which are bound to the user or to the current authentication session will be executed after a successful authentication flow, you can just call the authorization endpoint to initialize an authentication and add the query parameter kc_action with the value of the desired Required Action ID: in our case, this is kc_action=UPDATE_PASSWORD.

The whole URL to point the browser to looks like this:


Be sure to use the authorization_endpoint value from the /.well-known/openid-configuration document as the base URL part (up to …/auth), don’t hardcode it manually!

When having Keycloak running locally on my machine and using the account console as a test client, the working URL looks like this:


If the user is already authenticated (and the authentication is not older than 5 minutes or the max-auth-age of the required action is not overwritten), the user is automatically redirected to the update password form, where he/she can change their credentials. If the user is not already authenticated, he/she has to authenticate first.

For your own custom Required Actions, you can get this feature, to be able to call the action directly in the browser, by just imlementing this method in your action provider class:

    public InitiatedActionSupport initiatedActionSupport() {
      return InitiatedActionSupport.SUPPORTED;

Du bist auf der Suche nach Keycloak Beratung, Unterstützung, Workshops oder Trainings?

Nimm Kontakt mit mir auf!

« Keycloak - Tuning Database Settings when experiencing Transaction timeouts Keycloak Discourse Community Forum Revived »