elkman / keycloak-radius-plugin

Make the radius server as part of keycloak SSO
Apache License 2.0

Change radius password via email #157

Open Zlateshkin1337 opened 4 months ago

Zlateshkin1337 commented 4 months ago

Is your feature request related to a problem? Please describe.

I was faced with the task of changing the password in Keycloak via email and realized that it was impossible to change the radius password in this way. There is no such step in the Keycloak flow.

Describe the solution you'd like

I need that when users change their password via email, in addition to the main password, they can also change the radius password. This can be implemented by adding an "Update radius password" action to the reset credentials flow.

Thank you in advance!

elkman commented 4 months ago

Is this functionality that was already there in an earlier version? I never used / set up this feature, so I may have to set up a test case first to check this.

I haven't used / set up this "radius password" feature yet. As far as I understand, a user can change her password or radius password (if enabled) in the account management anytime and independently. If a user recovers her (real) password via a password reset e-mail, the radius password can be changed in the account management afterwards. But this is not part of the password reset flow and you want it to be included there, right?

I'm not sure if it is a good idea to integrate the "real password" reset with the "radius password", because the users may use the same password for both, which is not what you want in most cases.

Zlateshkin1337 commented 4 months ago

You got it right, but I don't understand why this is a bad idea. The user will be able to configure whether he needs to reset the radius password and the normal password as needed. Now the password reset looks like this:

  1. The user clicks the "Forgot password" checkbox
  2. Enters mail
  3. A link is sent to the email and the user clicks on it
  4. The link leads to a window for entering a new password and confirming it

This is configured in the reset credentials flow. If you implement the radius password reset function, then in addition to the window for entering a new password, a fifth step will be added for entering and confirming the radius password. This can be added to the flow, or it can be left out; the user will decide for himself whether he needs it or not.

Zlateshkin1337 commented 4 months ago

[image] Now the process of resetting a password via email looks like this. If you implement the radius password reset feature, the user will be able to choose whether to add this step here or not.

elkman commented 4 months ago

Ok, by "user will be able to choose" you mean that the administrator can choose. This decision may depend on the use of this radius password (I would assume it is to be used for WiFi access or something similar. What is your use case?).

You're right, implementing a radius password reset feature as an optional step would make sense. From a security perspective, this could depend on the scenario and be left to the realm administrator.

Since I'm pretty limited on time, and just maintaining the code base and keeping up with new Keycloak versions takes its time, I'd make this a low-prio feature request, but I don't think I can provide a solution anytime soon. Anyone who could submit a patch is more than welcome 😀

Zlateshkin1337 commented 4 months ago

I use this plugin to access VPN in Mikrotik (local resources). I understand that this will most likely take a lot of time and you are not in a hurry, but it would be great if someday you can implement the functionality I proposed. Thanks for your feedback!

Zlateshkin1337 commented 4 months ago

In principle, I can talk to my management about paying for the implementation of this functionality in an hourly format. If this option can speed up the process, let me know.

elkman commented 4 months ago

Thank you for your patience and the offer. I'm already working on this in a paid context, so it would be difficult. But perhaps you will find someone or someone will get in touch with you who can realize this feature and provide a PR.