Keycloak Password Reset

autoearth

When users register an account in Keycloak, they have an email address from mailcow, also in order to login via SSO. Now if a user wants to reset his password, he receives an email in the mailbox of mailcow, but since he cannot login anymore with his password, he is not able to access the password reset link in the mail.

Did anyone solve this problem and if so how?

esackbauer

That is only affecting the UI login password, and thats another reason to use app passwords for client software. So he would still be able to see the password reset mail on his mobile device or Thunderbird/outlook.

autoearth

ok that could be a way to solve this. Login to mailcow.tld/user, generate an app password, configure Thunderbird or any other client with that app password. I have to propose this. For, well let’s say non-technical users, the workflow might be confusing.

esackbauer

autoearth the workflow might be confusing.

Security comes at the price of inconvenience 😉
2FA and such app passwords are best practices.
With Passkeys then could login even without username/password, so that would make every day task easier.

autoearth

We discussed that with the app passwords, but since users are not even using mail clients except web interfaces anymore, we decided to disable SSO altogether. Now users can use the recovery email setting.