Red Hat build of Keycloak / RHBK-1033

[GHI#25569] Documentation for AIA


      Description

      We don't have documentation for AIA, which were added in https://issues.redhat.com/browse/KEYCLOAK-9366. So this task is about documentation for AIA.

      Additional notes

      The AIA is used under the covers by the new account console. Hence it is tested in our testsuite and, as such, it is guaranteed to work. Hence I think it is considered supported.

      On the other hand, it is possible that the API (of how to trigger an action etc.) will change in the future, and maybe that's the reason why it is still not officially documented anywhere.

      I am adding this as an "rfe" to make sure that we properly document it, so we can claim it as officially fully supported.

      The usage of the AIA is relatively simple: in your application, you need to open the normal OIDC login URL (the same URL as when a client application wants to use Keycloak for authentication); however, there is one additional parameter, "kc_action", which should be added to the URL. The value of the parameter is the name of the action. So, for example, when the parameter is used like "kc_action=UPDATE_PASSWORD", the user will be redirected from the application to the Keycloak URL where they would need to update their password. Then they would be redirected back to your application.

      Keycloak may require the user to authenticate (or re-authenticate) before they can update the password (or perform any other requested action, in case the action is different from UPDATE_PASSWORD). Currently there is a hardcoded interval of 300 seconds for re-authentication when doing the AIA action. In other words, the user is not required to re-authenticate if they authenticated less than 300 seconds ago. Only users who authenticated 300 seconds or more ago are required to re-authenticate. This hardcoded interval is maybe one of the reasons why we still don't officially support AIA (I have already seen requirements from our users/customers to always require re-authentication, for example).

      At the time of this writing, we have a password policy which allows specifying the time when updating the password (so the action is UPDATE_PASSWORD) - https://www.keycloak.org/docs/23.0.0/release_notes/index.html#password-policy-for-specify-maximum-authentication-time . But for other actions, there is no additional flexibility, and the time is hardcoded to 300 seconds.
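The flow described above (a normal OIDC authorization request with an extra kc_action parameter, then a redirect back to the application), as an added example that is not part of this issue and is not Keycloak project code. It assumes placeholder values for the Keycloak base URL, realm, client_id and redirect_uri, Keycloak's standard authorization endpoint path /realms/<realm>/protocol/openid-connect/auth, and the kc_action_status parameter that Keycloak appends to the redirect to report the action's outcome; none of those come from the issue text. The application side keeps an allow-list of action names so that a caller cannot smuggle an arbitrary value into kc_action, and it checks the OIDC state before trusting anything on the callback.

```python
"""Trigger a Keycloak Application Initiated Action (AIA) from a client app.

Added example, not code from the issue or from the Keycloak project.
Assumptions: placeholder base URL / realm / client values, Keycloak's
/realms/<realm>/protocol/openid-connect/auth endpoint path, and the
kc_action_status callback parameter.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Allow-list of action aliases this application is willing to trigger.
# The issue names UPDATE_PASSWORD; add the other required-action aliases
# your realm exposes. Never pass a caller-supplied string straight into kc_action.
ALLOWED_ACTIONS = frozenset({"UPDATE_PASSWORD"})


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for the authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_aia_login_url(base_url, realm, client_id, redirect_uri,
                        action, state, nonce, code_challenge):
    """Build the ordinary OIDC login URL and append kc_action=<action>.

    Everything except kc_action is a standard authorization-code request
    (response_type=code, scope=openid, state, nonce, PKCE S256).
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "kc_action": action,          # the one extra parameter AIA needs
    }
    # Assumed endpoint path (Keycloak's standard layout, not taken from the issue).
    auth_endpoint = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return auth_endpoint + "?" + urlencode(params)


def split_url(url):
    """Return (path, {param: first_value}) so a built or received URL can be inspected."""
    parsed = urlparse(url)
    return parsed.path, {k: v[0] for k, v in parse_qs(parsed.query).items()}


def check_callback(callback_url, expected_state):
    """Validate the redirect back from Keycloak after the action.

    The state check comes first: a callback with the wrong state is discarded
    before any code or status value is looked at. kc_action_status is the
    parameter Keycloak appends with the action outcome (assumed, see lead-in).
    """
    _, q = split_url(callback_url)
    if not secrets.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: ignore this callback")
    result = {"ok": "error" not in q, "action_status": q.get("kc_action_status")}
    if result["ok"]:
        result["code"] = q["code"]   # exchange at the token endpoint as usual
    else:
        result["error"] = q["error"]
    return result


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    # Placeholder host names; constructed for this example only.
    url = build_aia_login_url("https://kc.example.test", "demo", "my-app",
                              "https://app.example.test/cb",
                              "UPDATE_PASSWORD", state, nonce, challenge)
    print(url)
```

The verifier and state must be stored in the user's session between building the URL and handling the callback; the 300-second re-authentication window described in the issue is enforced by Keycloak, so the application does not (and cannot, for actions other than UPDATE_PASSWORD) configure it from its side.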

Assignee: Unassigned
Reporter: Pavel Vlha (pvlha)
Component: Keycloak Core Clients