Check credential confirmation on server side.

services/src/main/java/org/keycloak/services/resources/account/AccountCredentialResource.java

@@ -1,6 +1,5 @@
 package org.keycloak.services.resources.account;
 
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import org.keycloak.credential.CredentialModel;
 import org.keycloak.credential.CredentialProvider;
 import org.keycloak.credential.PasswordCredentialProvider;
@@ -66,6 +65,15 @@ public class AccountCredentialResource {
             event.error(org.keycloak.events.Errors.INVALID_USER_CREDENTIALS);
             return ErrorResponse.error(Messages.INVALID_PASSWORD_EXISTING, Response.Status.BAD_REQUEST);
         }
+        
+        if (update.getNewPassword() == null) {
+            return ErrorResponse.error(Messages.INVALID_PASSWORD_EXISTING, Response.Status.BAD_REQUEST);
+        }
+        
+        String confirmation = update.getConfirmation();
+        if ((confirmation != null) && !update.getNewPassword().equals(confirmation)) {
+            return ErrorResponse.error(Messages.NOTMATCH_PASSWORD, Response.Status.BAD_REQUEST);
+        }
 
         try {
             session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(update.getNewPassword(), false));
@@ -99,11 +107,11 @@ public class AccountCredentialResource {
 
     }
 
-    @JsonIgnoreProperties(ignoreUnknown=true)
     public static class PasswordUpdate {
 
         private String currentPassword;
         private String newPassword;
+        private String confirmation;
 
         public String getCurrentPassword() {
             return currentPassword;
@@ -120,6 +128,14 @@ public class AccountCredentialResource {
         public void setNewPassword(String newPassword) {
             this.newPassword = newPassword;
         }
+        
+        public String getConfirmation() {
+            return confirmation;
+        }
+
+        public void setConfirmation(String confirmation) {
+            this.confirmation = confirmation;
+        }
 
     }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountRestServiceTest.java

@@ -219,6 +219,13 @@ public class AccountRestServiceTest extends AbstractTestRealmKeycloakTest {
         //Change the password back
         updatePassword("Str0ng3rP4ssw0rd", "password", 200);
    }
+    
+    @Test
+    public void testPasswordConfirmation() throws IOException {
+        updatePassword("password", "Str0ng3rP4ssw0rd", "confirmationDoesNotMatch", 400);
+        
+        updatePassword("password", "Str0ng3rP4ssw0rd", "Str0ng3rP4ssw0rd", 200);
+    }
 
     private AccountCredentialResource.PasswordDetails getPasswordDetails() throws IOException {
         AccountCredentialResource.PasswordDetails details = SimpleHttp.doGet(getAccountUrl("credentials/password"), client).auth(tokenUtil.getToken()).asJson(new TypeReference<AccountCredentialResource.PasswordDetails>() {});
@@ -228,9 +235,14 @@ public class AccountRestServiceTest extends AbstractTestRealmKeycloakTest {
     }
 
     private void updatePassword(String currentPass, String newPass, int expectedStatus) throws IOException {
+        updatePassword(currentPass, newPass, null, expectedStatus);
+    }
+        
+    private void updatePassword(String currentPass, String newPass, String confirmation, int expectedStatus) throws IOException {
         AccountCredentialResource.PasswordUpdate passwordUpdate = new AccountCredentialResource.PasswordUpdate();
         passwordUpdate.setCurrentPassword(currentPass);
         passwordUpdate.setNewPassword(newPass);
+        passwordUpdate.setConfirmation(confirmation);
         int status = SimpleHttp.doPost(getAccountUrl("credentials/password"), client).auth(tokenUtil.getToken()).json(passwordUpdate).asStatus();
         assertEquals(expectedStatus, status);
     }