Avoid using methods on UserCredentialStoreManager

2022-05-05 10:35:51 +02:00 · 2022-05-05 10:35:51 +02:00 · 6f287e7ded
commit 6f287e7ded
parent bc8fd21dc6
63 changed files with 258 additions and 274 deletions
--- a/examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionCredentialProvider.java
+++ b/examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionCredentialProvider.java
@ -44,11 +44,6 @@ public class SecretQuestionCredentialProvider implements CredentialProvider<Secr
        this.session = session;
    }
    private UserCredentialStore getCredentialStore() {
        return session.userCredentialManager();
    }
    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!(input instanceof UserCredentialModel)) {
@ -62,7 +57,7 @@ public class SecretQuestionCredentialProvider implements CredentialProvider<Secr
        if (challengeResponse == null) {
            return false;
        }
-        CredentialModel credentialModel = getCredentialStore().getStoredCredentialById(realm, user, input.getCredentialId());
+        CredentialModel credentialModel = user.getUserCredentialManager().getStoredCredentialById(input.getCredentialId());
        SecretQuestionCredentialModel sqcm = getCredentialFromModel(credentialModel);
        return sqcm.getSecretQuestionSecretData().getAnswer().equals(challengeResponse);
    }
@ -75,7 +70,7 @@ public class SecretQuestionCredentialProvider implements CredentialProvider<Secr
    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        if (!supportsCredentialType(credentialType)) return false;
-        return getCredentialStore().getStoredCredentialsByTypeStream(realm, user, credentialType).count() > 0;
+        return user.getUserCredentialManager().getStoredCredentialsByTypeStream(credentialType).findAny().isPresent();
    }
    @Override
@ -83,12 +78,12 @@ public class SecretQuestionCredentialProvider implements CredentialProvider<Secr
        if (credentialModel.getCreatedDate() == null) {
            credentialModel.setCreatedDate(Time.currentTimeMillis());
        }
-        return getCredentialStore().createCredential(realm, user, credentialModel);
+        return user.getUserCredentialManager().createStoredCredential(credentialModel);
    }
    @Override
    public boolean deleteCredential(RealmModel realm, UserModel user, String credentialId) {
-        return getCredentialStore().removeStoredCredential(realm, user, credentialId);
+        return user.getUserCredentialManager().removeStoredCredentialById(credentialId);
    }
    @Override
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/SingleUserCredentialManagerCacheAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/SingleUserCredentialManagerCacheAdapter.java
@ -3,7 +3,6 @@ package org.keycloak.models.cache.infinispan;
 import org.keycloak.credential.CredentialInput;
 import org.keycloak.credential.CredentialModel;
 import org.keycloak.models.SingleUserCredentialManager;
 import org.keycloak.models.UserModel;
 import java.util.List;
 import java.util.stream.Stream;
@ -107,8 +106,8 @@ public abstract class SingleUserCredentialManagerCacheAdapter implements SingleU
    }
    @Override
-    public Stream<String> getConfiguredUserStorageCredentialTypesStream(UserModel user) {
+    public Stream<String> getConfiguredUserStorageCredentialTypesStream() {
-        return singleUserCredentialManager.getConfiguredUserStorageCredentialTypesStream(user);
+        return singleUserCredentialManager.getConfiguredUserStorageCredentialTypesStream();
    }
    @Override
--- a/model/legacy/src/main/java/org/keycloak/credential/LegacySingleUserCredentialManager.java
+++ b/model/legacy/src/main/java/org/keycloak/credential/LegacySingleUserCredentialManager.java
@ -34,15 +34,9 @@ import java.util.Objects;
 import java.util.stream.Stream;
 /**
- * Handling credentials for a given user.
+ * Handling credentials for a given user for the legacy store.
 *
- * This serves as a wrapper to specific strategies. The wrapping code implements the logic for {@link CredentialInputUpdater}s
+ * Its companion is the MapSingleUserCredentialManagerStrategy that doesn't contain storage related elements.
 * and {@link CredentialInputValidator}s. Storage specific strategies can be added like for example in
 * org.keycloak.models.map.credential.MapSingleUserCredentialManagerStrategy.
 *
 * I tried to extract the federation specific parts to the {@link LegacySingleUserCredentialManagerStrategy} but the control
 * flow in the existing logic: if <code>model == null || !model.isEnabled()</code>, the code will directly return, while
 * the behavior of the strategy is to continue if it returns false and it will then try other providers.
 *
 * @author Alexander Schwartz
 */
@ -218,7 +212,7 @@ public class LegacySingleUserCredentialManager extends AbstractStorageManager<Us
    }
    @Override
-    public Stream<String> getConfiguredUserStorageCredentialTypesStream(UserModel user) {
+    public Stream<String> getConfiguredUserStorageCredentialTypesStream() {
        return getCredentialProviders(session, CredentialProvider.class).map(CredentialProvider::getType)
                .filter(credentialType -> UserStorageCredentialConfigured.CONFIGURED == isConfiguredThroughUserStorage(realm, user, credentialType));
    }
--- a/model/map/src/main/java/org/keycloak/models/map/credential/MapSingleUserCredentialManager.java
+++ b/model/map/src/main/java/org/keycloak/models/map/credential/MapSingleUserCredentialManager.java
@ -40,8 +40,8 @@ import java.util.stream.Stream;
 * Handling credentials for a given user.
 *
 * This serves as a wrapper to specific strategies. The wrapping code implements the logic for {@link CredentialInputUpdater}s
- * and {@link CredentialInputValidator}s. Storage specific strategies can be added like for example in
+ * and {@link CredentialInputValidator}s. Storage specific strategies can be added, like for example, in
- * org.keycloak.models.map.credential.MapSingleUserCredentialManagerStrategy.
+ * {@link MapSingleUserCredentialManagerStrategy}.
 *
 * @author Alexander Schwartz
 */
@ -162,7 +162,7 @@ public class MapSingleUserCredentialManager implements SingleUserCredentialManag
    }
    @Override
-    public Stream<String> getConfiguredUserStorageCredentialTypesStream(UserModel user) {
+    public Stream<String> getConfiguredUserStorageCredentialTypesStream() {
        // TODO ask the store
        return getCredentialProviders(session, CredentialProvider.class).map(CredentialProvider::getType)
                .filter(credentialType -> UserStorageCredentialConfigured.CONFIGURED == isConfiguredThroughUserStorage(realm, user, credentialType));
--- a/server-spi-private/src/main/java/org/keycloak/authentication/CredentialValidator.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/CredentialValidator.java
@ -12,7 +12,7 @@ import java.util.stream.Collectors;
 public interface CredentialValidator<T extends CredentialProvider> {
    T getCredentialProvider(KeycloakSession session);
    default List<CredentialModel> getCredentials(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, getCredentialProvider(session).getType())
+        return user.getUserCredentialManager().getStoredCredentialsByTypeStream(getCredentialProvider(session).getType())
                .collect(Collectors.toList());
    }
    default String getType(KeycloakSession session) {
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
@ -220,9 +220,9 @@ public class ModelToRepresentation {
        rep.setEmail(user.getEmail());
        rep.setEnabled(user.isEnabled());
        rep.setEmailVerified(user.isEmailVerified());
-        rep.setTotp(session.userCredentialManager().isConfiguredFor(realm, user, OTPCredentialModel.TYPE));
+        rep.setTotp(user.getUserCredentialManager().isConfiguredFor(OTPCredentialModel.TYPE));
-        rep.setDisableableCredentialTypes(session.userCredentialManager()
+        rep.setDisableableCredentialTypes(user.getUserCredentialManager()
-                .getDisableableCredentialTypesStream(realm, user).collect(Collectors.toSet()));
+                .getDisableableCredentialTypesStream().collect(Collectors.toSet()));
        rep.setFederationLink(user.getFederationLink());
        rep.setNotBefore(session.users().getNotBeforeOfUser(realm, user));
        rep.setRequiredActions(user.getRequiredActionsStream().collect(Collectors.toList()));
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@ -779,21 +779,21 @@ public class RepresentationToModel {
        convertDeprecatedCredentialsFormat(userRep);
        if (userRep.getCredentials() != null) {
            for (CredentialRepresentation cred : userRep.getCredentials()) {
-                if (cred.getId() != null && session.userCredentialManager().getStoredCredentialById(realm, user, cred.getId()) != null) {
+                if (cred.getId() != null && user.getUserCredentialManager().getStoredCredentialById(cred.getId()) != null) {
                    continue;
                }
                if (cred.getValue() != null && !cred.getValue().isEmpty()) {
                    RealmModel origRealm = session.getContext().getRealm();
                    try {
                        session.getContext().setRealm(realm);
-                        session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(cred.getValue(), false));
+                        user.getUserCredentialManager().updateCredential(UserCredentialModel.password(cred.getValue(), false));
                    } catch (ModelException ex) {
                        throw new PasswordPolicyNotMetException(ex.getMessage(), user.getUsername(), ex);
                    } finally {
                        session.getContext().setRealm(origRealm);
                    }
                } else {
-                    session.userCredentialManager().createCredentialThroughProvider(realm, user, toModel(cred));
+                    user.getUserCredentialManager().createCredentialThroughProvider(toModel(cred));
                }
            }
        }
--- a/server-spi-private/src/main/java/org/keycloak/policy/HistoryPasswordPolicyProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/policy/HistoryPasswordPolicyProvider.java
@ -52,7 +52,7 @@ public class HistoryPasswordPolicyProvider implements PasswordPolicyProvider {
        PasswordPolicy policy = session.getContext().getRealm().getPasswordPolicy();
        int passwordHistoryPolicyValue = policy.getPolicyConfig(PasswordPolicy.PASSWORD_HISTORY_ID);
        if (passwordHistoryPolicyValue != -1) {
-            if (session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, PasswordCredentialModel.TYPE)
+            if (user.getUserCredentialManager().getStoredCredentialsByTypeStream(PasswordCredentialModel.TYPE)
                    .map(PasswordCredentialModel::createFromCredentialModel)
                    .anyMatch(passwordCredential -> {
                        PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class,
@ -63,7 +63,7 @@ public class HistoryPasswordPolicyProvider implements PasswordPolicyProvider {
            }
            if (passwordHistoryPolicyValue > 0) {
-                if (this.getRecent(session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, PasswordCredentialModel.PASSWORD_HISTORY),
+                if (this.getRecent(user.getUserCredentialManager().getStoredCredentialsByTypeStream(PasswordCredentialModel.PASSWORD_HISTORY),
                        passwordHistoryPolicyValue - 1)
                        .map(PasswordCredentialModel::createFromCredentialModel)
                        .anyMatch(passwordCredential -> {
--- a/server-spi-private/src/main/java/org/keycloak/utils/CredentialHelper.java
+++ b/server-spi-private/src/main/java/org/keycloak/utils/CredentialHelper.java
@ -100,7 +100,7 @@ public class CredentialHelper {
        String totpSecret = credentialModel.getOTPSecretData().getValue();
        UserCredentialModel otpUserCredential = new UserCredentialModel("", realm.getOTPPolicy().getType(), totpSecret);
-        boolean userStorageCreated = session.userCredentialManager().updateCredential(realm, user, otpUserCredential);
+        boolean userStorageCreated = user.getUserCredentialManager().updateCredential(otpUserCredential);
        String credentialId = null;
        if (userStorageCreated) {
@ -112,7 +112,7 @@ public class CredentialHelper {
        //If the type is HOTP, call verify once to consume the OTP used for registration and increase the counter.
        UserCredentialModel credential = new UserCredentialModel(credentialId, otpCredentialProvider.getType(), totpCode);
-        return session.userCredentialManager().isValid(realm, user, credential);
+        return user.getUserCredentialManager().isValid(credential);
    }
    public static void deleteOTPCredential(KeycloakSession session, RealmModel realm, UserModel user, String credentialId) {
@ -122,7 +122,7 @@ public class CredentialHelper {
        // This can usually happened when credential is stored in the userStorage. Propagate to "disable" credential in the userStorage
        if (!removed) {
            logger.debug("Removing OTP credential from userStorage");
-            session.userCredentialManager().disableCredentialType(realm, user, OTPCredentialModel.TYPE);
+            user.getUserCredentialManager().disableCredentialType(OTPCredentialModel.TYPE);
        }
    }
--- a/server-spi/src/main/java/org/keycloak/credential/CredentialProvider.java
+++ b/server-spi/src/main/java/org/keycloak/credential/CredentialProvider.java
@ -43,7 +43,7 @@ public interface CredentialProvider<T extends CredentialModel> extends Provider
    T getCredentialFromModel(CredentialModel model);
    default T getDefaultCredential(KeycloakSession session, RealmModel realm, UserModel user) {
-        CredentialModel model = session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, getType())
+        CredentialModel model = user.getUserCredentialManager().getStoredCredentialsByTypeStream(getType())
                .findFirst().orElse(null);
        return model != null ? getCredentialFromModel(model) : null;
    }
--- a/server-spi/src/main/java/org/keycloak/credential/UserCredentialStore.java
+++ b/server-spi/src/main/java/org/keycloak/credential/UserCredentialStore.java
@ -46,7 +46,7 @@ public interface UserCredentialStore extends Provider {
    CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id);
    /**
-     * @deprecated Use {@link #getStoredCredentialsStream(RealmModel, UserModel) getStoredCredentialsStream} instead.
+     * @deprecated Use {@link org.keycloak.models.SingleUserCredentialManager#getStoredCredentialsStream()} instead.
     */
    @Deprecated
    List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user);
@ -64,7 +64,7 @@ public interface UserCredentialStore extends Provider {
    }
    /**
-     * @deprecated Use {@link #getStoredCredentialsByTypeStream(RealmModel, UserModel, String) getStoredCredentialsByTypeStream}
+     * @deprecated Use {@link org.keycloak.models.SingleUserCredentialManager#getStoredCredentialsByTypeStream(String)}
     * instead.
     */
    @Deprecated
@ -79,7 +79,7 @@ public interface UserCredentialStore extends Provider {
     * @return a non-null {@link Stream} of credentials.
     */
    default Stream<CredentialModel> getStoredCredentialsByTypeStream(RealmModel realm, UserModel user, String type) {
-        List<CredentialModel> result = this.getStoredCredentialsByType(realm, user, type);
+        List<CredentialModel> result = user.getUserCredentialManager().getStoredCredentialsByTypeStream(type).collect(Collectors.toList());
        return result != null ? result.stream() : Stream.empty();
    }
@ -98,7 +98,7 @@ public interface UserCredentialStore extends Provider {
    interface Streams extends UserCredentialStore {
        @Override
        default List<CredentialModel> getStoredCredentials(RealmModel realm, UserModel user) {
-            return this.getStoredCredentialsStream(realm, user).collect(Collectors.toList());
+            return user.getUserCredentialManager().getStoredCredentialsStream().collect(Collectors.toList());
        }
        @Override
@ -106,7 +106,7 @@ public interface UserCredentialStore extends Provider {
        @Override
        default List<CredentialModel> getStoredCredentialsByType(RealmModel realm, UserModel user, String type) {
-            return this.getStoredCredentialsByTypeStream(realm, user, type).collect(Collectors.toList());
+            return user.getUserCredentialManager().getStoredCredentialsByTypeStream(type).collect(Collectors.toList());
        }
        @Override
--- a/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java
+++ b/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java
@ -248,9 +248,10 @@ public interface KeycloakSession {
    /**
     * Service that allows you to valid and update credentials for a user
-     *
+     * @deprecated Use {@link UserModel#getUserCredentialManager()} instead.
     * @return
     */
    @Deprecated
    UserCredentialManager userCredentialManager();
    /**
--- a/server-spi/src/main/java/org/keycloak/models/SingleUserCredentialManager.java
+++ b/server-spi/src/main/java/org/keycloak/models/SingleUserCredentialManager.java
@ -20,6 +20,7 @@ package org.keycloak.models;
 import org.keycloak.credential.CredentialInput;
 import org.keycloak.credential.CredentialModel;
 import java.util.Arrays;
 import java.util.List;
 import java.util.stream.Stream;
@ -30,6 +31,10 @@ public interface SingleUserCredentialManager {
     */
    boolean isValid(List<CredentialInput> inputs);
    default boolean isValid(CredentialInput... inputs) {
        return isValid(Arrays.asList(inputs));
    }
    /**
     * Updates a credentials of the user.
     */
@ -63,7 +68,7 @@ public interface SingleUserCredentialManager {
    @Deprecated
    boolean isConfiguredLocally(String type);
-    Stream<String> getConfiguredUserStorageCredentialTypesStream(UserModel user);
+    Stream<String> getConfiguredUserStorageCredentialTypesStream();
    CredentialModel createCredentialThroughProvider(CredentialModel model);
 }
--- a/server-spi/src/main/java/org/keycloak/models/UserCredentialManager.java
+++ b/server-spi/src/main/java/org/keycloak/models/UserCredentialManager.java
@ -26,9 +26,13 @@ import java.util.stream.Collectors;
 import java.util.stream.Stream;
 /**
 * Manage the credentials for a user.
 *
 * @deprecated Instead of this class, use {@link UserModel#getUserCredentialManager()} instead.
 * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
 * @version $Revision: 1 $
 */
@Deprecated
 public interface UserCredentialManager extends UserCredentialStore {
    /**
@ -97,14 +101,13 @@ public interface UserCredentialManager extends UserCredentialStore {
     * @param realm
     * @param user
     * @return
-     * @deprecated Use {@link #getDisableableCredentialTypesStream(RealmModel, UserModel) getDisableableCredentialTypesStream}
+     * @deprecated Use {@link UserModel#getUserCredentialManager()} and {@link SingleUserCredentialManager#getDisableableCredentialTypesStream()} instead.
     * instead.
     */
    @Deprecated
    Set<String> getDisableableCredentialTypes(RealmModel realm, UserModel user);
    /**
-     * Obtains the credential types that can be disabled by means of the {@link #disableCredentialType(RealmModel, UserModel, String)}
+     * Obtains the credential types that can be disabled.
     * method.
     *
     * @param realm a reference to the realm.
@ -112,8 +115,7 @@ public interface UserCredentialManager extends UserCredentialStore {
     * @return a non-null {@link Stream} of credential types.
     */
    default Stream<String> getDisableableCredentialTypesStream(RealmModel realm, UserModel user) {
-        Set<String> result = this.getDisableableCredentialTypes(realm, user);
+        return user.getUserCredentialManager().getDisableableCredentialTypesStream();
        return result != null ? result.stream() : Stream.empty();
    }
    /**
@ -156,8 +158,7 @@ public interface UserCredentialManager extends UserCredentialStore {
     * Return credential types, which are provided by the user storage where user is stored. Returned values can contain for example "password", "otp" etc.
     * This will always return empty list for "local" users, which are not backed by any user storage
     *
-     * @return
+     * @deprecated Use {@link UserModel#getUserCredentialManager()} and then call {@link SingleUserCredentialManager#getConfiguredUserStorageCredentialTypesStream()}
     * @deprecated Use {@link #getConfiguredUserStorageCredentialTypesStream(RealmModel, UserModel) getConfiguredUserStorageCredentialTypesStream}
     * instead.
     */
    @Deprecated
@ -174,8 +175,7 @@ public interface UserCredentialManager extends UserCredentialStore {
     * @return a non-null {@link Stream} of credential types.
     */
    default Stream<String> getConfiguredUserStorageCredentialTypesStream(RealmModel realm, UserModel user) {
-        List<String> result = this.getConfiguredUserStorageCredentialTypes(realm, user);
+        return user.getUserCredentialManager().getConfiguredUserStorageCredentialTypesStream();
        return result != null ? result.stream() : Stream.empty();
    }
    /**
@ -188,7 +188,7 @@ public interface UserCredentialManager extends UserCredentialStore {
    interface Streams extends UserCredentialManager, UserCredentialStore.Streams {
        @Override
        default Set<String> getDisableableCredentialTypes(RealmModel realm, UserModel user) {
-            return this.getDisableableCredentialTypesStream(realm, user).collect(Collectors.toSet());
+            return user.getUserCredentialManager().getDisableableCredentialTypesStream().collect(Collectors.toSet());
        }
        @Override
@ -196,7 +196,7 @@ public interface UserCredentialManager extends UserCredentialStore {
        @Override
        default List<String> getConfiguredUserStorageCredentialTypes(RealmModel realm, UserModel user) {
-            return this.getConfiguredUserStorageCredentialTypesStream(realm, user).collect(Collectors.toList());
+            return user.getUserCredentialManager().getConfiguredUserStorageCredentialTypesStream().collect(Collectors.toList());
        }
        @Override
--- a/services/src/main/java/org/keycloak/authentication/AuthenticationSelectionResolver.java
+++ b/services/src/main/java/org/keycloak/authentication/AuthenticationSelectionResolver.java
@ -80,13 +80,10 @@ class AuthenticationSelectionResolver {
            if (processor.getAuthenticationSession().getAuthenticatedUser() != null) {
                authenticationSelectionList =
                        Stream.concat(
-                            processor.getSession().userCredentialManager()
+                            processor.getAuthenticationSession().getAuthenticatedUser().getUserCredentialManager().getStoredCredentialsStream()
                                .getStoredCredentialsStream(processor.getRealm(), processor.getAuthenticationSession().getAuthenticatedUser())
                                .map(CredentialModel::getType),
-                            processor.getSession().userCredentialManager()
+                            processor.getAuthenticationSession().getAuthenticatedUser().getUserCredentialManager()
-                                .getConfiguredUserStorageCredentialTypesStream(
+                                .getConfiguredUserStorageCredentialTypesStream())
                                    processor.getRealm(),
                                    processor.getAuthenticationSession().getAuthenticatedUser()))
                        .distinct()
                        .filter(typeAuthExecMap::containsKey)
                        .map(credentialType -> new AuthenticationSelectionOption(processor.getSession(), typeAuthExecMap.get(credentialType)))
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
@ -226,7 +226,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
        if (isDisabledByBruteForce(context, user)) return false;
-        if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, UserCredentialModel.password(password))) {
+        if (password != null && !password.isEmpty() && user.getUserCredentialManager().isValid(UserCredentialModel.password(password))) {
            return true;
        } else {
            return badPasswordHandler(context, user, clearUser,false);
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/OTPFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/OTPFormAuthenticator.java
@ -97,8 +97,7 @@ public class OTPFormAuthenticator extends AbstractUsernameFormAuthenticator impl
            context.challenge(challengeResponse);
            return;
        }
-        boolean valid = context.getSession().userCredentialManager().isValid(context.getRealm(),context.getUser(),
+        boolean valid = context.getUser().getUserCredentialManager().isValid(new UserCredentialModel(credentialId, getCredentialProvider(context.getSession()).getType(), otp));
                new UserCredentialModel(credentialId, getCredentialProvider(context.getSession()).getType(), otp));
        if (!valid) {
            context.getEvent().user(userModel)
                    .error(Errors.INVALID_USER_CREDENTIALS);
@ -131,7 +130,7 @@ public class OTPFormAuthenticator extends AbstractUsernameFormAuthenticator impl
    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.userCredentialManager().isConfiguredFor(realm, user, getCredentialProvider(session).getType());
+        return user.getUserCredentialManager().isConfiguredFor(getCredentialProvider(session).getType());
    }
    @Override
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/PasswordForm.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/PasswordForm.java
@ -44,7 +44,7 @@ public class PasswordForm extends UsernamePasswordForm implements CredentialVali
    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.userCredentialManager().isConfiguredFor(realm, user, getCredentialProvider(session).getType());
+        return user.getUserCredentialManager().isConfiguredFor(getCredentialProvider(session).getType());
    }
    @Override
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/RecoveryAuthnCodesFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/RecoveryAuthnCodesFormAuthenticator.java
@ -28,10 +28,7 @@ import static org.keycloak.services.validation.Validation.FIELD_USERNAME;
 public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
    private final UserCredentialManager userCredentialManager;
    public RecoveryAuthnCodesFormAuthenticator(KeycloakSession keycloakSession) {
        this.userCredentialManager = keycloakSession.userCredentialManager();
    }
    @Override
@ -61,7 +58,7 @@ public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
        RealmModel targetRealm = authnFlowContext.getRealm();
        UserModel authenticatedUser = authnFlowContext.getUser();
        if (!isDisabledByBruteForce(authnFlowContext, authenticatedUser)) {
-            boolean isValid = this.userCredentialManager.isValid(targetRealm, authenticatedUser,
+            boolean isValid = authenticatedUser.getUserCredentialManager().isValid(
                    UserCredentialModel.buildFromBackupAuthnCode(recoveryAuthnCodeUserInput.replace("-", "")));
            if (!isValid) {
                Response responseChallenge = createLoginForm(authnFlowContext, true,
@ -70,14 +67,14 @@ public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
                authnFlowContext.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, responseChallenge);
            } else {
                result = true;
-                Optional<CredentialModel> optUserCredentialFound = this.userCredentialManager.getStoredCredentialsByTypeStream(targetRealm,
+                Optional<CredentialModel> optUserCredentialFound = authenticatedUser.getUserCredentialManager().getStoredCredentialsByTypeStream(
-                        authenticatedUser, RecoveryAuthnCodesCredentialModel.TYPE).findFirst();
+                        RecoveryAuthnCodesCredentialModel.TYPE).findFirst();
                RecoveryAuthnCodesCredentialModel recoveryCodeCredentialModel = null;
                if (optUserCredentialFound.isPresent()) {
                    recoveryCodeCredentialModel = RecoveryAuthnCodesCredentialModel
                            .createFromCredentialModel(optUserCredentialFound.get());
                    if (recoveryCodeCredentialModel.allCodesUsed()) {
-                        this.userCredentialManager.removeStoredCredential(targetRealm, authenticatedUser,
+                        authenticatedUser.getUserCredentialManager().removeStoredCredentialById(
                                recoveryCodeCredentialModel.getId());
                    }
                }
@ -137,7 +134,7 @@ public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.userCredentialManager().isConfiguredFor(realm, user, RecoveryAuthnCodesCredentialModel.TYPE);
+        return user.getUserCredentialManager().isConfiguredFor(RecoveryAuthnCodesCredentialModel.TYPE);
    }
    @Override
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/WebAuthnAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/WebAuthnAuthenticator.java
@ -215,7 +215,7 @@ public class WebAuthnAuthenticator implements Authenticator, CredentialValidator
        boolean result = false;
        try {
-            result = session.userCredentialManager().isValid(context.getRealm(), user, cred);
+            result = user.getUserCredentialManager().isValid(cred);
        } catch (WebAuthnException wae) {
            setErrorResponse(context, WEBAUTHN_ERROR_AUTH_VERIFICATION, wae.getMessage());
            return;
@ -243,7 +243,7 @@ public class WebAuthnAuthenticator implements Authenticator, CredentialValidator
    }
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.userCredentialManager().isConfiguredFor(realm, user, getCredentialType());
+        return user.getUserCredentialManager().isConfiguredFor(getCredentialType());
    }
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
--- a/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidatePassword.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidatePassword.java
@ -44,7 +44,7 @@ public class ValidatePassword extends AbstractDirectGrantAuthenticator {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String password = retrievePassword(context);
-        boolean valid = context.getSession().userCredentialManager().isValid(context.getRealm(), context.getUser(), UserCredentialModel.password(password));
+        boolean valid = context.getUser().getUserCredentialManager().isValid(UserCredentialModel.password(password));
        if (!valid) {
            context.getEvent().user(context.getUser());
            context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
--- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java
@ -40,7 +40,7 @@ public class ResetPassword extends AbstractSetRequiredActionAuthenticator {
    }
    protected boolean configuredFor(AuthenticationFlowContext context) {
-        return context.getSession().userCredentialManager().isConfiguredFor(context.getRealm(), context.getUser(), PasswordCredentialModel.TYPE);
+        return context.getUser().getUserCredentialManager().isConfiguredFor(PasswordCredentialModel.TYPE);
    }
    @Override
--- a/services/src/main/java/org/keycloak/authentication/forms/RegistrationPassword.java
+++ b/services/src/main/java/org/keycloak/authentication/forms/RegistrationPassword.java
@ -93,7 +93,7 @@ public class RegistrationPassword implements FormAction, FormActionFactory {
        String password = formData.getFirst(RegistrationPage.FIELD_PASSWORD);
        UserModel user = context.getUser();
        try {
-            context.getSession().userCredentialManager().updateCredential(context.getRealm(), user, UserCredentialModel.password(formData.getFirst("password"), false));
+            user.getUserCredentialManager().updateCredential(UserCredentialModel.password(formData.getFirst("password"), false));
        } catch (Exception me) {
            user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/ConsoleUpdatePassword.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/ConsoleUpdatePassword.java
@ -83,7 +83,7 @@ public class ConsoleUpdatePassword extends UpdatePassword implements RequiredAct
        }
        try {
-            context.getSession().userCredentialManager().updateCredential(context.getRealm(), context.getUser(), UserCredentialModel.password(passwordNew, false));
+            context.getUser().getUserCredentialManager().updateCredential(UserCredentialModel.password(passwordNew, false));
            context.success();
        } catch (ModelException me) {
            errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java
@ -139,7 +139,7 @@ public class UpdatePassword implements RequiredActionProvider, RequiredActionFac
        }
        try {
-            session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(passwordNew, false));
+            user.getUserCredentialManager().updateCredential(UserCredentialModel.password(passwordNew, false));
            context.success();
        } catch (ModelException me) {
            errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED);
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateTotp.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateTotp.java
@ -96,7 +96,7 @@ public class UpdateTotp implements RequiredActionProvider, RequiredActionFactory
        }
        OTPCredentialProvider otpCredentialProvider = (OTPCredentialProvider) context.getSession().getProvider(CredentialProvider.class, "keycloak-otp");
        final Stream<CredentialModel> otpCredentials  = (otpCredentialProvider.isConfiguredFor(context.getRealm(), context.getUser()))
-            ? context.getSession().userCredentialManager().getStoredCredentialsByTypeStream(context.getRealm(), context.getUser(), OTPCredentialModel.TYPE)
+            ? context.getUser().getUserCredentialManager().getStoredCredentialsByTypeStream(OTPCredentialModel.TYPE)
            : Stream.empty();
        if (otpCredentials.count() >= 1 && Validation.isBlank(userLabel)) {
            Response challenge = context.form()
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java
@ -132,7 +132,7 @@ public class WebAuthnRegister implements RequiredActionProvider, CredentialRegis
        String excludeCredentialIds = "";
        if (avoidSameAuthenticatorRegister) {
-            excludeCredentialIds = session.userCredentialManager().getStoredCredentialsByTypeStream(context.getRealm(), userModel, getCredentialType())
+            excludeCredentialIds = userModel.getUserCredentialManager().getStoredCredentialsByTypeStream(getCredentialType())
                    .map(credentialModel -> {
                        WebAuthnCredentialModel credModel = WebAuthnCredentialModel.createFromCredentialModel(credentialModel);
                        return Base64Url.encodeBase64ToBase64Url(credModel.getWebAuthnCredentialData().getCredentialId());
--- a/services/src/main/java/org/keycloak/credential/OTPCredentialProvider.java
+++ b/services/src/main/java/org/keycloak/credential/OTPCredentialProvider.java
@ -42,26 +42,6 @@ public class OTPCredentialProvider implements CredentialProvider<OTPCredentialMo
    protected KeycloakSession session;
    /*protected List<CredentialModel> getCachedCredentials(UserModel user, String type) {
        if (!(user instanceof CachedUserModel)) return null;
        CachedUserModel cached = (CachedUserModel)user;
        if (cached.isMarkedForEviction()) return null;
        List<CredentialModel> rtn = (List<CredentialModel>)cached.getCachedWith().get(getType());
        if (rtn == null) return Collections.EMPTY_LIST;
        return rtn;
    }*/
    private UserCredentialStore getCredentialStore() {
        return session.userCredentialManager();
    }
    /*@Override
    public void onCache(RealmModel realm, CachedUserModel user, UserModel delegate) {
        List<CredentialModel> creds = getCredentialStore().getStoredCredentialsByType(realm, user, getType());
        user.getCachedWith().put(getType(), creds);
    }*/
    public OTPCredentialProvider(KeycloakSession session) {
        this.session = session;
    }
@ -71,12 +51,12 @@ public class OTPCredentialProvider implements CredentialProvider<OTPCredentialMo
        if (credentialModel.getCreatedDate() == null) {
            credentialModel.setCreatedDate(Time.currentTimeMillis());
        }
-        return getCredentialStore().createCredential(realm, user, credentialModel);
+        return user.getUserCredentialManager().createStoredCredential(credentialModel);
    }
    @Override
    public boolean deleteCredential(RealmModel realm, UserModel user, String credentialId) {
-        return getCredentialStore().removeStoredCredential(realm, user, credentialId);
+        return user.getUserCredentialManager().removeStoredCredentialById(credentialId);
    }
    @Override
@ -92,7 +72,7 @@ public class OTPCredentialProvider implements CredentialProvider<OTPCredentialMo
    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        if (!supportsCredentialType(credentialType)) return false;
-        return getCredentialStore().getStoredCredentialsByTypeStream(realm, user, credentialType).count() > 0;
+        return user.getUserCredentialManager().getStoredCredentialsByTypeStream(credentialType).findAny().isPresent();
    }
    public boolean isConfiguredFor(RealmModel realm, UserModel user){
@ -115,7 +95,7 @@ public class OTPCredentialProvider implements CredentialProvider<OTPCredentialMo
            return false;
        }
-        CredentialModel credential = getCredentialStore().getStoredCredentialById(realm, user, credentialInput.getCredentialId());
+        CredentialModel credential = user.getUserCredentialManager().getStoredCredentialById(credentialInput.getCredentialId());
        OTPCredentialModel otpCredentialModel = OTPCredentialModel.createFromCredentialModel(credential);
        OTPSecretData secretData = otpCredentialModel.getOTPSecretData();
        OTPCredentialData credentialData = otpCredentialModel.getOTPCredentialData();
@ -127,7 +107,7 @@ public class OTPCredentialProvider implements CredentialProvider<OTPCredentialMo
                return false;
            }
            otpCredentialModel.updateCounter(counter);
-            getCredentialStore().updateCredential(realm, user, otpCredentialModel);
+            user.getUserCredentialManager().updateStoredCredential(otpCredentialModel);
            return true;
        } else if (OTPCredentialModel.TOTP.equals(credentialData.getSubType())) {
            TimeBasedOTP validator = new TimeBasedOTP(credentialData.getAlgorithm(), credentialData.getDigits(), credentialData.getPeriod(), policy.getLookAheadWindow());
--- a/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java
+++ b/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java
@ -48,12 +48,8 @@ public class PasswordCredentialProvider implements CredentialProvider<PasswordCr
        this.session = session;
    }
    protected UserCredentialStore getCredentialStore() {
        return session.userCredentialManager();
    }
    public PasswordCredentialModel getPassword(RealmModel realm, UserModel user) {
-        List<CredentialModel> passwords = getCredentialStore().getStoredCredentialsByTypeStream(realm, user, getType()).collect(Collectors.toList());
+        List<CredentialModel> passwords = user.getUserCredentialManager().getStoredCredentialsByTypeStream(getType()).collect(Collectors.toList());
        if (passwords.isEmpty()) return null;
        return PasswordCredentialModel.createFromCredentialModel(passwords.get(0));
    }
@ -87,34 +83,34 @@ public class PasswordCredentialProvider implements CredentialProvider<PasswordCr
            credentialModel.setCreatedDate(Time.currentTimeMillis());
        }
        if (oldPassword == null) { // no password exists --> create new
-            createdCredential = getCredentialStore().createCredential(realm, user, credentialModel);
+            createdCredential = user.getUserCredentialManager().createStoredCredential(credentialModel);
        } else { // password exists --> update existing
            credentialModel.setId(oldPassword.getId());
-            getCredentialStore().updateCredential(realm, user, credentialModel);
+            user.getUserCredentialManager().updateStoredCredential(credentialModel);
            createdCredential = credentialModel;
            // 2) add a password history item based on the old password
            if (expiredPasswordsPolicyValue > 1) {
                oldPassword.setId(null);
                oldPassword.setType(PasswordCredentialModel.PASSWORD_HISTORY);
-                getCredentialStore().createCredential(realm, user, oldPassword);
+                user.getUserCredentialManager().createStoredCredential(oldPassword);
            }
        }
        // 3) remove old password history items
        final int passwordHistoryListMaxSize = Math.max(0, expiredPasswordsPolicyValue - 1);
-        getCredentialStore().getStoredCredentialsByTypeStream(realm, user, PasswordCredentialModel.PASSWORD_HISTORY)
+        user.getUserCredentialManager().getStoredCredentialsByTypeStream(PasswordCredentialModel.PASSWORD_HISTORY)
                .sorted(CredentialModel.comparingByStartDateDesc())
                .skip(passwordHistoryListMaxSize)
                .collect(Collectors.toList())
-                .forEach(p -> getCredentialStore().removeStoredCredential(realm, user, p.getId()));
+                .forEach(p -> user.getUserCredentialManager().removeStoredCredentialById(p.getId()));
        return createdCredential;
    }
    @Override
    public boolean deleteCredential(RealmModel realm, UserModel user, String credentialId) {
-        return getCredentialStore().removeStoredCredential(realm, user, credentialId);
+        return user.getUserCredentialManager().removeStoredCredentialById(credentialId);
    }
    @Override
@ -198,7 +194,7 @@ public class PasswordCredentialProvider implements CredentialProvider<PasswordCr
        newPassword.setId(password.getId());
        newPassword.setCreatedDate(password.getCreatedDate());
        newPassword.setUserLabel(password.getUserLabel());
-        getCredentialStore().updateCredential(realm, user, newPassword);
+        user.getUserCredentialManager().updateStoredCredential(newPassword);
        return true;
    }
@ -219,7 +215,7 @@ public class PasswordCredentialProvider implements CredentialProvider<PasswordCr
        // Check if we are creating or updating password
        UserModel user = metadataContext.getUser();
-        if (user != null && session.userCredentialManager().isConfiguredFor(session.getContext().getRealm(), user, getType())) {
+        if (user != null && user.getUserCredentialManager().isConfiguredFor(getType())) {
            metadataBuilder.updateAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
        } else {
            metadataBuilder.createAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
--- a/services/src/main/java/org/keycloak/credential/RecoveryAuthnCodesCredentialProvider.java
+++ b/services/src/main/java/org/keycloak/credential/RecoveryAuthnCodesCredentialProvider.java
@ -39,15 +39,15 @@ public class RecoveryAuthnCodesCredentialProvider
    public CredentialModel createCredential(RealmModel realm, UserModel user,
            RecoveryAuthnCodesCredentialModel credentialModel) {
-        session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, getType()).findFirst()
+        user.getUserCredentialManager().getStoredCredentialsByTypeStream(getType()).findFirst()
                .ifPresent(model -> deleteCredential(realm, user, model.getId()));
-        return session.userCredentialManager().createCredential(realm, user, credentialModel);
+        return user.getUserCredentialManager().createStoredCredential(credentialModel);
    }
    @Override
    public boolean deleteCredential(RealmModel realm, UserModel user, String credentialId) {
-        return session.userCredentialManager().removeStoredCredential(realm, user, credentialId);
+        return user.getUserCredentialManager().removeStoredCredentialById(credentialId);
    }
    @Override
@ -95,14 +95,13 @@ public class RecoveryAuthnCodesCredentialProvider
    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
-        return session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, credentialType).anyMatch(Objects::nonNull);
+        return user.getUserCredentialManager().getStoredCredentialsByTypeStream(credentialType).anyMatch(Objects::nonNull);
    }
    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput credentialInput) {
        String rawInputRecoveryAuthnCode = credentialInput.getChallengeResponse();
-        Optional<CredentialModel> credential = session.userCredentialManager()
+        Optional<CredentialModel> credential = user.getUserCredentialManager().getStoredCredentialsByTypeStream(getType()).findFirst();
                .getStoredCredentialsByTypeStream(realm, user, getType()).findFirst();
        if (credential.isPresent()) {
            RecoveryAuthnCodesCredentialModel credentialModel = RecoveryAuthnCodesCredentialModel
                    .createFromCredentialModel(credential.get());
@ -112,7 +111,7 @@ public class RecoveryAuthnCodesCredentialProvider
                    String nextRecoveryCode = nextRecoveryAuthnCode.get().getEncodedHashedValue();
                    if (RecoveryAuthnCodesUtils.verifyRecoveryCodeInput(rawInputRecoveryAuthnCode, nextRecoveryCode)) {
                        credentialModel.removeRecoveryAuthnCode();
-                        session.userCredentialManager().updateCredential(realm, user, credentialModel);
+                        user.getUserCredentialManager().updateStoredCredential(credentialModel);
                        return true;
                    }
--- a/services/src/main/java/org/keycloak/credential/UserCredentialStoreManager.java
+++ b/services/src/main/java/org/keycloak/credential/UserCredentialStoreManager.java
@ -24,12 +24,9 @@ import org.keycloak.models.UserCredentialManager;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.cache.CachedUserModel;
 import org.keycloak.models.cache.OnUserCache;
 import org.keycloak.storage.DatastoreProvider;
 import org.keycloak.storage.StorageId;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
 import java.util.stream.Stream;
 /**
@ -48,77 +45,90 @@ public class UserCredentialStoreManager
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public void updateCredential(RealmModel realm, UserModel user, CredentialModel cred) {
        // TODO: no longer used in non-legacy code, can be removed
        user.getUserCredentialManager().updateStoredCredential(cred);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel cred) {
        // TODO: no longer used in non-legacy code, can be removed
        return user.getUserCredentialManager().createStoredCredential(cred);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public boolean removeStoredCredential(RealmModel realm, UserModel user, String id) {
        // TODO: no longer used in non-legacy code, can be removed
        return user.getUserCredentialManager().removeStoredCredentialById(id);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public CredentialModel getStoredCredentialById(RealmModel realm, UserModel user, String id) {
        // TODO: no longer used in non-legacy code, can be removed
        return user.getUserCredentialManager().getStoredCredentialById(id);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public Stream<CredentialModel> getStoredCredentialsStream(RealmModel realm, UserModel user) {
        // TODO: no longer used in non-legacy code, can be removed
        return user.getUserCredentialManager().getStoredCredentialsStream();
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public Stream<CredentialModel> getStoredCredentialsByTypeStream(RealmModel realm, UserModel user, String type) {
        // TODO: no longer used in non-legacy code, can be removed
        return user.getUserCredentialManager().getStoredCredentialsByTypeStream(type);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public CredentialModel getStoredCredentialByNameAndType(RealmModel realm, UserModel user, String name, String type) {
        // TODO: no longer used in non-legacy code, can be removed
        return user.getUserCredentialManager().getStoredCredentialByNameAndType(name, type);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public boolean moveCredentialTo(RealmModel realm, UserModel user, String id, String newPreviousCredentialId){
        // TODO: no longer used, can be removed
        return user.getUserCredentialManager().moveStoredCredentialTo(id, newPreviousCredentialId);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput... inputs) {
        // TODO: no longer used, can be removed
        return isValid(realm, user, Arrays.asList(inputs));
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public CredentialModel createCredentialThroughProvider(RealmModel realm, UserModel user, CredentialModel model){
        // TODO: no longer used, can be removed
        return user.getUserCredentialManager().createCredentialThroughProvider(model);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public void updateCredentialLabel(RealmModel realm, UserModel user, String credentialId, String userLabel){
        // TODO: no longer used, can be removed
        user.getUserCredentialManager().updateCredentialLabel(credentialId, userLabel);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public boolean isValid(RealmModel realm, UserModel user, List<CredentialInput> inputs) {
        // TODO: no longer used, can be removed
        return user.getUserCredentialManager().isValid(inputs);
    }
    @Deprecated // Keep this up to and including Keycloak 19, then inline
    public static <T> Stream<T> getCredentialProviders(KeycloakSession session, Class<T> type) {
        // TODO: no longer used, can be removed
        return session.getKeycloakSessionFactory().getProviderFactoriesStream(CredentialProvider.class)
                .filter(f -> Types.supports(type, f, CredentialProviderFactory.class))
                .map(f -> (T) session.getProvider(CredentialProvider.class, f.getId()));
@ -127,24 +137,28 @@ public class UserCredentialStoreManager
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
        // TODO: no longer used, can be removed
        return user.getUserCredentialManager().updateCredential(input);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
        // TODO: no longer used, can be removed
        user.getUserCredentialManager().disableCredentialType(credentialType);
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public Stream<String> getDisableableCredentialTypesStream(RealmModel realm, UserModel user) {
        // TODO: no longer used, can be removed
        return user.getUserCredentialManager().getDisableableCredentialTypesStream();
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
        // TODO: no longer used, can be removed
        return user.getUserCredentialManager().isConfiguredFor(type);
    }
@ -165,13 +179,15 @@ public class UserCredentialStoreManager
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, then remove it together with the OnUserCache class
    public void onCache(RealmModel realm, CachedUserModel user, UserModel delegate) {
        // TODO: only called from legacy code (infinispan), can be removed
        getCredentialProviders(session, OnUserCache.class).forEach(validator -> validator.onCache(realm, user, delegate));
    }
    @Override
    @Deprecated // Keep this up to and including Keycloak 19, the use methods on user.getUserCredentialManager() instead
    public Stream<String> getConfiguredUserStorageCredentialTypesStream(RealmModel realm, UserModel user) {
-        return user.getUserCredentialManager().getConfiguredUserStorageCredentialTypesStream(user);
+        // TODO: no longer used, can be removed
        return user.getUserCredentialManager().getConfiguredUserStorageCredentialTypesStream();
    }
    @Override
--- a/services/src/main/java/org/keycloak/credential/WebAuthnCredentialProvider.java
+++ b/services/src/main/java/org/keycloak/credential/WebAuthnCredentialProvider.java
@ -65,23 +65,19 @@ public class WebAuthnCredentialProvider implements CredentialProvider<WebAuthnCr
            attestationStatementConverter = new AttestationStatementConverter(objectConverter);
    }
    private UserCredentialStore getCredentialStore() {
        return session.userCredentialManager();
    }
    @Override
    public CredentialModel createCredential(RealmModel realm, UserModel user, WebAuthnCredentialModel credentialModel) {
        if (credentialModel.getCreatedDate() == null) {
            credentialModel.setCreatedDate(Time.currentTimeMillis());
        }
-        return getCredentialStore().createCredential(realm, user, credentialModel);
+        return user.getUserCredentialManager().createStoredCredential(credentialModel);
    }
    @Override
    public boolean deleteCredential(RealmModel realm, UserModel user, String credentialId) {
        logger.debugv("Delete WebAuthn credential. username = {0}, credentialId = {1}", user.getUsername(), credentialId);
-        return getCredentialStore().removeStoredCredential(realm, user, credentialId);
+        return user.getUserCredentialManager().removeStoredCredentialById(credentialId);
    }
    @Override
@ -174,7 +170,7 @@ public class WebAuthnCredentialProvider implements CredentialProvider<WebAuthnCr
    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        if (!supportsCredentialType(credentialType)) return false;
-        return session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, credentialType).count() > 0;
+        return user.getUserCredentialManager().getStoredCredentialsByTypeStream(credentialType).count() > 0;
    }
@ -212,7 +208,7 @@ public class WebAuthnCredentialProvider implements CredentialProvider<WebAuthnCr
                    logger.debugv("response.getAuthenticatorData().getFlags() = {0}", authenticationData.getAuthenticatorData().getFlags());
-                    CredentialModel credModel = getCredentialStore().getStoredCredentialById(realm, user, auth.getCredentialDBId());
+                    CredentialModel credModel = user.getUserCredentialManager().getStoredCredentialById(auth.getCredentialDBId());
                    WebAuthnCredentialModel webAuthnCredModel = getCredentialFromModel(credModel);
                    // update authenticator counter
@ -221,7 +217,7 @@ public class WebAuthnCredentialProvider implements CredentialProvider<WebAuthnCr
                    long count = auth.getCount();
                    if (count > 0) {
                        webAuthnCredModel.updateCounter(count + 1);
-                        getCredentialStore().updateCredential(realm, user, webAuthnCredModel);
+                        user.getUserCredentialManager().updateStoredCredential(webAuthnCredModel);
                    }
                    logger.debugf("Successfully validated WebAuthn credential for user %s", user.getUsername());
@ -246,7 +242,7 @@ public class WebAuthnCredentialProvider implements CredentialProvider<WebAuthnCr
    private List<WebAuthnCredentialModelInput> getWebAuthnCredentialModelList(RealmModel realm, UserModel user) {
-        return session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, getType())
+        return user.getUserCredentialManager().getStoredCredentialsByTypeStream(getType())
                .map(this::getCredentialInputFromCredentialModel)
                .collect(Collectors.toList());
    }
--- a/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
+++ b/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
@ -498,7 +498,7 @@ public class ExportUtils {
        // Credentials - extra security, do not export credentials if service accounts
        if (internal) {
-            List<CredentialRepresentation> credReps = session.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialRepresentation> credReps = user.getUserCredentialManager().getStoredCredentialsStream()
                    .map(ExportUtils::exportCredential).collect(Collectors.toList());
            userRep.setCredentials(credReps);
        }
--- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/TotpBean.java
+++ b/services/src/main/java/org/keycloak/forms/account/freemarker/model/TotpBean.java
@ -51,10 +51,9 @@ public class TotpBean {
    public TotpBean(KeycloakSession session, RealmModel realm, UserModel user, UriBuilder uriBuilder) {
        this.uriBuilder = uriBuilder;
-        this.enabled = session.userCredentialManager().isConfiguredFor(realm, user, OTPCredentialModel.TYPE);
+        this.enabled = user.getUserCredentialManager().isConfiguredFor(OTPCredentialModel.TYPE);
        if (enabled) {
-            List<CredentialModel> otpCredentials = session.userCredentialManager()
+            List<CredentialModel> otpCredentials = user.getUserCredentialManager().getStoredCredentialsByTypeStream(OTPCredentialModel.TYPE).collect(Collectors.toList());
                    .getStoredCredentialsByTypeStream(realm, user, OTPCredentialModel.TYPE).collect(Collectors.toList());
            if (otpCredentials.isEmpty()) {
                // Credential is configured on userStorage side. Create the "fake" credential similar like we do for the new account console
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/RecoveryAuthnCodeInputLoginBean.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/RecoveryAuthnCodeInputLoginBean.java
@ -11,10 +11,7 @@ public class RecoveryAuthnCodeInputLoginBean {
    private final int codeNumber;
    public RecoveryAuthnCodeInputLoginBean(KeycloakSession session, RealmModel realm, UserModel user) {
-        CredentialModel credentialModel = session.userCredentialManager()
+        CredentialModel credentialModel = user.getUserCredentialManager().getStoredCredentialsByTypeStream(RecoveryAuthnCodesCredentialModel.TYPE)
                                                 .getStoredCredentialsByTypeStream(realm,
                                                                                   user,
                                                                                   RecoveryAuthnCodesCredentialModel.TYPE)
                                                 .findFirst().get();
        RecoveryAuthnCodesCredentialModel recoveryCodeCredentialModel = RecoveryAuthnCodesCredentialModel.createFromCredentialModel(credentialModel);
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/TotpBean.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/TotpBean.java
@ -48,9 +48,9 @@ public class TotpBean {
    public TotpBean(KeycloakSession session, RealmModel realm, UserModel user, UriBuilder uriBuilder) {
        this.realm = realm;
        this.uriBuilder = uriBuilder;
-        this.enabled = session.userCredentialManager().isConfiguredFor(realm, user, OTPCredentialModel.TYPE);
+        this.enabled = user.getUserCredentialManager().isConfiguredFor(OTPCredentialModel.TYPE);
        if (enabled) {
-            otpCredentials = session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, OTPCredentialModel.TYPE)
+            otpCredentials = user.getUserCredentialManager().getStoredCredentialsByTypeStream(OTPCredentialModel.TYPE)
                    .collect(Collectors.toList());
        } else {
            otpCredentials = Collections.EMPTY_LIST;
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/TotpLoginBean.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/TotpLoginBean.java
@ -43,7 +43,7 @@ public class TotpLoginBean {
    public TotpLoginBean(KeycloakSession session, RealmModel realm, UserModel user, String selectedCredentialId) {
-        this.userOtpCredentials = session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, OTPCredentialModel.TYPE)
+        this.userOtpCredentials = user.getUserCredentialManager().getStoredCredentialsByTypeStream(OTPCredentialModel.TYPE)
                .map(OTPCredential::new)
                .collect(Collectors.toList());
--- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/WebAuthnAuthenticatorsBean.java
+++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/WebAuthnAuthenticatorsBean.java
@ -38,7 +38,7 @@ public class WebAuthnAuthenticatorsBean {
    public WebAuthnAuthenticatorsBean(KeycloakSession session, RealmModel realm, UserModel user, String credentialType) {
        // should consider multiple credentials in the future, but only single credential supported now.
-        this.authenticators = session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, credentialType)
+        this.authenticators = user.getUserCredentialManager().getStoredCredentialsByTypeStream(credentialType)
                .map(WebAuthnCredentialModel::createFromCredentialModel)
                .map(webAuthnCredential -> {
                    String credentialId = Base64Url.encodeBase64ToBase64Url(webAuthnCredential.getWebAuthnCredentialData().getCredentialId());
--- a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java
+++ b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java
@ -42,7 +42,7 @@ public class HttpBasicAuthenticator implements Authenticator {
            if (user != null) {
                final String password = usernameAndPassword[1];
-                final boolean valid = context.getSession().userCredentialManager().isValid(realm, user, UserCredentialModel.password(password));
+                final boolean valid = user.getUserCredentialManager().isValid(UserCredentialModel.password(password));
                if (valid) {
                    if (isTemporarilyDisabledByBruteForce(context, user)) {
--- a/services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java
+++ b/services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java
@ -104,7 +104,7 @@ public class ApplianceBootstrap {
        adminUser.setEnabled(true);
        UserCredentialModel usrCredModel = UserCredentialModel.password(password);
-        session.userCredentialManager().updateCredential(realm, adminUser, usrCredModel);
+        adminUser.getUserCredentialManager().updateCredential(usrCredModel);
        RoleModel adminRole = realm.getRole(AdminRoles.ADMIN);
        adminUser.grantRole(adminRole);
--- a/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java
@ -140,7 +140,7 @@ public class AccountConsole {
            boolean isTotpConfigured = false;
            boolean deleteAccountAllowed = false;
            if (user != null) {
-                isTotpConfigured = session.userCredentialManager().isConfiguredFor(realm, user, realm.getOTPPolicy().getType());
+                isTotpConfigured = user.getUserCredentialManager().isConfiguredFor(realm.getOTPPolicy().getType());
                RoleModel deleteAccountRole = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(AccountRoles.DELETE_ACCOUNT);
                deleteAccountAllowed = deleteAccountRole != null && user.hasRole(deleteAccountRole) && realm.getRequiredActionProviderByAlias(DeleteAccount.PROVIDER_ID).isEnabled();
            }
--- a/services/src/main/java/org/keycloak/services/resources/account/AccountCredentialResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/AccountCredentialResource.java
@ -5,12 +5,13 @@ import org.jboss.logging.Logger;
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.keycloak.authentication.Authenticator;
 import org.keycloak.authentication.AuthenticatorFactory;
 import org.keycloak.common.util.reflections.Types;
 import org.keycloak.credential.CredentialMetadata;
 import org.keycloak.credential.CredentialModel;
 import org.keycloak.credential.CredentialProvider;
 import org.keycloak.credential.CredentialProviderFactory;
 import org.keycloak.credential.CredentialTypeMetadata;
 import org.keycloak.credential.CredentialTypeMetadataContext;
 import org.keycloak.credential.UserCredentialStoreManager;
 import org.keycloak.models.AccountRoles;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.AuthenticationFlowModel;
@ -168,11 +169,13 @@ public class AccountCredentialResource {
        boolean includeUserCredentials = userCredentials == null || userCredentials;
-        List<CredentialProvider> credentialProviders = UserCredentialStoreManager.getCredentialProviders(session, CredentialProvider.class)
+        List<CredentialProvider> credentialProviders = session.getKeycloakSessionFactory().getProviderFactoriesStream(CredentialProvider.class)
                .filter(f -> Types.supports(CredentialProvider.class, f, CredentialProviderFactory.class))
                .map(f -> session.getProvider(CredentialProvider.class, f.getId()))
                .collect(Collectors.toList());
        Set<String> enabledCredentialTypes = getEnabledCredentialTypes(credentialProviders);
-        Stream<CredentialModel> modelsStream = includeUserCredentials ? session.userCredentialManager().getStoredCredentialsStream(realm, user) : Stream.empty();
+        Stream<CredentialModel> modelsStream = includeUserCredentials ? user.getUserCredentialManager().getStoredCredentialsStream() : Stream.empty();
        List<CredentialModel> models = modelsStream.collect(Collectors.toList());
        Function<CredentialProvider, CredentialContainer> toCredentialContainer = (credentialProvider) -> {
@ -201,7 +204,7 @@ public class AccountCredentialResource {
                userCredentialMetadataModels = credentialMetadataList.stream().map(ModelToRepresentation::toRepresentation).collect(Collectors.toList());
                if (userCredentialMetadataModels.isEmpty() &&
-                        session.userCredentialManager().isConfiguredFor(realm, user, credentialProvider.getType())) {
+                        user.getUserCredentialManager().isConfiguredFor(credentialProvider.getType())) {
                    // In case user is federated in the userStorage, he may have credential configured on the userStorage side. We're
                    // creating "dummy" credential representing the credential provided by userStorage
                    CredentialMetadataRepresentation metadataRepresentation = new CredentialMetadataRepresentation();
@ -276,11 +279,11 @@ public class AccountCredentialResource {
    @NoCache
    public void removeCredential(final @PathParam("credentialId") String credentialId) {
        auth.require(AccountRoles.MANAGE_ACCOUNT);
-        CredentialModel credential = session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
+        CredentialModel credential = user.getUserCredentialManager().getStoredCredentialById(credentialId);
        if (credential == null) {
            throw new NotFoundException("Credential not found");
        }
-        session.userCredentialManager().removeStoredCredential(realm, user, credentialId);
+        user.getUserCredentialManager().removeStoredCredentialById(credentialId);
    }
@ -296,14 +299,14 @@ public class AccountCredentialResource {
    @NoCache
    public void setLabel(final @PathParam("credentialId") String credentialId, String userLabel) {
        auth.require(AccountRoles.MANAGE_ACCOUNT);
-        CredentialModel credential = session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
+        CredentialModel credential = user.getUserCredentialManager().getStoredCredentialById(credentialId);
        if (credential == null) {
            throw new NotFoundException("Credential not found");
        }
        try {
            String label = JsonSerialization.readValue(userLabel, String.class);
-            session.userCredentialManager().updateCredentialLabel(realm, user, credentialId, label);
+            user.getUserCredentialManager().updateCredentialLabel(credentialId, label);
        } catch (IOException ioe) {
            throw new ErrorResponseException(ErrorResponse.error(Messages.INVALID_REQUEST, Response.Status.BAD_REQUEST));
        }
--- a/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java
@ -600,7 +600,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
            }
            UserCredentialModel cred = UserCredentialModel.password(password);
-            if (!session.userCredentialManager().isValid(realm, user, cred)) {
+            if (!user.getUserCredentialManager().isValid(cred)) {
                setReferrerOnPage();
                errorEvent.error(Errors.INVALID_USER_CREDENTIALS);
                return account.setError(Status.OK, Messages.INVALID_PASSWORD_EXISTING).createResponse(AccountPages.PASSWORD);
@ -620,7 +620,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
        }
        try {
-            session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(passwordNew, false));
+            user.getUserCredentialManager().updateCredential(UserCredentialModel.password(passwordNew, false));
        } catch (ReadOnlyException mre) {
            setReferrerOnPage();
            errorEvent.error(Errors.NOT_ALLOWED);
@ -1028,7 +1028,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
    }
    public static boolean isPasswordSet(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.userCredentialManager().isConfiguredFor(realm, user, PasswordCredentialModel.TYPE);
+        return user.getUserCredentialManager().isConfiguredFor(PasswordCredentialModel.TYPE);
    }
    private String[] getReferrer() {
--- a/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java
@ -245,7 +245,7 @@ public class LinkedAccountsResource {
    }
    private boolean isPasswordSet() {
-        return session.userCredentialManager().isConfiguredFor(realm, user, PasswordCredentialModel.TYPE);
+        return user.getUserCredentialManager().isConfiguredFor(PasswordCredentialModel.TYPE);
    }
    private boolean isValidProvider(String providerId) {
--- a/services/src/main/java/org/keycloak/services/resources/account/PasswordUtil.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/PasswordUtil.java
@ -7,16 +7,27 @@ import org.keycloak.models.credential.PasswordCredentialModel;
 public class PasswordUtil {
-    private KeycloakSession session;
+    private final UserModel user;
    private UserModel user;
    @Deprecated
    public PasswordUtil(KeycloakSession session, UserModel user) {
        this.session = session;
        this.user = user;
    }
    public PasswordUtil(UserModel user) {
        this.user = user;
    }
    /**
     * @deprecated Instead, use {@link #isConfigured()}
     */
    @Deprecated
    public boolean isConfigured(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.userCredentialManager().isConfiguredFor(realm, user, PasswordCredentialModel.TYPE);
+        return user.getUserCredentialManager().isConfiguredFor(PasswordCredentialModel.TYPE);
    }
    public boolean isConfigured() {
        return user.getUserCredentialManager().isConfiguredFor(PasswordCredentialModel.TYPE);
    }
    public void update() {
--- a/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
@ -587,7 +587,7 @@ public class UserResource {
        auth.users().requireManage(user);
        if (credentialTypes == null) return;
        for (String type : credentialTypes) {
-            session.userCredentialManager().disableCredentialType(realm, user, type);
+            user.getUserCredentialManager().disableCredentialType(type);
        }
    }
@ -610,7 +610,7 @@ public class UserResource {
        }
        try {
-            session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(cred.getValue(), false));
+            user.getUserCredentialManager().updateCredential(UserCredentialModel.password(cred.getValue(), false));
        } catch (IllegalStateException ise) {
            throw new BadRequestException("Resetting to N old passwords is not allowed.");
        } catch (ReadOnlyException mre) {
@ -638,7 +638,7 @@ public class UserResource {
    @Produces(MediaType.APPLICATION_JSON)
    public Stream<CredentialRepresentation> credentials(){
        auth.users().requireManage(user);
-        return session.userCredentialManager().getStoredCredentialsStream(realm, user)
+        return user.getUserCredentialManager().getStoredCredentialsStream()
                .map(ModelToRepresentation::toRepresentation)
                .peek(credentialRepresentation -> credentialRepresentation.setSecretData(null));
    }
@ -658,7 +658,7 @@ public class UserResource {
        // This has "requireManage" due the compatibility with "credentials()" endpoint. Strictly said, it is reading endpoint, not writing,
        // so may be revisited if to rather use "requireView" here in the future.
        auth.users().requireManage(user);
-        return session.userCredentialManager().getConfiguredUserStorageCredentialTypesStream(realm, user);
+        return user.getUserCredentialManager().getConfiguredUserStorageCredentialTypesStream();
    }
@ -671,13 +671,13 @@ public class UserResource {
    @NoCache
    public void removeCredential(final @PathParam("credentialId") String credentialId) {
        auth.users().requireManage(user);
-        CredentialModel credential = session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
+        CredentialModel credential = user.getUserCredentialManager().getStoredCredentialById(credentialId);
        if (credential == null) {
            // we do this to make sure somebody can't phish ids
            if (auth.users().canQuery()) throw new NotFoundException("Credential not found");
            else throw new ForbiddenException();
        }
-        session.userCredentialManager().removeStoredCredential(realm, user, credentialId);
+        user.getUserCredentialManager().removeStoredCredentialById(credentialId);
        adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).success();
    }
@ -689,13 +689,13 @@ public class UserResource {
    @Path("credentials/{credentialId}/userLabel")
    public void setCredentialUserLabel(final @PathParam("credentialId") String credentialId, String userLabel) {
        auth.users().requireManage(user);
-        CredentialModel credential = session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
+        CredentialModel credential = user.getUserCredentialManager().getStoredCredentialById(credentialId);
        if (credential == null) {
            // we do this to make sure somebody can't phish ids
            if (auth.users().canQuery()) throw new NotFoundException("Credential not found");
            else throw new ForbiddenException();
        }
-        session.userCredentialManager().updateCredentialLabel(realm, user, credentialId, userLabel);
+        user.getUserCredentialManager().updateCredentialLabel(credentialId, userLabel);
    }
    /**
@ -717,13 +717,13 @@ public class UserResource {
    @POST
    public void moveCredentialAfter(final @PathParam("credentialId") String credentialId, final @PathParam("newPreviousCredentialId") String newPreviousCredentialId){
        auth.users().requireManage(user);
-        CredentialModel credential = session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
+        CredentialModel credential = user.getUserCredentialManager().getStoredCredentialById(credentialId);
        if (credential == null) {
            // we do this to make sure somebody can't phish ids
            if (auth.users().canQuery()) throw new NotFoundException("Credential not found");
            else throw new ForbiddenException();
        }
-        session.userCredentialManager().moveCredentialTo(realm, user, credentialId, newPreviousCredentialId);
+        user.getUserCredentialManager().moveStoredCredentialTo(credentialId, newPreviousCredentialId);
    }
    /**
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java
@ -631,7 +631,7 @@ public class TestingResourceProvider implements RealmResourceProvider {
        if (realm == null) return false;
        UserProvider userProvider = session.getProvider(UserProvider.class);
        UserModel user = userProvider.getUserByUsername(realm, userName);
-        return session.userCredentialManager().isValid(realm, user, UserCredentialModel.password(password));
+        return user.getUserCredentialManager().isValid(UserCredentialModel.password(password));
    }
    @GET
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/runonserver/RunHelpers.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/runonserver/RunHelpers.java
@ -56,8 +56,7 @@ public class RunHelpers {
                return (FetchOnServer) session -> {
                    RealmModel realm = session.getContext().getRealm();
                    UserModel user = session.users().getUserByUsername(realm, username);
-                    List<CredentialModel> storedCredentialsByType = session.userCredentialManager()
+                    List<CredentialModel> storedCredentialsByType = user.getUserCredentialManager().getStoredCredentialsByTypeStream(CredentialRepresentation.PASSWORD)
                            .getStoredCredentialsByTypeStream(realm, user, CredentialRepresentation.PASSWORD)
                            .collect(Collectors.toList());
                    System.out.println(storedCredentialsByType.size());
                    return storedCredentialsByType.get(0);
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/util/LDAPTestUtils.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/util/LDAPTestUtils.java
@ -70,7 +70,7 @@ public class LDAPTestUtils {
        UserCredentialModel creds = UserCredentialModel.password(password);
-        session.userCredentialManager().updateCredential(realm, user, creds);
+        user.getUserCredentialManager().updateCredential(creds);
        return user;
    }
@ -83,7 +83,7 @@ public class LDAPTestUtils {
        if (password == null) {
            return;
        }
-        session.userCredentialManager().updateCredential(appRealm, user, (UserCredentialModel) UserCredentialModel.password(username));
+        user.getUserCredentialManager().updateCredential((UserCredentialModel) UserCredentialModel.password(username));
    }
    public static LDAPObject addLDAPUser(LDAPStorageProvider ldapProvider, RealmModel realm, final String username,
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java
@ -487,8 +487,7 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest {
            RealmModel realm = session.getContext().getRealm();
            UserModel user = session.users().getUserById(realm, uId);
            assertThat(user, Matchers.notNullValue());
-            List<CredentialModel> storedCredentials = session.userCredentialManager()
+            List<CredentialModel> storedCredentials = user.getUserCredentialManager().getStoredCredentialsStream().collect(Collectors.toList());
                    .getStoredCredentialsStream(realm, user).collect(Collectors.toList());
            assertThat(storedCredentials, Matchers.hasSize(expectedNumberOfStoredCredentials));
        });
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@ -115,11 +115,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        UserModel admin = session.users().addUser(realm, "salesManager");
        admin.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
+        admin.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        admin = session.users().addUser(realm, "sales-admin");
        admin.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
+        admin.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        UserModel user = session.users().addUser(realm, "salesman");
        user.setEnabled(true);
@ -217,32 +217,32 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        UserModel nomapAdmin = session.users().addUser(realm, "nomap-admin");
        nomapAdmin.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, nomapAdmin, UserCredentialModel.password("password"));
+        nomapAdmin.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        nomapAdmin.grantRole(adminRole);
        UserModel anotherAdmin = session.users().addUser(realm, "anotherAdmin");
        anotherAdmin.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, anotherAdmin, UserCredentialModel.password("password"));
+        anotherAdmin.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        anotherAdmin.grantRole(adminRole);
        UserModel authorizedUser = session.users().addUser(realm, "authorized");
        authorizedUser.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, authorizedUser, UserCredentialModel.password("password"));
+        authorizedUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        authorizedUser.grantRole(mapperRole);
        authorizedUser.grantRole(managerRole);
        UserModel authorizedComposite = session.users().addUser(realm, "authorizedComposite");
        authorizedComposite.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, authorizedComposite, UserCredentialModel.password("password"));
+        authorizedComposite.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        authorizedComposite.grantRole(compositeRole);
        UserModel unauthorizedUser = session.users().addUser(realm, "unauthorized");
        unauthorizedUser.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, unauthorizedUser, UserCredentialModel.password("password"));
+        unauthorizedUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        UserModel unauthorizedMapper = session.users().addUser(realm, "unauthorizedMapper");
        unauthorizedMapper.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, unauthorizedMapper, UserCredentialModel.password("password"));
+        unauthorizedMapper.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        unauthorizedMapper.grantRole(managerRole);
        UserModel user1 = session.users().addUser(realm, "user1");
@ -260,11 +260,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        groupManager.grantRole(queryUsersRole);
        groupManager.setEnabled(true);
        groupManager.grantRole(mapperRole);
-        session.userCredentialManager().updateCredential(realm, groupManager, UserCredentialModel.password("password"));
+        groupManager.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        UserModel groupManagerNoMapper = session.users().addUser(realm, "noMapperGroupManager");
        groupManagerNoMapper.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, groupManagerNoMapper, UserCredentialModel.password("password"));
+        groupManagerNoMapper.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        groupManagerNoMapper.grantRole(queryGroupsRole);
        groupManagerNoMapper.grantRole(queryUsersRole);
@ -282,7 +282,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        clientMapper.setEnabled(true);
        clientMapper.grantRole(managerRole);
        clientMapper.grantRole(queryUsersRole);
-        session.userCredentialManager().updateCredential(realm, clientMapper, UserCredentialModel.password("password"));
+        clientMapper.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        Policy clientMapperPolicy = permissions.clients().mapRolesPermission(client);
        UserPolicyRepresentation userRep = new UserPolicyRepresentation();
        userRep.setName("userClientMapper");
@ -293,7 +293,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        UserModel clientManager = session.users().addUser(realm, "clientManager");
        clientManager.setEnabled(true);
        clientManager.grantRole(queryClientsRole);
-        session.userCredentialManager().updateCredential(realm, clientManager, UserCredentialModel.password("password"));
+        clientManager.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        Policy clientManagerPolicy = permissions.clients().managePermission(client);
        userRep = new UserPolicyRepresentation();
@ -306,7 +306,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        UserModel clientConfigurer = session.users().addUser(realm, "clientConfigurer");
        clientConfigurer.setEnabled(true);
        clientConfigurer.grantRole(queryClientsRole);
-        session.userCredentialManager().updateCredential(realm, clientConfigurer, UserCredentialModel.password("password"));
+        clientConfigurer.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        Policy clientConfigurePolicy = permissions.clients().configurePermission(client);
        userRep = new UserPolicyRepresentation();
@ -320,7 +320,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        groupViewer.grantRole(queryGroupsRole);
        groupViewer.grantRole(queryUsersRole);
        groupViewer.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, groupViewer, UserCredentialModel.password("password"));
+        groupViewer.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        UserPolicyRepresentation groupViewMembersRep = new UserPolicyRepresentation();
        groupViewMembersRep.setName("groupMemberViewers");
@ -778,7 +778,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        UserModel realmUser = session.users().addUser(realm, "realm-admin");
        realmUser.grantRole(realmAdminRole);
        realmUser.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
+        realmUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
    }
    // KEYCLOAK-5152
@ -977,12 +977,12 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            GroupModel customerAGroup = session.groups().createGroup(realm, "Customer A");
            UserModel customerAManager = session.users().addUser(realm, "customer-a-manager");
-            session.userCredentialManager().updateCredential(realm, customerAManager, UserCredentialModel.password("password"));
+            customerAManager.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
            ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
            customerAManager.grantRole(realmAdminClient.getRole(AdminRoles.QUERY_USERS));
            customerAManager.setEnabled(true);
            UserModel regularAdminUser = session.users().addUser(realm, "regular-admin-user");
-            session.userCredentialManager().updateCredential(realm, regularAdminUser, UserCredentialModel.password("password"));
+            regularAdminUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
            regularAdminUser.grantRole(realmAdminClient.getRole(AdminRoles.VIEW_USERS));
            regularAdminUser.setEnabled(true);
@ -1073,7 +1073,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
            UserModel regularAdminUser = session.users().addUser(realm, "regular-admin-user");
-            session.userCredentialManager().updateCredential(realm, regularAdminUser, UserCredentialModel.password("password"));
+            regularAdminUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
            regularAdminUser.grantRole(realmAdminClient.getRole(AdminRoles.QUERY_CLIENTS));
            regularAdminUser.setEnabled(true);
@ -1253,7 +1253,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
            UserModel regularAdminUser = session.users().addUser(realm, "regular-admin-user");
-            session.userCredentialManager().updateCredential(realm, regularAdminUser, UserCredentialModel.password("password"));
+            regularAdminUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
            regularAdminUser.grantRole(realmAdminClient.getRole(AdminRoles.QUERY_CLIENTS));
            regularAdminUser.setEnabled(true);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IllegalAdminUpgradeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IllegalAdminUpgradeTest.java
@ -82,27 +82,27 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
        UserModel realmUser = session.users().addUser(realm, "userAdmin");
        realmUser.grantRole(realmManageUsers);
        realmUser.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
+        realmUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        UserModel masterUser = session.users().addUser(master, "userAdmin");
        masterUser.grantRole(masterManageUsers);
        masterUser.setEnabled(true);
-        session.userCredentialManager().updateCredential(master, masterUser, UserCredentialModel.password("password"));
+        masterUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        UserModel masterAdmin = session.users().addUser(master, "masterAdmin");
        masterAdmin.grantRole(masterMasterManageUSers);
        masterAdmin.setEnabled(true);
-        session.userCredentialManager().updateCredential(master, masterAdmin, UserCredentialModel.password("password"));
+        masterAdmin.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        UserModel user = session.users().addUser(master, "user");
        user.grantRole(masterManageUsers);
        user.setEnabled(true);
-        session.userCredentialManager().updateCredential(master, user, UserCredentialModel.password("password"));
+        user.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        user = session.users().addUser(realm, "user");
        user.grantRole(realmManageUsers);
        user.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password("password"));
+        user.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
    }
    //@Test
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPProvidersIntegrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPProvidersIntegrationTest.java
@ -778,7 +778,7 @@ public class LDAPProvidersIntegrationTest extends AbstractLDAPTest {
            }
            try {
                UserCredentialModel cred = UserCredentialModel.password("PoopyPoop1", true);
-                session.userCredentialManager().updateCredential(appRealm, user, cred);
+                user.getUserCredentialManager().updateCredential(cred);
                Assert.fail("should fail");
            } catch (ReadOnlyException e) {
@ -953,13 +953,12 @@ public class LDAPProvidersIntegrationTest extends AbstractLDAPTest {
            Assert.assertEquals(user.getFederationLink(), ctx.getLdapModel().getId());
            UserCredentialModel cred = UserCredentialModel.password("Candycand1", true);
-            session.userCredentialManager().updateCredential(appRealm, user, cred);
+            user.getUserCredentialManager().updateCredential(cred);
-            CredentialModel userCredentialValueModel = session.userCredentialManager()
+            CredentialModel userCredentialValueModel = user.getUserCredentialManager().getStoredCredentialsByTypeStream(PasswordCredentialModel.TYPE)
                .getStoredCredentialsByTypeStream(appRealm, user, PasswordCredentialModel.TYPE)
                .findFirst().orElse(null);
            Assert.assertNotNull(userCredentialValueModel);
            Assert.assertEquals(PasswordCredentialModel.TYPE, userCredentialValueModel.getType());
-            Assert.assertTrue(session.userCredentialManager().isValid(appRealm, user, cred));
+            Assert.assertTrue(user.getUserCredentialManager().isValid(cred));
            // LDAP password is still unchanged
            try {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPUserMultipleCredentialTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPUserMultipleCredentialTest.java
@ -96,7 +96,7 @@ public class LDAPUserMultipleCredentialTest extends AbstractLDAPTest {
            LDAPTestUtils.updateLDAPPassword(ctx.getLdapProvider(), user2, "some-other-password");
            UserModel userWithOtp = session.users().getUserByUsername(appRealm, "test-user-with-otp");
            OTPCredentialModel otpCredential = OTPCredentialModel.createHOTP("DJmQfC73VGFhw7D4QJ8A", 6, 0, "HmacSHA1");
-            session.userCredentialManager().createCredential(appRealm, userWithOtp, otpCredential);
+            userWithOtp.getUserCredentialManager().createStoredCredential(otpCredential);
        });
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/BackwardsCompatibilityUserStorageTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/BackwardsCompatibilityUserStorageTest.java
@ -292,8 +292,7 @@ public class BackwardsCompatibilityUserStorageTest extends AbstractAuthTest {
        testingClient.server().run(session -> {
            RealmModel realm1 = session.realms().getRealmByName("test");
            UserModel user1 = session.users().getUserByUsername(realm1, "otp1");
-            Assert.assertEquals(0, session.userCredentialManager()
+            Assert.assertEquals(0, user1.getUserCredentialManager().getStoredCredentialsStream().count());
                    .getStoredCredentialsStream(realm1, user1).count());
        });
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/UserStorageTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/UserStorageTest.java
@ -14,9 +14,11 @@ import org.keycloak.admin.client.resource.UserResource;
 import org.keycloak.common.Profile;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.common.util.ObjectUtil;
 import org.keycloak.common.util.reflections.Types;
 import org.keycloak.credential.CredentialAuthentication;
 import org.keycloak.credential.CredentialModel;
-import org.keycloak.credential.UserCredentialStoreManager;
+import org.keycloak.credential.CredentialProvider;
 import org.keycloak.credential.CredentialProviderFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
@ -229,7 +231,9 @@ public class UserStorageTest extends AbstractAuthTest {
    @Test
    @ModelTest
    public void testCast(KeycloakSession session) throws Exception {
-        UserCredentialStoreManager.getCredentialProviders(session, CredentialAuthentication.class).collect(Collectors.toList());
+        session.getKeycloakSessionFactory().getProviderFactoriesStream(CredentialProvider.class)
                .filter(f -> Types.supports(CredentialAuthentication.class, f, CredentialProviderFactory.class))
                .map(f -> (CredentialAuthentication) session.getProvider(CredentialProvider.class, f.getId())).collect(Collectors.toList());
    }
    @Test
@ -883,19 +887,19 @@ public class UserStorageTest extends AbstractAuthTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "thor");
            Assert.assertFalse(StorageId.isLocalStorage(user));
-            Stream<CredentialModel> credentials = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user);
+            Stream<CredentialModel> credentials = user.getUserCredentialManager().getStoredCredentialsStream();
            org.keycloak.testsuite.Assert.assertEquals(0, credentials.count());
            // Create password
            CredentialModel passwordCred = PasswordCredentialModel.createFromValues("my-algorithm", "theSalt".getBytes(), 22, "ABC");
-            passwordCred = currentSession.userCredentialManager().createCredential(realm, user, passwordCred);
+            passwordCred = user.getUserCredentialManager().createStoredCredential(passwordCred);
            passwordId.set(passwordCred.getId());
            // Create Password and 2 OTP credentials (password was already created)
            CredentialModel otp1 = OTPCredentialModel.createFromPolicy(realm, "secret1");
            CredentialModel otp2 = OTPCredentialModel.createFromPolicy(realm, "secret2");
-            otp1 = currentSession.userCredentialManager().createCredential(realm, user, otp1);
+            otp1 = user.getUserCredentialManager().createStoredCredential(otp1);
-            otp2 = currentSession.userCredentialManager().createCredential(realm, user, otp2);
+            otp2 = user.getUserCredentialManager().createStoredCredential(otp2);
            otp1Id.set(otp1.getId());
            otp2Id.set(otp2.getId());
        });
@ -906,18 +910,18 @@ public class UserStorageTest extends AbstractAuthTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "thor");
            // Assert priorities: password, otp1, otp2
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, passwordId.get(), otp1Id.get(), otp2Id.get());
            // Assert can't move password when newPreviousCredential not found
-            assertFalse(currentSession.userCredentialManager().moveCredentialTo(realm, user, passwordId.get(), "not-known"));
+            assertFalse(user.getUserCredentialManager().moveStoredCredentialTo(passwordId.get(), "not-known"));
            // Assert can't move credential when not found
-            assertFalse(currentSession.userCredentialManager().moveCredentialTo(realm, user, "not-known", otp2Id.get()));
+            assertFalse(user.getUserCredentialManager().moveStoredCredentialTo("not-known", otp2Id.get()));
            // Move otp2 up
-            assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, otp2Id.get(), passwordId.get()));
+            assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(otp2Id.get(), passwordId.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -925,12 +929,12 @@ public class UserStorageTest extends AbstractAuthTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "thor");
            // Assert priorities: password, otp2, otp1
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, passwordId.get(), otp2Id.get(), otp1Id.get());
            // Move otp2 to the top
-            org.keycloak.testsuite.Assert.assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, otp2Id.get(), null));
+            org.keycloak.testsuite.Assert.assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(otp2Id.get(), null));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -938,12 +942,12 @@ public class UserStorageTest extends AbstractAuthTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "thor");
            // Assert priorities: otp2, password, otp1
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp2Id.get(), passwordId.get(), otp1Id.get());
            // Move password down
-            assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, passwordId.get(), otp1Id.get()));
+            assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(passwordId.get(), otp1Id.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -951,12 +955,12 @@ public class UserStorageTest extends AbstractAuthTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "thor");
            // Assert priorities: otp2, otp1, password
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp2Id.get(), otp1Id.get(), passwordId.get());
            // Remove otp2 down two positions
-            assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, otp2Id.get(), passwordId.get()));
+            assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(otp2Id.get(), passwordId.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -964,12 +968,12 @@ public class UserStorageTest extends AbstractAuthTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "thor");
            // Assert priorities: otp2, otp1, password
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp1Id.get(), passwordId.get(), otp2Id.get());
            // Remove password
-            assertTrue(currentSession.userCredentialManager().removeStoredCredential(realm, user, passwordId.get()));
+            assertTrue(user.getUserCredentialManager().removeStoredCredentialById(passwordId.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -977,7 +981,7 @@ public class UserStorageTest extends AbstractAuthTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "thor");
            // Assert priorities: otp2, password
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp1Id.get(), otp2Id.get());
        });
@ -993,7 +997,7 @@ public class UserStorageTest extends AbstractAuthTest {
            Assert.assertFalse(StorageId.isLocalStorage(user));
            CredentialModel otp1 = OTPCredentialModel.createFromPolicy(realm, "secret1");
-            session.userCredentialManager().createCredential(realm, user, otp1);
+            user.getUserCredentialManager().createStoredCredential(otp1);
        });
        UserResource user1 = ApiUtil.findUserByUsernameId(testRealmResource(), "thor");
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/PasswordHashingTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/PasswordHashingTest.java
@ -242,7 +242,7 @@ public class PasswordHashingTest extends AbstractTestRealmKeycloakTest {
        return testingClient.server("test").fetch(session -> {
            RealmModel realm = session.getContext().getRealm();
            UserModel user = session.users().getUserByUsername(realm, username);
-            return session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, CredentialRepresentation.PASSWORD)
+            return user.getUserCredentialManager().getStoredCredentialsByTypeStream(CredentialRepresentation.PASSWORD)
                    .findFirst().orElse(null);
        }, CredentialModel.class);
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RecoveryAuthnCodesAuthenticatorTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RecoveryAuthnCodesAuthenticatorTest.java
@ -120,7 +120,7 @@ public class RecoveryAuthnCodesAuthenticatorTest extends AbstractTestRealmKeyclo
                        generatedRecoveryAuthnCodes,
                        System.currentTimeMillis(),
                        null);
-                session.userCredentialManager().createCredential(realm, user, recoveryAuthnCodesCred);
+                user.getUserCredentialManager().createStoredCredential(recoveryAuthnCodesCred);
            });
            passwordPage.clickTryAnotherWayLink();
            selectAuthenticatorPage.assertCurrent();
@ -194,7 +194,7 @@ public class RecoveryAuthnCodesAuthenticatorTest extends AbstractTestRealmKeyclo
                        generatedRecoveryAuthnCodes,
                        System.currentTimeMillis(),
                        null);
-                session.userCredentialManager().createCredential(realm, user, recoveryAuthnCodesCred);
+                user.getUserCredentialManager().createStoredCredential(recoveryAuthnCodesCred);
            });
            passwordPage.clickTryAnotherWayLink();
            selectAuthenticatorPage.assertCurrent();
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/CredentialModelTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/CredentialModelTest.java
@ -42,7 +42,7 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            RealmModel realm = currentSession.realms().getRealmByName("test");
            UserModel user = currentSession.users().getUserByUsername(realm, "test-user@localhost");
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            Assert.assertEquals(1, list.size());
            passwordId.set(list.get(0).getId());
@ -50,8 +50,8 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            // Create 2 OTP credentials (password was already created)
            CredentialModel otp1 = OTPCredentialModel.createFromPolicy(realm, "secret1");
            CredentialModel otp2 = OTPCredentialModel.createFromPolicy(realm, "secret2");
-            otp1 = currentSession.userCredentialManager().createCredential(realm, user, otp1);
+            otp1 = user.getUserCredentialManager().createStoredCredential(otp1);
-            otp2 = currentSession.userCredentialManager().createCredential(realm, user, otp2);
+            otp2 = user.getUserCredentialManager().createStoredCredential(otp2);
            otp1Id.set(otp1.getId());
            otp2Id.set(otp2.getId());
        });
@ -62,18 +62,18 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "test-user@localhost");
            // Assert priorities: password, otp1, otp2
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, passwordId.get(), otp1Id.get(), otp2Id.get());
            // Assert can't move password when newPreviousCredential not found
-            Assert.assertFalse(currentSession.userCredentialManager().moveCredentialTo(realm, user, passwordId.get(), "not-known"));
+            Assert.assertFalse(user.getUserCredentialManager().moveStoredCredentialTo(passwordId.get(), "not-known"));
            // Assert can't move credential when not found
-            Assert.assertFalse(currentSession.userCredentialManager().moveCredentialTo(realm, user, "not-known", otp2Id.get()));
+            Assert.assertFalse(user.getUserCredentialManager().moveStoredCredentialTo("not-known", otp2Id.get()));
            // Move otp2 up 1 position
-            Assert.assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, otp2Id.get(), passwordId.get()));
+            Assert.assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(otp2Id.get(), passwordId.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -81,12 +81,12 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "test-user@localhost");
            // Assert priorities: password, otp2, otp1
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, passwordId.get(), otp2Id.get(), otp1Id.get());
            // Move otp2 to the top
-            Assert.assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, otp2Id.get(), null));
+            Assert.assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(otp2Id.get(), null));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -94,12 +94,12 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "test-user@localhost");
            // Assert priorities: otp2, password, otp1
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp2Id.get(), passwordId.get(), otp1Id.get());
            // Move password down
-            Assert.assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, passwordId.get(), otp1Id.get()));
+            Assert.assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(passwordId.get(), otp1Id.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -107,12 +107,12 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "test-user@localhost");
            // Assert priorities: otp2, otp1, password
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp2Id.get(), otp1Id.get(), passwordId.get());
            // Remove otp2 down two positions
-            Assert.assertTrue(currentSession.userCredentialManager().moveCredentialTo(realm, user, otp2Id.get(), passwordId.get()));
+            Assert.assertTrue(user.getUserCredentialManager().moveStoredCredentialTo(otp2Id.get(), passwordId.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -120,12 +120,12 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "test-user@localhost");
            // Assert priorities: otp2, otp1, password
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp1Id.get(), passwordId.get(), otp2Id.get());
            // Remove password
-            Assert.assertTrue(currentSession.userCredentialManager().removeStoredCredential(realm, user, passwordId.get()));
+            Assert.assertTrue(user.getUserCredentialManager().removeStoredCredentialById(passwordId.get()));
        });
        KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession currentSession) -> {
@ -133,7 +133,7 @@ public class CredentialModelTest extends AbstractTestRealmKeycloakTest {
            UserModel user = currentSession.users().getUserByUsername(realm, "test-user@localhost");
            // Assert priorities: otp2, password
-            List<CredentialModel> list = currentSession.userCredentialManager().getStoredCredentialsStream(realm, user)
+            List<CredentialModel> list = user.getUserCredentialManager().getStoredCredentialsStream()
                    .collect(Collectors.toList());
            assertOrder(list, otp1Id.get(), otp2Id.get());
        });
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/MultipleRealmsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/MultipleRealmsTest.java
@ -88,13 +88,13 @@ public class MultipleRealmsTest extends AbstractTestRealmKeycloakTest {
            Assert.assertNotEquals(r1user1.getId(), r2user1.getId());
            // Test password
-            currentSession.userCredentialManager().updateCredential(realm1, r1user1, UserCredentialModel.password("pass1"));
+            r1user1.getUserCredentialManager().updateCredential(UserCredentialModel.password("pass1"));
-            currentSession.userCredentialManager().updateCredential(realm2, r2user1, UserCredentialModel.password("pass2"));
+            r2user1.getUserCredentialManager().updateCredential(UserCredentialModel.password("pass2"));
-            Assert.assertTrue(currentSession.userCredentialManager().isValid(realm1, r1user1, UserCredentialModel.password("pass1")));
+            Assert.assertTrue(r1user1.getUserCredentialManager().isValid(UserCredentialModel.password("pass1")));
-            Assert.assertFalse(currentSession.userCredentialManager().isValid(realm1, r1user1, UserCredentialModel.password("pass2")));
+            Assert.assertFalse(r1user1.getUserCredentialManager().isValid(UserCredentialModel.password("pass2")));
-            Assert.assertFalse(currentSession.userCredentialManager().isValid(realm2, r2user1, UserCredentialModel.password("pass1")));
+            Assert.assertFalse(r2user1.getUserCredentialManager().isValid(UserCredentialModel.password("pass1")));
-            Assert.assertTrue(currentSession.userCredentialManager().isValid(realm2, r2user1, UserCredentialModel.password("pass2")));
+            Assert.assertTrue(r2user1.getUserCredentialManager().isValid(UserCredentialModel.password("pass2")));
            // Test searching
            Assert.assertEquals(2, currentSession.users().searchForUserStream(realm1, "user").count());
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeSAML2Test.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeSAML2Test.java
@ -224,13 +224,13 @@ public class ClientTokenExchangeSAML2Test extends AbstractKeycloakTest {
        UserModel user = session.users().addUser(realm, "user");
        user.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password("password"));
+        user.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        user.grantRole(exampleRole);
        user.grantRole(impersonateRole);
        UserModel bad = session.users().addUser(realm, "bad-impersonator");
        bad.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, bad, UserCredentialModel.password("password"));
+        bad.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
    }
    @Override
@ -704,7 +704,7 @@ public class ClientTokenExchangeSAML2Test extends AbstractKeycloakTest {
        UserModel impersonatedUser = session.users().addUser(realm, "impersonated-user");
        impersonatedUser.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, impersonatedUser, UserCredentialModel.password("password"));
+        impersonatedUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        impersonatedUser.grantRole(exampleRole);
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
@ -237,13 +237,13 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest {
        UserModel user = session.users().addUser(realm, "user");
        user.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password("password"));
+        user.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        user.grantRole(exampleRole);
        user.grantRole(impersonateRole);
        UserModel bad = session.users().addUser(realm, "bad-impersonator");
        bad.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, bad, UserCredentialModel.password("password"));
+        bad.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
    }
    public static void setUpUserImpersonatePermissions(KeycloakSession session) {
@ -863,7 +863,7 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest {
        UserModel impersonatedUser = session.users().addUser(realm, "impersonated-user");
        impersonatedUser.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, impersonatedUser, UserCredentialModel.password("password"));
+        impersonatedUser.getUserCredentialManager().updateCredential(UserCredentialModel.password("password"));
        impersonatedUser.grantRole(exampleRole);
    }
--- a/testsuite/utils/src/main/java/org/keycloak/testsuite/util/cli/UserCommands.java
+++ b/testsuite/utils/src/main/java/org/keycloak/testsuite/util/cli/UserCommands.java
@ -77,7 +77,7 @@ public class UserCommands {
                user.setEnabled(true);
                user.setEmail(username + "@keycloak.org");
                UserCredentialModel passwordCred = UserCredentialModel.password(password);
-                session.userCredentialManager().updateCredential(realm, user, passwordCred);
+                user.getUserCredentialManager().updateCredential(passwordCred);
                for (RoleModel role : roles) {
                    user.grantRole(role);