
Keycloak admin routines

Recurring Keycloak operations on the d-centralize realm. These run through the onboarding-sync service account, so a checkout of dc scripts handles authentication for you (the client secret is pulled from Bitwarden).

Use this routine when a user cannot log in: the new password they set doesn’t work, they never received the original invite, or the action link expired. It re-sends the Keycloak action email (Update Password + Verify Email) using onboarding/sync_users.py:

# preview — prints the address the email will be sent to, sends nothing
uv run onboarding/sync_users.py --only <localpart> --service keycloak --resend-invite
# send it
uv run onboarding/sync_users.py --only <localpart> --service keycloak --resend-invite --apply
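
The same preview-then-apply flow expressed against the Keycloak Admin REST API, as an added example that is not the project's sync_users.py. It assumes a hypothetical `http` transport that already carries the service-account token; the `FakeKeycloak` stand-in, host name, user data and `lifespan` value are constructed.

```python
# Added example, not the project's sync_users.py.
from urllib.parse import quote

ACTIONS = ["UPDATE_PASSWORD", "VERIFY_EMAIL"]  # the two actions the page names


def resend_invite(http, base_url, realm, localpart, apply=False, lifespan=43200):
    """Preview (default) or send the Keycloak action email for one user.

    http(method, url, params=None, json=None) is a hypothetical transport that
    already carries the service-account bearer token and returns parsed JSON.
    lifespan is the link validity in seconds (value here is an assumption).
    """
    users_url = f"{base_url}/admin/realms/{quote(realm)}/users"
    # exact=true: without it Keycloak's username search matches substrings,
    # so the action link could be addressed to the wrong account.
    matches = http("GET", users_url, params={"username": localpart, "exact": "true"})
    if len(matches) != 1:
        raise LookupError(f"expected 1 user for {localpart!r}, got {len(matches)}")
    user = matches[0]
    if not user.get("email"):
        raise ValueError(f"{localpart!r} has no email address on record")
    result = {"to": user["email"], "actions": ACTIONS, "sent": False}
    if apply:  # nothing is sent unless the caller opts in, like --apply
        http("PUT", f"{users_url}/{user['id']}/execute-actions-email",
             params={"lifespan": lifespan}, json=ACTIONS)
        result["sent"] = True
    return result


class FakeKeycloak:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, users):
        self.users, self.calls = users, []

    def __call__(self, method, url, params=None, json=None):
        self.calls.append((method, url, params, json))
        if method == "GET":
            return [u for u in self.users if u["username"] == params["username"]]
        return None


if __name__ == "__main__":
    kc = FakeKeycloak([{"id": "u-1", "username": "alice",
                        "email": "alice@example.org"}])
    print(resend_invite(kc, "https://sso.example.org", "d-centralize", "alice"))
```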