Add new password policy to validate passwords on login
Previously, Keycloak would only validate the password policy for new users and password changes. However, it may be desired to force all existing users to update their passwords when the password policy has changed. To accomplish this, this commit adds a new ValidateOnLogin password policy that can be configured per realm much like the existing password policies. When this policy is present, the password of the user will be validated against the current password policy on each login. This applies to both local users and users federated from LDAP. Closes keycloak#14150 Signed-off-by: Tobias Kantusch <[email protected]>
Showing
11 changed files
with
181 additions
and
1 deletion.
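--- /dev/null
+++ b/...-spi-private/src/main/java/org/keycloak/policy/ValidateOnLoginPasswordPolicyProvider.java
@@ -0,0 +1,26 @@
+package org.keycloak.policy;
+
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+
+public class ValidateOnLoginPasswordPolicyProvider implements PasswordPolicyProvider {
+@Override
+public PolicyError validate(RealmModel realm, UserModel user, String password) {
+return null;
+}
+
+@Override
+public PolicyError validate(String user, String password) {
+return null;
+}
+
+@Override
+public Object parseConfig(String value) {
+return null;
+}
+
+@Override
+public void close() {
+
+}
+}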
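Review bot: Both `validate` overloads return null unconditionally, so this provider never rejects a password on its own, and nothing in the class says that this is intentional — a reader of this file alone would take it for an unfinished stub rather than a marker policy whose mere presence is supposed to trigger a re-check of the full policy at login, as the commit message describes. Add a class-level Javadoc making that explicit, e.g. `/** Marker policy: it performs no check itself; when present in a realm's password policy, the login flow (implemented outside this file) re-validates the user's password against the full policy. */`. `parseConfig` returning null is consistent with the factory advertising no config type, but a one-line comment there (`// this policy carries no configuration value`) would spare the next maintainer the lookup.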
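--- /dev/null
+++ b/...ivate/src/main/java/org/keycloak/policy/ValidateOnLoginPasswordPolicyProviderFactory.java
@@ -0,0 +1,54 @@
+package org.keycloak.policy;
+
+import org.keycloak.Config;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.PasswordPolicy;
+
+public class ValidateOnLoginPasswordPolicyProviderFactory implements PasswordPolicyProviderFactory {
+
+@Override
+public String getDisplayName() {
+return "Validate Policy on Login";
+}
+
+@Override
+public String getConfigType() {
+return null;
+}
+
+@Override
+public String getDefaultConfigValue() {
+return null;
+}
+
+@Override
+public boolean isMultiplSupported() {
+return false;
+}
+
+@Override
+public PasswordPolicyProvider create(KeycloakSession session) {
+return new ValidateOnLoginPasswordPolicyProvider();
+}
+
+@Override
+public void init(Config.Scope config) {
+
+}
+
+@Override
+public void postInit(KeycloakSessionFactory factory) {
+
+}
+
+@Override
+public void close() {
+
+}
+
+@Override
+public String getId() {
+return PasswordPolicy.VALIDATE_ON_LOGIN_ID;
+}
+}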
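Review bot: `getConfigType()` and `getDefaultConfigValue()` both return null and `isMultiplSupported()` returns false with no comment explaining why, and the class itself has no Javadoc, so the contract of this policy has to be reverse-engineered from three null returns. Since the policy evidently carries no value (its presence is the whole configuration), state that on the class: `/** Factory for the {@link PasswordPolicy#VALIDATE_ON_LOGIN_ID} marker policy. The policy takes no configuration value, which is why no config type or default is advertised, and it is presumably meant to appear at most once per realm. */`. `create` also allocates a new provider per call although ValidateOnLoginPasswordPolicyProvider holds no state; that is harmless, but if it was a deliberate choice a short comment would prevent someone "optimising" it later.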
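--- /dev/null
+++ b/themes/src/main/resources/theme/base/login/login-policy-error.ftl
@@ -0,0 +1,15 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout displayMessage=false; section>
+<#if section = "header">
+${msg("passwordPolicyErrorTitle")}
+<#elseif section = "form">
+<div id="kc-terms-text">
+${kcSanitize(msg("passwordPolicyErrorMessage"))?no_esc}
+</div>
+<form class="form-actions" action="${url.loginAction}" method="POST">
+<input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonLargeClass!}" name="continueToUpdate" id="kc-accept" type="submit" value="${msg("doContinue")}"/>
+<input class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}" name="cancelUpdate" id="kc-decline" type="submit" value="${msg("doCancel")}"/>
+</form>
+<div class="clearfix"></div>
+</#if>
+</@layout.registrationLayout>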
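Review bot: The form offers a `cancelUpdate` submit beside `continueToUpdate`, and nothing in this section shows what the server does with it; if cancel lets the login complete with the password that just failed the policy, the new enforcement is bypassable with one click, so please confirm — and document in the handler, which lives outside this file — that cancel aborts the authentication session rather than continuing it. The wrapper `<div id="kc-terms-text">` and the `kc-accept`/`kc-decline` ids look copied from the terms page; a page-specific id such as `id="kc-password-policy-text"` keeps theme CSS and JS written for terms.ftl from silently applying here. `displayMessage=false` also means the user only ever sees the static `passwordPolicyErrorMessage` text, so that message should at least say the password no longer satisfies the realm policy and must be changed.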