Password policy change not forcing users to update password #14150
Comments
Preliminary adding this to Keycloak 22 to doublecheck. On the other hand, it is possible that it would be postponed further. If anyone from the community is able to fix this before, it will be welcome! Please comment here that you want to work on this issue. See "Contributors" section under https://www.keycloak.org/community for more details.
remark: implementing what the doc says is an end-user visible change, touching all users; it may be useful to add a warning in the UI when saving the password policy change?
Hello, @mposolda I would like to try to work on this issue. I am thinking that the best approach is to check the password policies during the login time and if it doesn't match, redirect to update the password. OR just letting the user know that the password isn't ok.
I am sorry for the confusion around this. Keycloak never worked in a way that when password policy is added/updated, existing users are enforced to update their password during login. So the docs are incorrect about this. I've created a separate issue to clarify the docs #19363 . Also changed this to "Feature" as we can potentially improve this and make something to enforce behaviour for existing users. IMO it should be configurable somehow (not yet sure if at the authenticator configuration level or at the realm level - new option at password policies).
Hi @pedro-hos did you already start working on this issue? Otherwise, I'd like to contribute this feature @mposolda . I agree that this should be made configurable at the realm level. Then, the keycloak/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java Lines 60 to 61 in ae1aaef
Hi @sirkrypt0 No, you can go ahead and work on this. No problem, just confirm with @mposolda if it's ok also.
Previously, Keycloak would only validate the password policy for new users and password changes. However, it may be desired to force all existing users to update their passwords when the password policy has changed. To accomplish this, this adds a new ValidateOnLogin password policy that can be configured per realm much like the existing password policies. When this policy is present, the password of the user will be validated against the current password policy on each login. This can be done for both local users and users in LDAP. Closes keycloak#14150 Signed-off-by: Tobias Kantusch <[email protected]>
Previously, Keycloak would only validate the password policy for new users and password changes. However, it may be desired to force all existing users to update their passwords when the password policy has changed. To accomplish this, this adds a new ValidateOnLogin password policy that can be configured per realm much like the existing password policies. When this policy is present, the password of the user will be validated against the current password policy on each login. This can be done for both local users and users in LDAP. When the LDAP is in read-only mode and the password no longer matches the policy, an error is shown, but the user is not given the option to update their password, as that doesn't work with read-only LDAP. Administrators with a read-only LDAP are free to disable the policy on login to avoid this. Currently, users are only shown a generic error message that their password no longer matches the policy, but not the exact error. This is because I didn't find a way to properly pass the PolicyError up to the authenticator which handles the password validation, as the policy errors contain parameters (like minimum lower case chars) and their error messages are localized based on the user's locale. Closes keycloak#14150 Signed-off-by: Tobias Kantusch <[email protected]>
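The commit messages above describe three outcomes for a login once a "validate on login" policy is enabled: the stored password still satisfies the realm policy and login proceeds; it no longer satisfies the policy and the user is sent to update it; or it no longer satisfies the policy but the user lives in a read-only store (read-only LDAP), so only an error can be shown. The following is an added example, not Keycloak's own code: a small model of that decision with a few constructed policy rules (`min_length`, `min_lower`, `min_upper`, `min_digits`, the rule names and the `LoginOutcome` values are assumptions made here, not Keycloak identifiers). It shows how the read-only edge case changes the result and why the policy errors, with their parameters, are worth carrying to the user.

```python
"""Model of a 'validate password policy on login' check (added example).

Rule names, outcome names and the sample policy below are constructed for
this illustration; they are not Keycloak's PasswordPolicy or PolicyError types.
"""
from dataclasses import dataclass
from enum import Enum


class LoginOutcome(Enum):
    OK = "ok"                                  # password still compliant (or policy not enabled)
    REQUIRE_UPDATE = "require_update_password"  # compliant store: force an Update Password action
    REJECT_READ_ONLY = "reject_read_only_store"  # read-only LDAP: cannot update, show error only


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed subset of realm password policy rules."""
    min_length: int = 0
    min_lower: int = 0
    min_upper: int = 0
    min_digits: int = 0
    validate_on_login: bool = False  # the 'ValidateOnLogin' marker policy from the commit


def policy_errors(policy: PasswordPolicy, password: str) -> list[tuple[str, int]]:
    """Return (rule, required_value) pairs for every rule the password violates.

    Keeping the parameter next to the rule name is what lets a UI render a
    localized message such as 'at least N lower case characters'.
    """
    lower = sum(1 for c in password if c.islower())
    upper = sum(1 for c in password if c.isupper())
    digits = sum(1 for c in password if c.isdigit())

    checks = [
        ("min_length", policy.min_length, len(password)),
        ("min_lower", policy.min_lower, lower),
        ("min_upper", policy.min_upper, upper),
        ("min_digits", policy.min_digits, digits),
    ]
    return [(rule, required) for rule, required, actual in checks if actual < required]


def evaluate_login(policy: PasswordPolicy, password: str,
                   store_read_only: bool) -> tuple[LoginOutcome, list[tuple[str, int]]]:
    """Decide what happens after a correct password has been verified at login.

    Only called after authentication succeeded: this check never decides whether
    the password is right, only whether it still meets the current realm policy.
    """
    if not policy.validate_on_login:
        return LoginOutcome.OK, []          # legacy behaviour: policy applies only to new passwords

    errors = policy_errors(policy, password)
    if not errors:
        return LoginOutcome.OK, []
    if store_read_only:
        # Read-only LDAP: Keycloak cannot write a new password, so the login is
        # rejected with an error instead of an Update Password action.
        return LoginOutcome.REJECT_READ_ONLY, errors
    return LoginOutcome.REQUIRE_UPDATE, errors


def describe(errors: list[tuple[str, int]]) -> str:
    """Human-readable rendering of the violated rules (English only here)."""
    return "; ".join(f"{rule} >= {required}" for rule, required in errors)


if __name__ == "__main__":
    # Constructed sample: policy tightened after the user chose 'secret'.
    tightened = PasswordPolicy(min_length=10, min_digits=1, validate_on_login=True)
    for read_only in (False, True):
        outcome, errs = evaluate_login(tightened, "secret", read_only)
        print(f"read_only={read_only}: {outcome.value} ({describe(errs)})")
```

Running the block prints one line per store type: a writable store yields `require_update_password`, a read-only store yields `reject_read_only_store`, both listing `min_length >= 10; min_digits >= 1`. An administrator wanting the second case to go away would, as the commit message notes, leave the on-login validation disabled for that realm.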
Describe the bug
The Keycloak 18/19 documentation states the following in the section on password policies:
After saving the policy, Keycloak enforces the policy for new users and sets an Update Password action for existing users to ensure they change their password the next time they log in.
This does not appear to work as stated. I tried it with both version 18 and 19 Keycloak servers freshly downloaded and running locally. I can create a new user with a password then add a new more restrictive password policy to the realm. The user can still log in with the original password and it does not present me with the update password form. If I create a new user the new password policy does apply correctly.
Am I missing some other configuration step for this feature or is this a defect?
Version
18.0.2 and 19.0.1
Expected behavior
After making the password policy more restrictive a user logging in with a noncompliant password would be forced to change their password after next login.
Actual behavior
The user logs in successfully but no change password form is presented.
How to Reproduce?
Anything else?
No response