Add new password policy to validate passwords on login #1
Conversation
| // TODO: Do we want to support read-only LDAP? How to handle this then? Leave the decision to whoever evaluates the | ||
| // password policy result, so e.g. show a warning in the browser authenticators / deny authentication? |
There was a problem hiding this comment.
Thoughts on this?
There was a problem hiding this comment.
I would propose to enforce the policy and deny authentication in read only mode. If admins don't want that behavior they easily can disable the password policy but they cannot enforce them otherwise. However, there should be a error message to the user imho
| // TODO: Do we want to support read-only LDAP? How to handle this then? Leave the decision to whoever evaluates the | ||
| // password policy result, so e.g. show a warning in the browser authenticators / deny authentication? |
There was a problem hiding this comment.
I would propose to enforce the policy and deny authentication in read only mode. If admins don't want that behavior they easily can disable the password policy but they cannot enforce them otherwise. However, there should be a error message to the user imho
| } | ||
|
|
||
| @Override | ||
| public void close() { |
There was a problem hiding this comment.
| public void close() { | |
| public void close() {} |
I personally like this style more, but I am not sure what the Keycloak style guidelines say.
There was a problem hiding this comment.
I looked at similar implementations and mainly found the current variant. Sometimes, the empty line is removed, like this:
public void close() {
}| return true; | ||
| } | ||
| if(inputData.containsKey("cancelUpdate")) { | ||
| return badPasswordHandler(context, user, clearUser, false); |
There was a problem hiding this comment.
Is this proper use? The password itself was ok, wasn't it?
This would also send a password error mail, doesn't it?. Is this intended?
There was a problem hiding this comment.
You're right, I tried to reuse the existing functionality, but we I agree that might not want the invalid credentials event (which might trigger an email, depending on the settings of course).
sirkrypt0
force-pushed
the
feature/validate-on-login
branch
2 times, most recently
from
7e00fa7
to
640404e
Compare
Previously, Keycloak would only validate the password policy for new users and password changes. However, it may be desired to force all existing users to update their passwords when the password policy has changed. To accomplish this, this adds a new ValidateOnLogin password policy that can be configured per realm much like the existing password policies. When this policy is present, the password of the user will be validated against the current password policy on each login. This can be done for both, local users and users in the LDAP. When the LDAP is in read-only mode and the password no longer matches the policy, an error is shown, but the user is not given the option to update their password, as that doesn't work with read-only LDAP. Administrators with a read-only LDAP are free to disable the policy on login to avoid this. Currently, users are only shown a generic error message that their password no longer matches the policy, but not the exact error. This is because I didn't find a way to properly pass the PolicyError up to the authenticator which handles the password validation, as the policy errors contain parameters (like minimum lower case chars) and their error messages are localized based on the users locale. Closes keycloak#14150 Signed-off-by: Tobias Kantusch <[email protected]>
sirkrypt0
force-pushed
the
feature/validate-on-login
branch
from
640404e
to
4bfb8c0
Compare
Previously, Keycloak would only validate the password policy for new users and password changes. However, it may be desired to force all existing users to update their passwords when the password policy has changed.
To accomplish this, this adds a new ValidateOnLogin password policy that can be configured per realm much like the existing password policies. When this policy is present, the password of the user will be validated against the current password policy on each login. This can be done for both, local users and users in the LDAP.
Closes keycloak#14150