[keycloak-dev] no empty password in UserFederationProvider

Bill Burke bburke at redhat.com
Fri Nov 20 11:40:38 EST 2015


You can I guess, but why does it matter?  invalidPassword hits the brute 
force detector if it is turned on.

On 11/20/2015 10:16 AM, Michael Gerber wrote:
> AbstractUsernameFormAuthenticator.validatePassword
>
> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
>     List<UserCredentialModel> credentials = new LinkedList<>();
>     String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
>     // Missing or empty password: counted as a failed attempt, never handed to the provider.
>     if (password == null || password.isEmpty()) {
>         invalidPassword(context, user);
>         return false;
>     }
>     credentials.add(UserCredentialModel.password(password));
>     boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
>     if (!valid) {
>         invalidPassword(context, user);
>         return false;
>     }
>     return true;
> }
>
> I think we can remove the first if (password == null || password.isEmpty())
>
> Am 20. November 2015 um 16:11 schrieb Bill Burke <bburke at redhat.com>:
>
>> Point me to the code?
>>
>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>>> Hi All,
>>>
>>> keycloak does not pass an empty password to the validCredentials method
>>> in the UserFederationProvider class.
>>> Is there a reason for that? I would like to authenticate against an AD
>>> even if the password is empty, otherwise the user won't be blocked after
>>> x attempts.
>>>
>>> Michael
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
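As an added illustration of the point discussed above (not Keycloak code, and not written by either participant): a minimal model of the two paths in validatePassword, showing that an empty password is still recorded by the brute-force detector but never reaches the federation provider. The class and method names, the failure counter and the sample provider are all hypothetical stand-ins for the real Keycloak components.

```java
import java.util.HashMap;
import java.util.Map;

public class EmptyPasswordGuard {

    /** Hypothetical stand-in for Keycloak's brute-force detector: failures per user. */
    static final class FailureCounter {
        private final Map<String, Integer> failures = new HashMap<>();
        private final int maxFailures;
        FailureCounter(int maxFailures) { this.maxFailures = maxFailures; }
        void recordFailure(String user) { failures.merge(user, 1, Integer::sum); }
        boolean isLocked(String user) { return failures.getOrDefault(user, 0) >= maxFailures; }
    }

    /** Hypothetical stand-in for a UserFederationProvider bind (e.g. against AD). */
    interface Provider { boolean validCredentials(String user, String password); }

    private final FailureCounter detector;
    private final Provider provider;
    int providerCalls = 0; // how often the backend was actually asked

    EmptyPasswordGuard(FailureCounter detector, Provider provider) {
        this.detector = detector;
        this.provider = provider;
    }

    boolean validatePassword(String user, String password) {
        // Same guard as the quoted Keycloak method: the attempt counts toward lockout,
        // but an empty password is never forwarded. For LDAP/AD backends this also
        // avoids an "unauthenticated bind" (RFC 4513 section 5.1.2): a simple bind with
        // a DN and a zero-length password may be answered with success by the server.
        if (password == null || password.isEmpty()) {
            detector.recordFailure(user);
            return false;
        }
        providerCalls++;
        boolean valid = provider.validCredentials(user, password);
        if (!valid) detector.recordFailure(user);
        return valid;
    }

    public static void main(String[] args) {
        FailureCounter detector = new FailureCounter(3);
        // Constructed sample provider: only alice with password "s3cret" is accepted.
        Provider ad = (u, p) -> "alice".equals(u) && "s3cret".equals(p);
        EmptyPasswordGuard guard = new EmptyPasswordGuard(detector, ad);
        for (int i = 0; i < 3; i++) guard.validatePassword("alice", "");
        System.out.println("locked after empty attempts: " + detector.isLocked("alice"));
        System.out.println("provider calls: " + guard.providerCalls);
    }
}
```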

