[keycloak-dev] Adding a validate password endpoint in the Admin API

Wim Vandenhaute wim.vandenhaute at gmail.com
Tue Jun 27 09:29:48 EDT 2017

This does not validate the password as in checking if it is the same as the
user's current one but only checks if a new password might violate the
realm's password policies or not so I do not really see an issue here to be

On Tue, Jun 27, 2017 at 2:52 PM Bruno Oliveira <bruno at abstractj.org> wrote:

> If I understood correctly, the password could be provided here
> https://github.com/keycloak/keycloak/pull/4229/files#diff-2d5026806b9f86138813c99521f40597R782,
> right? If yes. I could implement my own password validator web app to
> validate passwords and interact with KC. Now, instead of worry with the
> call between the client and KC server, I could have a third server to worry
> about or a shell script. Because it's possible.
> Instead of targeting Keycloak only (which is built with security in mind),
> now people could target my password validation app (not so concerned with
> security). This is just an example, and I'm not saying this is the end of
> the world. What I'm saying that this opens a new door for people to be
> creative.
> On Tue, Jun 27, 2017 at 4:51 AM Wim Vandenhaute <wim.vandenhaute at gmail.com>
> wrote:
>> Hello list,
>> Via an admin portal of a customer I am working for, they provide a feature
>> where an admin can edit the user's data, including setting a new password.
>> For the sake of atomicity, all update steps first go through a series of
>> validations for all modified data before actually committing the changes
>> and (if needed) updating the keycloak password
>> At the moment, there is no way to pre-update do a validity check of the
>> updated password against keycloak's configured password policy(ies)
>> Therefor I would propose to have a validate-password endpoint in the Admin
>> API.
>> I've made a pull request already here:
>>   *  https://github.com/keycloak/keycloak/pull/4229
>> Any thoughts on this?
>> Kind regards,
>> Wim
> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list