[keycloak-dev] Adding a validate password endpoint in the Admin API

Stian Thorgersen sthorger at redhat.com
Tue Jun 27 10:00:29 EDT 2017


I still don't see the door that is being opened. It's just validating if a
password supplied by the potential attacker is good enough to pass our
password policies. I.e. is it long enough and such. It doesn't give any
opportunity to check if it's a real password or update it or anything?

On 27 June 2017 at 14:52, Bruno Oliveira <bruno at abstractj.org> wrote:

> If I understood correctly, the password could be provided here
> https://github.com/keycloak/keycloak/pull/4229/files#diff-2d5026806b9f86138813c99521f40597R782,
> right? If yes, I could implement my own password validator web app to
> validate passwords and interact with KC. Now, instead of worrying about the
> call between the client and KC server, I could have a third server to worry
> about, or a shell script. Because it's possible.
>
> Instead of targeting Keycloak only (which is built with security in mind),
> now people could target my password validation app (not so concerned with
> security). This is just an example, and I'm not saying this is the end of
> the world. What I'm saying is that this opens a new door for people to be
> creative.
>
> On Tue, Jun 27, 2017 at 4:51 AM Wim Vandenhaute <wim.vandenhaute at gmail.com>
> wrote:
>
> > Hello list,
> >
> > Via an admin portal of a customer I am working for, they provide a feature
> > where an admin can edit the user's data, including setting a new password.
> >
> > For the sake of atomicity, all update steps first go through a series of
> > validations for all modified data before actually committing the changes
> > and (if needed) updating the keycloak password.
> >
> > At the moment, there is no way to do a pre-update validity check of the
> > updated password against keycloak's configured password policy(ies).
> >
> > Therefore I would propose to have a validate-password endpoint in the Admin
> > API.
> >
> > I've made a pull request already here:
> >   *  https://github.com/keycloak/keycloak/pull/4229
> >
> > Any thoughts on this?
> >
> > Kind regards,
> > Wim
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
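As an added example (not code from this thread or from the Keycloak pull request), here is the pre-update check Wim describes done locally against an assumed Keycloak-style policy string such as "length(8) and digits(1) and notUsername"; the rule names, the sample policy and the stage_user_update helper are assumptions, and rules this checker does not know are failed closed because some (history-based ones, for instance) can only be evaluated server-side.

```python
import re

# Policy tokens look like "name(arg)" or bare "name", joined by " and " (assumed format).
TOKEN_RE = re.compile(r"(\w+)(?:\(([^)]*)\))?")


def parse_policy(policy):
    """Split 'length(8) and digits(1) and notUsername' into [(name, int|None), ...]."""
    rules = []
    for part in policy.split(" and "):
        m = TOKEN_RE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unparseable policy token: {part!r}")
        name, arg = m.group(1), m.group(2)
        rules.append((name, int(arg) if arg and arg.isdigit() else None))
    return rules


def validate_password(password, policy, username=None):
    """Return the names of violated rules (empty list means the candidate passes).

    Only the candidate string and the policy text are inspected; nothing here
    reads or writes stored credentials, which is the whole point of the check."""
    checks = {
        "length":       lambda p, n: len(p) >= n,
        "digits":       lambda p, n: sum(c.isdigit() for c in p) >= n,
        "lowerCase":    lambda p, n: sum(c.islower() for c in p) >= n,
        "upperCase":    lambda p, n: sum(c.isupper() for c in p) >= n,
        "specialChars": lambda p, n: sum(not c.isalnum() for c in p) >= n,
        "notUsername":  lambda p, n: username is None or p.lower() != username.lower(),
    }
    failures = []
    for name, arg in parse_policy(policy):
        check = checks.get(name)
        n = arg if arg is not None else 1
        # Unknown rule (e.g. one needing server-side state): fail closed rather than pass.
        if check is None or not check(password, n):
            failures.append(name)
    return failures


def stage_user_update(changes, policy):
    """Validate every modified field before anything is committed (atomic update).

    Returns a dict of field -> problems; the caller commits only when it is empty."""
    errors = {}
    if "password" in changes:
        bad = validate_password(changes["password"], policy, changes.get("username"))
        if bad:
            errors["password"] = bad
    return errors
```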

