[keycloak-dev] Defining several Password Policies within a Realm

[AMIEL Patrice]

Hi Stian,

Thanks for your reply. I’m glad to see that you would welcome a PR on the topic !

To be sure that my understanding of your proposal is correct, let me rephrase what it could be:

-          Several “Password policies groups” might be defined within a single “Realm”, each of them having their own set of “Password Policies” with their own configuration values. In addition to that, you propose to add another information to each of the “Password policies groups”: a priority.

-          Contrary to my proposal, application of a “Password policy group” would not be on a per-User basis. Instead, a “Password policy group” would be applied to the “Groups”, meaning that a “Group” would now be able to gather Attributes, Roles and (new !) Password Policies for all the members of the “Group”.

-          Then, when a “User” needs to login or to change its password (i.e. to access to its password policies), then KeyCloak would get the list of “Groups” the user is member of, and then select the Group’s “Password policies group” that has the highest priority: this is the one to be applied for password policy.

Is my understanding correct?

I also understand that not everyone is using Groups, but if so, I don’t understand what you mean by “it may be useful to also add support for a role”. Do you want also to be able to attach a “Password policies group” to individual roles, and thus apply the same election of the “policy to be used” thanks to the priority, taking into account not only the “Password policies groups” attached to the “Groups” the “User” is member of, but also the “Password policies groups” attached to the “Roles” the “User” is granted to?
I like the fact that “Password policies groups” are attached to “Groups” instead of “Users”… but the priority mechanism looks to me a bit complex to understand for Realm administrators… and it becomes quite odd when having “Password policies groups” attached to “Roles”, don’t you think so?

Best regards,
Patrice

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: lundi 14 janvier 2019 08:51
To: AMIEL Patrice <Patrice.Amiel at gemalto.com>
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Defining several Password Policies within a Realm

Hi,

This is a feature that have had a few requests for it so we would welcome a PR.

Assigning password policy groups to individual users is not the way to go. I'd suggest adding a priority to the password policy group where the password policy group with highest priority that applies to a user is used. This would allow adding different matching conditions for a policy. Initially it would be sufficient to match on a group of users, but it may be useful to also add support for a role as not everyone use groups at all.

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.