<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Btv. I think it should be possible to
do it with authenticator as well, but you need to configure
authentication flow correctly. You will have your custom
authenticator, which will check pwdLastSet and if it's 0, it will
put the requiredAction on user and at the same time it will set
user as authenticated. It would need to be ALTERNATIVE
authenticator used in browser flow before "Forms" authenticator
(Forms authenticator is that one which displays login form with
username/password and optionally OTP). That way, forms
authenticator won't be used and username/password form won't be
displayed. It will go directly to requiredActions and user will be
asked to update password.<br>
<br>
Marek<br>
<br>
0On 10/11/15 14:27, Marek Posolda wrote:<br>
</div>
<blockquote cite="mid:5641F0BF.6000208@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">I agree we need some way to address
this. Active Directory is widely used and more people asked for
that . I've put the comment to <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://issues.jboss.org/browse/KEYCLOAK-1744">https://issues.jboss.org/browse/KEYCLOAK-1744</a>
with possible solution, but it may need changes in
UserFederationProvider interface, so the federationProvider is
able to propagate the cause why password validation failed
(password is expired, user is disabled, or just invalid password
was used etc...).<br>
<br>
As a temporary workaround, you can subclass
LDAPFederationProvider and do something on your own. You can
override LDAPFederationProvider.validPassword and add
updatePassword on User when you detect that reason of password
validation failure is expired password.<br>
<br>
Marek<br>
<br>
On 09/11/15 20:32, Cory Snyder wrote:<br>
</div>
<blockquote
cite="mid:76A3D583-AF5C-4616-B3B8-12B9C33C9CAE@iland.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div class="">Hey guys,</div>
<div class=""><br class="">
</div>
<div class="">Following up on this conversation that took place
a couple of months back: <a moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html"
class="">http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html</a>.
I just had a chance to try the proposed approach of
implementing a custom authentication provider that checks the
pwdLastSet attribute and sets the update password required
action. I believe that this may not be quite as easy as was
suggested due to the fact that authentication fails with the
default LDAP Federation Provider before a custom execution in
the login flow has a chance to check the attribute and set the
required action. It seems I would need to implement a custom
LDAP Federation Provider that considers authentication
successful when the exception referenced in <a
moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-1744"
class=""><a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-1744">https://issues.jboss.org/browse/KEYCLOAK-1744</a></a> is
thrown, but also add the required action for updating the
password. Is there an easy way to do that or something that
I’m missing? Otherwise, I’d be willing to work on a
contribution for this issue if you’re willing to have logic
that is specific to AD?</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<br class="">
<div apple-content-edited="true" class="">
<div class="">
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 13px;" class=""> Cory Snyder</div>
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 11px; color: rgb(153, 153, 153);" class="">
software engineer</div>
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 11px;" class=""> <span style="font-weight:
bold; color: rgb(11, 164, 232);" class="">USA</span> <span
style="color: rgb(153, 153, 153);" class="">+1.419.731.3479
</span><span style="font-weight: bold; color: rgb(11,
164, 232);" class=""> UK </span><span style="color:
rgb(153, 153, 153);" class="">+44.20.7096.0149 </span>
<a moz-do-not-send="true" href="http://www.iland.com/"
style="font-weight: bold; color: rgb(11, 164, 232);
text-decoration: none;" class="">iland.com</a> </div>
</div>
</div>
<br class="">
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</body>
</html>