[keycloak-user] Question re Keycloak password / session policies

Stian Thorgersen sthorger at redhat.com
Thu Apr 14 02:08:13 EDT 2016


On 13 April 2016 at 21:48, Richard Lavallee <rllavallee at hotmail.com> wrote:

> I appreciate your patience, Stian,
> is the below list also supported by Keycloak?
>
> Do you want to enable password aging? [Yes / No]
>

Yes


> Select the number of days before password must be changed. [30 / 35 / 40 /
> 45 / 50 / 55 / 60 / 65 / 70 / 75 / 80 / 85 / 90]
>

Yes


> Do you want to enable session timeouts? [Yes / No]
>

Yes


> Enforce password complexity rules [Yes / No]
>

Depends what the rules are ;)


> Minimum password length [0 (Disabled) / 4 / 8 / 12]
>

Yes


> Block reuse of how many recent passwords [0 (Disabled) / 6 / 12 / 24]
>

Yes


> Block change of new passwords for how many days? [0 (Disabled) / 15 / 30 / 45]
>

No, you can create a JIRA for this one though


> Force change of new account passwords on first login? [Yes / No]
>

Yes


> Select amount of time before session will be terminated. [15 / 30 / 45 / 60]
>

Yes


> Do you want to check for common passwords? [Yes / No]
>

No, we really should have this one. JIRA please


> Inactivate user after how many days of inactivity? [Never / 30 / 60 / 90 / 120]
>

Yes


> Number of failed login attempts to allow before temporary lockout
> [0 (Disabled) / 3 / 5]
>

Yes


> Number of minutes to block user after failed login attempts [0 Min / 15 Min /
> 30 Min / 60 Min]
>

Yes


>
>
> ------------------------------
> Date: Wed, 13 Apr 2016 20:47:37 +0200
>
> Subject: RE: [keycloak-user] Question re Keycloak password / session
> policies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: stian at redhat.com; keycloak-user at lists.jboss.org
>
> Nope, that one is not there. You can add a jira request for it.
> On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee at hotmail.com> wrote:
>
> *Is the below policy supported in Keycloak?  If not can it be done in some
> custom way?*
>
> You are only allowed to change your password every 30 days
>
> ------------------------------
> Date: Wed, 13 Apr 2016 20:42:20 +0200
> Subject: RE: [keycloak-user] Question re Keycloak password / session
> policies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: stian at redhat.com; keycloak-user at lists.jboss.org
>
> Sure, but it would be a rather lengthy one.
> On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee at hotmail.com> wrote:
>
> Thanks.  But even for repetitive letters such as "aaaa"
> I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes?
>
> ------------------------------
> Date: Wed, 13 Apr 2016 06:47:09 +0200
> Subject: Re: [keycloak-user] Question re Keycloak password / session
> policies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: keycloak-user at lists.jboss.org
>
> That'd do it. I got confused and thought you didn't want repetitive
> letters.
>
> On 12 April 2016 at 19:32, Richard Lavallee <rllavallee at hotmail.com>
> wrote:
>
>
>    - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not
> though). We'll add ability to create custom password policies in the future
> though.
>
> Wouldn't the below suffice for regex?  Thus avoiding needing custom work
> for the short-term?
>
> forward  =
> "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
>     backward =
> "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
>     regex    = "(" + forward + "|" + backward + ")+";
>
>
> ------------------------------
> Date: Tue, 12 Apr 2016 06:37:41 +0200
> Subject: Re: [keycloak-user] Question re Keycloak password / session
> policies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: keycloak-user at lists.jboss.org
>
>
>
>
> On 11 April 2016 at 20:49, Richard Lavallee <rllavallee at hotmail.com>
> wrote:
>
> Does Keycloak support the following requirements?
>
> *Password:*
>
>    - Password should be changed in every 60 days (configurable)
>
> Yes
>
>
>    - If user enters password wrong three times account is locked out for
>    15 min (configurable)
>
> Yes
>
>
>    - Password chosen should not be previous 24 passwords
>
> Yes
>
>
>    - Password should have a letter and a number
>
> Yes
>
>
>    - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not
> though). We'll add ability to create custom password policies in the future
> though.
>
>
>    -
>
> *Inactivity:*
>
>    - Application session inactivity - default is 45 minutes (can be
>    configured)
>
> Yes, you can configure idle timeout for a session. A session is idle if
> there are no app logins or token refreshes.
>
>
>    - Account inactivity - account inactivity is 30 days default
>    (configurable)
>
> Yes
>
>
> -Richard
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160414/71c42911/attachment-0001.html 
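The regex discussion above (consecutive letters such as "ab"/"ba", repeated letters such as "aa"/"aA") and the checklist Stian answered can be tried out offline with the following added example. It is not Keycloak's code and not the regex the poster put in the thread; it builds the same forward/backward alternation programmatically and keeps the posted positive form next to it for comparison. One caveat a practitioner will want: Keycloak's built-in regexPattern policy requires the password to match the pattern, so a rule that forbids a sequence has to be written as a negative lookahead over the whole password, which is what NO_CONSECUTIVE and NO_REPEATED do (the patterns are Java-compatible). The rule names, the PBKDF2 stand-in for the stored credential hash, the (salt, digest) history format and the COMMON_PASSWORDS list are this example's own assumptions, constructed for illustration.

```python
"""Password rules from the thread, checked in plain Python.

Added example, not Keycloak's code. Keycloak's built-in regexPattern policy
requires the password to MATCH the pattern, so a rule that forbids a
sequence is written as a negative lookahead over the whole password; the
positive alternation posted in the thread is kept alongside for comparison.
Rule names, COMMON_PASSWORDS and the history format are this example's own.
"""
import hashlib
import re
import string

LETTERS = string.ascii_lowercase


def _adjacent_pairs(alphabet):
    """'ab', 'bc', ... for the given ordering of the alphabet."""
    return ["".join(pair) for pair in zip(alphabet, alphabet[1:])]


FORWARD = "|".join(_adjacent_pairs(LETTERS))         # ab|bc|...|yz
BACKWARD = "|".join(_adjacent_pairs(LETTERS[::-1]))  # zy|yx|...|ba

# The positive form from the thread: accepts a password only when the WHOLE
# password is made of consecutive-letter pairs (Java Matcher.matches semantics).
SEQUENCE_ONLY = rf"(?:{FORWARD}|{BACKWARD})+"

# Java-compatible patterns the password must match to be accepted.
# (?i) so "AB", "aB" and "Aa" are caught as well as the lower-case forms.
NO_CONSECUTIVE = rf"(?i)^(?!.*(?:{FORWARD}|{BACKWARD})).*$"
NO_REPEATED = r"(?i)^(?!.*([a-z])\1).*$"   # "aa", "aA", "Aa", "AA"

# Constructed sample list; a real deployment would load a large dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def matches_positive_form(password):
    """True when the thread's positive alternation accepts the password."""
    return re.fullmatch(SEQUENCE_ONLY, password) is not None


def password_hash(password, salt):
    """PBKDF2-SHA256 stand-in for the stored credential hash (example only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20000)


def check_password(candidate, history=(), min_length=8, common=COMMON_PASSWORDS):
    """Return the names of the rules the candidate violates; empty means accepted.

    history: iterable of (salt, digest) pairs for the last N passwords, so the
    candidate is compared hash-to-hash, never against stored plaintext.
    """
    failed = []
    if len(candidate) < min_length:
        failed.append("length")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        failed.append("letterAndDigit")
    if not re.fullmatch(NO_CONSECUTIVE, candidate):
        failed.append("noConsecutiveLetters")
    if not re.fullmatch(NO_REPEATED, candidate):
        failed.append("noRepeatedLetters")
    if candidate.lower() in common:
        failed.append("commonPassword")
    if any(password_hash(candidate, salt) == digest for salt, digest in history):
        failed.append("passwordHistory")
    return failed


if __name__ == "__main__":
    salt = b"constructed-salt"
    recent = [(salt, password_hash("Trumpet9", salt))]   # last password, hashed
    for pw in ["Trumpet9", "abcdef12", "bookworm5", "Ab1", "Qwerty"]:
        print(pw, check_password(pw, history=recent))
```

Note the difference the lookahead makes: matches_positive_form("abcd") is true and matches_positive_form("Trumpet9") is false, so a must-match policy built from the positive alternation would accept only passwords made of consecutive letters, the opposite of the intent; NO_CONSECUTIVE rejects "abcdef12" and accepts "Trumpet9".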