[keycloak-user] Question re Keycloak password / session policies

Guus der Kinderen guus.der.kinderen at gmail.com
Thu Apr 14 06:09:43 EDT 2016


JIRA issue for common password check:
https://issues.jboss.org/browse/KEYCLOAK-2822

On 14 April 2016 at 08:08, Stian Thorgersen <sthorger at redhat.com> wrote:

>
>
> On 13 April 2016 at 21:48, Richard Lavallee <rllavallee at hotmail.com>
> wrote:
>
>> I appreciate your patience, Stian,
>> is the below list also supported by Keycloak?
>>
>> Do you want to enable password aging? Yes / No
>>
>
> Yes
>
>
>> Select the number of days before password must be changed. 30 / 35 / 40 /
>> 45 / 50 / 55 / 60 / 65 / 70 / 75 / 80 / 85 / 90
>>
>
> Yes
>
>
>> Do you want to enable session timeouts? Yes / No
>>
>
> Yes
>
>
>> Enforce password complexity rules Yes / No
>>
>
> Depends what the rules are ;)
>
>
>> Minimum password length 0 (Disabled) / 4 / 8 / 12
>>
>
> Yes
>
>
>> Block reuse of how many recent passwords 0 (Disabled) / 6 / 12 / 24
>>
>
> Yes
>
>
>> Block change of new passwords for how many days? 0 (Disabled) / 15 / 30 / 45
>>
>
> No, you can create a JIRA for this one though
>
>
>> Force change of new account passwords on first login? Yes / No
>>
>
> Yes
>
>
>> Select amount of time before session will be terminated. 15 / 30 / 45 / 60
>>
>
> Yes
>
>
>> Do you want to check for common passwords? Yes / No
>>
>
> No, we really should have this one. JIRA please
>
>
>> Inactivate user after how many days of inactivity? Never / 30 / 60 / 90 / 120
>>
>
> Yes
>
>
>> Number of failed login attempts to allow before temporary lockout
>> 0 (Disabled) / 3 / 5
>>
>
> Yes
>
>
>> Number of minutes to block user after failed login attempts 0 Min / 15 Min /
>> 30 Min / 60 Min
>>
>
> Yes
>
>
>>
>>
>> ------------------------------
>> Date: Wed, 13 Apr 2016 20:47:37 +0200
>>
>> Subject: RE: [keycloak-user] Question re Keycloak password / session
>> policies
>> From: sthorger at redhat.com
>> To: rllavallee at hotmail.com
>> CC: stian at redhat.com; keycloak-user at lists.jboss.org
>>
>> Nope, that one is not there. You can add a jira request for it.
>> On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee at hotmail.com> wrote:
>>
>> *Is the below policy supported in Keycloak?  If not can it be done in
>> some custom way?*
>>
>> You are only allowed to change your password every 30 days
>>
>> ------------------------------
>> Date: Wed, 13 Apr 2016 20:42:20 +0200
>> Subject: RE: [keycloak-user] Question re Keycloak password / session
>> policies
>> From: sthorger at redhat.com
>> To: rllavallee at hotmail.com
>> CC: stian at redhat.com; keycloak-user at lists.jboss.org
>>
>> Sure, but it would be a rather lengthy one.
>> On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee at hotmail.com> wrote:
>>
>> Thanks.  But even for repetitive letters such as "aaaa"
>> I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes?
>>
>> ------------------------------
>> Date: Wed, 13 Apr 2016 06:47:09 +0200
>> Subject: Re: [keycloak-user] Question re Keycloak password / session
>> policies
>> From: sthorger at redhat.com
>> To: rllavallee at hotmail.com
>> CC: keycloak-user at lists.jboss.org
>>
>> That'd do it. I got confused and thought you didn't want repetitive
>> letters.
>>
>> On 12 April 2016 at 19:32, Richard Lavallee <rllavallee at hotmail.com>
>> wrote:
>>
>>
>>    - Password should not have consecutive letters
>>
>> Maybe, if you can come up with a way to write that as regex (probably not
>> though). We'll add ability to create custom password policies in the future
>> though.
>>
>> Wouldn't the below suffice for regex?  Thus avoiding needing custom work
>> for the short-term?
>>
>> String forward  = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
>>        backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
>>        regex    = "(" + forward + "|" + backward + ")+";
>>
>>
>> ------------------------------
>> Date: Tue, 12 Apr 2016 06:37:41 +0200
>> Subject: Re: [keycloak-user] Question re Keycloak password / session
>> policies
>> From: sthorger at redhat.com
>> To: rllavallee at hotmail.com
>> CC: keycloak-user at lists.jboss.org
>>
>>
>>
>>
>> On 11 April 2016 at 20:49, Richard Lavallee <rllavallee at hotmail.com>
>> wrote:
>>
>> Does Keycloak support the following requirements?
>>
>> *Password:*
>>
>>    - Password should be changed in every 60 days (configurable)
>>
>> Yes
>>
>>
>>    - If user enters password wrong three times account is locked out for
>>    15 min (configurable)
>>
>> Yes
>>
>>
>>    - Password chosen should not be previous 24 passwords
>>
>> Yes
>>
>>
>>    - Password should have a letter and a number
>>
>> Yes
>>
>>
>>    - Password should not have consecutive letters
>>
>> Maybe, if you can come up with a way to write that as regex (probably not
>> though). We'll add ability to create custom password policies in the future
>> though.
>>
>>
>> *Inactivity:*
>>
>>    - Application session inactivity - default is 45 minutes (can be
>>    configured)
>>
>> Yes, you can configure idle timeout for a session. A session counts as idle
>> if there are no app logins or token refreshes
>>
>>
>>    - Account inactivity - account inactivity is 30 days default
>>    (configurable)
>>
>> Yes
>>
>>
>> -Richard
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160414/f13021cb/attachment-0001.html 
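Editor's note: the example below is added to this archive page and is not code from the thread or from the Keycloak project. It turns the items the thread says Keycloak supports (password age, history, length, letter and digit, lockout after N failures, session idle timeout) into a realm configuration, and builds the "no consecutive letters / no repeated letters" rule as a regex. Two assumptions are made and should be checked against the Keycloak version in use: the regexPattern policy is a java.util.regex pattern the whole password must match, so a "must not contain" rule has to be written as a negative lookahead (a pattern that merely lists the forbidden pairs would require one of them rather than forbid them); and the realm field names used in realm_settings() are those of the RealmRepresentation JSON. Sample passwords are constructed, not real credentials.

```python
# Added example, not from the mailing-list thread or the Keycloak code base.
# Assumptions (verify against your Keycloak version):
#   * regexPattern(...) takes a java.util.regex pattern the whole password
#     must match, so "must not contain" rules need negative lookaheads;
#   * the realm JSON field names in realm_settings() are those of the
#     RealmRepresentation (bruteForceProtected, failureFactor, ...).
import re
import string

ALPHABET = string.ascii_lowercase


def forbidden_pairs():
    """All ascending ('ab', 'bc', ...) and descending ('ba', 'cb', ...)
    adjacent-letter pairs; a password containing any of them is rejected."""
    ascending = [ALPHABET[i:i + 2] for i in range(len(ALPHABET) - 1)]
    return ascending + [p[::-1] for p in ascending]


def no_sequences_pattern():
    """Anchored pattern using only syntax shared by Python's re and
    java.util.regex: case-insensitive, reject any alphabet run and any
    doubled character ('aa', 'xX'), accept everything else."""
    alternation = "|".join(forbidden_pairs())
    return rf"(?i)^(?!.*(?:{alternation}))(?!.*(.)\1).*$"


def password_ok(password, pattern=None):
    """Local check mimicking Matcher.matches(): the full password must match."""
    return re.fullmatch(pattern or no_sequences_pattern(), password) is not None


def realm_policy(max_age_days=60, min_length=8, history=24):
    """The realm 'passwordPolicy' string, built from the policy providers the
    thread confirms: length, digits + lowerCase ('a letter and a number'),
    passwordHistory, forceExpiredPasswordChange, and regexPattern."""
    parts = [
        f"length({min_length})",
        "digits(1)",
        "lowerCase(1)",
        f"passwordHistory({history})",
        f"forceExpiredPasswordChange({max_age_days})",
        f"regexPattern({no_sequences_pattern()})",
    ]
    # The policy string is split on " and ", so the regex must not contain it.
    return " and ".join(parts)


def realm_settings(lockout_attempts=3, lockout_minutes=15, idle_minutes=45):
    """Realm fields (assumed names, see header) for the lockout and session
    idle-timeout items; all durations are in seconds."""
    wait = lockout_minutes * 60
    return {
        "bruteForceProtected": True,
        "failureFactor": lockout_attempts,   # failures before the wait starts
        "waitIncrementSeconds": wait,
        "maxFailureWaitSeconds": wait,       # same value: a flat 15-minute lockout
        "ssoSessionIdleTimeout": idle_minutes * 60,
        "passwordPolicy": realm_policy(),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["Tr0ub4dor&3", "abc123", "Passw0rd!", "paxXword", "zyx9!"]:
        print(f"{pw!r:14} -> {'ok' if password_ok(pw) else 'rejected'}")
    print(realm_settings()["passwordPolicy"])
```

The `(?i)` flag makes the lookaheads catch "aB" and "xX" as well as "ab" and "xx" (the case Richard raised), and the `^...$` anchors keep the behaviour the same whether the server checks with matches() or find(). Everything the thread lists as unsupported (minimum password age, common-password check) is deliberately absent.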