[keycloak-user] password history not always correctly considered
Stian Thorgersen
sthorger at redhat.com
Tue Oct 25 08:54:51 EDT 2016
I suspect what's happening is that there's two concurrent requests to
update the password history and one overrides the changes from the other.
Is it really a problem though? I somehow don't think users update their
password every 300 ms.
On 25 October 2016 at 13:23, Bystrik Horvath <bystrik.horvath at gmail.com>
wrote:
> Hello,
>
> I have a realm where password history was set to 3. When I try to set the
> password for an user too fast (via REST API), I'm able to use one of the
> passwords that should be recorded as not usable. When I put a small sleep
> between the password changes (aprox. 300 ms), the usecase works fine - so
> I'm not allowed to use any of the 3 recorded password from the history. I
> tested the case using 1.9.3 Final and 2.2.1 Final with same results.
> It looks to me like a bug, isn't it?
>
> Thank you for the answer&best regards,
> Bystrik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list