[keycloak-user] password history not always correctly considered

Stian Thorgersen sthorger at redhat.com
Mon Oct 31 02:29:54 EDT 2016


I guess it's buggy behavior, but the real question is do we care? It seems
to be an issue purely limited to testing and not to real usage?

On 27 October 2016 at 12:22, Bystrik Horvath <bystrik.horvath at gmail.com>
wrote:

> Hi,
>
> the question is whether this is buggy behavior or not, regardless of my use
> case. I came across this behavior on a slower virtual machine where the gaps
> between the calls were more than 300 ms, then I decided to test it locally
> on a Windows machine without network communication.
> What could I expect then on a clustered solution where I change the password
> on one node and do the same on the next node?
> Thank you for the answer.
>
> Best regards,
> Bystrik
>
> On Tue, Oct 25, 2016 at 3:28 PM, Bystrik Horvath <
> bystrik.horvath at gmail.com>
> wrote:
>
> > Hi Bill and Stian,
> >
> > I know that this is a silly test case, but the API provides the possibility
> > ;-) Anyway, I run my test from the POSTMAN tool and the requests are running
> > in a sequence. I have a standalone Keycloak on my Windows machine, so it is
> > not a cluster. Yes Bill, you are right, mostly it is the 3rd attempt that fails.
> >
> > Best regards,
> > Bystrik
> >
> > On Tue, Oct 25, 2016 at 3:00 PM, Bill Burke <bburke at redhat.com> wrote:
> >
> >> We purge older history entries.  It's based on creation date of current
> >> time in milliseconds.  I guess it could be possible that the update is
> >> happening so fast that multiple entries have the same creation date.
> >> Are you running tests in a cluster?  Could also be possible that the
> >> machines in your cluster don't have fully synchronized clocks.
> >>
> >> Does it work for the first 2 tries, then fail on the 3rd?  Then that is
> >> probably the problem you are experiencing.
> >>
> >>
> >> On 10/25/16 7:23 AM, Bystrik Horvath wrote:
> >> > Hello,
> >> >
> >> > I have a realm where password history was set to 3. When I try to set
> >> > the password for a user too fast (via REST API), I'm able to use one of
> >> > the passwords that should be recorded as not usable. When I put a small
> >> > sleep between the password changes (approx. 300 ms), the use case works
> >> > fine, so I'm not allowed to use any of the 3 recorded passwords from the
> >> > history. I tested the case using 1.9.3 Final and 2.2.1 Final with the
> >> > same results.
> >> > It looks to me like a bug, isn't it?
> >> >
> >> > Thank you for the answer & best regards,
> >> > Bystrik
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >
> >
>
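The purge mechanism Bill describes above (keep the newest N history entries, ordered by a creation timestamp in milliseconds) is easy to model. The following is an added example written for this thread; it is not Keycloak's code, and the class, field names, `run_scenario` helper and sha256 hashing are assumptions made for illustration. It shows why two password changes that land in the same millisecond can purge the wrong entry, and that adding a monotonic sequence number as a tie-breaker restores the intended ordering:

```python
"""Added model of a password-history purge keyed on creation time in
milliseconds (illustration only; not Keycloak's implementation)."""
import hashlib
import itertools
from dataclasses import dataclass


@dataclass
class HistoryEntry:
    digest: str       # hash of a previous password (sha256 here for brevity;
                      # a real credential store would use a slow, salted KDF)
    created_ms: int   # wall-clock creation time in milliseconds
    seq: int          # monotonic insertion counter, used as the tie-breaker


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordHistory:
    """Keeps the newest `limit` passwords and rejects reuse of any of them."""

    def __init__(self, limit: int, tie_break_by_seq: bool) -> None:
        self.limit = limit
        self.tie_break_by_seq = tie_break_by_seq
        self._seq = itertools.count()
        self.entries: list[HistoryEntry] = []

    def is_reused(self, password: str) -> bool:
        d = _digest(password)
        return any(e.digest == d for e in self.entries)

    def set_password(self, password: str, now_ms: int) -> bool:
        """Record a new password; return False if history rejects it."""
        if self.is_reused(password):
            return False
        self.entries.append(HistoryEntry(_digest(password), now_ms, next(self._seq)))
        self._purge()
        return True

    def _purge(self) -> None:
        if self.tie_break_by_seq:
            def key(e):
                return (e.created_ms, e.seq)   # total order over entries
        else:
            def key(e):
                return e.created_ms            # ties are indistinguishable
        # Newest first, then drop everything beyond the limit. Python's sort is
        # stable, so with a timestamp-only key the entries sharing a millisecond
        # keep insertion order and the *newest* of them is the one dropped; a
        # SQL "ORDER BY created DESC" leaves the order among ties unspecified.
        newest_first = sorted(self.entries, key=key, reverse=True)
        self.entries = newest_first[: self.limit]


def run_scenario(limit: int, tie_break_by_seq: bool, gap_ms: int) -> dict:
    """Set p1..p4 `gap_ms` apart, then report which of them history now blocks."""
    history = PasswordHistory(limit, tie_break_by_seq)
    t0 = 1_477_000_000_000  # constructed timestamp, not from a real log
    for i, pw in enumerate(["p1", "p2", "p3", "p4"]):
        accepted = history.set_password(pw, t0 + i * gap_ms)
        assert accepted, pw  # none of the four is a repeat, so all are taken
    return {pw: history.is_reused(pw) for pw in ["p1", "p2", "p3", "p4"]}


if __name__ == "__main__":
    # Timestamp-only purge, 300 ms between changes: p2..p4 blocked, p1 free.
    print("slow, ts only  :", run_scenario(3, False, 300))
    # Timestamp-only purge, all changes within one millisecond: p4, the
    # password that was just set, is the one purged and can be reused at once.
    print("fast, ts only  :", run_scenario(3, False, 0))
    # Timestamp plus sequence number: correct in both cases.
    print("fast, ts + seq :", run_scenario(3, True, 0))
```

A per-process counter only fixes the single-node case. For the clustered case Bill raises (nodes whose clocks are not synchronized), the tie-breaker has to come from the shared store itself, for example an auto-increment id or database sequence assigned on insert, rather than from any node's wall clock.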

