Javascript client mobile review
by Wojciech Trocki
Hi
I recently made a couple of integrations with Keycloak on Android and iOS.
During testing some problems were found around the cordova adapter.
I created a minor fix to resolve the iOS issue I found:
https://github.com/keycloak/keycloak/pull/4514
After reviewing the source code I think that it would be good to allow
developers to provide their own adapters. This way we will be able to make
some tweaks for platforms like NativeScript or React Native. Do you think
that's a good idea?
I can create a ticket and contribute to provide this mechanism.
Regards
--
WOJCIECH TROCKI
Red Hat Mobile <https://www.redhat.com/>
IM: wtrocki
<https://red.ht/sig>
7 years, 3 months
rename client templates to scope?
by Bill Burke
This is something for 4.0
Was thinking that we should rename Client Templates to Client Scopes.
For OAuth, OIDC, and token exchange, the client asks for a specific scope
with the "scope" parameter. This "scope" parameter would be the name
of a client-id or a client scope (formerly client templates). Clients
will be granted access to scopes in the admin console, probably
through authz services.
--
Bill Burke
Red Hat
7 years, 3 months
Incompatibility of UserRepresentation (and other Reps) between 2.5.5.Final and 3.3.0.CR2
by Thomas Darimont
Hello,
I just noticed that it isn't possible to create a user with the old
keycloak admin client (2.5.5.Final)
on the Keycloak Server (3.3.0.CR2). See the exception below.
It turns out that the recently introduced field "notBefore" on
UserRepresentation in KEYCLOAK-5293 is the cause.
Other representations like ClientRepresentation (unknown field "access")
and ProviderRepresentation (unknown field "order")
have the same problem.
How about adding... @JsonIgnoreProperties(ignoreUnknown = true) ... to all
representations (org.keycloak.representations.idm.*) to stay backwards
compatible for old clients?
I gave this a spin locally (by patching the keycloak-core jar) and it is
working fine.
Cheers,
Thomas
javax.ws.rs.client.ResponseProcessingException:
javax.ws.rs.ProcessingException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "notBefore" (class
org.keycloak.representations.idm.UserRepresentation), not marked as
ignorable (24 known properties: "disableableCredentialTypes", "enabled",
"emailVerified", "origin", "self", "applicationRoles", "createdTimestamp",
"clientRoles", "groups", "username", "totp", "id", "email",
"federationLink", "serviceAccountClientId", "lastName", "clientConsents",
"socialLinks", "realmRoles", "attributes", "firstName", "credentials",
"requiredActions", "federatedIdentities"])
at [Source: org.apache.http.conn.EofSensorInputStream@2663e964; line: 1,
column: 308] (through reference chain:
java.util.ArrayList[0]->org.keycloak.representations.idm.UserRepresentation["notBefore"])
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:141)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
at com.sun.proxy.$Proxy32.search(Unknown Source)
7 years, 3 months
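The UserRepresentation failure described in the post above, reproduced with a stand-in class and showing both ways of tolerating properties a newer server adds. This is an added example, not code from the thread or from Keycloak; StrictUserRep, LenientUserRep and the sample JSON are constructed stand-ins, and it assumes jackson-databind on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class RepresentationCompatDemo {

    // Stand-in for the 2.5.5.Final client's view of UserRepresentation: no "notBefore".
    public static class StrictUserRep {
        public String id;
        public String username;
        public Boolean enabled;
    }

    // Same fields, but tolerant of fields introduced by a newer server (the proposal above).
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class LenientUserRep {
        public String id;
        public String username;
        public Boolean enabled;
    }

    // Constructed sample of what a 3.3.0.CR2 server returns, including the new field.
    static final String NEWER_SERVER_JSON =
        "[{\"id\":\"u-1\",\"username\":\"alice\",\"enabled\":true,\"notBefore\":0}]";

    // Returns the offending property name when the old, strict class rejects the payload.
    static String strictFailure(ObjectMapper mapper) throws Exception {
        try {
            mapper.readValue(NEWER_SERVER_JSON, StrictUserRep[].class);
            return null;
        } catch (UnrecognizedPropertyException e) {
            return e.getPropertyName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Jackson fails on unknown properties by default; this is the exception from the post.
        ObjectMapper strict = new ObjectMapper();
        System.out.println("old client fails on field: " + strictFailure(strict));

        // Fix 1 (server/representation side): annotate the representation classes.
        LenientUserRep[] users = strict.readValue(NEWER_SERVER_JSON, LenientUserRep[].class);
        System.out.println("annotated class ok: " + users[0].username);

        // Fix 2 (client side, only when you control the ObjectMapper the client uses):
        // disable FAIL_ON_UNKNOWN_PROPERTIES instead of patching the representation jar.
        ObjectMapper tolerant = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        System.out.println("strict class + tolerant mapper ok: "
            + strictFailure(tolerant) == null);
    }
}
```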
Promise wrapper for javascript adapter
by Raymond DeCampo
Hello all,
I created a wrapper around the javascript adapter which uses ES6 native
Promises (https://github.com/RayDeCampo/keycloak-promise).
If you are interested, I can re-package it for inclusion in Keycloak and
create a pull request on GitHub. If you have a different process for
contributions, let me know.
If you are not interested, no hard feelings.
Thanks,
Ray
7 years, 3 months
Question about a problem with Derivation and/or Deployment and/or (at the end) a 'NoClassDefFoundError'.
by Christian Kayssner
Hello,
I have a problem in the deployment process.
For a higher security context I have to intervene in the original username/password functionality.
I searched and found the original class 'org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory'.
For this mail, I reduced the derivation and manipulation to a minimum and chose the 'secret-example' for deployment.
The derived factory class gets the name 'org.example.derivations.MyUsernamePasswordFormFactory' and would be activated next to the existing factory in the file 'org.keycloak.examples.authenticator.SecretQuestionAuthenticatorFactory'.
I took the secret-question example because it is closest to mine.
But when I deploy the secret-example I get the 'NoClassDefFoundError' (see below).
I checked the java visibilities (nothing private, protected or final).
The core class resides in the artifactId 'keycloak-services', and the secret-example pom has a direct dependency entry.
Eclipse (the maven-plugin) is satisfied.
Therefore I found no reason for this exception.
Does anyone have an idea why the *deployment* fails (and which party (Maven, Wildfly or Keycloak) is not amused)?
Have I missed something?
Or is a derivation, per se, not desired?
If someone wants to retrace, he/she needs:
* a current 64-bit Linux with approximately 420 MB free space and a directory of your choice,
* with a running Maven environment
* and *without* a running WildFly/Keycloak system.
Next, you:
* download the demo version into your/this directory
wget -r https://downloads.jboss.org/keycloak/3.2.1.Final/keycloak-demo-3.2.1.Fina...
* expand this archive,
tar -xzf keycloak-demo-3.2.1.Final.tar.gz
* save the following patch (all content between <SecretExamplePatchFile> and </SecretExamplePatchFile>) to a file and apply it,
patch -p 0 < NameOfYourSavedPatchFile
* start the example server and save the terminal log,
keycloak-demo-3.2.1.Final/keycloak/bin/standalone.sh | tee keycloak-demo-3.2.1.Final.log
* open a new terminal,
* go to the secret example directory and
cd keycloak-demo-3.2.1.Final/examples/providers/authenticator
* deploy it.
mvn clean install wildfly:deploy
* and you will see the 'NoClassDefFoundError' exception!
Best regards
Christian Kayssner
--
G. Muth Partners GmbH
Borsigstraße 32
D - 65205 Wiesbaden
HRB 10196 Amtsgericht Wiesbaden
Geschäftsführer: Klaus Gockel / Oliver Mächold
Tel. : +49(0)6122/5981-0
FAX. : +49(0)6122/5981-50
eMail: christian.kayssner(a)muthpartners.de
www : www.muthpartners.de
--
<stack trace>
:
:
:
17:39:08,074 INFO [org.jboss.as.repository] (management-handler-thread - 4) WFLYDR0001: Content added at location /path/to/your/own/playground/keycloak-demo-3.2.1.Final/keycloak/standalone/data/content/e4/95f32235bb131df52f479a09827186a3265788/content
17:39:08,082 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "authenticator-required-action-example.jar" (runtime-name: "authenticator-required-action-example.jar")
17:39:08,322 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-1) Deploying Keycloak provider: authenticator-required-action-example.jar
17:39:08,335 WARN [org.jboss.modules] (MSC service thread 1-1) Failed to define class org.example.derivations.MyUsernamePasswordFormFactory in Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
at org.jboss.modules.Module.loadModuleClass(Module.java:605)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:208)
at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:114)
at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
17:39:08,336 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "authenticator-required-action-example.jar"
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
at org.jboss.modules.Module.loadModuleClass(Module.java:605)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:208)
at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:114)
at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
... 5 more
17:39:08,339 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "authenticator-required-action-example.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
Caused by: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory"}}
17:39:08,341 ERROR [org.jboss.as.server] (management-handler-thread - 4) WFLYSRV0021: Deploy of deployment "authenticator-required-action-example.jar" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
Caused by: java.lang.NoClassDefFoundError: Failed to link org/example/derivations/MyUsernamePasswordFormFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordFormFactory"}}
17:39:08,356 INFO [org.jboss.as.server.deployment] (MSC service thread 1-5) WFLYSRV0028: Stopped deployment authenticator-required-action-example.jar (runtime-name: authenticator-required-action-example.jar) in 14ms
17:39:08,357 INFO [org.jboss.as.controller] (management-handler-thread - 4) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE
</stack trace>
--
<SecretExamplePatchFile>
diff -Naur keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java
--- keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java 1970-01-01 00:00:00.000000000 +0000
+++ keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/java/org/example/derivations/MyUsernamePasswordFormFactory.java 2017-09-20 11:37:09.425674263 +0000
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.example.derivations;
+
+import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
+
+/**
+ */
+public//
+class MyUsernamePasswordFormFactory//
+ extends UsernamePasswordFormFactory//
+{
+ public//
+ static//
+ final//
+ String PROVIDER_ID = "my-auth-username-password-form";
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public//
+ String getId()//
+ {
+ return MyUsernamePasswordFormFactory.PROVIDER_ID;
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * @return The heading for the (browser) page to explain the necessary inputs.
+ */
+ @Override
+ public//
+ String getDisplayType()//
+ {
+ return "My Username Password Form";
+ }
+}
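Review bot: the class imported on the `+import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;` line is exactly the one the deployer reports as unlinkable in the log above, and nothing in this patch gives the deployment a runtime module dependency on it; the keycloak-services entry in the example pom only satisfies compilation, so the provider jar should carry a META-INF/jboss-deployment-structure.xml (or a MANIFEST.MF Dependencies entry) that adds the org.keycloak.keycloak-services module before a class from that jar can be extended. Separately, the trailing `//` after each modifier (`public//`, `static//`, `final//`, `String getId()//`) is noise and should be dropped.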
diff -Naur keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
--- keycloak-demo-3.2.1.Final/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory 2017-07-21 11:31:26.000000000 +0000
+++ keycloak-demo-3.2.1.Final-modified/examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory 2017-09-20 11:43:31.354018042 +0000
@@ -15,4 +15,5 @@
# limitations under the License.
#
-org.keycloak.examples.authenticator.SecretQuestionAuthenticatorFactory
\ No newline at end of file
+org.keycloak.examples.authenticator.SecretQuestionAuthenticatorFactory
+org.example.derivations.MyUsernamePasswordFormFactory
\ No newline at end of file
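Review bot: the rewritten last line still ends without a newline (`\ No newline at end of file` appears twice in this hunk), so the next provider added here will produce the same remove-and-re-add diff; end the file with a newline. ServiceLoader reads both entries either way, and the trace above shows it reaching the new class from ServiceLoader$LazyIterator.nextService, so this hunk is not the cause of the failure.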
diff -Naur keycloak-demo-3.2.1.Final/keycloak/modules/layers.conf keycloak-demo-3.2.1.Final-modified/keycloak/modules/layers.conf
--- keycloak-demo-3.2.1.Final/keycloak/modules/layers.conf 1970-01-01 00:00:00.000000000 +0000
+++ keycloak-demo-3.2.1.Final-modified/keycloak/modules/layers.conf 2017-07-21 09:11:58.000000000 +0000
@@ -0,0 +1 @@
+layers=keycloak
\ No newline at end of file
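Review bot: this hunk creates keycloak/modules/layers.conf inside the server distribution rather than in the example; the `---` header dated 1970-01-01 indicates the file was absent from the unpacked demo, and the reproduction steps above never mention it. State why it is needed, or split it out of the patch so the server tweak can be reviewed separately from the authenticator change.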
</SecretExamplePatchFile>
7 years, 3 months
Implementations for KEYCLOAK-2209
by Ricardo Martin Camarero
Hi team,
I'm forwarding this email to the list following Stian's recommendation.
I needed to learn more about Keycloak (how to manage the Maven project,
how to add a modification, how to test it, and so on and so forth), so I
decided to start looking at the code and try to help when I have some free
time. As I filed an internal RFE because one customer wanted a solution
similar to the one specified in KEYCLOAK-2209, I started to implement
something. Now I have two possible ideas that are not completely
implemented (I haven't done any group use, for example). Both ideas have
similarities:
* I have extended the database to include a REALM_PASSWORD_POLICY_GROUP
table that contains more policies associated to the realm. I thought
about using an attribute but I decided to extend the database because
the current policy attribute is a long string (length 2550). This way in
the realm (policies page) now you can configure more than one password
policy (default is the current one and you can add new policies that are
saved in the new table with a name).
* The user has a new attribute that contains the password policy, in
this case I have re-used an attribute (I'm not sure about this idea, now
I think using a new column would be better but I needed a multiple
attribute for option 2).
* In both solutions I needed to extend the PasswordPolicyProvider
interface to pass the config to the two validate methods:
PolicyError validate(RealmModel realm, UserModel user, String password, Object config);
I think there is a bug in this part in current master branch, because
regex policy is multiple, and you cannot assign two different regex
providers in the same policy (PasswordPolicy stores the configuration in
a Map<String, Object>, so you cannot have two different configurations
for the same type, if you assign two regex providers they are
transformed into one as soon as you save the policy).
Now the two implementations:
1) The first idea lets us configure one password policy for a user. My
branch is this one:
https://github.com/rmartinc/keycloak/tree/password-policy-groups
In this solution the user has a combo (only one policy can be assigned
to a user) and only one policy is applied to that user. My idea was
extending this using groups and priorities. Password policies would
have a priority, and only one policy would apply to a user (from all the
possible policies, the one with the highest priority applies). For the
moment I only modified Keycloak to have a different policy in the user
(no priorities or group policies).
2) The second idea follows the description in 2209. The branch is the
following:
https://github.com/rmartinc/keycloak/tree/password-policy-groups-multi
Here the user can have multiple password policies. The definitive
policy is a merge between all the policies applied to the user. To do
this I needed to extend the PasswordPolicyProvider interface even more,
in order to have a compare method that returns which policy is more
restrictive. Extending this idea to groups is just merging more policies.
You can test my ideas (I think both of them are working). If you are
interested please let me know which idea you think is better (I'm not
completely sure, now I think that I prefer option 1, although option 2
is more similar to the RFE description, I think the latter is very
confusing). If you like one of them, I'll try to finish the
implementation (now there are no tests and some decisions I took maybe
are wrong). If you think this is not needed or it's not the time to
implement this RFE don't worry, it's ok, I needed to play with keycloak,
and that part is done.
Regards!
7 years, 3 months
external token exchange - feedback needed
by Bill Burke
I'm almost done implementing external token exchange where you can
provide an external OIDC token and exchange it for a Keycloak one.
Need some feedback though.
* first broker flow and post broker flows won't be executed. Can't,
it's a non-browser flow.
* mappers are run.
* logout will not log out the broker session
* If duplicate emails exist, abort, 403
* If duplicate username exists, abort, 403.
The feedback I need is on duplicates. We might have the case where
username is unique across different realms. Should I have a switch
that will use existing user? Maybe an additional switch to not create
a link? Maybe I should have an exchange flow?
--
Bill Burke
Red Hat
7 years, 3 months
Script based OIDC Protocol Mapper
by Thomas Darimont
Hi,
it has been a while since I proposed this feature [0],
but I finally managed to get this done [1].
I needed this to be able to dynamically compute
a token claim based on user attributes with a
javascript expression.
When "Script Mapper" is selected in the "Create New Mapper" dialog,
then the following script is used as a default value:
/**
* Available variables:
* user - the current user
* realm - the current realm
* token - the current token
* userSession - the current userSession
*/
//insert your code here...
[0] https://issues.jboss.org/browse/KEYCLOAK-3599
[1] https://github.com/keycloak/keycloak/pull/4495
Cheers,
Thomas
7 years, 3 months
Passay and PasswordPolicy
by Thomas Darimont
Hello,
I just stumbled upon passay [0], which is a comprehensive library for
validating passwords against rule-based policies, and wanted to share my
thoughts.
Perhaps some of the contained rules [1] might be valuable additions to the
existing password policies.
One thing I particularly like is the differentiation between positive
and negative matching rules, which makes it quite explicit and easy to
express rules.
E.g. instead of crafting a regex like "regex('^[^,&]+$')" to prohibit the
use of characters like "," and "&", one could simply write:
"illegalCharacters(',&')"
Perhaps someone could also come up with a PassayPasswordPolicy provider
which can be fed with a passay rule file (+ some Keycloak adapters to
support password history and blacklists) to validate a password.
Cheers,
Thomas
[0] http://www.passay.org/
[1] http://www.passay.org/reference/
7 years, 3 months
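The regex-versus-illegalCharacters comparison from the post above, carried through in code: the regex('^[^,&]+$') policy beside Passay's IllegalCharacterRule, plus a UsernameRule, a per-user negative check that a fixed regex cannot express. This is an added example, not code from the thread or from Keycloak; PassayVsRegexDemo and the sample credentials are constructed, and it assumes org.passay:passay on the classpath.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.passay.IllegalCharacterRule;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.RuleResult;
import org.passay.UsernameRule;

public class PassayVsRegexDemo {

    // What the regex('^[^,&]+$') password policy from the post actually checks.
    static final Pattern NO_COMMA_OR_AMP = Pattern.compile("^[^,&]+$");

    // The same prohibition as an explicit negative rule, plus a length bound and a
    // rule rejecting passwords that contain the username (also reversed, case-insensitive).
    static final PasswordValidator VALIDATOR = new PasswordValidator(
        new IllegalCharacterRule(new char[] {',', '&'}),
        new LengthRule(8, 64),
        new UsernameRule(true, true));

    static boolean regexAccepts(String password) {
        return NO_COMMA_OR_AMP.matcher(password).matches();
    }

    // Empty list means the password satisfies every rule; otherwise one message per failed rule.
    static List<String> passayFailures(String username, String password) {
        RuleResult result = VALIDATOR.validate(new PasswordData(username, password));
        return VALIDATOR.getMessages(result);
    }

    public static void main(String[] args) {
        String[][] samples = { // constructed {username, password} pairs
            {"alice", "correct-horse-battery"}, // both accept
            {"alice", "pa,ss&word1"},           // both reject: illegal characters
            {"alice", "ecila-2017-xyz"},        // regex accepts, Passay rejects: reversed username
        };
        for (String[] s : samples) {
            System.out.printf("%-24s regex=%-5s passay=%s%n",
                s[1], regexAccepts(s[1]), passayFailures(s[0], s[1]));
        }
    }
}
```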