I think it’s the responsibility of the UserFederationProvider to decide if a password is valid or not. Therefore, even empty passwords have to be sent to it.


On 23.11.2015, at 09:04, Stian Thorgersen <sthorger@redhat.com> wrote:

Question: a user passing an empty password is that really a brute force attempt? Is it not more likely that a user has forgotten to enter the password? I'm asking because I'm not convinced forgetting to enter a value in the password field should count as a login attempt.

On 23 November 2015 at 09:02, Marek Posolda <mposolda@redhat.com> wrote:
Sure, that would be fine. But again, it's important that with default
settings, LDAPOperationManager.authenticate won't automatically
authenticate AD users with empty password (which may happen when
anonymous bind is enabled on AD side).

Marek

On 20/11/15 18:22, Michael Gerber wrote:
> We’ve got a custom UserFederationProvider, which authenticates users against an AD or DB. Therefore, we need to know if a user entered an empty password.
> I will create a PR and jira ticket for that, ok?
>
>> On 20.11.2015, at 17:50, Marek Posolda <mposolda@redhat.com> wrote:
>>
>> That will be the easiest path to use our BruteForceProtector.
>>
>> However AD also has some "BruteForceProtector" of its own, which disables a user in AD when he reaches some count of invalid attempts. And I guess Michael wants to use that one and disable the user in AD as well.
>>
>> Marek
>>
>> On 20/11/15 17:40, Bill Burke wrote:
>>> You can I guess, but why does it matter?  invalidPassword hits the brute
>>> force detector if it is turned on.
>>>
>>> On 11/20/2015 10:16 AM, Michael Gerber wrote:
>>>> AbstractUsernameFormAuthenticator.validatePassword
>>>>
>>>> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
>>>>     List<UserCredentialModel> credentials = new LinkedList<>();
>>>>     String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
>>>>     // An empty or missing password is counted as a failed attempt here
>>>>     // and never reaches the UserFederationProvider.
>>>>     if (password == null || password.isEmpty()) {
>>>>         invalidPassword(context, user);
>>>>         return false;
>>>>     }
>>>>     credentials.add(UserCredentialModel.password(password));
>>>>     // Only a non-empty password is handed to the provider for validation.
>>>>     boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
>>>>     if (!valid) {
>>>>         invalidPassword(context, user);
>>>>         return false;
>>>>     }
>>>>     return true;
>>>> }
>>>>
>>>> I think we can remove the first if (password == null || password.isEmpty())
>>>>
>>>> On 20 November 2015 at 16:11, Bill Burke <bburke@redhat.com> wrote:
>>>>
>>>>> Point me to the code?
>>>>>
>>>>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> keycloak does not pass an empty password to the validCredentials method
>>>>>> in the UserFederationProvider class.
>>>>>> Is there a reason for that? I would like to authenticate against an AD
>>>>>> even if the password is empty, otherwise the user won't be blocked after
>>>>>> x attempts.
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev@lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com

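The two hazards argued over above (an empty password that never reaches the provider, so the directory's own lockout never counts it, versus an empty password that is forwarded to a directory which accepts unauthenticated binds) can be simulated offline. The block below is an added example written for this page; it is not Keycloak code and none of the class names (FakeActiveDirectory, NaiveLdapProvider, GuardedLdapProvider, Authenticator) exist in Keycloak. The fake directory follows RFC 4513 section 5.1.2, under which a simple Bind carrying a DN and a zero-length password is an "unauthenticated" bind that yields an anonymous session instead of an error, which is what Marek's remark about anonymous bind on AD refers to; the lockout counters are simplified constructed test data.

```python
"""Constructed simulation of the empty-password login path discussed in the thread.

Added example, not Keycloak code. All class names are hypothetical. The fake
directory models RFC 4513 5.1.2 semantics: DN plus zero-length password is an
unauthenticated bind that succeeds as anonymous and does not touch the
bad-password counter, which is Active Directory's default behaviour.
"""
from dataclasses import dataclass, field
from typing import Optional

ANONYMOUS = "anonymous"


@dataclass
class FakeActiveDirectory:
    """Minimal stand-in for AD: password check plus a per-DN lockout counter."""
    passwords: dict                       # dn -> password (constructed test data)
    lockout_threshold: int = 3
    bad_pwd_count: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def bind(self, dn: str, password: str) -> Optional[str]:
        """Return the resulting authorization identity, or None on failure."""
        if password == "":
            return ANONYMOUS              # unauthenticated bind: no error, no counter
        if dn in self.locked:
            return None
        if self.passwords.get(dn) == password:
            self.bad_pwd_count[dn] = 0
            return dn
        self.bad_pwd_count[dn] = self.bad_pwd_count.get(dn, 0) + 1
        if self.bad_pwd_count[dn] >= self.lockout_threshold:
            self.locked.add(dn)
        return None


class NaiveLdapProvider:
    """Forwards whatever it is given, including "", straight to bind()."""
    def __init__(self, directory: FakeActiveDirectory):
        self.directory = directory

    def valid_credentials(self, dn: str, password: str) -> bool:
        return self.directory.bind(dn, password) is not None


class GuardedLdapProvider(NaiveLdapProvider):
    """Never binds with an empty or blank password, and only accepts a bind
    that came back as the user's own DN (an anonymous session is not a login)."""
    def valid_credentials(self, dn: str, password: str) -> bool:
        if not password or not password.strip():
            return False
        return self.directory.bind(dn, password) == dn


class Authenticator:
    """Shape of validatePassword(): every failure feeds a local brute-force
    counter; the provider decides what a given password means."""
    def __init__(self, provider: NaiveLdapProvider, max_failures: int = 5):
        self.provider = provider
        self.max_failures = max_failures
        self.failures: dict = {}

    def _invalid(self, dn: str) -> None:
        self.failures[dn] = self.failures.get(dn, 0) + 1

    def validate_password(self, dn: str, password: str, short_circuit_empty: bool = True) -> bool:
        if self.failures.get(dn, 0) >= self.max_failures:
            return False                  # disabled by the local brute-force protector
        if short_circuit_empty and not password:
            self._invalid(dn)             # counted locally; provider never sees it
            return False
        if not self.provider.valid_credentials(dn, password):
            self._invalid(dn)
            return False
        self.failures[dn] = 0
        return True


def demo() -> dict:
    """Run the three scenarios and return the observable outcomes."""
    alice = "CN=alice,DC=example,DC=com"
    users = {alice: "correct horse"}      # constructed test account

    # 1. Naive provider with the empty-password short-circuit removed:
    #    "" turns into an unauthenticated bind and the login "succeeds".
    naive = Authenticator(NaiveLdapProvider(FakeActiveDirectory(dict(users))))
    bypass = naive.validate_password(alice, "", short_circuit_empty=False)

    # 2. Guarded provider, same short-circuit removed: "" is rejected by the
    #    provider, counted locally, and the directory never sees a bind.
    ad = FakeActiveDirectory(dict(users))
    guarded = Authenticator(GuardedLdapProvider(ad))
    rejected = guarded.validate_password(alice, "", short_circuit_empty=False)
    local_failures = guarded.failures[alice]
    ad_failures = ad.bad_pwd_count.get(alice, 0)

    # 3. Wrong non-empty passwords do reach the directory and trip its lockout,
    #    after which even the right password is refused.
    for _ in range(3):
        guarded.validate_password(alice, "wrong")
    locked_in_ad = alice in ad.locked
    ok_after_lock = guarded.validate_password(alice, "correct horse")

    return {"bypass": bypass, "rejected": rejected, "local_failures": local_failures,
            "ad_failures": ad_failures, "locked_in_ad": locked_in_ad,
            "ok_after_lock": ok_after_lock}


if __name__ == "__main__":
    print(demo())
```

The simulation makes the trade-off concrete: whichever side removes the empty-password check, the other side must have it, because the directory cannot safely count an empty password as a failed attempt. A provider that forwards "" to a directory permitting unauthenticated binds turns a forgotten password field into a successful login, while a provider that refuses "" itself can only be counted by the local brute-force protector, never by the directory's lockout.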