It should be fine to remove it in Authenticator, but I am not sure if it addresses your use case. We have another similar check in LDAPOperationManager.authenticate : https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L330 .

The reason behind it was another issue related to AD. Basically all other LDAP servers will always throw an exception if you put in an incorrect (or empty) LDAP password. However AD in some cases doesn't throw an exception in the case of an empty password. It throws an exception for an invalid password, but not for an empty one. So it will allow any AD user to log in to Keycloak with an empty password... I don't know if there is some switch in the AD settings to disable this behaviour.

But anyway, we need to have a solution which will work in all situations. So we either need to add some switch to the configuration (true: allow an empty password to be sent to LDAP authentication; false: do not allow it and throw an error as we do now. The default setting will be false). Or if you can figure out code which works for all use cases without an additional switch, it will be even better :-)

Marek


On 20/11/15 16:16, Michael Gerber wrote:
AbstractUsernameFormAuthenticator.validatePassword

import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.CredentialRepresentation;

public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
    List<UserCredentialModel> credentials = new LinkedList<>();
    String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
    // A missing or empty password is rejected here, before any provider is consulted.
    if (password == null || password.isEmpty()) {
        invalidPassword(context, user);
        return false;
    }
    credentials.add(UserCredentialModel.password(password));
    // Delegates to the configured user storage / federation providers (e.g. LDAP).
    boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
    if (!valid) {
        invalidPassword(context, user);
        return false;
    }
    return true;
}
I think we can remove the first if (password == null || password.isEmpty())

On 20 November 2015 at 16:11, Bill Burke <bburke@redhat.com> wrote:

Point me to the code?

On 11/20/2015 9:04 AM, Michael Gerber wrote:
Hi All,

keycloak does not pass an empty password to the validCredentials method
in the UserFederationProvider class.
Is there a reason for that? I would like to authenticate against an AD
even if the password is empty, otherwise the user won't be blocked after
x attempts.

Michael


_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


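The behaviour Marek describes has a protocol name: RFC 4513 (section 5.1.2) calls a simple bind that carries a DN but an empty password an "unauthenticated" bind. Active Directory accepts such a bind and reports success, so a client that forwards an empty password gets a successful bind for any existing account; OpenLDAP rejects it unless `allow bind_anon_cred` is set. The following is an added example, not Keycloak code from the thread or the project: a Python model (Python rather than Java because the point is the bind semantics, not the Keycloak API) of a directory stand-in with that behaviour, and of a validatePassword-style check with the configuration switch Marek proposes. The directory, the user data, and the switch name `allow_empty_password` are all constructed for the example.

```python
"""
Added example, not Keycloak code. Models the empty-password problem from the
thread: an LDAP simple bind with a DN and an empty password is an
"unauthenticated" bind (RFC 4513, section 5.1.2). A server that accepts it,
as Active Directory does, returns success without checking any credential.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class FakeDirectory:
    """Constructed LDAP stand-in exposing only simple bind (not a real server)."""
    passwords: Dict[str, str]
    # True models Active Directory: an empty password is an unauthenticated bind
    # and succeeds. False models a server that rejects unauthenticated binds.
    accepts_unauthenticated_bind: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn not in self.passwords:
            return False
        if password == "":
            # RFC 4513 5.1.2 path: no credential is compared at all.
            return self.accepts_unauthenticated_bind
        return self.passwords[dn] == password


@dataclass
class Authenticator:
    """Same shape as validatePassword(): reject locally, or ask the directory."""
    directory: FakeDirectory
    # Assumed name for the switch proposed in the thread; default false keeps
    # today's behaviour of never sending an empty password to LDAP.
    allow_empty_password: bool = False
    failures: Dict[str, int] = field(default_factory=dict)

    def _invalid_password(self, user: str) -> bool:
        # Every rejection, local or from the directory, counts toward lockout.
        self.failures[user] = self.failures.get(user, 0) + 1
        return False

    def validate_password(self, user: str, password: Optional[str]) -> bool:
        if password is None:
            return self._invalid_password(user)
        if password == "" and not self.allow_empty_password:
            # Default path: an AD-style server would accept the empty password
            # as an unauthenticated bind, so it must never reach the directory.
            return self._invalid_password(user)
        if not self.directory.simple_bind(user, password):
            return self._invalid_password(user)
        return True


def demo() -> Dict[str, object]:
    """Outcome of an empty-password login under each configuration."""
    alice = "cn=alice,dc=example,dc=com"
    users = {alice: "correct horse"}  # constructed sample data
    ad_like = FakeDirectory(users, accepts_unauthenticated_bind=True)
    strict = FakeDirectory(users, accepts_unauthenticated_bind=False)

    default_ad = Authenticator(ad_like)                              # switch off
    permissive_ad = Authenticator(ad_like, allow_empty_password=True)
    permissive_strict = Authenticator(strict, allow_empty_password=True)

    return {
        # rejected locally and counted as a failed attempt
        "default_ad": default_ad.validate_password(alice, ""),
        "default_ad_failures": default_ad.failures[alice],
        # the bypass: empty password reaches AD and the bind succeeds
        "permissive_ad": permissive_ad.validate_password(alice, ""),
        # a server that rejects unauthenticated binds fails it; still counted
        "permissive_strict": permissive_strict.validate_password(alice, ""),
        "permissive_strict_failures": permissive_strict.failures[alice],
        "correct_password": Authenticator(ad_like).validate_password(alice, "correct horse"),
        "wrong_password": Authenticator(ad_like).validate_password(alice, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `permissive_ad` case is the reason the switch must default to false: against a directory that honours unauthenticated binds, letting the empty password through turns any username into a valid login. The `permissive_strict` case is the only situation where forwarding it buys anything, namely a failure recorded by the directory itself.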