This does not validate the password in the sense of checking whether it is the same as the
user's current one; it only checks whether a new password would violate the
realm's password policies or not, so I do not really see an issue here, to be
honest.
On Tue, Jun 27, 2017 at 2:52 PM Bruno Oliveira <bruno(a)abstractj.org> wrote:
If I understood correctly, the password could be provided here
https://github.com/keycloak/keycloak/pull/4229/files#diff-2d5026806b9f861...,
right? If yes, I could implement my own password validator web app to
validate passwords and interact with KC. Now, instead of worrying about the
call between the client and KC server, I could have a third server to worry
about, or a shell script. Because it's possible.
Instead of targeting Keycloak only (which is built with security in mind),
now people could target my password validation app (not so concerned with
security). This is just an example, and I'm not saying this is the end of
the world. What I'm saying is that this opens a new door for people to be
creative.
On Tue, Jun 27, 2017 at 4:51 AM Wim Vandenhaute <wim.vandenhaute(a)gmail.com>
wrote:
> Hello list,
>
> Via an admin portal of a customer I am working for, they provide a feature
> where an admin can edit the user's data, including setting a new password.
>
> For the sake of atomicity, all update steps first go through a series of
> validations for all modified data before actually committing the changes
> and (if needed) updating the keycloak password.
>
> At the moment, there is no way to do a pre-update validity check of the
> updated password against keycloak's configured password policy(ies).
>
> Therefore I would propose to have a validate-password endpoint in the Admin
> API.
>
> I've made a pull request already here:
> * https://github.com/keycloak/keycloak/pull/4229
>
> Any thoughts on this?
>
> Kind regards,
> Wim
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
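As an added illustration of the pre-update check Wim describes (this is example code written for this thread, not the Keycloak project's own validator or the code in the PR), the following parses a realm password policy string in Keycloak's `provider(arg) and provider(arg)` form and applies the common built-in rules to a candidate password; the policy string, username and email below are constructed sample values, and only the candidate and the policy take part, so no stored credential is read or compared.

```python
import re

# Constructed sample of a realm "passwordPolicy" string (Keycloak joins
# provider terms with " and "; "notUsername(undefined)" is also accepted).
POLICY = ("length(8) and digits(1) and upperCase(1) and lowerCase(1) "
          "and specialChars(1) and notUsername and notEmail")

_TERM = re.compile(r"^\s*(\w+)(?:\((.*?)\))?\s*$")
_DEFAULTS = {"length": 8, "digits": 1, "upperCase": 1, "lowerCase": 1, "specialChars": 1}


def parse_policy(policy):
    """Split 'length(8) and digits(1)' into [('length', '8'), ('digits', '1')]."""
    rules = []
    for term in policy.split(" and "):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unparseable policy term: {term!r}")
        name, arg = m.group(1), m.group(2)
        rules.append((name, None if arg in (None, "", "undefined") else arg))
    return rules


def _count(pred, s):
    return sum(1 for ch in s if pred(ch))


def validate_password(policy, candidate, username="", email=""):
    """Return the names of violated rules; an empty list means the candidate passes.

    Rules that need stored state (e.g. passwordHistory) are deliberately not
    modelled here: this check only compares a candidate against the policy.
    """
    errors = []
    for name, arg in parse_policy(policy):
        n = int(arg) if arg is not None and name in _DEFAULTS else _DEFAULTS.get(name, 1)
        if name == "length" and len(candidate) < n:
            errors.append(name)
        elif name == "digits" and _count(str.isdigit, candidate) < n:
            errors.append(name)
        elif name == "upperCase" and _count(str.isupper, candidate) < n:
            errors.append(name)
        elif name == "lowerCase" and _count(str.islower, candidate) < n:
            errors.append(name)
        elif name == "specialChars" and _count(lambda c: not c.isalnum(), candidate) < n:
            errors.append(name)
        elif name == "notUsername" and username and candidate.lower() == username.lower():
            errors.append(name)
        elif name == "notEmail" and email and candidate.lower() == email.lower():
            errors.append(name)
        elif name == "regexPattern" and arg and not re.fullmatch(arg, candidate):
            errors.append(name)  # Keycloak's regex provider requires a full match
    return errors
```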