Re: [keycloak-dev] Implementations for KEYCLOAK-2209

Hi team, I'm forwarding this email to the list following Stian's recommendation. I needed to learn more about keycloak (how to manage the maven project, how to add a modification, how to test it, and so on and so forth), so I decided to start looking the code and try to help when I have some free time. As I filed an internal RFE because one customer wanted a similar solution than the one specified in KEYCLOAK-2209 I started to implement something. Now I have two possible ideas that are not completely implemented (I haven't done any group use for example). Both ideas have similarities: * I have extended the database to include a REALM_PASSWORD_POLICY_GROUP table that contains more policies associated to the realm. I thought about using an attribute but I decided to extend the database because the current policy attribute is a long string (length 2550). This way in the realm (policies page) now you can configure more than one password policy (default is the current one and you can add new policies that are saved in the new table with a name). * The user has a new attribute that contains the password policy, in this case I have re-used an attribute (I'm not sure about this idea, now I think using a new column would be better but I needed a multiple attribute for option 2). * In both solutions I needed to extend the PasswordPolicyProvider interface to pass the config to the two validate methods: PolicyError validate(RealmModel realm, UserModel user, String password, Object config); I think there is a bug in this part in current master branch, because regex policy is multiple, and you cannot assign two different regex providers in the same policy (PasswordPolicy stores the configuration in a Map<String, Object>, so you cannot have two different configurations for the same type, if you assign two regex providers they are transformed into one as soon as you save the policy). Now the two implementations: 1) The first idea let us configure to a user one password policy. My branch is this one: https://github.com/rmartinc/keycloak/tree/password-policy-groups In this solution the user has a combo (only one policy can be assigned to a user) and only one policy is applied to that user. My idea was extending the idea using groups and priorities. Password policies will have a priority, and only one policy will apply to a user (from all the possible policies the one with the higher priority applies). For the moment I only modified keycloak to have a different policy in the user (no priorities or group policies). 2) The second idea follows the description in 2209. The branch is the following: https://github.com/rmartinc/keycloak/tree/password-policy-groups-multi Here the user can have multiple password policies. The definitive policy is a merge between all the policies applied to the user. To do this I needed to extend the PasswordPolicyProvider interface even more, in order to have a compare method that returns which policy is more restrictive. Extending this idea to groups is just merging more policies. You can test my ideas (I think both of them are working). If you are interested please let me know which idea you think is better (I'm not completely sure, now I think that I prefer option 1, although option 2 is more similar to the RFE description, I think the latter is very confusing). If you like one of them, I'll try to finish the implementation (now there are no tests and some decisions I took maybe are wrong). If you think this is not needed or it's not the time to implement this RFE don't worry, it's ok, I needed to play with keycloak, and that part is done. Regards! _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev