Hello list, Via an admin portal of a customer I am working for, they provide a feature where an admin can edit the user's data, including setting a new password. For the sake of atomicity, all update steps first go through a series of validations for all modified data before actually committing the changes and (if needed) updating the keycloak password At the moment, there is no way to pre-update do a validity check of the updated password against keycloak's configured password policy(ies) Therefor I would propose to have a validate-password endpoint in the Admin API. I've made a pull request already here: * https://github.com/keycloak/keycloak/pull/4229 Any thoughts on this? Kind regards, Wim _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

I'm 50/50 on this. And I fully agree that no one should know a users password. On the other hand I understand that might not work for everyone. If we move forward with this, we might not just be increasing the attack surface. But also would enabling people to do creative things like, store user's password into their database in plain text. On 2017-06-27, Stian Thorgersen wrote: > I think the flow of allowing admins to set the users passwords are a bit > broken in the first place. No-one should know a users password, but > themselves. A better flow would be to send a password-reset link to users > through email and let them set the initial password themselves. > > However, I can see that might not work for everyone so I don't feel to > strongly about not accepting this change. Let's see what others think about > it. > > On 27 June 2017 at 09:03, Wim Vandenhaute <wim.vandenhaute(a)gmail.com&gt; wrote: > > > Hello list, > > > > Via an admin portal of a customer I am working for, they provide a feature > > where an admin can edit the user's data, including setting a new password. > > > > For the sake of atomicity, all update steps first go through a series of > > validations for all modified data before actually committing the changes > > and (if needed) updating the keycloak password > > > > At the moment, there is no way to pre-update do a validity check of the > > updated password against keycloak's configured password policy(ies) > > > > Therefor I would propose to have a validate-password endpoint in the Admin > > API. > > > > I've made a pull request already here: > > * https://github.com/keycloak/keycloak/pull/4229 > > > > Any thoughts on this? > > > > Kind regards, > > Wim > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev -- abstractj

If I understood correctly, the password could be provided here https://github.com/keycloak/keycloak/pull/4229/files#diff-2d5026806b9f861..., right? If yes. I could implement my own password validator web app to validate passwords and interact with KC. Now, instead of worry with the call between the client and KC server, I could have a third server to worry about or a shell script. Because it's possible. Instead of targeting Keycloak only (which is built with security in mind), now people could target my password validation app (not so concerned with security). This is just an example, and I'm not saying this is the end of the world. What I'm saying that this opens a new door for people to be creative. On Tue, Jun 27, 2017 at 4:51 AM Wim Vandenhaute <wim.vandenhaute(a)gmail.com&gt; wrote: > Hello list, > > Via an admin portal of a customer I am working for, they provide a feature > where an admin can edit the user's data, including setting a new password. > > For the sake of atomicity, all update steps first go through a series of > validations for all modified data before actually committing the changes > and (if needed) updating the keycloak password > > At the moment, there is no way to pre-update do a validity check of the > updated password against keycloak's configured password policy(ies) > > Therefor I would propose to have a validate-password endpoint in the Admin > API. > > I've made a pull request already here: > * https://github.com/keycloak/keycloak/pull/4229 > > Any thoughts on this? > > Kind regards, > Wim > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

I still don't see the door that is being opened. It's just validating if a password supplied by the potential attacker is good enough to pass our password policies. I.e. is it long enough and such. It doesn't give any opportunity to check if it's a real password or update it or anything? On 27 June 2017 at 14:52, Bruno Oliveira <bruno(a)abstractj.org&gt; wrote: > If I understood correctly, the password could be provided here > > https://github.com/keycloak/keycloak/pull/4229/files#diff-2d5026806b9f861... > , > right? If yes. I could implement my own password validator web app to > validate passwords and interact with KC. Now, instead of worry with the > call between the client and KC server, I could have a third server to > worry > about or a shell script. Because it's possible. > > Instead of targeting Keycloak only (which is built with security in mind), > now people could target my password validation app (not so concerned with > security). This is just an example, and I'm not saying this is the end of > the world. What I'm saying that this opens a new door for people to be > creative. > > On Tue, Jun 27, 2017 at 4:51 AM Wim Vandenhaute < > wim.vandenhaute(a)gmail.com&gt; > wrote: > > > Hello list, > > > > Via an admin portal of a customer I am working for, they provide a > feature > > where an admin can edit the user's data, including setting a new > password. > > > > For the sake of atomicity, all update steps first go through a series of > > validations for all modified data before actually committing the changes > > and (if needed) updating the keycloak password > > > > At the moment, there is no way to pre-update do a validity check of the > > updated password against keycloak's configured password policy(ies) > > > > Therefor I would propose to have a validate-password endpoint in the > Admin > > API. > > > > I've made a pull request already here: > > * https://github.com/keycloak/keycloak/pull/4229 > > > > Any thoughts on this? > > > > Kind regards, > > Wim > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >