6:35 p.m.
Does anyone know the answer to this?
I want to setup up a Keycloak SSO for, say, five apps: only one of which is required (by
U.S. State Law) to become logged out upon ten inactive minutes timeout. How can I achieve
this in Keycloak?
So for example: user signs in to Keycloak and begins working in APP1 then switches to
APP2 and stays there for more than ten minutes. User re-visits APP1 which has been idle
for more than ten minutes. By law he needs to re-authenticate to APP1 even though he
remains already authenticated in Keycloak. How to force re-authentication for at least
APP1?
-Richard
12:12 a.m.
We don't have support for this at the moment and would like to do it at
some point. It would mainly be a matter of adding the authentication time
to the token as well as implementing support for prompt=login (see
http://openid.net/specs/openid-connect-implicit-1_0.html#rfc.section.2.1.1.1
).
You could probably achieve the same with a custom authentication flow and a
custom protocol mapper that adds the authentication time to the token.
On 8 April 2016 at 01:35, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does anyone know the answer to this?
I want to setup up a Keycloak SSO for, say, five apps: only one of which
is required (by U.S. State Law) to become logged out upon ten inactive
minutes timeout.
How can I achieve this in Keycloak?
So for example: user signs in to Keycloak and begins working in APP1 then
switches to APP2 and stays there for more than ten minutes. User re-visits
APP1 which has been idle for more than ten minutes. By law he needs to
re-authenticate to APP1 even though he remains already authenticated in
Keycloak. How to force re-authentication for at least APP1?
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:15 a.m.
Couldn't find the issue about this so added
https://issues.jboss.org/browse/KEYCLOAK-2775
On 8 April 2016 at 07:12, Stian Thorgersen <sthorger(a)redhat.com> wrote:
We don't have support for this at the moment and would like to do
it at
some point. It would mainly be a matter of adding the authentication time
to the token as well as implementing support for prompt=login (see
http://openid.net/specs/openid-connect-implicit-1_0.html#rfc.section.2.1.1.1
).
You could probably achieve the same with a custom authentication flow and
a custom protocol mapper that adds the authentication time to the token.
On 8 April 2016 at 01:35, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
> Does anyone know the answer to this?
>
> I want to setup up a Keycloak SSO for, say, five apps: only one of which
> is required (by U.S. State Law) to become logged out upon ten inactive
> minutes timeout.
> How can I achieve this in Keycloak?
>
> So for example: user signs in to Keycloak and begins working in APP1
> then switches to APP2 and stays there for more than ten minutes. User
> re-visits APP1 which has been idle for more than ten minutes. By law he
> needs to re-authenticate to APP1 even though he remains already
> authenticated in Keycloak. How to force re-authentication for at least
> APP1?
>
> -Richard
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
12:37 p.m.
New subject: Question re Keycloak conflicting password policies
Does anyone know the answer to this?
A keycloak admin may want to enforce a specific password policy for one APP but a
different (and conflicting) password policy for another APP.
E.g. first policy requires one special character whereas second policy prohibits any
special character. Is this supportable in Keycloak? I am thinking that two realms could
be defined to do this but wouldn't that defeat single-sign-on across the realms? Any
thoughts?
-Richard
12:53 p.m.
New subject: Question re Keycloak conflicting password policies
I don't know the answer, but: would it be valid to have a SSO solution in
the first place, when the applications have conflicting password policies?
APP-A: You can't log in like that! I don't trust you, go away!
APP-B: Sure, come on in!
APP-A: Ah, I see you're a perfectly trusted user now!
- Guus
On 11 April 2016 at 19:37, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does anyone know the answer to this?
A keycloak admin may want to enforce a specific password policy for one
APP but a different (and conflicting) password policy for another APP.
E.g. first policy requires one special character whereas second policy
prohibits any special character. Is this supportable in Keycloak? I am
thinking that two realms could be defined to do this but wouldn't that
defeat single-sign-on across the realms? Any thoughts?
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:31 p.m.
New subject: Question re Keycloak conflicting password policies
A password policy per-app makes no sense in a SSO solution. However, step
up authentication does. For example one app requires user to be logged-in
with password only, while another requires otp as well. We're planning to
add the latter at some point.
On 11 April 2016 at 19:53, Guus der Kinderen <guus.der.kinderen(a)gmail.com>
wrote:
I don't know the answer, but: would it be valid to have a SSO
solution in
the first place, when the applications have conflicting password policies?
APP-A: You can't log in like that! I don't trust you, go away!
APP-B: Sure, come on in!
APP-A: Ah, I see you're a perfectly trusted user now!
- Guus
On 11 April 2016 at 19:37, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
>
> Does anyone know the answer to this?
>
> A keycloak admin may want to enforce a specific password policy for one
> APP but a different (and conflicting) password policy for another APP.
>
> E.g. first policy requires one special character whereas second policy
> prohibits any special character. Is this supportable in Keycloak? I am
> thinking that two realms could be defined to do this but wouldn't that
> defeat single-sign-on across the realms? Any thoughts?
>
> -Richard
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:49 p.m.
New subject: Question re Keycloak password / session ploicies
Does Keycloak support the following requirements?
Password:Password should be changed in every 60 days (configurable)
If user enters password wrong three times account is locked out for 15 min (configurable)
Password chosen should not be previous 24 passwords
Password should have a letter and a number
Password should not have consecutive letters
Inactivity:Application session inactivity - default is 45 minutes (can be configured)
Account inactivity - account inactivity is 30 days default (configurable)
-Richard
11:37 p.m.
New subject: Question re Keycloak password / session ploicies
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does Keycloak support the following requirements?
*Password:*
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for
15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though).
We'll add ability to create custom password policies in the future
though.
-
*Inactivity:*
- Application session inactivity - default is 45 minutes (can be
configured)
Yes, you can configure idle timeout for a session. Idle for a session is
if there
are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default
(configurable)
Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:32 p.m.
New subject: Question re Keycloak password / session ploicies
Password should not have consecutive lettersMaybe, if you can come up with a way to write
that as regex (probably not though). We'll add ability to create custom password
policies in the future though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work for the
short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does Keycloak support the following requirements?
Password:Password should be changed in every 60 days (configurable)Yes If user enters
password wrong three times account is locked out for 15 min (configurable)Yes Password
chosen should not be previous 24 passwordsYes Password should have a letter and a
numberYes Password should not have consecutive lettersMaybe, if you can come up with a way
to write that as regex (probably not though). We'll add ability to create custom
password policies in the future though.
Inactivity:Application session inactivity - default is 45 minutes (can be configured)Yes,
you can configure idle timeout for a session. Idle for a session is if there are no app
logins or token refreshes Account inactivity - account inactivity is 30 days default
(configurable)Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:47 p.m.
New subject: Question re Keycloak password / session ploicies
That'd do it. I got confused and thought you didn't want to repetitive
letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work
for the short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
------------------------------
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
Does Keycloak support the following requirements?
*Password:*
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for
15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
-
*Inactivity:*
- Application session inactivity - default is 45 minutes (can be
configured)
Yes, you can configure idle timeout for a session. Idle for a session is
if there are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default
(configurable)
Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:18 a.m.
New subject: Question re Keycloak password / session ploicies
Thanks. But even for repetitive letters such as "aaaa"I could still devise a
regex such as "xx" | "xX" | "Xx" | "XX", yes?
Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
That'd do it. I got confused and thought you didn't want to repetitive letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Password should not have consecutive lettersMaybe, if you can come up with a way to write
that as regex (probably not though). We'll add ability to create custom password
policies in the future though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work for the
short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does Keycloak support the following requirements?
Password:Password should be changed in every 60 days (configurable)Yes If user enters
password wrong three times account is locked out for 15 min (configurable)Yes Password
chosen should not be previous 24 passwordsYes Password should have a letter and a
numberYes Password should not have consecutive lettersMaybe, if you can come up with a way
to write that as regex (probably not though). We'll add ability to create custom
password policies in the future though.
Inactivity:Application session inactivity - default is 45 minutes (can be configured)Yes,
you can configure idle timeout for a session. Idle for a session is if there are no app
logins or token refreshes Account inactivity - account inactivity is 30 days default
(configurable)Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:42 p.m.
New subject: Question re Keycloak password / session ploicies
Sure, but it would be a rather lengthy one.
On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Thanks. But even for repetitive letters such as "aaaa"
I could still devise a regex such as "xx" | "xX" | "Xx" |
"XX", yes?
------------------------------
Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
That'd do it. I got confused and thought you didn't want to repetitive
letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work
for the short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
------------------------------
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
Does Keycloak support the following requirements?
*Password:*
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for
15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
-
*Inactivity:*
- Application session inactivity - default is 45 minutes (can be
configured)
Yes, you can configure idle timeout for a session. Idle for a session is
if there are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default
(configurable)
Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:46 p.m.
New subject: Question re Keycloak password / session ploicies
Is the below policy supported in Keycloak? If not can it be done in some custom way?
You are only allowed to change your password every 30 days
Date: Wed, 13 Apr 2016 20:42:20 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Sure, but it would be a rather lengthy one.
On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Thanks. But even for repetitive letters such as "aaaa"I could still devise a
regex such as "xx" | "xX" | "Xx" | "XX", yes?
Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
That'd do it. I got confused and thought you didn't want to repetitive letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Password should not have consecutive lettersMaybe, if you can come up with a way to write
that as regex (probably not though). We'll add ability to create custom password
policies in the future though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work for the
short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does Keycloak support the following requirements?
Password:Password should be changed in every 60 days (configurable)Yes If user enters
password wrong three times account is locked out for 15 min (configurable)Yes Password
chosen should not be previous 24 passwordsYes Password should have a letter and a
numberYes Password should not have consecutive lettersMaybe, if you can come up with a way
to write that as regex (probably not though). We'll add ability to create custom
password policies in the future though.
Inactivity:Application session inactivity - default is 45 minutes (can be configured)Yes,
you can configure idle timeout for a session. Idle for a session is if there are no app
logins or token refreshes Account inactivity - account inactivity is 30 days default
(configurable)Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:47 p.m.
New subject: Question re Keycloak password / session ploicies
Nope, that one is not there. You can add a jira request for it.
On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
*Is the below policy supported in Keycloak? If not can it be done in
some
custom way?*
You are only allowed to change your password every 30 days
------------------------------
Date: Wed, 13 Apr 2016 20:42:20 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Sure, but it would be a rather lengthy one.
On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Thanks. But even for repetitive letters such as "aaaa"
I could still devise a regex such as "xx" | "xX" | "Xx" |
"XX", yes?
------------------------------
Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
That'd do it. I got confused and thought you didn't want to repetitive
letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work
for the short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
------------------------------
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
Does Keycloak support the following requirements?
*Password:*
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for
15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
-
*Inactivity:*
- Application session inactivity - default is 45 minutes (can be
configured)
Yes, you can configure idle timeout for a session. Idle for a session is
if there are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default
(configurable)
Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:48 p.m.
New subject: Question re Keycloak password / session ploicies
I appreciate your patience, Stian,is the below list also supported by Keycloak?
Do you want to enable password aging?YesNoSelect the number of days before password must
be changed.30354045505560657075808590Do you want to enable session timeouts?YesNoEnforce
password complexity rulesYesNoMinimum password length0 (Disabled)4812Block reuse of how
many recent passwords0 (Disabled)61224Block change of new passwords for how many days?0
(Disabled)153045Force change of new account passwords on first login?YesNoSelect amount of
time before session will be terminated.15304560Do you want to check for common
passwords?YesNoInactivate user after how many days of inactivity?Never306090120
Number of failed login attempts to allow before temporary lockout0 (Disabled)35Number of
minutes to block user after failed login attempts0 Min15 Min30 Min60 Min
Date: Wed, 13 Apr 2016 20:47:37 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Nope, that one is not there. You can add a jira request for it.
On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Is the below policy supported in Keycloak? If not can it be done in some custom way?
You are only allowed to change your password every 30 days
Date: Wed, 13 Apr 2016 20:42:20 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Sure, but it would be a rather lengthy one.
On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Thanks. But even for repetitive letters such as "aaaa"I could still devise a
regex such as "xx" | "xX" | "Xx" | "XX", yes?
Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
That'd do it. I got confused and thought you didn't want to repetitive letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Password should not have consecutive lettersMaybe, if you can come up with a way to write
that as regex (probably not though). We'll add ability to create custom password
policies in the future though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work for the
short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does Keycloak support the following requirements?
Password:Password should be changed in every 60 days (configurable)Yes If user enters
password wrong three times account is locked out for 15 min (configurable)Yes Password
chosen should not be previous 24 passwordsYes Password should have a letter and a
numberYes Password should not have consecutive lettersMaybe, if you can come up with a way
to write that as regex (probably not though). We'll add ability to create custom
password policies in the future though.
Inactivity:Application session inactivity - default is 45 minutes (can be configured)Yes,
you can configure idle timeout for a session. Idle for a session is if there are no app
logins or token refreshes Account inactivity - account inactivity is 30 days default
(configurable)Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:08 a.m.
New subject: Question re Keycloak password / session ploicies
On 13 April 2016 at 21:48, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
I appreciate your patience, Stian,
is the below list also supported by Keycloak?
Do you want to enable password aging? YesNo
Yes
Select the number of days before password must be changed.
30354045505560
657075808590
Yes
Do you want to enable session timeouts? YesNo
Yes
Enforce password complexity rules YesNo
Depends what the rules are ;)
Minimum password length 0 (Disabled)4812
Yes
Block reuse of how many recent passwords 0 (Disabled)61224
Yes
Block change of new passwords for how many days? 0 (Disabled)153045
No, you can create a JIRA for this one though
Force change of new account passwords on first login? YesNo
Yes
Select amount of time before session will be terminated. 15304560
Yes
Do you want to check for common passwords? YesNo
No, we really should have this one. JIRA please
Inactivate user after how many days of inactivity? Never306090120
Yes
Number of failed login attempts to allow before temporary lockout 0
(Disabled)35
Yes
Number of minutes to block user after failed login attempts 0 Min15
Min30
Min60 Min
Yes
------------------------------
Date: Wed, 13 Apr 2016 20:47:37 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Nope, that one is not there. You can add a jira request for it.
On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
*Is the below policy supported in Keycloak? If not can it be done in some
custom way?*
You are only allowed to change your password every 30 days
------------------------------
Date: Wed, 13 Apr 2016 20:42:20 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Sure, but it would be a rather lengthy one.
On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Thanks. But even for repetitive letters such as "aaaa"
I could still devise a regex such as "xx" | "xX" | "Xx" |
"XX", yes?
------------------------------
Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
That'd do it. I got confused and thought you didn't want to repetitive
letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work
for the short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
------------------------------
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session
ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
Does Keycloak support the following requirements?
*Password:*
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for
15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not
though). We'll add ability to create custom password policies in the future
though.
-
*Inactivity:*
- Application session inactivity - default is 45 minutes (can be
configured)
Yes, you can configure idle timeout for a session. Idle for a session is
if there are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default
(configurable)
Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:09 a.m.
New subject: Question re Keycloak password / session ploicies
JIRA issue for common password check:
https://issues.jboss.org/browse/KEYCLOAK-2822
On 14 April 2016 at 08:08, Stian Thorgersen <sthorger(a)redhat.com> wrote:
On 13 April 2016 at 21:48, Richard Lavallee <rllavallee(a)hotmail.com>
wrote:
> I appreciate your patience, Stian,
> is the below list also supported by Keycloak?
>
> Do you want to enable password aging? YesNo
>
Yes
> Select the number of days before password must be changed. 30354045505560
> 657075808590
>
Yes
> Do you want to enable session timeouts? YesNo
>
Yes
> Enforce password complexity rules YesNo
>
Depends what the rules are ;)
> Minimum password length 0 (Disabled)4812
>
Yes
> Block reuse of how many recent passwords 0 (Disabled)61224
>
Yes
> Block change of new passwords for how many days? 0 (Disabled)153045
>
No, you can create a JIRA for this one though
> Force change of new account passwords on first login? YesNo
>
Yes
> Select amount of time before session will be terminated. 15304560
>
Yes
> Do you want to check for common passwords? YesNo
>
No, we really should have this one. JIRA please
> Inactivate user after how many days of inactivity? Never306090120
>
Yes
> Number of failed login attempts to allow before temporary lockout 0
> (Disabled)35
>
Yes
> Number of minutes to block user after failed login attempts 0 Min15 Min30
> Min60 Min
>
Yes
>
>
> ------------------------------
> Date: Wed, 13 Apr 2016 20:47:37 +0200
>
> Subject: RE: [keycloak-user] Question re Keycloak password / session
> ploicies
> From: sthorger(a)redhat.com
> To: rllavallee(a)hotmail.com
> CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
>
> Nope, that one is not there. You can add a jira request for it.
> On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee(a)hotmail.com>
wrote:
>
> *Is the below policy supported in Keycloak? If not can it be done in
> some custom way?*
>
> You are only allowed to change your password every 30 days
>
> ------------------------------
> Date: Wed, 13 Apr 2016 20:42:20 +0200
> Subject: RE: [keycloak-user] Question re Keycloak password / session
> ploicies
> From: sthorger(a)redhat.com
> To: rllavallee(a)hotmail.com
> CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
>
> Sure, but it would be a rather lengthy one.
> On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee(a)hotmail.com>
wrote:
>
> Thanks. But even for repetitive letters such as "aaaa"
> I could still devise a regex such as "xx" | "xX" | "Xx"
| "XX", yes?
>
> ------------------------------
> Date: Wed, 13 Apr 2016 06:47:09 +0200
> Subject: Re: [keycloak-user] Question re Keycloak password / session
> ploicies
> From: sthorger(a)redhat.com
> To: rllavallee(a)hotmail.com
> CC: keycloak-user(a)lists.jboss.org
>
> That'd do it. I got confused and thought you didn't want to repetitive
> letters.
>
> On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com>
> wrote:
>
>
> - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not
> though). We'll add ability to create custom password policies in the future
> though.
>
> Wouldn't the below suffice for regex? Thus avoiding needing custom work
> for the short-term?
>
> forward =
>
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
> backward =
>
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
> regex = "(" + forward + "|" + backward + ")+";
>
>
> ------------------------------
> Date: Tue, 12 Apr 2016 06:37:41 +0200
> Subject: Re: [keycloak-user] Question re Keycloak password / session
> ploicies
> From: sthorger(a)redhat.com
> To: rllavallee(a)hotmail.com
> CC: keycloak-user(a)lists.jboss.org
>
>
>
>
> On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com>
> wrote:
>
> Does Keycloak support the following requirements?
>
> *Password:*
>
> - Password should be changed in every 60 days (configurable)
>
> Yes
>
>
> - If user enters password wrong three times account is locked out for
> 15 min (configurable)
>
> Yes
>
>
> - Password chosen should not be previous 24 passwords
>
> Yes
>
>
> - Password should have a letter and a number
>
> Yes
>
>
> - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not
> though). We'll add ability to create custom password policies in the future
> though.
>
>
> -
>
> *Inactivity:*
>
> - Application session inactivity - default is 45 minutes (can be
> configured)
>
> Yes, you can configure idle timeout for a session. Idle for a session is
> if there are no app logins or token refreshes
>
>
> - Account inactivity - account inactivity is 30 days default
> (configurable)
>
> Yes
>
>
> -Richard
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:45 p.m.
New subject: Block change of new passwords for configurable number of days
Added "Block change of new passwords for configurable number of days":
https://issues.jboss.org/browse/KEYCLOAK-2843
-Richard Lavallee
Date: Thu, 14 Apr 2016 12:09:43 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: guus.der.kinderen(a)gmail.com
To: stian(a)redhat.com
CC: rllavallee(a)hotmail.com; keycloak-user(a)lists.jboss.org
JIRA issue for common password check: https://issues.jboss.org/browse/KEYCLOAK-2822
On 14 April 2016 at 08:08, Stian Thorgersen <sthorger(a)redhat.com> wrote:
On 13 April 2016 at 21:48, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
I appreciate your patience, Stian,is the below list also supported by Keycloak?
Do you want to enable password aging?YesNo
Yes Select the number of days before password must be changed.30354045505560657075808590
Yes Do you want to enable session timeouts?YesNo
Yes Enforce password complexity rulesYesNo
Depends what the rules are ;) Minimum password length0 (Disabled)4812
Yes Block reuse of how many recent passwords0 (Disabled)61224
Yes Block change of new passwords for how many days?0 (Disabled)153045
No, you can create a JIRA for this one though Force change of new account passwords on
first login?YesNo
Yes Select amount of time before session will be terminated.15304560
Yes Do you want to check for common passwords?YesNo
No, we really should have this one. JIRA please Inactivate user after how many days of
inactivity?Never306090120
Yes Number of failed login attempts to allow before temporary lockout0 (Disabled)35
Yes Number of minutes to block user after failed login attempts0 Min15 Min30 Min60 Min
Yes
Date: Wed, 13 Apr 2016 20:47:37 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Nope, that one is not there. You can add a jira request for it.
On 13 Apr 2016 20:46, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Is the below policy supported in Keycloak? If not can it be done in some custom way?
You are only allowed to change your password every 30 days
Date: Wed, 13 Apr 2016 20:42:20 +0200
Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Sure, but it would be a rather lengthy one.
On 13 Apr 2016 17:18, "Richard Lavallee" <rllavallee(a)hotmail.com> wrote:
Thanks. But even for repetitive letters such as "aaaa"I could still devise a
regex such as "xx" | "xX" | "Xx" | "XX", yes?
Date: Wed, 13 Apr 2016 06:47:09 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
That'd do it. I got confused and thought you didn't want to repetitive letters.
On 12 April 2016 at 19:32, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Password should not have consecutive lettersMaybe, if you can come up with a way to write
that as regex (probably not though). We'll add ability to create custom password
policies in the future though.
Wouldn't the below suffice for regex? Thus avoiding needing custom work for the
short-term?
forward =
"ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward =
"zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
From: sthorger(a)redhat.com
To: rllavallee(a)hotmail.com
CC: keycloak-user(a)lists.jboss.org
On 11 April 2016 at 20:49, Richard Lavallee <rllavallee(a)hotmail.com> wrote:
Does Keycloak support the following requirements?
Password:Password should be changed in every 60 days (configurable)Yes If user enters
password wrong three times account is locked out for 15 min (configurable)Yes Password
chosen should not be previous 24 passwordsYes Password should have a letter and a
numberYes Password should not have consecutive lettersMaybe, if you can come up with a way
to write that as regex (probably not though). We'll add ability to create custom
password policies in the future though.
Inactivity:Application session inactivity - default is 45 minutes (can be configured)Yes,
you can configure idle timeout for a session. Idle for a session is if there are no app
logins or token refreshes Account inactivity - account inactivity is 30 days default
(configurable)Yes
-Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3168
days inactive
3180
days old
17 comments
3 participants
participants (3)
-
Guus der Kinderen -
Richard Lavallee -
Stian Thorgersen