[keycloak-dev] Require password change on login when AD is the federation provider and pwdLastSet equals 0

Marek Posolda mposolda at redhat.com
Tue Nov 10 08:27:27 EST 2015 

I agree we need some way to address this. Active Directory is widely 
used and more people asked for that . I've put the comment to 
https://issues.jboss.org/browse/KEYCLOAK-1744 with possible solution, 
but it may need changes in UserFederationProvider interface, so the 
federationProvider is able to propagate the cause why password 
validation failed (password is expired, user is disabled, or just 
invalid password was used etc...).

As a temporary workaround, you can subclass LDAPFederationProvider and 
do something on your own. You can override 
LDAPFederationProvider.validPassword and add updatePassword on User when 
you detect that reason of password validation failure is expired password.

Marek

On 09/11/15 20:32, Cory Snyder wrote:
> Hey guys,
>
> Following up on this conversation that took place a couple of months 
> back: 
> http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html. 
> I just had a chance to try the proposed approach of implementing a 
> custom authentication provider that checks the pwdLastSet attribute 
> and sets the update password required action. I believe that this may 
> not be quite as easy as was suggested due to the fact that 
> authentication fails with the default LDAP Federation Provider before 
> a custom execution in the login flow has a chance to check the 
> attribute and set the required action. It seems I would need to 
> implement a custom LDAP Federation Provider that considers 
> authentication successful when the exception referenced in 
> https://issues.jboss.org/browse/KEYCLOAK-1744 is thrown, but also add 
> the required action for updating the password. Is there an easy way to 
> do that or something that I’m missing? Otherwise, I’d be willing to 
> work on a contribution for this issue if you’re willing to have logic 
> that is specific to AD?
>
> Thanks,
>
> Cory Snyder
> software engineer
> USA +1.419.731.3479  UK +44.20.7096.0149 iland.com 
> <http://www.iland.com/>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151110/c466f975/attachment.html

More information about the keycloak-dev mailing list