[keycloak-dev] Require password change on login when AD is the federation provider and pwdLastSet equals 0
Marek Posolda
mposolda at redhat.com
Tue Nov 10 08:27:27 EST 2015
I agree we need some way to address this. Active Directory is widely
used and more people asked for that . I've put the comment to
https://issues.jboss.org/browse/KEYCLOAK-1744 with possible solution,
but it may need changes in UserFederationProvider interface, so the
federationProvider is able to propagate the cause why password
validation failed (password is expired, user is disabled, or just
invalid password was used etc...).
As a temporary workaround, you can subclass LDAPFederationProvider and
do something on your own. You can override
LDAPFederationProvider.validPassword and add updatePassword on User when
you detect that reason of password validation failure is expired password.
Marek
On 09/11/15 20:32, Cory Snyder wrote:
> Hey guys,
>
> Following up on this conversation that took place a couple of months
> back:
> http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html.
> I just had a chance to try the proposed approach of implementing a
> custom authentication provider that checks the pwdLastSet attribute
> and sets the update password required action. I believe that this may
> not be quite as easy as was suggested due to the fact that
> authentication fails with the default LDAP Federation Provider before
> a custom execution in the login flow has a chance to check the
> attribute and set the required action. It seems I would need to
> implement a custom LDAP Federation Provider that considers
> authentication successful when the exception referenced in
> https://issues.jboss.org/browse/KEYCLOAK-1744 is thrown, but also add
> the required action for updating the password. Is there an easy way to
> do that or something that I’m missing? Otherwise, I’d be willing to
> work on a contribution for this issue if you’re willing to have logic
> that is specific to AD?
>
> Thanks,
>
> Cory Snyder
> software engineer
> USA +1.419.731.3479 UK +44.20.7096.0149 iland.com
> <http://www.iland.com/>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151110/c466f975/attachment.html
More information about the keycloak-dev
mailing list