[keycloak-dev] no empty password in UserFederationProvider

Marek Posolda mposolda at redhat.com
Fri Nov 20 11:46:33 EST 2015


It should be fine to remove it in Authenticator, but I am not sure if it 
addresses your usecase. We have another similar check in 
LDAPOperationManager.authenticate: 
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L330

The reason behind it was another issue related to AD. Basically all 
other LDAP servers will always throw an exception if you put an incorrect 
(or empty) LDAP password. However, AD in some cases doesn't throw an 
exception in the case of an empty password. It throws an exception for an invalid 
password, but not for an empty one. So it will allow any AD user to 
log into Keycloak with an empty password... I don't know if there is some 
switch in AD settings to disable this behaviour.

But anyway, we need to have a solution which will work in all situations. 
So we either need to add some switch to the configuration (true: allow an empty 
password to be sent to LDAP authentication, false: do not allow it and 
throw an error as we do now. The default setting will be false). Or if you can 
figure out the code which works for all usecases without an additional switch, 
it will be even better :-)

Marek

On 20/11/15 16:16, Michael Gerber wrote:
> AbstractUsernameFormAuthenticator.validatePassword
>
> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
>     List<UserCredentialModel> credentials = new LinkedList<>();
>     String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
>     if (password == null || password.isEmpty()) {
>         invalidPassword(context, user);
>         return false;
>     }
>     credentials.add(UserCredentialModel.password(password));
>     boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
>     if (!valid) {
>         invalidPassword(context, user);
>         return false;
>     }
>     return true;
> }
> I think we can remove the first if (password == null || 
> password.isEmpty())
>
> On 20 November 2015 at 16:11, Bill Burke <bburke at redhat.com> wrote:
>
>> Point me to the code?
>>
>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>>> Hi All,
>>>
>>> keycloak does not pass an empty password to the validCredentials method
>>> in the UserFederationProvider class.
>>> Is there a reason for that? I would like to authenticate against an AD
>>> even if the password is empty, otherwise the user won't be blocked after
>>> x attempts.
>>>
>>> Michael
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> -- 
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
>
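The behaviour Marek describes is the LDAP "unauthenticated bind" (RFC 4513, section 5.1.2): a simple bind that carries a DN but an empty password is treated by Active Directory as an anonymous bind and reported as success, so forwarding an empty password makes every existing AD user look authenticated. The following is an added illustration, not Keycloak code, of a bind helper that keeps the empty-password guard in front of the JNDI call; the class name, `providerUrl` and the `allowEmptyPassword` switch are assumptions modelled on the switch proposed in the thread.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Illustrative helper (not Keycloak's own): guarded LDAP simple bind. */
public final class GuardedLdapBind {

    private final String providerUrl;          // assumed, e.g. ldaps://ad.example.test
    private final boolean allowEmptyPassword;  // assumed switch from the thread; default false

    public GuardedLdapBind(String providerUrl) {
        this(providerUrl, false);
    }

    public GuardedLdapBind(String providerUrl, boolean allowEmptyPassword) {
        this.providerUrl = providerUrl;
        this.allowEmptyPassword = allowEmptyPassword;
    }

    /**
     * Returns true only when the directory accepted a simple bind for userDn.
     * An empty or null password never reaches the server unless the switch is
     * explicitly enabled, because AD answers an empty-password bind with
     * success (RFC 4513 unauthenticated bind) instead of an error.
     */
    public boolean authenticate(String userDn, String password) throws NamingException {
        if ((password == null || password.isEmpty()) && !allowEmptyPassword) {
            return false; // fail closed: do not let AD turn this into an anonymous bind
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null); // performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password: the server rejected the bind
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

With the switch left at its default, an empty password is rejected locally and counted by the caller as a failed attempt, which is the only way to get the lockout behaviour asked about in the thread without trusting AD's answer to an empty bind.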
