[keycloak-dev] no empty password in UserFederationProvider

Marek Posolda mposolda at redhat.com
Fri Nov 20 11:50:14 EST 2015


That will be the easiest path to use our BruteForceProtector.

However AD also has some "BruteForceProtector" of its own, which 
disables the user in AD when he reaches some count of invalid attempts. And I 
guess Michael wants to use that one and disable the user in AD as well.

Marek

On 20/11/15 17:40, Bill Burke wrote:
> You can I guess, but why does it matter?  invalidPassword hits the brute
> force detector if it is turned on.
>
> On 11/20/2015 10:16 AM, Michael Gerber wrote:
>> AbstractUsernameFormAuthenticator.validatePassword
>>
>> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
>>     List<UserCredentialModel> credentials = new LinkedList<>();
>>     String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
>>     if (password == null || password.isEmpty()) {
>>         invalidPassword(context, user);
>>         return false;
>>     }
>>     credentials.add(UserCredentialModel.password(password));
>>     boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
>>     if (!valid) {
>>         invalidPassword(context, user);
>>         return false;
>>     }
>>     return true;
>> }
>>
>> I think we can remove the first if (password == null || password.isEmpty())
>>
>> Am 20. November 2015 um 16:11 schrieb Bill Burke <bburke at redhat.com>:
>>
>>> Point me to the code?
>>>
>>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>>>> Hi All,
>>>>
>>>> keycloak does not pass an empty password to the validCredentials method
>>>> in the UserFederationProvider class.
>>>> Is there a reason for that? I would like to authenticate against an AD
>>>> even if the password is empty, otherwise the user won't be blocked after
>>>> x attempts.
>>>>
>>>> Michael
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
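To make the two lockout counters discussed in this thread concrete, here is a constructed Python model (added to this page, not Keycloak's code): `validate_password` mirrors the Java method quoted above, `BruteForceProtector` is a bare failure counter, and `ADProvider` stands in for a federation provider with its own lockout threshold (the value 3 and the user `alice` are made up). The provider rejects an empty password itself rather than binding with it, because an LDAP simple bind with an empty password is an unauthenticated (anonymous) bind, not a failed password check.

```python
# Constructed model of the thread's flow; the lockout threshold is an assumption.
AD_LOCKOUT_THRESHOLD = 3  # stand-in for the AD account lockout policy


class BruteForceProtector:
    """Keycloak-side failure counter, fed by invalidPassword()."""
    def __init__(self):
        self.failures = {}

    def failed_login(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1


class ADProvider:
    """Stand-in for an LDAP/AD UserFederationProvider with its own lockout."""
    def __init__(self, directory):
        self.directory = directory  # user -> password (constructed sample data)
        self.bad_attempts = {}
        self.disabled = set()

    def valid_credentials(self, user, password):
        # An LDAP simple bind with an empty password is an unauthenticated
        # (anonymous) bind, so the provider rejects it without binding at all.
        ok = (user not in self.disabled and bool(password)
              and self.directory.get(user) == password)
        if not ok:
            n = self.bad_attempts[user] = self.bad_attempts.get(user, 0) + 1
            if n >= AD_LOCKOUT_THRESHOLD:
                self.disabled.add(user)
        return ok


def validate_password(protector, provider, user, password, forward_empty):
    """Mirror of AbstractUsernameFormAuthenticator.validatePassword."""
    if not forward_empty and (password is None or password == ""):
        protector.failed_login(user)  # invalidPassword(): Keycloak counter only
        return False
    if not provider.valid_credentials(user, password or ""):
        protector.failed_login(user)  # both counters have now moved
        return False
    return True


def run_attempts(forward_empty, attempts):
    # Returns (Keycloak failure count, AD account disabled?) after the attempts.
    protector, provider = BruteForceProtector(), ADProvider({"alice": "s3cret"})
    for pw in attempts:
        validate_password(protector, provider, "alice", pw, forward_empty)
    return protector.failures.get("alice", 0), "alice" in provider.disabled
```

Under the existing short-circuit, three empty-password attempts raise Keycloak's counter to 3 but leave the AD side untouched; forwarding them moves both counters, provided the provider refuses the empty-password bind instead of handing it to the directory.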
