[keycloak-dev] no empty password in UserFederationProvider

Michael Gerber gerbermichi at me.com
Fri Nov 20 12:22:53 EST 2015 

We’ve got a custom UserFederationProvider, which authenticate users against an AD or DB. Therefore, we need to know if a user entered an empty password.
I will create a PR and jira ticket for that, ok?

> On 20.11.2015, at 17:50, Marek Posolda <mposolda at redhat.com> wrote:
> 
> That will be the easiest path to use our BruteForceProtector.
> 
> However AD also has some "BruteForceProtector" of it's own, which disables user in AD when he reach some count of invalid attempts. And I guess Michael wants to use that one and disable user in AD as well.
> 
> Marek
> 
> On 20/11/15 17:40, Bill Burke wrote:
>> You can I guess, but why does it matter?  invalidPassword hits the brute
>> force detector if it is turned on.
>> 
>> On 11/20/2015 10:16 AM, Michael Gerber wrote:
>>> AbstractUsernameFormAuthenticator.validatePassword
>>> 
>>> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
>>>      List<UserCredentialModel> credentials =new LinkedList<>();
>>> String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
>>> if (password ==null || password.isEmpty()) {
>>>          invalidPassword(context, user);
>>> return false;
>>> }
>>>      credentials.add(UserCredentialModel.password(password));
>>> boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
>>> if (!valid) {
>>>          invalidPassword(context, user);
>>> return false;
>>> }
>>>      return true;
>>> }
>>> 
>>> I think we can remove the first if (password == null || password.isEmpty())
>>> 
>>> Am 20. November 2015 um 16:11 schrieb Bill Burke <bburke at redhat.com>:
>>> 
>>>> Point me to the code?
>>>> 
>>>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>>>>> Hi All,
>>>>> 
>>>>> keycloak does not pass an empty password to the validCredentials method
>>>>> in the UserFederationProvider class.
>>>>> Is there a reason for that? I would like to authenticate against an AD
>>>>> even if the password is empty, otherwise the user won't be blocked after
>>>>> x attempts.
>>>>> 
>>>>> Michael
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>> 
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list