[keycloak-dev] Adding a validate password endpoint in the Admin API

Bruno Oliveira bruno at abstractj.org
Tue Jun 27 08:10:24 EDT 2017


I'm 50/50 on this. And I fully agree that no one should know a user's
password. On the other hand, I understand that might not work for
everyone.

If we move forward with this, we might not just be increasing the attack
surface, but also enabling people to do creative things like storing users'
passwords in their database in plain text.

On 2017-06-27, Stian Thorgersen wrote:
> I think the flow of allowing admins to set users' passwords is a bit
> broken in the first place. No one should know a user's password but
> themselves. A better flow would be to send a password-reset link to users
> through email and let them set the initial password themselves.
>
> However, I can see that might not work for everyone, so I don't feel too
> strongly about not accepting this change. Let's see what others think about
> it.
>
> On 27 June 2017 at 09:03, Wim Vandenhaute <wim.vandenhaute at gmail.com> wrote:
>
> > Hello list,
> >
> > Via an admin portal of a customer I am working for, they provide a feature
> > where an admin can edit the user's data, including setting a new password.
> >
> > For the sake of atomicity, all update steps first go through a series of
> > validations for all modified data before actually committing the changes
> > and (if needed) updating the Keycloak password.
> >
> > At the moment, there is no way to do a pre-update validity check of the
> > updated password against Keycloak's configured password policy(ies).
> >
> > Therefore I would propose to have a validate-password endpoint in the Admin
> > API.
> >
> > I've made a pull request already here:
> >   *  https://github.com/keycloak/keycloak/pull/4229
> >
> > Any thoughts on this?
> >
> > Kind regards,
> > Wim
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >

--

abstractj
