[keycloak-dev] Adding a validate password endpoint in the Admin API

Stian Thorgersen sthorger at redhat.com
Tue Jun 27 08:31:17 EDT 2017


All this does is allow checking if a password is accepted by the password
policies. That's it. I can't see how that increases any attack surface?

On 27 June 2017 at 14:10, Bruno Oliveira <bruno at abstractj.org> wrote:

> I'm 50/50 on this. And I fully agree that no one should know a users
> password. On the other hand I understand that might not work for
> everyone.
>
> If we move forward with this, we might not just be increasing the attack
> surface, but also enabling people to do creative things like storing
> users' passwords in their database in plain text.
>
> On 2017-06-27, Stian Thorgersen wrote:
> > I think the flow of allowing admins to set users' passwords is a bit
> > broken in the first place. No one should know a user's password but
> > themselves. A better flow would be to send a password-reset link to users
> > through email and let them set the initial password themselves.
> >
> > However, I can see that might not work for everyone, so I don't feel too
> > strongly about not accepting this change. Let's see what others think
> > about it.
> >
> > On 27 June 2017 at 09:03, Wim Vandenhaute <wim.vandenhaute at gmail.com>
> wrote:
> >
> > > Hello list,
> > >
> > > Via an admin portal of a customer I am working for, they provide a feature
> > > where an admin can edit the user's data, including setting a new password.
> > >
> > > For the sake of atomicity, all update steps first go through a series of
> > > validations for all modified data before actually committing the changes
> > > and (if needed) updating the Keycloak password.
> > >
> > > At the moment, there is no way to do a pre-update validity check of the
> > > updated password against Keycloak's configured password policy(ies).
> > >
> > > Therefore I would propose to have a validate-password endpoint in the
> > > Admin API.
> > >
> > > I've made a pull request already here:
> > >   *  https://github.com/keycloak/keycloak/pull/4229
> > >
> > > Any thoughts on this?
> > >
> > > Kind regards,
> > > Wim
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
>
> --
>
> abstractj
>
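Wim's use case is a portal that must know whether a candidate password would be accepted before it commits a multi-field update. Until something like the proposed endpoint exists, the only client-side option is to mirror the content rules of the realm's password policy. The following is an added example written for this thread; it is not Keycloak's code and not the code from the pull request. It assumes the policy is the "passwordPolicy" string as a realm representation exposes it (e.g. "length(8) and digits(1) and ..."), that the username is known to the portal, and, where marked in the comments, it assumes the exact semantics of the notUsername and regexPattern rules; check those against the Keycloak version you run. Rules that depend on server-side state (password history, hashing settings) are reported as unchecked rather than silently passed.

```python
"""Portal-side pre-check of a candidate password against the content rules
of a Keycloak realm's password policy, so an admin update can be validated
before anything is committed.  Added example, not Keycloak's own code."""
from __future__ import annotations

import re

# Constructed sample in the format Keycloak stores in the realm's
# "passwordPolicy" attribute (returned by GET /admin/realms/{realm}).
SAMPLE_POLICY = (
    "length(8) and digits(1) and upperCase(1) and lowerCase(1) "
    "and specialChars(1) and notUsername(undefined) and hashIterations(27500)"
)

# Rules that need server-side state (credential history, hashing config)
# cannot be evaluated by a client; they are reported as unchecked so the
# caller knows this pre-check is not a substitute for the server's verdict.
SERVER_ONLY = {
    "passwordHistory", "hashIterations", "hashAlgorithm",
    "forceExpiredPasswordChange", "passwordBlacklist",
}


def parse_policy(policy: str) -> list[tuple[str, str]]:
    """Split 'length(8) and digits(1)' into [('length', '8'), ('digits', '1')]."""
    rules = []
    for term in policy.split(" and "):
        term = term.strip()
        if not term:
            continue
        m = re.fullmatch(r"(\w+)(?:\((.*)\))?", term, re.DOTALL)
        if not m:
            raise ValueError(f"unparseable policy term: {term!r}")
        rules.append((m.group(1), m.group(2) or ""))
    return rules


def check_password(policy: str, username: str, password: str):
    """Return (violations, unchecked): violations is a list of
    (rule, message) pairs, unchecked the rule names left to the server."""
    violations, unchecked = [], []

    def need(rule, arg, count, what):
        n = int(arg)
        if count < n:
            violations.append((rule, f"needs at least {n} {what}"))

    for rule, arg in parse_policy(policy):
        if rule == "length":
            need(rule, arg, len(password), "characters")
        elif rule == "digits":
            need(rule, arg, sum(c.isdigit() for c in password), "digits")
        elif rule == "upperCase":
            need(rule, arg, sum(c.isupper() for c in password), "upper-case letters")
        elif rule == "lowerCase":
            need(rule, arg, sum(c.islower() for c in password), "lower-case letters")
        elif rule == "specialChars":
            need(rule, arg, sum(not c.isalnum() for c in password), "special characters")
        elif rule == "notUsername":
            # Assumption: compared case-insensitively here; confirm against
            # your Keycloak version, which may use an exact comparison.
            if password.lower() == username.lower():
                violations.append((rule, "must not equal the username"))
        elif rule == "regexPattern":
            # Assumption: the whole password must match (Java matches()).
            if re.fullmatch(arg, password) is None:
                violations.append((rule, f"does not match {arg!r}"))
        else:
            # Server-only or unknown rule: the portal cannot vouch for it,
            # so surface it instead of pretending it passed.
            unchecked.append(rule)
    return violations, unchecked


if __name__ == "__main__":
    for candidate in ("Str0ng!Pass", "alice"):
        bad, skipped = check_password(SAMPLE_POLICY, "alice", candidate)
        print(candidate, "->", bad or "ok", "| unchecked:", skipped)
```

Because of the unchecked rules, the portal must still treat a rejection from the actual credential update as authoritative and roll back the rest of the transaction on it; the pre-check only removes the common failure cases before anything is written.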

