[keycloak-dev] [KEYCLOAK-4052] implementation
Stian Thorgersen
sthorger at redhat.com
Fri Sep 15 05:25:33 EDT 2017
This particular SPI is fully supported so we can't break backwards
compatiblity. Would have to be an option interface if done this way.
Alternatively, which may be better is to just let user storage providers
deal with it themselves. The built-in LDAP provider could have an option,
then other custom implementations can just do what they want (enable
always, configurable, disable always, etc..).
On 15 September 2017 at 10:18, Cédric Couralet <cedric.couralet at gmail.com>
wrote:
> thank you.
>
> What I'm thinking now is :
> - adding a method in CredentialInputUpdater (veryPasswordPolicy boolean)
> - using this in updateCredential in UserCredentialStoreManager to
> check or not the password policy
> - adding an option in all existing providers provided by default.
>
> This would allow custom providers to use or not the Password Policy.
>
> What do you think?
> I'm not sure changing the interface can be done like that, is there
> some rules to follow?
>
>
> 2017-09-15 10:06 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
> > +1 for the config option. Maybe should be disabled by default for
> backwards
> > compatibility?
> >
> > Will be cool if also implementors of custom UserStorage have an easy way
> to
> > specify whether they want to use Keycloak password policies or not (maybe
> > it's available already, I am not 100 % sure).
> >
> > Marek
> >
> >
> > On 15/09/17 09:11, Stian Thorgersen wrote:
> >>
> >> * There needs to be a config option whether or not the password policy
> >> should be considered or not
> >> * Before trying the password policy you need to check if the credential
> >> being update is indeed a password and not a different type
> >> * Tests need to be added (update password success, update password
> >> rejected
> >> due to policy, with/without config password policy check on, updating
> >> different types of credentials doesn't break, etc.)
> >>
> >> On 15 September 2017 at 08:36, Cédric Couralet <
> cedric.couralet at gmail.com>
> >> wrote:
> >>
> >>> Hi,
> >>>
> >>> This place is surely better than a comment in JIRA. I really need this
> >>> issue to be resolved. I tried a fistr patch quickly, which was
> >>> rejected[1], but is it possible to verify the credential type befoer
> >>> the password policy check in UserCredentialStoreManager.java or is it
> >>> the wrong direction?
> >>>
> >>> [1]: https://github.com/keycloak/keycloak/pull/4364/files
> >>>
> >>>
> >>> Regards,
> >>>
> >>> --
> >>>
> >>> Cédric Couralet
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> >
>
More information about the keycloak-dev
mailing list