[keycloak-user] Different password policies for the same client

Bill Burke bburke at redhat.com
Wed Oct 14 11:39:09 EDT 2015


Our realms are isolated from one another so I wouldn't recommend having 
2 realms if at all possible.

We don't have per client password policies.  We do have "service 
accounts" now.  A service account belongs to a client.  A client can use 
this to interact with the admin console or other services.



On 10/14/2015 11:09 AM, Sebastian Olscher wrote:
> Hi guys,
>
> is there any way to configure different password policies for different
> kinds of users in one realm?
>
> We're dealing with the following use case: Two different types of users:
> one represents human users, who are able to log in via a login page. The
> second represents other applications which do system to system
> communication without login via a login page. For human users we want
> to specify the policy that they have to change their password at least
> every 90 days. Users which were used for other applications (machine to
> machine communication) were not able to change their password. So we
> want to define this policy only for human users.
>
> I can't find a possibility to distinguish between user types, so our
> idea was to use two separate realms. I can add users of type A to
> Realm 1 and users of type B to Realm 2 and with that, I'm able to
> configure different password policies for both groups. But in the end, if
> both user types have access to the same client, I have to configure the
> same client with all its roles in both realms identically to add roles
> of this client to users within this realm.
>
> What would be your recommendation to fulfil the requirement described in
> the use case?
>
> Thanks for your help,
>
> Sebastian
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

