[keycloak-user] Is there a possibility to stop users changing their passwords too often?

Marek Posolda mposolda at redhat.com
Fri Mar 18 05:09:02 EDT 2016

Btv. Kevin you are using LDAP/MSAD right? If you have writable LDAP, 
then for the LDAP users, you can create custom LDAP Mapper 
implementation, which will implement "proxy" method and override 
"updateCredential" method of the proxy user object. Here you can
implement this functionality by yourself (MSAD has pwdLastSet attribute 
with the time when password was updated for last time)


On 18/03/16 10:04, Marek Posolda wrote:
> Hi,
> this is not available right now. It can be achieved with password 
> policy, but we don't have such a password policy right now. We can either:
> - Add the password policy to have this available in Keycloak OOTB
> - Make PasswordPolicy pluggable SPI, so you can add your custom 
> password policy for the functionality like this.
> Feel free to create JIRA for this.
> Marek
> On 16/03/16 15:02, Kevin Thorpe wrote:
>> A standard practice for login systems is to stop users changing their 
>> passwords too often. Keycloak does not support this as of 1.7.0. Is 
>> there a possibility of adding a timeout to stop too frequent password 
>> changes?
>> *Kevin Thorpe*
>> VP Enterprise Platform
>> www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>> *T: +44 (0)20 3005 6750 <tel:%2B44%20%280%2920%203005%206750>  | F: 
>> +44(0)20 7730 2635 <tel:%2B44%280%2920%207730%202635>  | T: +44 
>> (0)808 204 0344 <tel:%2B44%20%280%29808%20204%200344> *
>> *150 Buckingham Palace Road, London, SW1W 9TR, UK*
>> ____________________________________________________________________
>> This email and any files transmitted with it are confidential and 
>> intended solely for the use of the individual or entity to whom they 
>> are addressed. If you have received this email in error please notify 
>> the system manager. This message contains confidential information 
>> and is intended only for the individual named. If you are not the 
>> named addressee you should not disseminate, distribute or copy this 
>> e-mail. Please notify the sender immediately by e-mail if you have 
>> received this e-mail by mistake and delete this e-mail from your 
>> system. If you are not the intended recipient you are notified that 
>> disclosing, copying, distributing or taking any action in reliance on 
>> the contents of this information is strictly prohibited.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/6e18680a/attachment-0001.html 

More information about the keycloak-user mailing list