[keycloak-user] Is there a possibility to stop users changing their passwords too often?

Marek Posolda mposolda at redhat.com
Fri Mar 18 09:14:44 EDT 2016


On 18/03/16 12:58, Stian Thorgersen wrote:
>
> Seems like a strange requirement. I can see why you would want users 
> to update the password frequently, not the other way around. Or is 
> there something I'm missing?
>
> Password policy will be made an SPI in the future. That will make it 
> easy to do, but it's not going to be done for a little while.
>
Maybe we can do Password policy SPI in 2.X together with validation SPI? 
Looks to me like quite related things.

Marek

> On 18 Mar 2016 10:10, "Marek Posolda" <mposolda at redhat.com> wrote:
>
>     Btw, Kevin, you are using LDAP/MSAD, right? If you have writable
>     LDAP, then for the LDAP users, you can create a custom LDAP Mapper
>     implementation, which will implement the "proxy" method and override
>     the "updateCredential" method of the proxy user object. Here you can
>     implement this functionality by yourself (MSAD has the pwdLastSet
>     attribute with the time when the password was last updated)
>
>     Marek
>
>     On 18/03/16 10:04, Marek Posolda wrote:
>>     Hi,
>>
>>     this is not available right now. It can be achieved with password
>>     policy, but we don't have such a password policy right now. We
>>     can either:
>>     - Add the password policy to have this available in Keycloak OOTB
>>     - Make PasswordPolicy pluggable SPI, so you can add your custom
>>     password policy for the functionality like this.
>>
>>     Feel free to create JIRA for this.
>>
>>     Marek
>>
>>     On 16/03/16 15:02, Kevin Thorpe wrote:
>>>     A standard practice for login systems is to stop users changing
>>>     their passwords too often. Keycloak does not support this as of
>>>     1.7.0. Is there a possibility of adding a timeout to stop too
>>>     frequent password changes?
>>>
>>>
>>>     *Kevin Thorpe*
>>>     VP Enterprise Platform
>>>     _______________________________________________
>>>     keycloak-user mailing list
>>>     keycloak-user at lists.jboss.org
>>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
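
The minimum-age decision that the pwdLastSet suggestion above relies on, as an added example that is not code from this thread or from Keycloak. The class and method names and the 24-hour policy value are hypothetical; the check would be called from the overridden "updateCredential" method, and no Keycloak API is shown.

```java
import java.time.Duration;
import java.time.Instant;

public class MinPasswordAge {
    // Seconds from the FILETIME epoch (1601-01-01T00:00:00Z) to the Unix epoch.
    private static final long EPOCH_DIFF_SECONDS = 11_644_473_600L;
    private static final long TICKS_PER_SECOND = 10_000_000L; // one tick = 100 ns

    /** Converts a raw pwdLastSet string to an Instant; null when the value is 0. */
    static Instant parsePwdLastSet(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            throw new IllegalArgumentException("pwdLastSet missing from LDAP entry");
        }
        long ticks = Long.parseLong(raw.trim());
        if (ticks < 0) {
            throw new IllegalArgumentException("unexpected pwdLastSet: " + raw);
        }
        if (ticks == 0) {
            return null; // AD: user must change password at next logon
        }
        return Instant.ofEpochSecond(ticks / TICKS_PER_SECOND - EPOCH_DIFF_SECONDS,
                (ticks % TICKS_PER_SECOND) * 100L);
    }

    /** True when the last change is at least minAge old, or a change is being forced. */
    static boolean changeAllowed(String rawPwdLastSet, Duration minAge, Instant now) {
        Instant lastSet = parsePwdLastSet(rawPwdLastSet);
        if (lastSet == null) {
            return true; // never block a forced change
        }
        // A timestamp in the future (clock skew) counts as "just changed".
        return !now.isBefore(lastSet.plus(minAge));
    }

    public static void main(String[] args) {
        Duration minAge = Duration.ofHours(24);   // hypothetical policy value
        String lastSet = "131027652000000000";    // constructed: 2016-03-18T09:00:00Z
        Instant soon = Instant.parse("2016-03-18T15:00:00Z");
        Instant later = Instant.parse("2016-03-19T09:00:00Z");
        System.out.println(parsePwdLastSet(lastSet));
        System.out.println(changeAllowed(lastSet, minAge, soon));
        System.out.println(changeAllowed(lastSet, minAge, later));
        System.out.println(changeAllowed("0", minAge, soon));
    }
}
```

A missing or malformed attribute raises an exception instead of silently allowing or denying the change, so the caller decides how to handle directory errors.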
