[keycloak-user] Is there a possibility to stop users changing their passwords too often?

Stian Thorgersen sthorger at redhat.com
Fri Mar 18 09:49:14 EDT 2016


+1 Password policy shouldn't be hard as it's already using a similar
approach, except it's hard coded.
On 18 Mar 2016 2:14 p.m., "Marek Posolda" <mposolda at redhat.com> wrote:

> On 18/03/16 12:58, Stian Thorgersen wrote:
>
> Seems like a strange requirement. I can see why you would want users to
> update the password frequently, not the other way around. Or is there
> something I'm missing?
>
> Password policy will be made an SPI in the future. That will make it easy
> to do, but it's not going to be done for a little while.
>
> Maybe we can do Password policy SPI in 2.X together with validation SPI?
> Looks to me like quite related things.
>
> Marek
>
> On 18 Mar 2016 10:10, "Marek Posolda" <mposolda at redhat.com> wrote:
>
>> Btw, Kevin, you are using LDAP/MSAD, right? If you have writable LDAP, then
>> for the LDAP users, you can create a custom LDAP Mapper implementation, which
>> will implement the "proxy" method and override the "updateCredential" method
>> of the proxy user object. Here you can implement this functionality by
>> yourself (MSAD has the pwdLastSet attribute with the time when the password
>> was last updated).
>>
>> Marek
>>
>> On 18/03/16 10:04, Marek Posolda wrote:
>>
>> Hi,
>>
>> this is not available right now. It can be achieved with password policy,
>> but we don't have such a password policy right now. We can either:
>> - Add the password policy to have this available in Keycloak OOTB
>> - Make PasswordPolicy pluggable SPI, so you can add your custom password
>> policy for the functionality like this.
>>
>> Feel free to create JIRA for this.
>>
>> Marek
>>
>> On 16/03/16 15:02, Kevin Thorpe wrote:
>>
>> A standard practice for login systems is to stop users changing their
>> passwords too often. Keycloak does not support this as of 1.7.0. Is there a
>> possibility of adding a timeout to stop too frequent password changes?
>>
>>
>> *Kevin Thorpe*
>
>
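The pwdLastSet check suggested in the thread comes down to the comparison below, shown as an added example that is not code from the thread or from Keycloak. The class and method names and the one-day minimum age are assumptions, and the call from a custom mapper's updateCredential override is left out because the thread does not show that API.

```java
import java.time.Duration;
import java.time.Instant;

public class MinPasswordAgeCheck {
    // pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01T00:00:00Z.
    static final long EPOCH_DIFF_SECONDS = 11_644_473_600L; // 1601 -> 1970
    static final long TICKS_PER_SECOND = 10_000_000L;

    static Instant fromPwdLastSet(long ticks) {
        return Instant.ofEpochSecond(ticks / TICKS_PER_SECOND - EPOCH_DIFF_SECONDS,
                (ticks % TICKS_PER_SECOND) * 100);
    }

    // Only used here to build the constructed sample values in main().
    static String toPwdLastSet(Instant t) {
        return Long.toString((t.getEpochSecond() + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND
                + t.getNano() / 100);
    }

    // Rejects a change made sooner than minAge after the previous one. A malformed
    // attribute raises NumberFormatException, so the check fails closed.
    static void requireMinAge(String pwdLastSet, Duration minAge, Instant now) {
        if (pwdLastSet == null || pwdLastSet.trim().isEmpty()) return; // assumption: no record, nothing to throttle
        long ticks = Long.parseLong(pwdLastSet.trim());
        if (ticks <= 0) return; // 0 means "must change at next logon": never block that change
        Instant earliest = fromPwdLastSet(ticks).plus(minAge);
        if (now.isBefore(earliest)) {
            throw new IllegalStateException("Password cannot be changed before " + earliest);
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2016-03-18T13:49:14Z"); // constructed clock value
        Duration minAge = Duration.ofDays(1);                 // assumed policy value
        String[] samples = {                                   // constructed attribute values
            toPwdLastSet(now.minus(Duration.ofHours(2))),      // changed 2 hours ago
            toPwdLastSet(now.minus(Duration.ofDays(30))),      // changed 30 days ago
            "0"                                                // forced change pending
        };
        for (String s : samples) {
            try {
                requireMinAge(s, minAge, now);
                System.out.println(s + " -> change allowed");
            } catch (IllegalStateException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```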