[keycloak-user] Password policy when password is updated using admin API

Haim Vana haimv at perfectomobile.com
Tue Nov 29 11:18:48 EST 2016

I checked it again and the password policy is enforced :) I accidentally set its value to 1 so it didn't do anything (maybe a UI warning should be added).

However, when the password reset from the admin API fails due to the policy I am getting - javax.ws.rs.BadRequestException: HTTP 400 Bad Request, while I was expecting something like - a password history exception or something like that.

Any idea how I can notify the user that their password was already used?


From: Haim Vana
Sent: Tuesday, November 29, 2016 5:47 PM
To: keycloak-user at lists.jboss.org
Cc: Boaz Hamo <boazh at perfectomobile.com>; Moshe Ben-Shoham <mosheb at perfectomobile.com>
Subject: Password policy when password is updated using admin API


Currently Keycloak is not exposed directly to our customers, hence all user operations are being done in our application background using the admin API.

We noticed that when changing a user's password from the admin API the password policy is not enforced, for example when setting a password history policy.

Can you please advise if it is by design?
If so, do you have any suggestion how to handle the password policy in our case (using the admin API we can't get the user's current or previous passwords)?
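The two messages above describe resetting a user's password through the admin API and then wanting to turn the bare HTTP 400 into a message the end user can understand. The following is an added example, not code from the thread or from the Keycloak project, showing how that looks with the keycloak-admin-client Java library: the reset goes through the PUT /admin/realms/{realm}/users/{id}/reset-password endpoint that the client wraps, and a BadRequestException is caught so the response body can be read. The server URL, realm name, user id, and credentials are placeholders, and it is an assumption that the 400 body deserializes into org.keycloak.representations.idm.ErrorRepresentation with a populated errorMessage; if it does not, the code falls back to a generic message rather than leaking the raw exception.

```java
import javax.ws.rs.BadRequestException;
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.ErrorRepresentation;

/**
 * Added example (not Keycloak project code): reset a user's password via the
 * admin API and surface a password-policy rejection as a readable message.
 */
public class AdminPasswordReset {

    /** Thrown when Keycloak rejects the new password (HTTP 400). */
    public static final class PolicyViolationException extends Exception {
        public PolicyViolationException(String message) {
            super(message);
        }
    }

    /**
     * Sets a new, non-temporary password for the given user id. The realm's
     * password policy (history, length, ...) is evaluated server-side; on a
     * violation the admin endpoint answers 400 and the client raises
     * BadRequestException, which we translate here.
     */
    public static void resetPassword(Keycloak keycloak, String realm, String userId,
                                     String newPassword) throws PolicyViolationException {
        CredentialRepresentation cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setValue(newPassword);
        cred.setTemporary(false);

        UserResource user = keycloak.realm(realm).users().get(userId);
        try {
            user.resetPassword(cred);
        } catch (BadRequestException e) {
            throw new PolicyViolationException(extractErrorMessage(e.getResponse()));
        }
    }

    /**
     * Reads the error body of a 400 response. Assumption: the body is a JSON
     * ErrorRepresentation whose errorMessage holds the policy text. Anything
     * else yields a generic message so raw server output never reaches the user.
     */
    static String extractErrorMessage(Response response) {
        if (response != null) {
            try {
                ErrorRepresentation err = response.readEntity(ErrorRepresentation.class);
                if (err != null && err.getErrorMessage() != null && !err.getErrorMessage().isEmpty()) {
                    return err.getErrorMessage();
                }
            } catch (RuntimeException ignored) {
                // body was not an ErrorRepresentation, or was already consumed
            }
        }
        return "The new password was rejected by the realm password policy.";
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: server URL, admin realm, admin user, password from argv, client id.
        Keycloak keycloak = Keycloak.getInstance(
                "https://keycloak.example.com/auth", "master", "admin", args[0], "admin-cli");
        try {
            resetPassword(keycloak, "myrealm", "00000000-0000-0000-0000-000000000000", "NewP@ssw0rd!2016");
            System.out.println("Password updated.");
        } catch (PolicyViolationException e) {
            // This is the text to show the end user, e.g. "Invalid password: must not be equal to any of last 3 passwords."
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Because the application, not the end user, talks to Keycloak, the exception message is the only channel for the policy verdict; keeping the admin credentials out of the user-facing path and mapping the 400 to a fixed, sanitized message when the body cannot be parsed avoids echoing internal error details to the browser.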


