[keycloak-user] password history not always correctly considered

Bystrik Horvath bystrik.horvath at gmail.com
Thu Oct 27 06:22:29 EDT 2016


Hi,

The question is whether this is buggy behavior or not, regardless of my use
case. I came across this behavior on a slower virtual machine where the gaps
between the calls were more than 300 ms; then I decided to test it locally
on a Windows machine without network communication.
What could I expect then on a clustered solution where I change the password
on one node and do the same on the next node?
Thank you for the answer.

Best regards,
Bystrik

On Tue, Oct 25, 2016 at 3:28 PM, Bystrik Horvath <bystrik.horvath at gmail.com>
wrote:

> Hi Bill and Stian,
>
> I know that this is a silly test case, but the API provides the possibility
> ;-) Anyway, I run my test from the POSTMAN tool and the requests are running in
> a sequence. I have a standalone Keycloak on my Windows machine, so it is
> not a cluster. Yes Bill, you are right, it is mostly the 3rd attempt that fails.
>
> Best regards,
> Bystrik
>
> On Tue, Oct 25, 2016 at 3:00 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> We purge older history entries.  It's based on creation date of current
>> time in milliseconds.  I guess it could be possible that the update is
>> happening so fast that multiple entries have the same creation date.
>> Are you running tests in a cluster?  Could also be possible that the
>> machines in your cluster don't have fully synchronized clocks.
>>
>> Does it work for the 1st 2 tries, then fail on the 3rd?  Then that is
>> probably the problem you are experiencing.
>>
>>
>> On 10/25/16 7:23 AM, Bystrik Horvath wrote:
>> > Hello,
>> >
>> > I have a realm where password history was set to 3. When I try to set the
>> > password for a user too fast (via REST API), I'm able to use one of the
>> > passwords that should be recorded as not usable. When I put a small sleep
>> > between the password changes (approx. 300 ms), the use case works fine, so
>> > I'm not allowed to use any of the 3 recorded passwords from the history. I
>> > tested the case using 1.9.3 Final and 2.2.1 Final with the same results.
>> > It looks to me like a bug, isn't it?
>> >
>> > Thank you for the answer & best regards,
>> > Bystrik
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
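The mechanism Bill describes above (history entries ordered and purged by a millisecond creation date, so that several updates in the same millisecond end up with identical dates) can be reproduced in a few dozen lines. The following is an added illustration written for this thread, not Keycloak's own code: a simplified history policy whose purge orders rows by `created_ms` alone, beside the same policy with a per-user sequence number as a tie-breaker. The policy semantics (the newest N stored hashes, current one included, are not reusable), the `PasswordHistory` class, the `run_scenario` helper and the PBKDF2 parameters are all assumptions made for the example; how ties are ordered when a real database sorts on a non-unique column is unspecified, and the simulation returns tied rows in storage order, which is one of the orders a query may return.

```python
"""
Added example (not Keycloak code): a password-history policy that keeps the
newest N password hashes and purges the rest by creation timestamp. With
several updates in one millisecond, ordering by timestamp alone can purge a
newer entry and keep an older one; a sequence number restores a total order.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

HISTORY_LENGTH = 3  # realm setting from the thread: last 3 passwords not reusable


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 stand-in for the real hashing provider (illustrative parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


@dataclass(frozen=True)
class Credential:
    pw_hash: bytes
    salt: bytes
    created_ms: int  # wall-clock creation time, millisecond resolution
    seq: int         # per-user monotonically increasing insert counter (hypothetical)


class PasswordHistory:
    """Stores current and previous password hashes, purged to history_length rows."""

    def __init__(self, history_length=HISTORY_LENGTH, tie_break_by_seq=False):
        self.history_length = history_length
        self.tie_break_by_seq = tie_break_by_seq
        self._rows = []       # simulated table rows, kept in insertion (storage) order
        self._next_seq = 0

    def _newest_first(self):
        # "ORDER BY created_ms DESC": rows with equal timestamps come back in an
        # unspecified order. Python's stable sort returns them in storage order,
        # so within a tie the most recently inserted row is listed last.
        if self.tie_break_by_seq:
            key = lambda c: (c.created_ms, c.seq)   # deterministic total order
        else:
            key = lambda c: c.created_ms            # ties are ambiguous
        return sorted(self._rows, key=key, reverse=True)

    def _matches(self, cred, password):
        return hmac.compare_digest(cred.pw_hash, hash_password(password, cred.salt))

    def is_blocked(self, password):
        """True if the password equals one of the history_length newest entries."""
        newest = self._newest_first()[: self.history_length]
        return any(self._matches(c, password) for c in newest)

    def set_password(self, password, now_ms):
        """Enforce the policy, store the new hash, then purge older entries."""
        if self.is_blocked(password):
            return False
        salt = os.urandom(16)
        self._rows.append(Credential(hash_password(password, salt), salt, now_ms, self._next_seq))
        self._next_seq += 1
        keep = self._newest_first()[: self.history_length]   # purge step
        self._rows = [c for c in self._rows if c in keep]
        return True


def run_scenario(tie_break_by_seq):
    """Two updates per millisecond (constructed clock values), as on a fast
    box or a clock that only ticks once per ms. Returns which of the four
    passwords the policy still blocks afterwards."""
    store = PasswordHistory(tie_break_by_seq=tie_break_by_seq)
    assert store.set_password("A", 1000)
    assert store.set_password("B", 1000)   # same millisecond as A
    assert store.set_password("C", 1001)
    assert store.set_password("D", 1001)   # same millisecond as C
    return {pw: store.is_blocked(pw) for pw in "ABCD"}


if __name__ == "__main__":
    # Timestamp only: B (newer) was purged while A (older) is still blocked.
    print("timestamp only:", run_scenario(False))
    # Timestamp + sequence: exactly the 3 newest (B, C, D) are blocked.
    print("with sequence :", run_scenario(True))
```

The point of the scenario is that the boundary of the purge falls inside a group of equal timestamps: the policy keeps three rows, but which row of the `A`/`B` pair survives is decided by storage order, not by recency, so a user can reuse `B` while being refused `A`. Any strictly increasing per-user counter, or a clock with finer resolution combined with such a counter, removes the ambiguity; clock skew between cluster nodes, which Bill also raises, is a separate source of misordering that a node-local counter does not address by itself.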

