[keycloak-user] Password policy for the last used passwords
Sarp Kaya
akaya at expedia.com
Thu Jun 1 00:28:17 EDT 2017
Hello,
My Keycloak configuration has a password policy enabled for all users, and it also has the Not Recently Used part set to some number.
I have a simple use case:
1. I create a user
2. I set a password for this user
3. I delete this user
I repeat these steps again, with the same username and password, and I get an error on the 2nd step, which is "Invalid password: must not be equal to any of last x passwords."
The problem is, I only get this error on the admin API; if I do it in the admin UI then I don't get it.
Now obviously if it was the same "user" it would make sense, but since I delete this username and create a new user, which has a different user ID, I would expect it to behave differently.
I am using Keycloak 3.1.0 and the Java adapter, which is 3.1.0 as well. Below is the code:
1. Creating user:
keycloak.realm(usersRealm).users().create(someUserRepresentation);
2. Resetting password of the user:
CredentialRepresentation passwordCredRepresentation = new CredentialRepresentation();
passwordCredRepresentation.setTemporary(false);
passwordCredRepresentation.setType(CredentialRepresentation.PASSWORD);
passwordCredRepresentation.setValue(password);
UserResource userResource = keycloak.realm(usersRealm).users().get(keycloakId);
userResource.resetPassword(passwordCredRepresentation);
3. Deleting the user:
keycloak.realm(usersRealm).users().delete(keycloakId);
I definitely know that delete user works because once I run this, I don't see any user, and when I run the create user code, I can see a user account with a different ID.
My question is, is this intentional or a bug? If it is intentional, then how can I clear a user's password history? I tried looking that up in the admin API but could not find any call.
Thanks,
Sarp