[keycloak-user] Password policy for the last used passwords

Sarp Kaya akaya at expedia.com
Thu Jun 1 00:28:17 EDT 2017


Hello,
My Keycloak configuration has a password policy enabled for all users, and it also has the Not Recently Used part set to some number.
I have a simple use case:


  1.  I create a user
  2.  I set a password for this user
  3.  I delete this user

I repeat these steps again with the same username and password, and I get an error on the 2nd step, which is "Invalid password: must not be equal to any of last x passwords."
The problem is, I only get this error on the admin API; if I do it on the admin UI then I don't get it.

Now obviously if it was the same "user" it would make sense, but since I delete this username and create a new user, which has a different user ID, I would expect it to behave differently.

I am using Keycloak 3.1.0 and the Java adapter, which is 3.1.0 as well. The code is below.


  1.  Creating the user:

keycloak.realm(usersRealm).users().create(someUserRepresentation);

  2.  Resetting the password of the user:

// Build a non-temporary password credential and apply it to the new user
CredentialRepresentation passwordCredRepresentation = new CredentialRepresentation();
passwordCredRepresentation.setTemporary(false);
passwordCredRepresentation.setType(CredentialRepresentation.PASSWORD);
passwordCredRepresentation.setValue(password);
UserResource userResource = keycloak.realm(usersRealm).users().get(keycloakId);
userResource.resetPassword(passwordCredRepresentation);

  3.  Deleting the user:

keycloak.realm(usersRealm).users().delete(keycloakId);


I definitely know that deleting the user works, because once I run this I don't see any user, and when I run the create user code I can see a user account with a different ID.

My question is, is this intentional or a bug? If it is intentional, then how can I clear a user's password history? I tried looking that up in the admin API but could not find any call.

Thanks,
Sarp

