[keycloak-user] Password policy for the last used passwords

Stian Thorgersen sthorger at redhat.com
Fri Jun 2 08:32:31 EDT 2017


This is certainly not intentional. When you re-create the user through the
admin API, is it with the same user id? If so, it could seem the credentials
are not deleted properly when the user is, and that the "old" credentials are
then associated with the new user.

On 1 June 2017 at 06:28, Sarp Kaya <akaya at expedia.com> wrote:

> Hello,
> My keycloak configuration has password policy enabled for all users and it
> also has the Not Recently Used part specified to some number.
>  I have a simple use case:
>
>
>   1.  I create user
>   2.  I set a password for this user
>   3.  I delete this user
>
> I repeat these steps again, with the same username and password, and I get an
> error on the 2nd step which is "Invalid password: must not be equal to any of
> last x passwords."
> The problem is, I can only have this error on admin API, if I do it on the
> admin UI then I don’t get it.
>
> Now obviously if it was the same “user” it would make sense, but since I
> delete this username and create a new user, which has different user ID;
> then I would expect it to behave differently.
>
> I am using Keycloak 3.1.0 and the Java adapter, which is 3.1.0 as well. Below
> is the code:
>
>
> 1. Creating user:
> keycloak.realm(usersRealm).users().create(someUserRepresentation);
>
> 2. Resetting password of the user:
> CredentialRepresentation passwordCredRepresentation = new
> CredentialRepresentation();
> passwordCredRepresentation.setTemporary(false);
> passwordCredRepresentation.setType(PASSWORD);
> passwordCredRepresentation.setValue(password);
> UserResource userResource = keycloak.realm(usersRealm).
> users().get(keycloakId);
> userResource.resetPassword(passwordCredRepresentation);
>
>
> 3. Deleting the user:
> keycloak.realm(usersRealm).users().delete(keycloakId);
>
>
> I definitely know that delete user works because once I run this, I don’t
> see any user and when I run create user code, I can see a user account with
> different ID.
>
> My question is, is this intentional or a bug? If it is intentional, then
> how can I clear user’s password history? I tried looking that up in admin
> api but could not find any call.
>
> Thanks,
> Sarp
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
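A small probe for the create / set-password / delete cycle discussed in this thread, written against the Keycloak admin client (an added example, not code from either poster). It builds a fresh UserRepresentation on every create so no stale id can be carried over, reads the id Keycloak actually assigned from the Location header, and reports whether the second password reset is rejected by the "not recently used" policy even though the id changed. The server URL, realm name, admin account and the password passed as the first argument are placeholders you must replace.

```java
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class RecreateUserCheck {
    // Placeholders (assumed): your server base URL and the realm holding the users.
    static final String SERVER = "https://keycloak.example.invalid/auth";
    static final String REALM = "users-realm";

    // Build a fresh representation each time so no id from an earlier lookup is
    // carried over, and read the id Keycloak assigned from the 201 Location header.
    static String createUser(UsersResource users, String username) {
        UserRepresentation rep = new UserRepresentation();
        rep.setUsername(username);
        rep.setEnabled(true);
        Response response = users.create(rep);
        try {
            String location = response.getHeaderString("Location");
            if (location == null) throw new IllegalStateException("create failed: HTTP " + response.getStatus());
            return location.substring(location.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
    }

    // Returns null when the reset succeeds, otherwise the server's error body
    // (a 400 from the password policy surfaces as a ClientErrorException).
    static String setPassword(UsersResource users, String id, String password) {
        CredentialRepresentation cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setTemporary(false);
        cred.setValue(password);
        try {
            users.get(id).resetPassword(cred);
            return null;
        } catch (ClientErrorException e) {
            return e.getResponse().readEntity(String.class);
        }
    }

    public static void main(String[] args) {
        // args[0] is the admin password; "master"/"admin"/"admin-cli" are placeholders.
        Keycloak kc = Keycloak.getInstance(SERVER, "master", "admin", args[0], "admin-cli");
        UsersResource users = kc.realm(REALM).users();
        String first = createUser(users, "history-probe");
        System.out.println("first id=" + first + " reset=" + setPassword(users, first, "Pr0be-Passw0rd!"));
        users.delete(first).close();
        String second = createUser(users, "history-probe");
        System.out.println("second id=" + second + " sameId=" + first.equals(second) + " reset=" + setPassword(users, second, "Pr0be-Passw0rd!"));
        users.delete(second).close();
    }
}
```

Run it against a throwaway realm with the Not Recently Used policy enabled: a different second id together with a rejected second reset reproduces the behaviour Sarp reports, while an identical id would point at the stale-credential explanation Stian raises.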
