added more documentation

2021-10-21 15:24:42 -04:00
parent 919c288ba9
commit ba887619e8


@@ -11,10 +11,24 @@ The extension can be installed just like any keycloak extension. Either copy it
`keycloak/standalone/deployments` folder, or load it via the jboss command line tool.
## Usage
To use the plugin you create a new password policy entry on the realm's password policy sub-page
with the `Group Policy` type, then enter a group attribute name as the configuration.
On a password change request, the extension will then check all the user's groups for this
attribute name and parse the corresponding attribute value as a serialized password policy.
There are multiple steps you will want to take to use this plugin. First, you need to determine
what password policies you will want for all users and for each group of users. Once you have
that, you will need to come up with an ID where you will specify group password policies. For
the purposes of this documentation we will use the ID `passwordPolicy`.
Go to the realm's password policy page. In the latest versions of Keycloak, this can be found
by navigating to the "Authentication" menu item in the vertical menu on the left side of the
realm's user interface. You will then need to navigate to the "Password Policy" tab along the
menu of tabs on the top of the page.
This interface provides you the OOTB ability to specify password policies for all users. This
is still true with the plugin installed. You will also have an additional option: **Group
Policy**. To use the plugin, you must add that password policy. The "Policy Value" should be
set to the ID we came up with earlier: `passwordPolicy`.
At this point, you will need to add an attribute (with key `passwordPolicy`) to each group you
want to have additional password policies. The format of that text is defined by Keycloak
documentation and covered in the section below.
### Password policy format
All policies are represented by a short string immediately followed by parenthesis, optionally
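Review bot: the new Usage text switches terminology mid-way, which will confuse readers configuring the policy: the first paragraph says to "enter a group attribute name as the configuration", while the new steps call the same value an "ID" ("come up with an ID", "set to the ID we came up with earlier") and only later "an attribute (with key `passwordPolicy`)". Suggest using one term throughout, e.g. "the group attribute name (we use `passwordPolicy` in this documentation)", and stating explicitly that the Policy Value and the group attribute key must match exactly. The navigation instructions are also anchored to "the latest versions of Keycloak" without naming a version; menu placement changes between releases, so note the Keycloak version range these steps were written against.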
@@ -46,11 +60,10 @@ If these currently work is completely untested.
| Identifier | Description | Tested |
| ------------- |:------------------------------------ | ------ |
| `forceExpiredPasswordChange(int)` | number of days to expire password after | - |
| `forceExpiredPasswordChange(string)` | number of days to expire password after | - |
| `hashAlgorithm(string)` | hash algorithm to use when hashing the password | - |
| `hashIterations(int)` | number of hash iterations | - |
## Implementation
To minimize code duplication the extension uses as much of the built-in KeyCloak code
as possible. The parsing and instantiation of the policy provider classes is used as-is.
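Review bot: the updated table lists `forceExpiredPasswordChange` twice, once with `(int)` and once with `(string)`, with an identical description ("number of days to expire password after"); this looks like a copy-paste error rather than two distinct policies. Either drop the `(string)` row or document how its argument differs from the `int` form. Since both rows, `hashAlgorithm(string)` and `hashIterations(int)` are all marked untested, the preceding context line "If these currently work is completely untested." should also be reworded ("Whether these currently work is completely untested.") so readers do not mistake the table for a list of verified, supported policies.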