diff --git a/README.md b/README.md index 9f4b774..943660b 100644 --- a/README.md +++ b/README.md 
@@ -11,10 +11,24 @@ The extension can be installed just like any keycloak extension. Either copy it `keycloak/standalone/deployments` folder, or load it via the jboss command line tool. ## Usage -To use the plugin you create a new password policy entry on the realm's password policy sub-page -with the `Group Policy` type, then enter a group attribute name as the configuration. -On a password change request, the extension will then check all the user's groups for this -attribute name and parse the corresponding attribute value as a serialized password policy. +There are multiple steps you will want to take to use this plugin. First, you need to determine +what password policies you will want for all users and for each group of users. Once you have +that, you will need to come up with an ID where you will specify group password policies. For +the purposes of this documentation we will use the ID `passwordPolicy`. + +Go to the realm's password policy page. In the latest versions of Keycloak, this can be found +by navigating to the "Authentication" menu item in the vertical menu on the left side of the +realm's user interface. You will then need to navigate to the "Password Policy" tab along the +menu of tabs on the top of the page. + +This interface provides you the OOTB ability to specify password policies for all users. This +is still true with the plugin installed. You will also have an additional option: **Group +Policy**. To use the plugin, you must add that password policy. The "Policy Value" should be +set to the ID we came up with earlier: `passwordPolicy`. + +At this point, you will need to add an attribute (with key `passwordPolicy`) to each group you +want to have additional password policies. The format of that text is defined by Keycloak +documentation and covered in the section below. ### Password policy format All policies are represented by a short string immediately followed by parenthesis, optionally 
@@ -46,11 +60,10 @@ If these currently work is completely untested. | Identifier | Description | Tested | | ------------- |:------------------------------------ | ------ | -| `forceExpiredPasswordChange(int)` | number of days to expire password after | - | +| `forceExpiredPasswordChange(string)` | number of days to expire password after | - | | `hashAlgorithm(string)` | hash algorithm to use when hashing the password | - | | `hashIterations(int)` | number of hash iterations | - | - ## Implementation To minimize code duplication the extension uses as much of the built-in KeyCloak code as possible. The parsing and instantiation of the policy provider classes is used as-is.
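Review bot: in the first hunk (the Usage rewrite) the only sentence describing what the extension does at runtime is removed and not carried over: `On a password change request, the extension will then check all the user's groups for this attribute name and parse the corresponding attribute value as a serialized password policy.` Keep that sentence in the new text, since it is what tells an administrator that every group the user belongs to is consulted and how the attribute value is interpreted. The new text also calls the configured value an "ID", while the removed text correctly called it a group attribute name (`enter a group attribute name as the configuration`); the same value is later referred to as the "Policy Value" and as an attribute `key`, so use "attribute name" consistently. Spell out "OOTB", and replace "In the latest versions of Keycloak" with the version the menu navigation was checked against, since that phrase will go stale.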
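Review bot: in the second hunk the parameter type of `forceExpiredPasswordChange` is changed from `int` to `string`, but the description in the same row still reads "number of days to expire password after", which is an integer, and the Tested column stays "-". Either the type change is wrong or the row (and the commit) should say why a string is accepted here and how it was verified; as committed the row contradicts itself. The removed blank line before `## Implementation` is a whitespace-only change and fine.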