dependabot[bot] e942c679e5 Bump keycloak-core from 6.0.1 to 13.0.0
Bumps [keycloak-core](https://github.com/keycloak/keycloak) from 6.0.1 to 13.0.0.
- [Release notes](https://github.com/keycloak/keycloak/releases)
- [Commits](https://github.com/keycloak/keycloak/compare/6.0.1...13.0.0)

---
updated-dependencies:
- dependency-name: org.keycloak:keycloak-core
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-08 23:40:10 +00:00

keycloak-group-password-policy

This keycloak extension (currently developed and tested against version 6.0.1) aims to make it possible to assign additional password rules to user groups, extending the rules attached to the realm rather than replacing them.

The extension registers a class implementing org.keycloak.policy.PasswordPolicyProviderFactory. It is available as a new type of password policy on the realm's password policy sub-page.

Installation

The extension can be installed just like any keycloak extension. Either copy it to the keycloak/standalone/deployments folder, or load it via the jboss command line tool.

Usage

To use the plugin you create a new password policy entry on the realm's password policy sub-page with the Group Policy type, then enter a group attribute name as the configuration. On a password change request, the extension will then check all the user's groups for this attribute name and parse the corresponding attribute value as a serialized password policy.

Password policy format

Each policy is represented by a short identifier immediately followed by parentheses, optionally containing configuration data. Multiple policies are concatenated using the fixed separator string " and ".

For example:

length(8) and digits(2) and lowerCase(2) and upperCase(2) and specialChars(2) and notUsername()

The policies provided with KeyCloak are:

| Identifier | Parameter description | Tested |
|---|---|---|
| length(int) | minimum number of unicode characters | |
| digits(int) | minimum number of digits | |
| lowerCase(int) | minimum number of lower case unicode characters | |
| upperCase(int) | minimum number of upper case unicode characters | |
| specialChars(int) | minimum number of special characters | |
| regexPattern(string) | regular expression | |
| notUsername() | | |
| passwordBlacklist(string) | file name | - |
| passwordHistory(int) | number of last used passwords to disallow | - |
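To make the serialized format and the "extend, don't replace" semantics concrete, here is an added stand-alone example (not code from this extension or from Keycloak) that parses policy strings in the `id(arg) and id(arg)` format and evaluates the identifiers from the table above against a password. It assumes Java 16+ (records), splits on the literal separator `" and "` (so a `regexPattern` argument containing that substring is not handled, unlike Keycloak's own parser), and treats any character that is not a letter or digit as a special character; both are assumptions of this demo, and `checkRealmAndGroups`, `GroupPolicyDemo` and the sample policies are hypothetical names and constructed values.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.IntPredicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Stand-alone parser and evaluator for the "id(arg) and id(arg)" policy format (added example, not Keycloak code). */
public class GroupPolicyDemo {

    /** One parsed policy entry: identifier plus the raw text between the parentheses (may be empty). */
    record Policy(String id, String arg) {}

    // Matches e.g. "length(8)" or "notUsername()"; the argument is everything up to the last closing parenthesis.
    private static final Pattern ENTRY = Pattern.compile("^\\s*(\\w+)\\((.*)\\)\\s*$");

    /** Split a serialized policy on the fixed separator " and " and parse each entry; malformed input is rejected. */
    static List<Policy> parse(String serialized) {
        List<Policy> out = new ArrayList<>();
        if (serialized == null || serialized.isBlank()) return out;
        for (String part : serialized.split(" and ")) {   // assumption: no " and " inside a regexPattern argument
            Matcher m = ENTRY.matcher(part);
            if (!m.matches()) throw new IllegalArgumentException("Malformed policy entry: '" + part + "'");
            out.add(new Policy(m.group(1), m.group(2)));
        }
        return out;
    }

    private static long count(String s, IntPredicate pred) {
        return s.codePoints().filter(pred).count();   // count code points, not UTF-16 units, to match "unicode characters"
    }

    private static int intArg(Policy p) {
        return Integer.parseInt(p.arg().trim());
    }

    /** Evaluate one policy list; returns a list of violation messages (empty list means the password is acceptable). */
    static List<String> check(List<Policy> policies, String username, String password) {
        List<String> errors = new ArrayList<>();
        for (Policy p : policies) {
            boolean ok;
            switch (p.id()) {
                case "length":       ok = password.codePointCount(0, password.length()) >= intArg(p); break;
                case "digits":       ok = count(password, Character::isDigit) >= intArg(p); break;
                case "lowerCase":    ok = count(password, Character::isLowerCase) >= intArg(p); break;
                case "upperCase":    ok = count(password, Character::isUpperCase) >= intArg(p); break;
                case "specialChars": ok = count(password, cp -> !Character.isLetterOrDigit(cp)) >= intArg(p); break; // assumed definition
                case "regexPattern": ok = Pattern.compile(p.arg()).matcher(password).matches(); break;
                case "notUsername":  ok = !password.equalsIgnoreCase(username); break;
                default:
                    // Identifiers the README lists as untested (blacklist, history, hashing) are reported, not evaluated here.
                    errors.add("unsupported policy in this demo: " + p.id());
                    continue;
            }
            if (!ok) errors.add(p.id() + "(" + p.arg() + ") violated");
        }
        return errors;
    }

    /** Mirror the extension's semantics: the realm policy AND the policy of every group the user is in must all pass. */
    static List<String> checkRealmAndGroups(String realmPolicy, Map<String, String> groupPolicies,
                                            String username, String password) {
        List<String> errors = new ArrayList<>(check(parse(realmPolicy), username, password));
        for (Map.Entry<String, String> g : groupPolicies.entrySet()) {
            for (String e : check(parse(g.getValue()), username, password)) {
                errors.add("group " + g.getKey() + ": " + e);
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample: a lenient realm policy plus stricter per-group attribute values.
        String realmPolicy = "length(8) and notUsername()";
        Map<String, String> groupPolicies = new LinkedHashMap<>();
        groupPolicies.put("admins", "length(12) and digits(2) and upperCase(2) and specialChars(2)");
        groupPolicies.put("staff", "lowerCase(2)");

        System.out.println(checkRealmAndGroups(realmPolicy, groupPolicies, "alice", "alicepass1"));
        System.out.println(checkRealmAndGroups(realmPolicy, groupPolicies, "alice", "Str0ng!Passw0rd#"));
    }
}
```

The first call passes the realm policy but fails several of the `admins` group rules, which is the point of the extension: group attributes tighten the realm baseline, and a password is only accepted once every applicable policy string is satisfied. Unknown identifiers are surfaced as errors rather than silently skipped, so a typo in a group attribute cannot weaken the effective policy unnoticed.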

On the realm model the password policy attribute is also used for other purposes. Some registered "policies" do not actually implement a rule that a password is checked against; instead they control when the password has to be changed and how it is stored.

Whether these currently work with this extension is completely untested.

| Identifier | Description | Tested |
|---|---|---|
| forceExpiredPasswordChange(int) | number of days after which the password expires | - |
| hashAlgorithm(string) | hash algorithm to use when hashing the password | - |
| hashIterations(int) | number of hash iterations | - |

Implementation

To minimize code duplication the extension uses as much of the built-in KeyCloak code as possible. The parsing and instantiation of the policy provider classes is used as-is.

As all policies are configured via the RealmModel, a custom implementation of the RealmModel interface (FakeRealm) is used to inject the configuration into the classes.

For details please have a look at the source code.

Description
Per-group password policy for keycloak