Skip to content

alexashley/keycloak-password-policy-have-i-been-pwned

Repository files navigation

keycloak-password-policy-have-i-been-pwned

A Keycloak password policy that checks potential passwords against Have I Been Pwnd.

account password reset page

installation

Note: this project was a weekend hack to try out the password policy SPI and HIBP API; it's not as robust or scalable as would be necessary in a production environment,
It depends on an SPI defined in keycloak-server-spi-private, which is not part of the public interface and may break between versions. A warning will print at start-up:

 WARN  [org.keycloak.services] (ServerService Thread Pool -- 64) KC-SERVICES0047: password-policy-have-i-been-pwned (dev.alexashley.policy.HaveIBeenPwnedPasswordPolicyProviderFactory) is implementing the internal SPI password-policy. This SPI is internal and may change without notice

Build the jar with make build (see the development section for prerequisites) and place it under ${KEYCLOAK_HOME}/standalone/deployments/.

Now you should see the provider as an option in the dropdown, and can configure it:

policy config

The policy value is the threshold for the number of times that the password hash appears in HIBP. The default is 1, meaning that any password that appears in HIBP is disallowed.

development

tools

running locally

  • jabba use
  • make build to create the jar
  • make keycloak to start an instance of Keycloak with the policy
    • admin credentials: keycloak:password
    • user credentials: test:password
  • ./scripts/init-keycloak.sh to setup the realm and user
  • make acceptance to run the minimal acceptance tests

About

No description or website provided.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published