keycloak-password-policy-have-i-been-pwned

A Keycloak password policy that checks candidate passwords against Have I Been Pwned (HIBP).

[image: account password reset page]

installation

Note: this project was a weekend hack to try out the password policy SPI and the HIBP API; it is not as robust or scalable as a production deployment would require.
It depends on an SPI defined in keycloak-server-spi-private, which is not part of the public interface and may break between Keycloak versions. A warning is printed at start-up:

 WARN  [org.keycloak.services] (ServerService Thread Pool -- 64) KC-SERVICES0047: password-policy-have-i-been-pwned (dev.alexashley.policy.HaveIBeenPwnedPasswordPolicyProviderFactory) is implementing the internal SPI password-policy. This SPI is internal and may change without notice

Build the jar with make build (see the development section for prerequisites) and place it under ${KEYCLOAK_HOME}/standalone/deployments/.

The provider should now appear as an option in the password policy dropdown of the admin console, where it can be configured:

[image: policy config]

The policy value is a threshold on the number of times the password's hash appears in HIBP: a password is rejected once its count reaches the threshold. The default is 1, meaning any password that appears in HIBP at all is disallowed.
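The check the policy performs, written out as an added Python example rather than the project's own Kotlin code: hash the candidate with SHA-1, send only the first five hex characters to the Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/{prefix}), and compare the count returned for the matching 35-character suffix against the configured threshold. The fetcher here is a constructed stub that returns a made-up range response, so the example runs offline; the function names and sample counts are assumptions, not taken from the project.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6.
# A real response lists hundreds of "SUFFIX:COUNT" lines; these counts are
# made up, but the second suffix is the genuine SHA-1 tail of "password".
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
A6FD26E3E3B8D6D7F2B3C1F3E7A2D4B5C6D:12
"""

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    HIBP and the 35-char suffix that never leaves the server (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password's hash appears in HIBP (0 if absent).
    A network failure inside fetch_range propagates, so the caller decides
    whether to fail closed (reject the password) or fail open (accept it)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_allowed(password: str, fetch_range: Callable[[str], str],
                     threshold: int = 1) -> bool:
    """Mirror the policy value: reject when the HIBP count reaches the
    threshold; the default of 1 rejects any password seen in HIBP."""
    return breach_count(password, fetch_range) < threshold

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, breach_count(pw, fake_fetch_range),
              password_allowed(pw, fake_fetch_range))
```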

development

tools

running locally

  • jabba use to select the JDK version pinned in .jabbarc
  • make build to create the jar
  • make keycloak to start an instance of Keycloak with the policy
    • admin credentials: keycloak:password
    • user credentials: test:password
  • ./scripts/init-keycloak.sh to set up the realm and user
  • make acceptance to run the minimal acceptance tests