@girirajsharma
Created April 8, 2015 17:53
Aim: Configurable policy to Restrict user from using N old passwords again.
https://issues.jboss.org/browse/KEYCLOAK-405
The proposed implementation via "createdDate": I had almost finished doing this but then it didn't look good to me.
Each time a user logs in, we are required to:
* Fetch all user credential entities and iterate to check the Credential type PASSWORD and check if it matches with the new password being set.
* if the policy is set, fetch all credential entities and iterate to check PASSWORD_EXPIRED type.
* Sort the fetched credentials on the basis of date directly via query or via utility (Collections.sort(...) etc.)
* Check if any of the old password (N old) is being used to reset the current password.
* If the new password doesn't match any of the N old passwords, remove the most recent PASSWORD credential, set its type to PASSWORD_EXPIRED and add it back to the user credentials. Add the current (new) credential to the user credentials with its type set to PASSWORD.
* If the number of PASSWORD_EXPIRED credentials is greater than N, perform CRUD and delete the oldest ones.
* If the value of N is large, we shall have many credentials of different types for each user, and CRUD/iterating/ordering them adds complexity and hurts performance.
* Boundary/critical cases such as large values of N, or frequent changes to the value of N, are critical for the CRUD operations.
Alternative:
Currently, we have certain types of credential for each user, and each user has only one PASSWORD type credential.
We can add a field oldPasswords to CredentialEntity like
@Lob
@Column
String oldPasswords;
OR
@Column(length=1000)
String oldPasswords;
(The field cannot be final, since it is updated in place on each reset.)
This string will be updated with each successful password reset.
Suppose N=3
Reset 1: Password = "a" oldPasswords="a";
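The alternative above keeps the last N passwords in one column and checks each reset against it. The following is an added illustration of that logic, not code from the gist or from Keycloak: it stores salted PBKDF2 digests (never plaintext) as a delimited string, rejects a reset that reuses any remembered password, and trims the history to N entries. The separators, iteration count and 16-byte salt are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed parameters for the example; a real deployment takes these from its password policy.
ITERATIONS = 20000
ENTRY_SEP = ";"   # separates history entries; base64 never produces ';' or '$'
FIELD_SEP = "$"   # separates salt from digest inside one entry


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; only digests, never plaintext, go into the history column."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def encode_entry(salt: bytes, digest: bytes) -> str:
    return base64.b64encode(salt).decode() + FIELD_SEP + base64.b64encode(digest).decode()


def parse_history(old_passwords: str) -> List[Tuple[bytes, bytes]]:
    """Split the single column value back into (salt, digest) pairs, oldest first."""
    pairs = []
    for entry in old_passwords.split(ENTRY_SEP):
        if entry:
            salt_b64, digest_b64 = entry.split(FIELD_SEP)
            pairs.append((base64.b64decode(salt_b64), base64.b64decode(digest_b64)))
    return pairs


def matches_history(password: str, old_passwords: str) -> bool:
    """True if the candidate equals any remembered password (each checked with its own salt)."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in parse_history(old_passwords))


def reset_password(old_passwords: str, new_password: str, n: int) -> Optional[str]:
    """Apply one reset under a 'last N passwords' policy.
    Returns the updated column value, or None if the new password is one of the last N."""
    if matches_history(new_password, old_passwords):
        return None
    salt = os.urandom(16)  # fresh salt per entry, so equal passwords do not produce equal digests
    entries = [e for e in old_passwords.split(ENTRY_SEP) if e]
    entries.append(encode_entry(salt, hash_password(new_password, salt)))
    return ENTRY_SEP.join(entries[-n:])  # keep only the most recent N entries


if __name__ == "__main__":
    history = ""
    for pw in ("a", "b", "c"):
        history = reset_password(history, pw, 3)
    print("reuse of 'a' rejected:", reset_password(history, "a", 3) is None)
    history = reset_password(history, "d", 3)
    print("'a' allowed once it left the window:", reset_password(history, "a", 3) is not None)
```

With N=3 and a 16-byte salt each entry is about 70 characters, so three entries fit comfortably in the 1000-character column variant.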