Created
April 8, 2015 18:30
-
-
Save girirajsharma/7a1bbf51cfcefa43ca09 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| KeycloakKEYCLOAK-405 | |
| Feature that doesn't allow old password to be reused | |
| https://issues.jboss.org/browse/KEYCLOAK-405 | |
| Issues with proposed implementation: I had almost finished with this but it looked too cumbersome to me. | |
| If the policy is set with value of N = 3. | |
| * For each password reset, fetch all credentials and iterate for credential type "PASSWORD". | |
| * Compare new credential's value with the passowrd of most recently set PASSWORD type credential (There will be only one such credential). | |
| * Next, fetch all credentials and iterate for credential type "PASSWORD_EXPIRED". | |
| * Sort them on the basis of CREATED_DATE directly from query or via Collection utils. | |
| * Compare new credential's value with the passowrd value of most recently set (N-1) old credentials with type PASSWORD_EXPIRED. | |
| * if such credentials are greater than N-1, remove and persist the entity. | |
| * Remove the most recently set password type credential, set its type to PASSWORD_EXPIRED and add it again to credentials. | |
| * Add the new credentials with type PASSWORD in case of a successful reset. | |
| * Boundary cases or frequent update in the values of N will make iterations cumbersome. | |
| * Large values of N might make it further complex. | |
| * Why to keep the whole old credential entity when we need only its value. | |
| Alternative: | |
| Add a field oldPasswords to the PASSWORD type CredentialEntity (There is one such PASSWORD type credential for each user. | |
| For other type of user credentials, value of this field can be null). | |
| @Column(name = "OLD_PASSOWRDS") | |
| final String oldPasswords; | |
| <addColumn tableName="CREDENTIAL"> | |
| <column name="OLD_PASSWORDS" type = VARCHAR(2048)> | |
| </addColumn> | |
| oldPasswords will be a comma separated string to keep hold of N old passwords. For eg. if N=3, | |
| Reset 1 Password "a" oldPasswords="a" Success | |
| Reset 2 Password "a" oldPasswords="a" Failed | |
| Reset 3 Password "b" oldPasswords="a,b" Success | |
| Reset 4 Password "c" oldPasswords="a,b,c" Success | |
| Reset 5 Password "c" oldPasswords="a,b,c" Failed | |
| Reset 6 Password "b" oldPasswords="a,b,c" Failed | |
| Reset 7 Password "d" oldPasswords="b,c,d" Success | |
| Reset 8 Password "e" oldPasswords="c,d,e" Success | |
| No complexity and no overhead even for large values of N and large length passwords. | |
| IMHO, we should restrict maximum password length policy value to 20 and maximum expired password policy value to 10 or at max 25 in forms/partials. | |
| KeycloakKEYCLOAK-402 | |
| Force password changes at regular intervals | |
| https://issues.jboss.org/browse/KEYCLOAK-402 | |
| This issue demands a field of "CREATED_DATE". For each login, simply check the difference between created and current time. | |
| If it is greater than the policy configured time, then force the user to change his password by redirecting hime to PASSWORD RESET HOME PAGE. | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment