Reputation: 203
I have defined a GET Keycloak method in my Symfony project.
I am getting the expected results in the form of an array from which I am extracting the list of password policies. Currently it's set to just the 'not username' rule:
I could not find any other endpoint within Keycloak in the documentation where I can pass my password string as a parameter and see if it's meeting the requirements defined in the password policies.
I will provide the GET function which is returning the thing I just described. I think it will do the work if it could be modified to provide the password string.
public function validateKeycloakPassword()
{
    $options = [
        'headers' => $this->getAuthJsonHeaders()
    ];
    try {
        // Realm representation; its 'passwordPolicy' key lists the configured policies.
        $endpoint = sprintf('auth/admin/realms/%s/', $this->realm);
        return $this->request('GET', $endpoint, $options);
    } catch (\Exception $e) {
        $this->exception('Can\'t get password policy information on Keycloak. ' . $e->getMessage());
    }
}
and in my controller, endpoint:
/**
 * @Route("/check", name="check")
 */
public function validatePassword()
{
    $violations = $this->service->validateKeycloakPassword();
    return $violations['passwordPolicy'];
}
To summarize:
Is there any endpoint in Keycloak where I can pass my password variable and check if it meets the requirements defined in the password policies? Probably with a PUT method.
Upvotes: 3
Views: 2485
Reputation: 51393
Update: The /auth path was removed starting with the Keycloak 17 Quarkus distribution, so you might need to remove /auth from the endpoint calls presented in this answer.
As far as I know there is no such endpoint. Nevertheless, there is a workaround: create a dummy_user that will be used to test the passwords. Get the ID of that user, which you can get from the Keycloak Admin console or by using the endpoint:
curl -X GET <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>/users/?username=dummy_user
From the JSON response, extract the user ID. Then you call the following endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>/users/<USER_ID>/reset-password
with the request payload:
{"type":"password","value":"<THE_PASSWORD_THAT_YOU_WANT_TO_TEST>","temporary":false}
You will get a 400 if the password is not valid, and in the response you can look at the error. An example of such a response:
error:"invalidPasswordMinLengthMessage"
error_description:"Invalid password minimum length 8"
Obviously, this will not work for the username policy, but that one can be easily checked in your app (e.g., password != username).
Upvotes: 2
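A Symfony HttpClient implementation of the reset-password workaround above, as an added example that is not code from the question or the answer. It assumes PHP 8, a valid admin access token, a dummy_user kept disabled (a passing password really is set on it) whose ID was looked up as described, and it parameterizes the /auth prefix mentioned in the update; the base URL is a placeholder.

```php
<?php
// Added example (not from the question or answer). Assumptions: PHP 8, Symfony HttpClient
// installed, $adminToken is a valid admin access token, and dummy_user's ID has already been
// looked up with the users/?username=dummy_user call shown above.
use Symfony\Contracts\HttpClient\HttpClientInterface;

final class KeycloakPasswordPolicyChecker
{
    public function __construct(
        private HttpClientInterface $client,
        private string $baseUrl,     // placeholder, e.g. 'https://keycloak.example.invalid'
        private string $realm,
        private string $dummyUserId, // keep dummy_user disabled: a passing password is really set on it
        private string $pathPrefix = '/auth', // '' for Keycloak 17+ (Quarkus), per the update above
    ) {}

    /**
     * Returns ['valid' => bool, 'error' => ?string, 'description' => ?string].
     * 204 from reset-password means every server-side policy passed; 400 names the failing one.
     */
    public function check(string $password, string $username, string $adminToken): array
    {
        // The "not username" policy compares against the real user's name, which the dummy
        // user cannot exercise, so it is replicated locally as the answer suggests.
        if ($password === $username) {
            return ['valid' => false, 'error' => 'invalidPasswordNotUsernameMessage',
                    'description' => 'Invalid password: must not be equal to the username'];
        }

        $url = sprintf('%s%s/admin/realms/%s/users/%s/reset-password',
            $this->baseUrl, $this->pathPrefix, $this->realm, $this->dummyUserId);

        $response = $this->client->request('PUT', $url, [
            'headers' => ['Authorization' => 'Bearer ' . $adminToken],
            'json'    => ['type' => 'password', 'value' => $password, 'temporary' => false],
        ]);

        $status = $response->getStatusCode();
        if ($status === 204) {
            return ['valid' => true, 'error' => null, 'description' => null];
        }
        // toArray(false) decodes the body without throwing on a 4xx/5xx status.
        $body = $status === 400 ? $response->toArray(false) : [];
        return [
            'valid'       => false,
            'error'       => $body['error'] ?? 'http_' . $status,
            'description' => $body['error_description'] ?? 'Unexpected response from Keycloak',
        ];
    }
}
```

Because every candidate that passes is written to dummy_user, the account should stay disabled and its credentials treated as throwaway; the admin token used here needs only manage-users on the realm.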