2

I have an app where I have to force some group of users to reset passwords after some time, but not all of them. Is it possible to create a policy per user/group with an Expire password?

I tried so many different ways to handle it in a different way (thinking to create a custom extension too), but nothing help :/

Is it possible to add something as a Keycloak script on the Client level, where I can check a specific user or group and call trigger for resetting the password?

And another question: Is it possible to limit access by IP address (Again with Keycloack javascript or any other way) somehow?

Kolesar
  • 1,265
  • 3
  • 19
  • 41

2 Answers2

4

Keycloak doesn't have this functionality. The default UPDATE_PASSWORD required action gets the number of days before password expiration from the single place for all the users on each login:

context.getRealm().getPasswordPolicy().getDaysToExpirePassword();

But you can add a custom provider which will update DaysToExpirePassword in runtime for every user:

public class DynamicPasswordLifetimeProvider implements RequiredActionProvider {
public static final String FORCE_EXPIRED_PASSWORD_CHANGE_ATTR_NAME = "forceExpiredPasswordChange";

@Override
  public void evaluateTriggers(RequiredActionContext context) {
      String passwordLifetime = ....get it from user/group attribute

      PasswordPolicy passwordPolicy = context.getRealm().getPasswordPolicy();
      PasswordPolicy newPolicy = passwordPolicy.toBuilder().put(FORCE_EXPIRED_PASSWORD_CHANGE_ATTR_NAME, passwordLifetime)
              .build(context.getSession());
      context.getRealm().setPasswordPolicy(newPolicy);
  }
  ....
}

After that should put this required action before the "Update Password" action: enter image description here

Koponkin
  • 93
  • 10
  • Thanks. This worked really well for me. I opted to use a user-level attribute so that selected users could have an override for the realm's default password expiration policy. – Chris Klopfenstein Sep 16 '22 at 18:08
  • Later discovered that this is modifying the realm setting when this runs, so it is not working on a per-user basis. – Chris Klopfenstein Nov 04 '22 at 13:30
0

Password polices in Keycloak are applied at the Realm level, to all the users on that Realm, not to the group level. So unless, you extend Keycloak functionality in your own I think you are out of luck.

And another question: Is it possible to limit access by IP address (Again with Keycloack javascript or any other way) somehow?

There was a feature request for that functionality, but it was deferred, and AFAIK is not on the latest Keycloak release. So another option would be to use a different layer on top of Keycloak that would filter IPs based on some white list of IPs.

dreamcrash
  • 47,137
  • 25
  • 94
  • 117
  • Thanks for the reply. I have found this extension too: https://github.com/jpicht/keycloak-group-password-policy But, as I can see this is very old and very similar to this: https://github.com/keycloak/keycloak/blob/master/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/group/GroupPolicyProvider.java In any case, I do not understand how to use this Group Policy. Cannot find any documentation. – Kolesar Dec 15 '20 at 09:10
  • On the first link it is " The extension can be installed just like any keycloak extension. Either copy it to the keycloak/standalone/deployments folder, or load it via the jboss command line tool." – dreamcrash Dec 15 '20 at 09:12