Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/alexashley/keycloak-password-policy-have-i-been-pwned
https://github.com/alexashley/keycloak-password-policy-have-i-been-pwned
hibp keycloak
Last synced: about 1 month ago
JSON representation
- Host: GitHub
- URL: https://github.com/alexashley/keycloak-password-policy-have-i-been-pwned
- Owner: alexashley
- Created: 2019-05-18T06:15:24.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2019-05-19T02:02:40.000Z (about 5 years ago)
- Last Synced: 2024-02-10T10:09:56.401Z (5 months ago)
- Topics: hibp, keycloak
- Language: Kotlin
- Size: 114 KB
- Stars: 20
- Watchers: 2
- Forks: 1
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Lists
- awesome-keycloak - Have I Been Pwned? Keycloak Password Policy
README
# keycloak-password-policy-have-i-been-pwned
A [Keycloak](https://www.keycloak.org/) password policy that checks potential passwords against [Have I Been Pwnd](https://haveibeenpwned.com).
![account password reset page][policy-message]
## installation
**Note**: this project was a weekend hack to try out the password policy SPI and HIBP API; it's not as robust or scalable as would be necessary in a production environment,
It depends on an SPI defined in `keycloak-server-spi-private`, which is not part of the public interface and may break between versions. A warning will print at start-up:
```shell
WARN [org.keycloak.services] (ServerService Thread Pool -- 64) KC-SERVICES0047: password-policy-have-i-been-pwned (dev.alexashley.policy.HaveIBeenPwnedPasswordPolicyProviderFactory) is implementing the internal SPI password-policy. This SPI is internal and may change without notice
```
Build the jar with `make build` (see the [development](#development) section for prerequisites) and place it under `${KEYCLOAK_HOME}/standalone/deployments/`.
Now you should see the provider as an option in the dropdown, and can configure it:
![policy config][policy-config]
The policy value is the threshold for the number of times that the password hash appears in HIBP. The default is 1, meaning that any password that appears in HIBP is disallowed.
## development
### tools
- [`jabba`](https://github.com/shyiko/jabba)
- [`jq`](https://stedolan.github.io/jq/)
### running locally
- `jabba use`
- `make build` to create the jar
- `make keycloak` to start an instance of Keycloak with the policy
- admin credentials: `keycloak:password`
- user credentials: `test:password`
- `./scripts/init-keycloak.sh` to setup the realm and user
- `make acceptance` to run the minimal acceptance tests
[policy-message]: ./images/pwned.png "Account password reset page policy message"
[policy-config]: ./images/policy-config.png "Policy setup and config"