A Keycloak password policy that checks potential passwords against Have I Been Pwnd.
Note: this project was a weekend hack to try out the password policy SPI and HIBP API; it's not as robust or scalable as would be necessary in a production environment,
It depends on an SPI defined in keycloak-server-spi-private, which is not part of the public interface and may break between versions. A warning will print at start-up:
WARN [org.keycloak.services] (ServerService Thread Pool -- 64) KC-SERVICES0047: password-policy-have-i-been-pwned (dev.alexashley.policy.HaveIBeenPwnedPasswordPolicyProviderFactory) is implementing the internal SPI password-policy. This SPI is internal and may change without noticeBuild the jar with make build (see the development section for prerequisites) and place it under ${KEYCLOAK_HOME}/standalone/deployments/.
Now you should see the provider as an option in the dropdown, and can configure it:
The policy value is the threshold for the number of times that the password hash appears in HIBP. The default is 1, meaning that any password that appears in HIBP is disallowed.
jabba usemake buildto create the jarmake keycloakto start an instance of Keycloak with the policy- admin credentials:
keycloak:password - user credentials:
test:password
- admin credentials:
./scripts/init-keycloak.shto setup the realm and usermake acceptanceto run the minimal acceptance tests