keycloak-config-cli

PasswordPolicy HTTP 400 Bad Request

Open: csemio opened this issue 2 years ago • 1 comment

Current Behavior

Hi team, when I try to create a simple realm with a password policy containing passwordHistory(5) or specialChars(1), the import fails with HTTP 400 Bad Request; all other password policies are created correctly. The same works fine with kcadm.sh.

2023-07-27 14:57:16.735 INFO 494 --- [ main] d.a.k.config.KeycloakConfigApplication : Starting KeycloakConfigApplication v5.8.0 using Java 11.0.19 on 8c935b46ebcd with PID 494 (/opt/keycloak-config-cli/keycloak-config-cli.jar started by AzDevOps_azpcontainer in /__w/1/s)
2023-07-27 14:57:16.741 INFO 494 --- [ main] d.a.k.config.KeycloakConfigApplication : No active profile set, falling back to 1 default profile: "default"
2023-07-27 14:57:18.217 INFO 494 --- [ main] d.a.k.config.KeycloakConfigApplication : Started KeycloakConfigApplication in 3.168 seconds (JVM running for 4.087)
2023-07-27 14:57:20.811 INFO 494 --- [ main] d.a.k.config.KeycloakConfigRunner : Importing file 'file:./sle-dev.json'
2023-07-27 14:57:28.735 ERROR 494 --- [ main] d.a.k.config.KeycloakConfigRunner : HTTP 400 Bad Request
2023-07-27 14:57:28.739 INFO 494 --- [ main] d.a.k.config.KeycloakConfigRunner : keycloak-config-cli running in 00:08.686.

Expected Behavior

The password policy is created correctly.

Steps To Reproduce

Create a realm with the property:
"passwordPolicy": "specialChars(1) and forceExpiredPasswordChange(365) and length(12) and lowerCase(1) and upperCase(1) and digits(1) and maxLength(128) and notUsername(undefined) and notEmail(undefined) and passwordHistory(5) and specialChars(1)"

Environment

  • Keycloak Version: 21.1.2
  • keycloak-config-cli Version: 5.8.0
  • Java Version: openjdk-11-jdk:amd64 (11.0.19+7~us1-0ubuntu1~22.04.1)

Anything else?

No response

csemio, Jul 27 '23 15:07
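As an added example (not from this issue and not part of keycloak-config-cli), a small Python pre-import lint for the passwordPolicy string shown in the report: it splits the " and "-joined terms and flags duplicate policy ids and non-numeric arguments to numeric policies, so that a realm file can be checked before it is handed to the importer. The set of policy ids below is my own list of Keycloak's built-in policies and is an assumption; the lint does not claim to know which term the server rejected.

```python
import re
from typing import List, Tuple

# Assumption: Keycloak's built-in password policy ids, grouped by argument type.
NUMERIC_POLICIES = {"length", "maxLength", "digits", "lowerCase", "upperCase",
                    "specialChars", "passwordHistory", "hashIterations",
                    "forceExpiredPasswordChange"}
STRING_POLICIES = {"regexPattern", "hashAlgorithm", "passwordBlacklist"}
FLAG_POLICIES = {"notUsername", "notEmail"}  # argument is ignored by the server
KNOWN_POLICIES = NUMERIC_POLICIES | STRING_POLICIES | FLAG_POLICIES

_TERM = re.compile(r"^(\w+)\((.*)\)$")


def parse_policy(policy: str) -> List[Tuple[str, str]]:
    """Split 'a(1) and b(x)' into [('a', '1'), ('b', 'x')]; '' means no policy.

    Simplification: a regexPattern argument containing ' and ' is not supported.
    """
    terms = []
    for raw in policy.split(" and "):
        raw = raw.strip()
        if not raw:
            continue
        match = _TERM.match(raw)
        if not match:
            raise ValueError(f"malformed policy term: {raw!r}")
        terms.append((match.group(1), match.group(2)))
    return terms


def lint_policy(policy: str) -> List[str]:
    """Return human-readable findings for a passwordPolicy string (empty = clean)."""
    findings = []
    seen = set()
    for name, arg in parse_policy(policy):
        if name in seen:
            findings.append(f"duplicate policy {name}")
        seen.add(name)
        if name not in KNOWN_POLICIES:
            findings.append(f"unknown policy {name}")
        elif name in NUMERIC_POLICIES and not arg.isdigit():
            findings.append(f"{name} expects a number, got {arg!r}")
    return findings


if __name__ == "__main__":
    # Constructed input: the policy string from the issue report above.
    reported = ("specialChars(1) and forceExpiredPasswordChange(365) and length(12) "
                "and lowerCase(1) and upperCase(1) and digits(1) and maxLength(128) "
                "and notUsername(undefined) and notEmail(undefined) "
                "and passwordHistory(5) and specialChars(1)")
    print(lint_policy(reported) or "no findings")
```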

Had the same issue and ended up splitting my realm JSON into two files. The first one, 00_master-realm-config.json, sets the password policy to null:

...
"passwordPolicy": "",
...

And then within my second JSON, 00_master-realm-global.json, I'm setting the global configs, e.g. the password policy:

...
  "sslRequired": "external",
  "registrationAllowed": false,
  "registrationEmailAsUsername": false,
  "rememberMe": false,
  "verifyEmail": false,
  "loginWithEmailAllowed": true,
  "duplicateEmailsAllowed": false,
  "resetPasswordAllowed": false,
  "editUsernameAllowed": false,
  "bruteForceProtected": true,
  "permanentLockout": false,
  "maxFailureWaitSeconds": 900,
  "minimumQuickLoginWaitSeconds": 60,
  "waitIncrementSeconds": 60,
  "quickLoginCheckMilliSeconds": 1000,
  "maxDeltaTimeSeconds": 43200,
  "failureFactor": 10,
  "passwordPolicy": "length(12) and notEmail(undefined) and passwordHistory(3) and digits(1) and specialChars(1) and upperCase(1) and lowerCase(1) and notUsername(1)",
...

Because of the naming, the global file gets executed last:

2024-06-11 06:53:09.639  INFO 1 --- [           main] d.a.k.config.KeycloakConfigApplication   : Started KeycloakConfigApplication in 17.785 seconds (JVM running for 24.971)
2024-06-11 06:53:26.548  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Importing file 'file:/config/00_master-realm-config.json'
2024-06-11 06:53:26.648  INFO 1 --- [           main] d.a.k.config.provider.KeycloakProvider   : Wait 30 seconds until http://keycloak-service:8080 is available ...
2024-06-11 06:53:52.084  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Importing file 'file:/config/00_master-realm-global.json'

HTH

hypery2k, Jun 15 '24 07:06