3103e0fd0a
* KEYCLOAK-5244 Add BlacklistPasswordPolicyProvider

This introduces a new PasswordPolicy which can refer to a named predefined password-blacklist to avoid users choosing too easy to guess passwords. The BlacklistPasswordPolicyProvider supports built-in as well as custom blacklists. Built-in blacklists use the form `default/filename` and custom ones `custom/filename`, where filename is the name of the found blacklist-filename.

I'd propose to use some of the freely available password blacklists from the [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Passwords) project. For testing purposes one can download the password blacklist

```
wget -O 10_million_password_list_top_1000000.txt https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_1000000.txt?raw=true
```

to /data/keycloak/blacklists/

Custom password policies can be configured with the SPI configuration mechanism via jboss-cli:

```
/subsystem=keycloak-server/spi=password-policy:add()
/subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:add(enabled=true)
/subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:write-attribute(name=properties.blacklistsFolderUri, value=file:///data/keycloak/blacklists/)
```

Password blacklist is stored in a TreeSet.

* KEYCLOAK-5244 Encode PasswordBlacklist as a BloomFilter

We now use a dynamically sized BloomFilter with a false positive probability of 1% as a backing store for PasswordBlacklists. BloomFilter implementation is provided by google-guava which is available in wildfly.

Password blacklist files are now resolved against the ${jboss.server.data.dir}/password-blacklists. This can be overridden via system property, or SPI config. See JavaDoc of BlacklistPasswordPolicyProviderFactory for details.

Revised implementation to be more extensible, e.g. it could be possible to use other stores like databases etc. Moved FileSystem specific methods to FileBasesPasswordBlacklistPolicy.

The PasswordBlacklistProvider uses the guava version 20.0 shipped with wildfly. Unfortunately the arquillian testsuite transitively depends on guava 23.0 via the selenium-3.5.1 dependency. Hence we need to use version 23.0 for tests but 20.0 for the policy provider to avoid NoClassDefFoundErrors in the server-dist.

Configure password blacklist folder for tests

* KEYCLOAK-5244 Configure jboss.server.data.dir for test servers

* KEYCLOAK-5244 Translate blacklisted message in base/login
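As an added example (not code from this commit or from Keycloak), the following Python sketches the mechanism the commit describes: a password policy whose blacklist is loaded from a one-password-per-line file and held in a Bloom filter sized for a 1% false-positive probability. It stands in a hand-rolled Bloom filter for Guava's, a constructed six-line blacklist for the SecLists file, a hypothetical error key `blacklisted` for Keycloak's message id, and adds a containment check on the configured blacklist name that the commit does not mention.

```python
import hashlib
import math
import pathlib
from typing import Iterator, Optional, Tuple, Union

# Constructed sample blacklist, standing in for a SecLists file such as
# 10_million_password_list_top_1000000.txt (one password per line).
SAMPLE_BLACKLIST = """\
123456
password
12345678
qwerty
letmein
dragon
"""


def bloom_parameters(expected_insertions: int, fpp: float) -> Tuple[int, int]:
    """Size a Bloom filter for n insertions at false-positive probability p:
    m = -n*ln(p) / (ln 2)^2 bits and k = (m/n)*ln 2 hash functions."""
    if expected_insertions <= 0 or not 0.0 < fpp < 1.0:
        raise ValueError("need n > 0 and 0 < fpp < 1")
    m = math.ceil(-expected_insertions * math.log(fpp) / (math.log(2) ** 2))
    k = max(1, round(m / expected_insertions * math.log(2)))
    return m, k


class BloomFilter:
    """Minimal Bloom filter: k bit positions derived from two 64-bit halves of a
    SHA-256 digest by double hashing. A stand-in for Guava's BloomFilter."""

    def __init__(self, expected_insertions: int, fpp: float = 0.01) -> None:
        self.num_bits, self.num_hashes = bloom_parameters(expected_insertions, fpp)
        self.bits = bytearray((self.num_bits + 7) // 8)

    def _indices(self, item: str) -> Iterator[int]:
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big")
        for i in range(self.num_hashes):
            yield (h1 + i * h2) % self.num_bits

    def put(self, item: str) -> None:
        for idx in self._indices(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indices(item))


def resolve_blacklist_path(folder: Union[str, pathlib.Path], name: str) -> pathlib.Path:
    """Resolve a configured blacklist name (e.g. 'custom/list.txt') against the
    blacklist folder and refuse names that escape it. Added hardening; the commit
    does not describe this check."""
    base = pathlib.Path(folder).resolve()
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"blacklist name {name!r} escapes {base}")
    return target


class BlacklistPasswordPolicy:
    """Rejects any password present in the blacklist. A Bloom filter has no false
    negatives, so every blacklisted password is rejected; its ~1% false positives
    only reject some acceptable passwords, which is the safe direction."""

    BLACKLISTED = "blacklisted"  # hypothetical error key, not Keycloak's message id

    def __init__(self, blacklist_text: str, fpp: float = 0.01) -> None:
        entries = [ln.rstrip("\r\n") for ln in blacklist_text.splitlines() if ln.strip()]
        self.size = len(entries)
        self.filter = BloomFilter(max(self.size, 1), fpp)
        for pw in entries:
            self.filter.put(pw)

    @classmethod
    def from_file(cls, folder: Union[str, pathlib.Path], name: str, fpp: float = 0.01):
        path = resolve_blacklist_path(folder, name)
        return cls(path.read_text(encoding="utf-8"), fpp)

    def validate(self, password: str) -> Optional[str]:
        """Return an error key if the password is rejected, else None."""
        if self.filter.might_contain(password):
            return self.BLACKLISTED
        return None


def measured_false_positive_rate(n: int = 10_000, fpp: float = 0.01, trials: int = 10_000) -> float:
    """Insert n constructed passwords, probe `trials` passwords that were never
    inserted, and report the fraction wrongly reported as present."""
    bf = BloomFilter(n, fpp)
    for i in range(n):
        bf.put(f"inserted-{i}")
    hits = sum(1 for i in range(trials) if bf.might_contain(f"absent-{i}"))
    return hits / trials


if __name__ == "__main__":
    policy = BlacklistPasswordPolicy(SAMPLE_BLACKLIST)
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", policy.validate(candidate))
    bits, hashes = bloom_parameters(1_000_000, 0.01)
    print(f"1M-entry list at 1% fpp: {bits} bits (~{bits // 8 // 1024} KiB), k={hashes}")
    print("measured false-positive rate:", measured_false_positive_rate())
```

The sizing formula shows why the commit moved from a TreeSet to a Bloom filter: a one-million-entry list at 1% false positives needs roughly 9.6 million bits, a little over 1 MiB, with seven hash evaluations per check, rather than a million string objects in a tree. The trade-off is one-directional: a false positive tells a user that an acceptable password is blacklisted, which costs them a retry, but a blacklisted password can never slip through.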
Keycloak
Open Source Identity and Access Management for modern Applications and Services.
For more information about Keycloak visit Keycloak homepage and Keycloak blog.
Building
Ensure you have JDK 8 (or newer), Maven 3.1.1 (or newer) and Git installed
java -version
mvn -version
git --version
First clone the Keycloak repository:
git clone https://github.com/keycloak/keycloak.git
cd keycloak
To build Keycloak run:
mvn install
This will build all modules and run the testsuite.
To build the distribution run:
mvn install -Pdistribution
Once completed you will find distribution archives in the distribution directory.
Starting Keycloak
To start Keycloak during development first build as specified above, then run:
mvn -f testsuite/utils/pom.xml exec:java -Pkeycloak-server
To start Keycloak from the server distribution first build the distribution as specified above, then run:
tar xfz distribution/server-dist/target/keycloak-<VERSION>.tar.gz
cd keycloak-<VERSION>
bin/standalone.sh
To stop the server press Ctrl + C.
Reporting security vulnerabilities
If you've found a security vulnerability, please look at the instructions on how to properly report it.
Help and Documentation
- Documentation - User Guide, Admin REST API and Javadocs
- User Mailing List - Mailing list to ask for help and general questions about Keycloak
- JIRA - Issue tracker for bugs and feature requests
Contributing
- Developer documentation
- Hacking on Keycloak - How to become a Keycloak contributor
- Testsuite - Details about testsuite, but also how to quickly run Keycloak during development and a few test tools (OTP generation, LDAP server, Mail server)
- Database Testing - How to do testing of Keycloak on different databases
- Updating Database - How to change the Keycloak database
- Changing the Default keycloak-subsystem Configuration - How to update the default keycloak-subsystem config
- Developer Mailing List - Mailing list to discuss development of Keycloak