Class BlacklistPasswordPolicyProviderFactory

  • All Implemented Interfaces:
    PasswordPolicyProviderFactory, ProviderFactory<PasswordPolicyProvider>

    public class BlacklistPasswordPolicyProviderFactory
    extends Object
    implements PasswordPolicyProviderFactory
    Creates BlacklistPasswordPolicyProvider instances.

    Password blacklists are simple text files where every line is a blacklisted password delimited by \n. Blacklist files are discovered and registered at startup.

    Blacklists are enabled via the Authentication: Password Policy section in the admin console. A blacklist file is referred to by its file name in the policy configuration.

    Users can provide custom blacklists by adding a password-blacklist file to the configured blacklist folder.

    The location of the password-blacklists folder is derived as follows:

    1. the value of the System property keycloak.password.blacklists.path if configured - fails if folder is missing
    2. the value of the SPI config property: blacklistsPath when explicitly configured - fails if folder is missing
    3. otherwise ${}/password-blacklists/ if nothing else is configured - the folder is created automatically if not present

    Note that the preferred way to configure a blacklist is to copy the password-blacklist file into the ${}/password-blacklists/ folder.

    To configure a password blacklist via the SPI configuration, run the following jboss-cli script:

     /subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:write-attribute(name=properties.blacklistsPath, value=/data/keycloak/blacklists/)

    A password blacklist with the filename 10_million_password_list_top_1000000-password-blacklist.txt that is located beneath /data/keycloak/blacklists/ is referred to as 10_million_password_list_top_1000000-password-blacklist.txt in the Authentication: Password Policy configuration, i.e. by its file name alone, not by its path.
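    The following is an added example, not Keycloak code, that prepares a word list in the file format described above (one blacklisted password per line, delimited by \n) and drops it into a blacklists folder under the file name that is later referenced in the policy. It assumes only what this page states about the format; the exact, case-sensitive match in is_blacklisted is an assumption made for illustration and may differ from the provider's own comparison. The sample word list, the temporary folder and the file name example-password-blacklist.txt are constructed for the example.

```python
"""Prepare and sanity-check a Keycloak-style password-blacklist file.

Added example, not Keycloak's own code. Assumes only the documented file
format: one blacklisted password per line, lines delimited by "\n".
The matching rule in is_blacklisted (exact, case-sensitive) is an
assumption for illustration, not a statement about the provider.
"""
from pathlib import Path
import tempfile

# Constructed sample word list as typically exported by breach-list tools:
# UTF-8 BOM, CRLF line endings, a blank line and a duplicate entry. None of
# these belong in a blacklist file that is read line by line.
RAW_WORDLIST = b"\xef\xbb\xbfpassword\r\n123456\r\n\r\nqwerty\r\npassword\r\nletmein\n"


def normalize_blacklist(raw: bytes) -> list[str]:
    """Return unique, non-empty entries in first-seen order.

    Strips a UTF-8 BOM, accepts CRLF or LF line endings and drops blank
    lines, so that every output line is a real password.
    """
    text = raw.decode("utf-8")
    if text.startswith("\ufeff"):
        text = text[1:]
    seen: set[str] = set()
    entries: list[str] = []
    for line in text.split("\n"):
        entry = line.rstrip("\r")
        if not entry or entry in seen:
            continue
        seen.add(entry)
        entries.append(entry)
    return entries


def check_blacklist_bytes(data: bytes) -> list[str]:
    """Report format problems to fix before copying a file into the folder."""
    problems: list[str] = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM; the first entry would include it")
    if b"\r" in data:
        problems.append("file contains CR bytes; the documented delimiter is '\\n'")
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # a trailing newline is fine, not a blank entry
    if any(line.strip(b"\r") == b"" for line in lines):
        problems.append("file contains a blank line, i.e. an empty blacklisted password")
    return problems


def write_blacklist(entries: list[str], folder: Path, name: str) -> Path:
    """Write entries as an LF-delimited UTF-8 file into the blacklists folder."""
    folder.mkdir(parents=True, exist_ok=True)
    path = folder / name
    path.write_bytes(("\n".join(entries) + "\n").encode("utf-8"))
    return path


def load_blacklist(path: Path) -> frozenset[str]:
    """Read the file the way the page describes it: one entry per line."""
    return frozenset(line for line in path.read_text("utf-8").split("\n") if line)


def is_blacklisted(password: str, blacklist: frozenset[str]) -> bool:
    """Exact, case-sensitive membership test (assumption for illustration)."""
    return password in blacklist


def prepare_and_check(raw: bytes, candidates: list[str]) -> dict:
    """End to end: normalize, write under a temporary blacklists folder,
    reload from disk and test candidate passwords against the result."""
    folder = Path(tempfile.mkdtemp()) / "password-blacklists"  # stand-in for the real folder
    path = write_blacklist(normalize_blacklist(raw), folder, "example-password-blacklist.txt")
    blacklist = load_blacklist(path)
    return {
        "file": path.name,  # this is the name to enter in the Password Policy
        "problems": check_blacklist_bytes(path.read_bytes()),
        "entries": len(blacklist),
        "rejected": [p for p in candidates if is_blacklisted(p, blacklist)],
    }


if __name__ == "__main__":
    print("raw file problems:", check_blacklist_bytes(RAW_WORDLIST))
    print(prepare_and_check(RAW_WORDLIST, ["qwerty", "Qwerty", "correct horse battery staple"]))
```

    Run check_blacklist_bytes against a downloaded list before copying it into the blacklists folder; a BOM or CRLF endings silently change what the first and every entry look like to a line-oriented reader, and a blank line blacklists the empty string.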

    Author: Thomas Darimont