Class BlacklistPasswordPolicyProviderFactory

  • All Implemented Interfaces:
    PasswordPolicyProviderFactory, ProviderFactory<PasswordPolicyProvider>

    public class BlacklistPasswordPolicyProviderFactory
    extends Object
    implements PasswordPolicyProviderFactory
    Creates BlacklistPasswordPolicyProvider instances.

    Password blacklists are plain text files that contain one blacklisted password per line, with lines delimited by the newline character \n.

    Blacklists can be configured via the Authentication: Password Policy section in the admin-console. A blacklist-file is referred to by its name in the policy configuration.

    Blacklist location

    Users can provide custom blacklists by adding a blacklist password file to the configured blacklist folder.

    The location of the password-blacklists folder is derived as follows:

    1. the value of the System property keycloak.password.blacklists.path, if configured - fails if the folder is missing
    2. the value of the SPI config property blacklistsPath, when explicitly configured - fails if the folder is missing
    3. otherwise $KC_HOME/data/password-blacklists/, if nothing else is configured
    To configure the blacklist folder via the CLI, use --spi-password-policy-password-blacklist-blacklists-path=/path/to/blacklistsFolder

    Note that the preferred way of configuration is to copy the password file into the $KC_HOME/data/password-blacklists/ folder.

    A password blacklist with the filename 10_million_passwords.txt that is located beneath $KC_HOME/data/password-blacklists/ can be referred to as 10_million_passwords.txt in the Authentication: Password Policy configuration.

    False positives

    The current implementation uses a probabilistic data structure called a Bloom filter, which allows fast and memory-efficient containment checks, i.e. whether a given password is contained in a blacklist, at the cost of occasional false positives. A Bloom filter never produces false negatives: a password that is in the blacklist is always rejected. A false positive means that a password which is not in the blacklist is rejected as well; the lower the configured probability, the more memory the filter needs. By default the false positive probability DEFAULT_FALSE_POSITIVE_PROBABILITY is used. To change the false positive probability via CLI configuration use --spi-password-policy-password-blacklist-false-positive-probability=0.00001
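    As an added illustration (not Keycloak's own code), the following Python builds a small Bloom filter over a constructed blacklist in the documented one-password-per-line format and shows the two properties that matter for a password policy: a blacklisted password is never accepted (no false negatives), while a small, tunable fraction of passwords that are not on the list is rejected (false positives), at a memory cost that grows as the target probability is lowered. The sample blacklist, the candidate passwords, the double-hashing scheme and the 10-million-entry sizing are constructed assumptions for this example only.

```python
"""Added example, not Keycloak's code: a minimal Bloom filter that shows why a
blacklist check may reject a password that is not in the list, but never
accepts one that is. Only the data-structure properties carry over to the
real provider; the hashing and sizing details here are assumptions."""
from __future__ import annotations

import hashlib
import math

# Constructed sample blacklist in the documented file format: one password per
# line, delimited by "\n". Not a real Keycloak blacklist file.
SAMPLE_BLACKLIST = (
    "123456\npassword\nqwerty\nletmein\niloveyou\nadmin\nwelcome\nmonkey\n"
)


def parse_blacklist(text: str) -> list[str]:
    """Split a blacklist file body into entries, ignoring empty lines."""
    return [line for line in text.split("\n") if line]


def bloom_parameters(n: int, p: float) -> tuple[int, int]:
    """Bit-array size m and hash count k for n entries at false-positive rate p."""
    m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k


class BloomFilter:
    def __init__(self, n: int, p: float) -> None:
        self.m, self.k = bloom_parameters(n, p)
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing (Kirsch-Mitzenmacher): derive k positions from the two
        # 128-bit halves of a single SHA-256 digest. Chosen for this example.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big")
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_filter(blacklist_text: str, p: float) -> tuple[BloomFilter, list[str]]:
    """Load every blacklisted password into a filter sized for rate p."""
    entries = parse_blacklist(blacklist_text)
    bf = BloomFilter(len(entries), p)
    for pw in entries:
        bf.add(pw)
    return bf, entries


def false_negatives(bf: BloomFilter, entries: list[str]) -> int:
    """Blacklisted passwords the filter would let through. Always 0."""
    return sum(1 for pw in entries if not bf.might_contain(pw))


def false_positive_rate(bf: BloomFilter, entries: list[str], trials: int = 5000) -> float:
    """Fraction of constructed, non-blacklisted candidates the filter rejects."""
    blocked = set(entries)
    candidates = [f"candidate-{i}" for i in range(trials) if f"candidate-{i}" not in blocked]
    return sum(1 for c in candidates if bf.might_contain(c)) / len(candidates)


def memory_mib(n: int, p: float) -> float:
    """Approximate filter size in MiB for n blacklisted passwords at rate p."""
    return bloom_parameters(n, p)[0] / 8 / 2**20


if __name__ == "__main__":
    bf, entries = build_filter(SAMPLE_BLACKLIST, 0.01)
    print("false negatives:", false_negatives(bf, entries))
    print("observed false positive rate:", false_positive_rate(bf, entries))
    # Sizing for an assumed 10-million-entry list at the two rates named above.
    for p in (0.01, 0.00001):
        print(f"10M passwords at p={p}: {memory_mib(10_000_000, p):.1f} MiB")
```

    Running the block shows zero false negatives, an observed false positive rate near the 1% target for the tiny sample, and that moving the probability from 0.01 to 0.00001 for a 10-million-entry list raises the filter from roughly 11 MiB to roughly 29 MiB. The practical consequence is that a user can occasionally be told their password is blacklisted when it is not, which is a usability cost, never a security gap.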

    Author:
    Thomas Darimont