Add new password policy to validate passwords on login

federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java

@@ -55,6 +55,7 @@
 import org.keycloak.models.LDAPConstants;
 import org.keycloak.models.ModelDuplicateException;
 import org.keycloak.models.ModelException;
+import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RequiredActionProviderModel;
 import org.keycloak.models.RoleModel;
@@ -68,6 +69,7 @@
 import org.keycloak.policy.PasswordPolicyManagerProvider;
 import org.keycloak.policy.PolicyError;
 import org.keycloak.models.cache.UserCache;
+import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.storage.DatastoreProvider;
 import org.keycloak.storage.StoreManagers;
 import org.keycloak.storage.ReadOnlyException;
@@ -886,7 +888,27 @@ public boolean isConfiguredFor(RealmModel realm, UserModel user, String credenti
     public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
         if (!(input instanceof UserCredentialModel)) return false;
         if (input.getType().equals(PasswordCredentialModel.TYPE) && !((UserCredentialManager) user.credentialManager()).isConfiguredLocally(PasswordCredentialModel.TYPE)) {
-            return validPassword(realm, user, input.getChallengeResponse());
+            if(getEditMode() == EditMode.READ_ONLY) {
+                session.getContext().getAuthenticationSession().setAuthNote(AuthenticationManager.USER_READ_ONLY, "true");
+            }
+
+            if(!validPassword(realm, user, input.getChallengeResponse())){
+                return false;
+            }
+
+            // After the password has been validated successfully, check that it still matches the realm's password policy.
+            // Only do that, if we can write the LDAP store, since only then the password can be updated in Keycloak.
+            // TODO: Do we want to support read-only LDAP? How to handle this then? Leave the decision to whoever evaluates the
+            // password policy result, so e.g. show a warning in the browser authenticators / deny authentication?
+            if (ldapIdentityStore.getConfig().isValidatePasswordPolicy() && realm.getPasswordPolicy().shouldValidateOnLogin()) {
+                PolicyError error = session.getProvider(PasswordPolicyManagerProvider.class).validate(realm, user, input.getChallengeResponse());
+                if (error != null) {
+                    logger.debug("User password no longer matches password policy");
+                    session.getContext().getAuthenticationSession().setAuthNote(PasswordPolicy.POLICY_ERROR_AUTH_NOTE, "true");
+                    return false;
+                }
+            }
+            return true;
         } else {
             return false; // invalid cred type
         }

server-spi-private/src/main/java/org/keycloak/policy/ValidateOnLoginPasswordPolicyProvider.java

@@ -0,0 +1,26 @@
+package org.keycloak.policy;
+
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+
+public class ValidateOnLoginPasswordPolicyProvider implements PasswordPolicyProvider {
+    @Override
+    public PolicyError validate(RealmModel realm, UserModel user, String password) {
+        return null;
+    }
+
+    @Override
+    public PolicyError validate(String user, String password) {
+        return null;
+    }
+
+    @Override
+    public Object parseConfig(String value) {
+        return null;
+    }
+
+    @Override
+    public void close() {
+
+    }
+}

server-spi-private/src/main/java/org/keycloak/policy/ValidateOnLoginPasswordPolicyProviderFactory.java

@@ -0,0 +1,54 @@
+package org.keycloak.policy;
+
+import org.keycloak.Config;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.PasswordPolicy;
+
+public class ValidateOnLoginPasswordPolicyProviderFactory implements PasswordPolicyProviderFactory {
+
+    @Override
+    public String getDisplayName() {
+        return "Validate Policy on Login";
+    }
+
+    @Override
+    public String getConfigType() {
+        return null;
+    }
+
+    @Override
+    public String getDefaultConfigValue() {
+        return null;
+    }
+
+    @Override
+    public boolean isMultiplSupported() {
+        return false;
+    }
+
+    @Override
+    public PasswordPolicyProvider create(KeycloakSession session) {
+        return new ValidateOnLoginPasswordPolicyProvider();
+    }
+
+    @Override
+    public void init(Config.Scope config) {
+
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+
+    }
+
+    @Override
+    public void close() {
+
+    }
+
+    @Override
+    public String getId() {
+        return PasswordPolicy.VALIDATE_ON_LOGIN_ID;
+    }
+}

server-spi-private/src/main/resources/META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory

@@ -32,4 +32,5 @@ org.keycloak.policy.BlacklistPasswordPolicyProviderFactory
 org.keycloak.policy.NotEmailPasswordPolicyProviderFactory
 org.keycloak.policy.RecoveryCodesWarningThresholdPasswordPolicyProviderFactory
 org.keycloak.policy.MaxAuthAgePasswordPolicyProviderFactory
-org.keycloak.policy.AgePasswordPolicyProviderFactory
+org.keycloak.policy.AgePasswordPolicyProviderFactory
+org.keycloak.policy.ValidateOnLoginPasswordPolicyProviderFactory

server-spi/src/main/java/org/keycloak/models/PasswordPolicy.java

@@ -47,6 +47,10 @@ public class PasswordPolicy implements Serializable {
 
     public static final String PASSWORD_AGE = "passwordAge";
 
+    public static final String VALIDATE_ON_LOGIN_ID = "validateOnLogin";
+
+    public static final String POLICY_ERROR_AUTH_NOTE = "POLICY_ERROR";
+
     private Map<String, Object> policyConfig;
     private Builder builder;
 
@@ -143,6 +147,10 @@ public int getMaxAuthAge() {
         }
     }
 
+    public boolean shouldValidateOnLogin() {
+        return policyConfig.containsKey(VALIDATE_ON_LOGIN_ID);
+    }
+
     @Override
     public String toString() {
         return builder.asString();

services/src/main/java/org/keycloak/authentication/AuthenticatorUtil.java

@@ -32,6 +32,7 @@
 import org.keycloak.models.AuthenticationFlowModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.services.managers.AuthenticationManager;
@@ -49,6 +50,7 @@
 
 import static org.keycloak.services.managers.AuthenticationManager.FORCED_REAUTHENTICATION;
 import static org.keycloak.services.managers.AuthenticationManager.SSO_AUTH;
+import static org.keycloak.services.managers.AuthenticationManager.USER_READ_ONLY;
 import static org.keycloak.services.managers.AuthenticationManager.PASSWORD_VALIDATED;
 
 public class AuthenticatorUtil {
@@ -63,6 +65,10 @@ public static boolean isSSOAuthentication(AuthenticationSessionModel authSession
         return "true".equals(authSession.getAuthNote(SSO_AUTH));
     }
 
+    public static boolean isUserReadOnlyAuthentication(AuthenticationSessionModel authSession) {
+        return "true".equals(authSession.getAuthNote(USER_READ_ONLY));
+    }
+
     public static boolean isForcedReauthentication(AuthenticationSessionModel authSession) {
         return "true".equals(authSession.getAuthNote(FORCED_REAUTHENTICATION));
     }
@@ -75,6 +81,10 @@ public static boolean isForkedFlow(AuthenticationSessionModel authSession) {
         return authSession.getAuthNote(AuthenticationProcessor.FORKED_FROM) != null;
     }
 
+    public static boolean hasPasswordPolicyError(AuthenticationSessionModel authSession) {
+        return "true".equals(authSession.getAuthNote(PasswordPolicy.POLICY_ERROR_AUTH_NOTE));
+    }
+
     /**
      * Set authentication session note for callbacks defined for {@link AuthenticationFlowCallbackFactory) factories
      *

services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java

@@ -22,6 +22,7 @@
 import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.AuthenticationFlowError;
 import org.keycloak.authentication.authenticators.util.AuthenticatorUtils;
+import org.keycloak.authentication.AuthenticatorUtil;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
 import org.keycloak.forms.login.LoginFormsProvider;
@@ -196,6 +197,29 @@ private boolean validateUser(AuthenticationFlowContext context, UserModel user,
     }
 
     public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData, boolean clearUser) {
+        // If we have validated the password before, but it didn't match the current password policy, allow to continue to
+        // update the password or cancel. If we don't check whether the password was validated, users could skip the authenticator simply
+        // by providing continueUpdate in their form data.
+        if (AuthenticatorUtil.isPasswordValidated(context.getAuthenticationSession())){
+            // Offer the option to update the password if user hit continue, and they are not read-only.
+            if(inputData.containsKey("continueToUpdate") && !AuthenticatorUtil.isUserReadOnlyAuthentication(context.getAuthenticationSession())) {
+                // Set a required action on the authentication session instead of on the user, as the password policy could be
+                // changed again such that the password would be compliant again. Setting an update action on the user could
+                // make it redundant, if their password is compliant again after a change in the policy.
+                context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
+                return true;
+            }
+
+            // Otherwise, go back to the login field.
+            Response challengeResponse = challenge(context, getDefaultChallengeMessage(context), FIELD_PASSWORD);
+            context.forceChallenge(challengeResponse);
+
+            if (clearUser) {
+                context.clearUser();
+            }
+            return false;
+        }
+
         String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
         if (password == null || password.isEmpty()) {
             return badPasswordHandler(context, user, clearUser,true);
@@ -205,6 +229,22 @@ public boolean validatePassword(AuthenticationFlowContext context, UserModel use
 
         if (password != null && !password.isEmpty() && user.credentialManager().isValid(UserCredentialModel.password(password))) {
             context.getAuthenticationSession().setAuthNote(AuthenticationManager.PASSWORD_VALIDATED, "true");
+
+            // The credentialManager doesn't return policy errors for us. Instead, the individual credential providers that
+            // validate the password set this flag to true if there is an error.
+            if (AuthenticatorUtil.hasPasswordPolicyError(context.getAuthenticationSession())) {
+                // TODO: Pass read-only state to form.
+
+                Response challenge = context.
+                        form().
+                        setAttribute("userReadOnly", AuthenticatorUtil.isUserReadOnlyAuthentication(context.getAuthenticationSession())).
+                        createForm("login-policy-error.ftl");
+
+                context.forceChallenge(challenge);
+
+                return false;
+            }
+
             return true;
         } else {
             return badPasswordHandler(context, user, clearUser,false);

services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidatePassword.java

@@ -19,6 +19,7 @@
 
 import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.AuthenticationFlowError;
+import org.keycloak.authentication.AuthenticatorUtil;
 import org.keycloak.events.Errors;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.KeycloakSession;
@@ -54,6 +55,17 @@ public void authenticate(AuthenticationFlowContext context) {
             context.failure(AuthenticationFlowError.INVALID_USER, challengeResponse);
             return;
         }
+
+        if (AuthenticatorUtil.hasPasswordPolicyError(context.getAuthenticationSession())) {
+            Response challengeResponse = errorResponse(
+                    Response.Status.UNAUTHORIZED.getStatusCode(),
+                    "invalid_grant",
+                    "User password no longer matches the password policy and must be changed"
+            );
+            context.failure(AuthenticationFlowError.INVALID_USER, challengeResponse);
+            return;
+        }
+
         context.getAuthenticationSession().setAuthNote(AuthenticationManager.PASSWORD_VALIDATED, "true");
         context.success();
     }

services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java

@@ -206,6 +206,15 @@ public boolean isValid(RealmModel realm, UserModel user, CredentialInput input)
             return false;
         }
 
+        if (realm.getPasswordPolicy().shouldValidateOnLogin()){
+            // After the password has been validated successfully, check that it still matches the realm's password policy.
+            PolicyError error = session.getProvider(PasswordPolicyManagerProvider.class).validate(realm, user, input.getChallengeResponse());
+            if (error != null) {
+                logger.debug("User password no longer matches password policy");
+                session.getContext().getAuthenticationSession().setAuthNote(PasswordPolicy.POLICY_ERROR_AUTH_NOTE, "true");
+            }
+        }
+
         return true;
     }
 

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -149,6 +149,9 @@ public class AuthenticationManager {
     // clientSession note with flag that clientSession was authenticated through SSO cookie
     public static final String SSO_AUTH = "SSO_AUTH";
 
+    // authSession note with flag that is true if user is authenticated through read-only user backend (e.g. read-only LDAP)
+    public static final String USER_READ_ONLY = "USER_READ_ONLY";
+
     // authSession note with flag that is true if user is forced to re-authenticate by client (EG. in case of OIDC client by sending "prompt=login")
     public static final String FORCED_REAUTHENTICATION = "FORCED_REAUTHENTICATION";
 

themes/src/main/resources/theme/base/login/login-policy-error.ftl

@@ -0,0 +1,17 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout displayMessage=false; section>
+    <#if section = "header">
+        ${msg("passwordPolicyErrorTitle")}
+    <#elseif section = "form">
+    <div id="kc-terms-text">
+        ${kcSanitize(msg("passwordPolicyErrorMessage"))?no_esc}
+    </div>
+    <form class="form-actions" action="${url.loginAction}" method="POST">
+        <#if !userReadOnly>
+            <input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonLargeClass!}" name="continueToUpdate" id="kc-accept" type="submit" value="${msg("doContinue")}"/>
+        </#if>
+        <input class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}" name="cancelUpdate" id="kc-decline" type="submit" value="${msg("doCancel")}"/>
+    </form>
+    <div class="clearfix"></div>
+    </#if>
+</@layout.registrationLayout>

themes/src/main/resources/theme/base/login/messages/messages_en.properties

@@ -307,6 +307,10 @@ delegationFailedMessage=You may close this browser window and go back to your co
 
 noAccessMessage=No access
 
+passwordPolicyErrorTitle=New password policy
+passwordPolicyErrorMessage=Your password no longer matches the password policy set by the administrator and therefore must be updated.\
+  Click Continue to update your password or click Cancel to go back to the login screen.
+
 invalidPasswordMinLengthMessage=Invalid password: minimum length {0}.
 invalidPasswordMaxLengthMessage=Invalid password: maximum length {0}.
 invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits.