Keycloak | How to add custom keycloak password policies?

Question

I'm working on a new project that uses Keycloak platform. I want to find a way to add custom password policies in the Authentication tab. I want to add a dictionary with blacklist words that these can't be included in password of a user

for example from the blacklist dictionary the word "testing" should block all passwords that contains "testing" inside line "123testing@123",... etc

Also i have multi requirements of password policies that can be done with the option that Keycloak offers in the drop-down menu of password policies. I found in some forums that i have to create my own Authentication SPI but i can find any documentation that explains step to step (from scratch) how to achieve this.

Answer 1

To implement an SPI you need to implement it's ProviderFactory and Provider interfaces. You also need to create a service configuration file.

For password policy - You would need to implememnt PasswordPolicyProviderFactory.java and the implmentation will go in CustomPasswordPolicyProviderClass which will implements PasswordPolicyProvider.java class.

This way you should be able to register this policy in keycloak and can configure in the realm UI. Refer this for the contract - Service Provider Interfaces

Answer 2

I cannot get an SPI working for a keycloak Realm Password Policy.

Preface: we are using Keycloak Version 4.5.1 FINAL.

I have successfully dev'd and deployed other keycloak SPIs so I am familiar with the general workflow:

-implementing a given interface
-insuring there is a services file in META-INF/services in the jar -modifying standalone-ha.xml
-deploying the jar and module.xml to the wildfly modules directory, etc.

I am getting no errors in the server logs after deploying, however I cannot see the Password Policy Provider in the keycloak admin/providers web GUI.

Is there a specific methodology for Realm Password Providers that is documented and that works?

Thanks