
"Not Recently Used" Password Policy value changing from high value to 1 causes a latency on user password change

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.4.3.Final, 4.5.0.Final
    • Fix Version/s: 4.7.0.Final
    • Component/s: None
    • Labels:
    • Sprint: Keycloak Sprint 15
    • Story Points: 1
    • Steps to Reproduce:
      • Set the "Not Recently Used" Password Policy to a high value (for example 80).
      • Change the user's password many times, until the user has the maximum of 80 records of TYPE 'password-history' in the 'CREDENTIAL' table.
      • Change the "Not Recently Used" Password Policy value to 1.
      • Change the same user's password again.
      • Observe the latency it takes to complete a single password change.
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      When the "Not Recently Used" Password Policy value is set to 1 from a higher value (say it was previously set to a very big number like 80, and then reduced to only 1), it is noticed that ONLY one (1) password history record is deleted from the 'CREDENTIAL' table. This is incorrect if a user has more passwords in history because of a previous setting of the "Not Recently Used" Password Policy value (for example from 80 to 1).

      This can cause a high latency issue when there is a password change request for users with such a huge number of old password history records in the database.

      This code [1] is buggy, as there is a regression issue caused by the KEYCLOAK-4095 bug fix [2]. In the case of "Not Recently Used = 1", it doesn't delete the old passwords (as inherited from a previous setting of 80); just one password is removed and one added, so the user remains with the same 80 records in the 'CREDENTIAL' table.

      [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java#L114
      [2] https://issues.jboss.org/browse/KEYCLOAK-4095
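      The pruning defect described above, modelled as an added illustrative example in Python (this is not Keycloak's code; the Account class, the hashing placeholder and the "history holds at most N records" interpretation of the policy are assumptions). The buggy variant drops exactly one oldest record before adding the previous password, so lowering the policy from 80 to 1 leaves the table at 80 rows; the fixed variant trims the history to the current policy window on every change.

```python
import hashlib
from dataclasses import dataclass, field


def _h(pw: str) -> str:
    # Placeholder for a password hash so the example runs offline (assumption,
    # not Keycloak's hashing).
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Account:
    current: str                                   # hash of the active password
    history: list = field(default_factory=list)    # 'password-history' rows, oldest first


def is_recently_used(acct: Account, candidate: str) -> bool:
    # Policy check: the candidate must differ from the active password and
    # from every retained history record.
    return _h(candidate) in [acct.current] + acct.history


def change_password_buggy(acct: Account, new_pw: str, n: int) -> int:
    # Regression behaviour from the issue: remove ONE oldest record when the
    # history is "full", then append the previous password. If the policy
    # was lowered, the surplus records inherited from the old policy survive.
    if len(acct.history) >= n:
        acct.history.pop(0)
    acct.history.append(acct.current)
    acct.current = _h(new_pw)
    return len(acct.history)


def change_password_fixed(acct: Account, new_pw: str, n: int) -> int:
    # Prune to the CURRENT policy window, so a reduced n shrinks the history
    # and the per-change work no longer scales with stale records.
    acct.history.append(acct.current)
    acct.history = acct.history[-n:] if n > 0 else []
    acct.current = _h(new_pw)
    return len(acct.history)


def simulate(change) -> Account:
    # Constructed scenario from the issue: 80 changes under policy 80, then the
    # administrator lowers the policy to 1 and the user changes the password once.
    acct = Account(current=_h("pw0"))
    for i in range(1, 81):
        change(acct, f"pw{i}", 80)
    change(acct, "pw81", 1)
    return acct
```

      Running the scenario, the buggy path ends with 80 history records while the fixed path ends with 1, which is exactly the difference the reporter observed in the 'CREDENTIAL' table.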

                People

                • Assignee: hmlnarik Hynek Mlnařík
                • Reporter: rhn-support-igueye Issa Gueye
                • Votes: 0
                • Watchers: 3
