Search code examples
keycloakkeycloak-rest-apipassword-policy

Keycloak set password policy via Rest API

I would like to update/add password policy through Keycloak RestAPI.

I went through the docs, but it looks like that I may only retrieve the list of password policy through APIs. Any other possible way so that I can handle the password policy through Rest API?

https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_serverinforepresentation
https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_passwordpolicytyperepresentation

Manage Password Policy through Keycloak Admin Panel

I am using Keycloak 11.

Update: I managed to figure out that the password policy values are located inside the password policy column under Realm table. I think that I might need to restart Keycloak, or clear Keycloak cache using Keycloak Rest API (POST /{realm}/clear-realm-cache) on https://www.keycloak.org/docs-api/11.0/rest-api/index.html to make it work once I update the table.

enter image description here

Solution

  • Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.

    You can use Keycloak Rest API to get Realm password policies, namely:

    GET <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>

    from the JSON response extract the field passwordPolicy. For the following policies:

    enter image description here

    you would get the following response: length(8) and hashIterations(27500)

    To add/update a given policy call the endpoint

    PUT <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>

    with the appropriate data parameter. For instance, let us say that from the previous example you want to update the "Minimum length" policy to 10 instead of 8, then the data to be send in the PUT request would be:

    '{"passwordPolicy":"length(10) and hashIterations(27500)"}'

    For those that are interested I have scripts for the aforementioned actions in this git repo.

    Step-by-Step

    You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the admin user from the master realm, but later I will explain how you can use another user:

    curl "https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token" \
    -d "client_id=admin-cli" \
    -d "username=${ADMIN_NAME}" \
    -d "password=${ADMIN_PASSWORD}" \
    -d "grant_type=password"

    You get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable $ACCESS_TOKEN for later reference.

    To get the realm information of $REALM_NAME:

    curl -X GET "https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}" \
     -H "Content-Type: application/json" \
     -H "Authorization: bearer ${ACCESS_TOKEN}"

    from the JSON response extract the field passwordPolicy.

    To set the password policies of $REALM_NAME:

    curl -X PUT "https://$KEYCLOAK_IP/auth/admin/realms/${REALM_NAME}"\
     -H "Content-Type: application/json" \
     -H "Authorization: bearer ${ACCESS_TOKEN}" \
     -d "${JSON_PASSWORD_POLICY_DATA}"

    Assigning the proper user permissions

    For those that do not want to get an access token from the master admin user, you can get it from another user but that user needs the permission view-realm from the realm-management client. For that you can:

    (OLD Keycloak UI)

    • Go to Users, and then the user in question
    • Go to the tab Role Mappings
    • In client roles select realm-management
    • Select the role view-realm and click on Add selected

    (New Keycloak UI)

    • Go to Users, and then the user in question
    • Go to the tab Role Mappings
    • Click on Assign role
    • In Search by role name type view-realm
    • Select the role and assign it