How to lock/disable inactive accounts after a period of time?

We have a security rule for the application, which is “the system shall be able to automatically disable / revoke accounts that have been unused / dormant for 90 days”. I googled how to do this for a few days, but there is no way to configure it in the Keycloak admin UI. I found an old Q&A, “https://lists.jboss.org/pipermail/keycloak-user/2018-July/014660.html”, in which he said we can build an extension to check inactive accounts, but I checked Keycloak’s database and I don’t see any field for “last access time” or anything similar, so I can’t do it that way.
Can someone give me a solution for this problem, and how to do it?
Thank you so much!

Hi,

Just a couple of ideas; I have only tested parts of these examples.

When a user logs in, a user session is created which has a field “started”. You can create an extension which makes use of the TimerProvider to create a scheduled task to check all users.

Another way is to add a user attribute like last_login and update it each time the user has successfully logged in; you do this in an event listener. You can then again use a TimerProvider to check these things.
An example of an event listener can be found at https://github.com/zonaut/keycloak-extensions, and it also includes an example of how you could add an attribute in the PlaceholderEventListenerProvider class.

You could also approach it another way if you have your own backend and have the Keycloak users linked to users in your own backend.
You could send an event to your backend when a user has logged in and do a scheduled task check in your own backend.
If you use Keycloak to let users access your app, you could update a field in your own backend DB, set a last_login field there and again do a scheduled task check. You can use the Keycloak REST API to disable the user if needed.

It all depends on you and where you want to make changes. I like Keycloak for what it is and try not to customize too much of it when I can, so maintenance and upgrades are kept to a minimum.
Writing a scheduled task in my own backend takes 5 minutes, and as a user always passes through my backend API I always know when a user last logged in, so I can do a quick, easy and fast SQL check in my own DB.

Don’t forget to have fun :stuck_out_tongue:

2 Likes
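A sketch of the last two ideas above (a last_login value kept outside Keycloak, a daily job that applies the 90-day rule from the question, and the admin REST API used to disable whoever it finds), as an added Python example that is not part of this thread or of the linked extensions repo. The table rows, the realm name, the base URL and the token are constructed; the PUT /admin/realms/{realm}/users/{id} endpoint is Keycloak's own.

```python
from datetime import datetime, timedelta
import json

MAX_IDLE_DAYS = 90  # the 90-day dormancy rule from the question

# Constructed sample of the application's own login-tracking table: one row per
# Keycloak user id with creation time and last successful login (UTC, ISO-8601);
# last_login is None for an account that never logged in.
SAMPLE_ROWS = [
    {"user_id": "u-alice", "enabled": True, "created": "2024-01-01T00:00:00Z", "last_login": "2024-06-01T08:00:00Z"},
    {"user_id": "u-bob", "enabled": True, "created": "2024-01-01T00:00:00Z", "last_login": "2024-02-15T08:00:00Z"},
    {"user_id": "u-carol", "enabled": True, "created": "2024-01-10T00:00:00Z", "last_login": None},  # never used
    {"user_id": "u-dave", "enabled": True, "created": "2024-05-20T00:00:00Z", "last_login": None},  # new account
    {"user_id": "u-erin", "enabled": False, "created": "2023-01-01T00:00:00Z", "last_login": "2023-02-01T00:00:00Z"},
]

def _parse(ts):
    # fromisoformat only accepts a +00:00 offset (not a trailing Z) before Python 3.11
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def dormant_user_ids(rows, now_iso, max_idle_days=MAX_IDLE_DAYS):
    """Ids of enabled accounts with no activity for more than max_idle_days.
    An account that never logged in is measured from its creation time, so an
    unused account is revoked after 90 days too instead of living forever.
    Already-disabled accounts are skipped, which keeps the daily job idempotent."""
    cutoff = _parse(now_iso) - timedelta(days=max_idle_days)
    dormant = []
    for row in rows:
        if not row["enabled"]:
            continue
        last_activity = _parse(row["last_login"] or row["created"])
        if last_activity < cutoff:
            dormant.append(row["user_id"])
    return dormant

def disable_user_request(base_url, realm, user_rep, token):
    """Build (without sending) the Keycloak admin REST call that disables a user.
    user_rep is the representation fetched earlier from
    GET {base_url}/admin/realms/{realm}/users/{id}; sending it back whole with
    enabled=false avoids partial-update differences between Keycloak versions.
    base_url carries the /auth prefix on the older WildFly distribution."""
    body = dict(user_rep, enabled=False)
    return {
        "method": "PUT",
        "url": f"{base_url}/admin/realms/{realm}/users/{user_rep['id']}",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps(body),
    }
```

The daily job would fetch each dormant user's representation, pass it through disable_user_request and send the result with any HTTP client, using a token from a service account that holds the manage-users role.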

Dear zonaut,
thanks for your valuable ideas. I also don’t want to customize Keycloak too much, so yesterday my team came up with a solution that saves all login times of users in the application DB, then creates a process to check that time daily, the same as your last idea. In my view that’s the best solution for our application.
Have a nice day, and thank you so much!

1 Like