Keycloak Policies

Hi Everyone,

Wanted to ask about Keycloak Policies. Recently, we added some policies on each of our realms.

For example we implemented:

  • Expire Password

  • Minimum Length

  • Special Characters

and so on…

And then we set our users’ required actions to “update password” for the policies to “take effect”.

If ever we decide to remove the Expire password policy, do our users need to do something?

  • Like we deleted the policy > will we need to let the users update their passwords again to remove the “expire password” duration on their accounts?

or

  • If we remove the expire password policy, no user action required. Once it was removed, regardless if the users have updated their passwords (again) or not, the expired password duration was removed on the system. Meaning after “xx” days they will not be prompted to update their password since it has “expired”.

Thanks

The expire password policy is evaluated when the user authenticates. It’s not stored with the password, but globally for the realm. So, if you remove the expire policy, the password won’t be recognized as expired, because there is no policy available, and the users are good to go.
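
The behaviour described in the answer above, as an added example that is not part of the original post and is not Keycloak's code: a simplified model in which only the credential's creation time is per-user and the expiry window is read from the realm's password-policy string at every login. The function names, the sample dates and the sample policy values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# One policy item, e.g. "length(8)" or "forceExpiredPasswordChange(90)".
POLICY_ITEM = re.compile(r"^\s*(\w+)(?:\((.*)\))?\s*$")


def parse_policy(policy):
    """Parse a realm password-policy string such as
    'length(8) and forceExpiredPasswordChange(90)' into {name: value}."""
    rules = {}
    for item in (policy or "").split(" and "):
        if not item.strip():
            continue
        match = POLICY_ITEM.match(item)
        if not match:
            raise ValueError(f"unparseable policy item: {item!r}")
        rules[match.group(1)] = match.group(2)
    return rules


def password_expired(realm_policy, credential_created, now):
    """Login-time check: the expiry window comes from the realm policy as it
    is right now, never from anything saved alongside the password."""
    days = parse_policy(realm_policy).get("forceExpiredPasswordChange")
    if days is None:  # policy removed from the realm: nothing to compare
        return False
    return now - credential_created > timedelta(days=int(days))


def demo():
    """Same 100-day-old password (constructed dates), three realm settings."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    created = now - timedelta(days=100)
    base = "length(8) and specialChars(1)"
    return {
        "expiry_90": password_expired(
            base + " and forceExpiredPasswordChange(90)", created, now),
        "expiry_365": password_expired(
            base + " and forceExpiredPasswordChange(365)", created, now),
        "expiry_removed": password_expired(base, created, now),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the same reasoning applies in the other direction: shortening the window makes older passwords count as expired at the next login without any change to the stored credential.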

Awesome. Thanks @dasniko

Good to know that it’s in line with the second bullet that I posted. That it “automatically” takes effect and doesn’t need “user intervention” or something. Based on what I understand from your statement.

We’re good to go then
