"Not Recently Used" password policy not working


I’m trying to use Keycloak to recover user passwords (Forgot password), but the Password Policy is not working as expected.

I’m using the Quay image and LDAP Active Directory User Federation with “Import Users” and “Validate Password Policy” enabled.

On the Authentication Password Policy, Keycloak is validating all the policies as expected (e.g. minimum length, not username, special characters) except the “Not Recently Used” policy.

The “Not Recently Used” policy is configured with a value of 3, but the user may repeat the same password as many times as he wants.

Does this policy not work for users imported from LDAP? Am I doing it the wrong way? Or is this a bug?


Hi, could anyone help? Any help/suggestions are welcome!

When using LDAP user federation, Keycloak does not know about the recently used passwords, and password policies are not used at all, because the policies configured in Keycloak might possibly clash with policies in LDAP. With LDAP user federation, only the password policies living in the LDAP will be taken into account, but by the LDAP itself, not by Keycloak.

Thanks @dasniko! I was thinking maybe Keycloak could get some feedback from LDAP about these policies.

Thanks for your response to the issue. I am also facing the same problem. Is it possible to modify something in HistoryPasswordPolicyProvider? If yes… what?

Also, if these policies do not work in Keycloak for LDAP user federation, then do we first need to validate the password in LDAP and then hit Keycloak for a token? Am I right?


In the meantime, a feature was introduced that lets you configure in the LDAP user federation settings that the Keycloak password policies should also be evaluated. But I doubt that this will work with the most recent n passwords, as Keycloak doesn’t know about the passwords used in LDAP. IMHO only semantic password policies will work properly.
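To make the distinction drawn in the two replies above concrete, here is an added, constructed model (not Keycloak's own code, and not taken from this thread) of how a password-history policy has to be evaluated. Semantic policies (length, not-username, special characters) need only the candidate password, so they can be checked for any user. A `passwordHistory(n)` policy can only compare the candidate against hashes the identity provider itself stored; for a federated user whose password is written to LDAP, that local history stays empty and the check passes no matter how often the password is reused. All names (`LocalCredentialStore`, `change_password`, the `federated` flag) and the PBKDF2 parameters are assumptions for this example.

```python
"""Toy model of password-policy evaluation for local versus LDAP-federated users.
Constructed example; not Keycloak's implementation."""
import hashlib
import hmac
import os

# Constructed iteration count for the demo; not a Keycloak setting.
PBKDF2_ITERATIONS = 10_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class LocalCredentialStore:
    """Models the credentials the identity provider itself persists; newest hash first."""

    def __init__(self):
        self._history = {}  # username -> [(salt, digest), ...]

    def record(self, username, password):
        self._history.setdefault(username, []).insert(0, hash_password(password))

    def recent(self, username, n):
        """The last n stored hashes for the user; empty if nothing was ever stored locally."""
        return self._history.get(username, [])[:n]


def semantic_violations(password, username, min_length=8):
    """Policies that need only the candidate itself: length, notUsername, specialChars."""
    violations = []
    if len(password) < min_length:
        violations.append(f"length({min_length})")
    if password.lower() == username.lower():
        violations.append("notUsername")
    if not any(not c.isalnum() for c in password):
        violations.append("specialChars(1)")
    return violations


def history_violation(store, username, password, n):
    """passwordHistory(n): True when the candidate equals one of the last n stored hashes.
    With an empty local history (federated user) this can never fire."""
    return any(matches(password, salt, digest) for salt, digest in store.recent(username, n))


def change_password(store, username, password, history_n=3, federated=False):
    """Evaluate all policies; returns the list of violated policies (empty on success).
    On success the hash is stored locally unless the user is federated, in which case
    the new password goes to LDAP and no local hash is kept (assumption of this model)."""
    violations = semantic_violations(password, username)
    if history_violation(store, username, password, history_n):
        violations.append(f"passwordHistory({history_n})")
    if violations:
        return violations
    if not federated:
        store.record(username, password)
    return []


if __name__ == "__main__":
    local = LocalCredentialStore()
    for pw in ("Correct-Horse-1", "Correct-Horse-2", "Correct-Horse-1"):
        print("local alice ->", pw, change_password(local, "alice", pw))
    fed = LocalCredentialStore()
    for pw in ("Correct-Horse-1", "Correct-Horse-1"):
        print("federated bob ->", pw, change_password(fed, "bob", pw, federated=True))
```

Running the script shows the third local change rejected with `passwordHistory(3)`, while the federated user reuses the same password without any violation, which is exactly the behaviour reported at the top of the thread.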