Password policy change not forcing user to update password

Hi All,

The Keycloak 18/19 documentation states the following in the section on password policies:

After saving the policy, Keycloak enforces the policy for new users and sets an Update Password action for existing users to ensure they change their password the next time they log in.

This does not appear to work as stated. I tried it with both version 18 and 19 Keycloak servers, freshly downloaded and running locally. I can create a new user with a password, then add a new, more restrictive password policy to the realm. The user can still log in with the original password, and it does not present me with the update password form. If I create a new user, the new password policy does apply correctly.

Am I missing some other configuration step for this feature or is this a defect?

Thanks for any help!

I’m having the same issue. Setting the update password action manually on a user does work, but it does not seem to happen when the password policy changes.

My understanding is that updating a password policy is supposed to trigger an Update Password action for all users in the Realm. If you aren’t seeing this behavior, I’d suggest filing a bug.

That is my understanding as well. I created an issue with Keycloak a couple of weeks ago but it hasn’t received any responses yet.
See: Password policy change not forcing users to update password · Issue #14150 · keycloak/keycloak · GitHub

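One reply in the thread notes that setting the Update Password action manually on a user does work. The sketch below is an added example, not code from the thread or from the Keycloak project: it applies that manual step in bulk through the Admin REST API (`PUT /admin/realms/{realm}/users/{id}`), planning the changes first so they can be reviewed before anything is sent. The base URL, the realm name `demo`, the sample users and the way the admin bearer token is obtained are assumptions.

```python
import json
import urllib.request
from urllib.parse import quote

ACTION = "UPDATE_PASSWORD"  # Keycloak's built-in required-action alias

# Constructed sample shaped like the output of GET /admin/realms/{realm}/users
SAMPLE_USERS = [
    {"id": "11111111-aaaa", "username": "alice", "enabled": True, "requiredActions": []},
    {"id": "22222222-bbbb", "username": "bob", "enabled": True,
     "requiredActions": ["UPDATE_PASSWORD"]},
    {"id": "33333333-cccc", "username": "carol", "enabled": True,
     "requiredActions": ["VERIFY_EMAIL"]},
    {"id": "44444444-dddd", "username": "dave", "enabled": False},
]

def needs_action(user):
    """True for an enabled user that does not already carry the action."""
    if not user.get("enabled", True):
        return False
    return ACTION not in user.get("requiredActions", [])

def build_updates(base_url, realm, users):
    """Plan the PUT requests; returns a list of (url, body) without sending."""
    updates = []
    for user in users:
        if not needs_action(user):
            continue
        # Send the fetched representation back with one field changed, so the
        # update does not depend on how the server treats omitted fields.
        body = dict(user)
        body["requiredActions"] = list(user.get("requiredActions", [])) + [ACTION]
        url = f"{base_url}/admin/realms/{quote(realm)}/users/{quote(user['id'])}"
        updates.append((url, body))
    return updates

def apply_updates(updates, token):
    """Send each planned update using an admin bearer token (assumed to exist)."""
    for url, body in updates:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="PUT",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        urllib.request.urlopen(req).close()

if __name__ == "__main__":
    # Dry run against the constructed sample: print the plan only.
    for url, body in build_updates("http://localhost:8080", "demo", SAMPLE_USERS):
        print(url, body["requiredActions"])
```

On the legacy WildFly distribution the Admin API sits under `/auth`, so the base URL would need that prefix.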