Keycloak expire password policy per user/group

Question

I have an app where I have to force some group of users to reset passwords after some time, but not all of them. Is it possible to create a policy per user/group with an Expire password?

I tried so many different ways to handle it in a different way (thinking to create a custom extension too), but nothing help :/

Is it possible to add something as a Keycloak script on the Client level, where I can check a specific user or group and call trigger for resetting the password?

And another question: Is it possible to limit access by IP address (Again with Keycloack javascript or any other way) somehow?

Answer 1

Password polices in Keycloak are applied at the Realm level, to all the users on that Realm, not to the group level. So unless, you extend Keycloak functionality in your own I think you are out of luck.

And another question: Is it possible to limit access by IP address (Again with Keycloack javascript or any other way) somehow?

There was a feature request for that functionality, but it was deferred, and AFAIK is not on the latest Keycloak release. So another option would be to use a different layer on top of Keycloak that would filter IPs based on some white list of IPs.

Answer 2

Keycloak doesn't have this functionality. The default UPDATE_PASSWORD required action gets the number of days before password expiration from the single place for all the users on each login:

context.getRealm().getPasswordPolicy().getDaysToExpirePassword();

But you can add a custom provider which will update DaysToExpirePassword in runtime for every user:

public class DynamicPasswordLifetimeProvider implements RequiredActionProvider {
public static final String FORCE_EXPIRED_PASSWORD_CHANGE_ATTR_NAME = "forceExpiredPasswordChange";

@Override
  public void evaluateTriggers(RequiredActionContext context) {
      String passwordLifetime = ....get it from user/group attribute

      PasswordPolicy passwordPolicy = context.getRealm().getPasswordPolicy();
      PasswordPolicy newPolicy = passwordPolicy.toBuilder().put(FORCE_EXPIRED_PASSWORD_CHANGE_ATTR_NAME, passwordLifetime)
              .build(context.getSession());
      context.getRealm().setPasswordPolicy(newPolicy);
  }
  ....
}

After that should put this required action before the "Update Password" action: