A Keycloak password policy that checks potential passwords against Have I Been Pwnd.

Note: this project was a weekend hack to try out the password policy SPI and HIBP API; it's not as robust or scalable as would be necessary in a production environment,
It depends on an SPI defined in keycloak-server-spi-private, which is not part of the public interface and may break between versions. A warning will print at start-up:

 WARN  [org.keycloak.services] (ServerService Thread Pool -- 64) KC-SERVICES0047: password-policy-have-i-been-pwned (dev.alexashley.policy.HaveIBeenPwnedPasswordPolicyProviderFactory) is implementing the internal SPI password-policy. This SPI is internal and may change without notice

Build the jar with make build (see the development section for prerequisites) and place it under ${KEYCLOAK_HOME}/standalone/deployments/.

Now you should see the provider as an option in the dropdown, and can configure it:

The policy value is the threshold for the number of times that the password hash appears in HIBP. The default is 1, meaning that any password that appears in HIBP is disallowed.

• jabba
• jq

• jabba use
• make build to create the jar
• make keycloak to start an instance of Keycloak with the policy
  • admin credentials: keycloak:password
  • user credentials: test:password
• ./scripts/init-keycloak.sh to setup the realm and user
• make acceptance to run the minimal acceptance tests