Let’s say we want to prevent the reuse of the 4 previous passwords when updating OpenIDM managed users. To do so, we need to store an array containing the last passwords. We name that attribute lastPass and declare it in bin/defaults/script/ui/onCreate-user-set-default-fields.js:
object.lastPass = new Array(5);
Note: it’s highly recommended to use a custom onCreate JavaScript file; you can, for example, copy the original bin/defaults/script/ui/onCreate-user-set-default-fields.js file to bin/defaults/script/ui/onCreate-user-set-default-fields-custom.js, add the above line, and reference the new file in conf/managed.json instead of the old one.
Even though we need just 4 elements, we declare an array containing 5 because of this bug. We also have to update the lastPass attribute each time the password is modified, so we create a script (bin/defaults/script/ui/onUpdate-user-pwpolicy.js) with the following content:
if (newObject.password != oldObject.password) {
    newObject.lastPass[1] = oldObject.lastPass[2];
    newObject.lastPass[2] = oldObject.lastPass[3];
    newObject.lastPass[3] = oldObject.lastPass[4];
    newObject.lastPass[4] = oldObject.password;
}
and call it in the user configuration block of conf/managed.json:
...
"name" : "user",
"onUpdate" : {
    "type" : "text/javascript",
    "file" : "bin/defaults/script/ui/onUpdate-user-pwpolicy.js"
}
...
Now we have to extend the policy service by adding a scripted policy in a custom JavaScript file, for example script/pwpolicy.js:
var policy1 = {
    "policyId" : "is-new",
    "policyExec" : "isNew",
    "policyRequirements" : ["IS_NEW"]
};
addPolicy(policy1);

// Slot 0 is never used (see the array-of-5 workaround above), so the scan starts at 1.
// Returning a non-empty array reports a policy failure.
function isNew(fullObject, value, params, property) {
    var length = fullObject.lastPass.length;
    for (var i = 1; i < length; i++) {
        if (fullObject.lastPass[i] == value) {
            return [{"policyRequirement": "IS_NEW"}];
        }
    }
    return [];
}
Then, in conf/policy.json, we first reference our script by filling in the additionalFiles value:
{
    "file" : "bin/defaults/script/policy.js",
    "additionalFiles" : ["script/pwpolicy.js"],
    ...
Then we call our new policy in the password configuration block, by its policyId:
...
{
    "name" : "password",
    "policies" : [
        { "policyId" : "not-empty" },
        { "policyId" : "is-new" },
        ...
Finally, we configure OpenIDM to encrypt the new attribute and to deny retrieving it through REST, in conf/managed.json:
...
{
    "name" : "user",
    "properties" : [
        {
            "name" : "lastPass",
            "encryption" : { "key" : "openidm-sym-default" },
            "scope" : "private"
        }
        ...
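To see how the onUpdate rotation and the is-new policy behave together over a series of password changes, here is an added stand-alone Node.js simulation of both scripts. It is example code written for this page, not code from the original post or from OpenIDM; the object shapes (oldObject, newObject, fullObject), the HISTORY_SIZE constant and the simulate() driver are assumptions made so the logic can run outside the OpenIDM script engine.

```javascript
// Added example, not part of the original post: a Node.js simulation of the
// lastPass rotation (onUpdate script) and the is-new scripted policy.
// HISTORY_SIZE, the object shapes and simulate() are assumptions of this example.
const HISTORY_SIZE = 5; // slot 0 stays unused, mirroring the array-of-5 workaround

// Equivalent of the onCreate default-fields script: initialise the history.
function initLastPass(object) {
  object.lastPass = new Array(HISTORY_SIZE);
  return object;
}

// Equivalent of onUpdate-user-pwpolicy.js: when the password changes, shift the
// history one slot towards index 1 and store the previous password in the last slot.
function rotatePasswordHistory(oldObject, newObject) {
  if (newObject.password !== oldObject.password) {
    newObject.lastPass = oldObject.lastPass.slice(); // work on a copy
    for (let i = 1; i < HISTORY_SIZE - 1; i++) {
      newObject.lastPass[i] = oldObject.lastPass[i + 1];
    }
    newObject.lastPass[HISTORY_SIZE - 1] = oldObject.password;
  }
  return newObject;
}

// Equivalent of the is-new policy: a non-empty result means the policy failed.
function isNew(fullObject, value) {
  const history = fullObject.lastPass || [];
  for (let i = 1; i < history.length; i++) {
    if (history[i] !== undefined && history[i] === value) {
      return [{ policyRequirement: "IS_NEW" }];
    }
  }
  return [];
}

// Drive a sequence of password changes the way OpenIDM would: validate the
// candidate against the policy first, then apply the update hooks.
// Returns which candidates were accepted, which were rejected, and the final history.
function simulate(passwords) {
  let user = initLastPass({ password: passwords[0] });
  const accepted = [passwords[0]];
  const rejected = [];
  for (const candidate of passwords.slice(1)) {
    if (isNew(user, candidate).length > 0) {
      rejected.push(candidate);
      continue;
    }
    user = rotatePasswordHistory(user, { ...user, password: candidate });
    accepted.push(candidate);
  }
  return { accepted, rejected, history: user.lastPass.slice(1) };
}

// Constructed sample: "p1" is refused while it is among the 4 previous passwords,
// and accepted again once it has been pushed out of the window.
console.log(simulate(["p1", "p2", "p3", "p4", "p5", "p1", "p2", "p6", "p1"]));
```

The run shows the window the page describes: a password is refused only while it sits in slots 1 to 4, and becomes acceptable again after four further changes. Note that the policy compares the candidate value with whatever is stored in lastPass, so the check is only meaningful if the script sees the stored history in the same form as the submitted value; the encryption and private scope configured in managed.json are what keep that history from being read back through REST.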