Hide Forgot
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/password-rotation. Description: Problem Statement In the current Keystone implementation Users only have the ability of expressing one password. This eliminates the possibility of storing more than one password associated with the user as well as have a record of the last N passwords used. The rotation mechanism and history can simplify access without service interruption as well as make the system more secure preventing users to always use the same password which will never expire. Supported Scenarios 1) Password Expiration In this case, when a password is created, the system can specify the duration/validity of the password. For instance it could be valid for 1 day or 1 year. 2) Password rotation with no service interruption A user can define at least two passwords allowing access to services using both the old and the new. Once all the services have migrated to use the new passwords the old one will be revoked and/or expired. 3) Prevent Usage of previous N passwords The previous N passwords can be stored as indicated as "expired" or "disabled". When a user refreshes or create a new password it can be verified that it is not one of the N previously created and expired passwords. Specification URL (additional information): None
As discussed upstream, this is pushing Keystone toward being a full Identity provider, which it is ill suited to become. Instead, we are working to integrate other methods for identifying users into the Federation approach that will then tie to external IdPs. These IdPs should be full features ones that provide features like password rotation.