kha7iq/kc-ssh-pam

Authentication will fail if passwords include one or more "/"

valluwtf opened this issue · 1 comment

Describe the bug

The slash "/" being the separator between password and OTP in stdin, things will fail if it is included as a character in the password.

Expected behavior
To allow slashes in passwords, the ReadPasswordWithOTP() function could parse the string from the back instead of the front to find the last occurrence of "/". This will of course still not work if the password contains a slash but no OTP is specified.
(This is why I have not added this as a pull request.)

Possibly one could check from the Keycloak API before splitting the input, to gather information about whether the user actually has OTP policy enabled or not.
Or maybe just at least warn in the documentation, since AFAIK the Keycloak password policies don't offer the option to block certain characters, which could have been another possible solution.

Additional context

I have changed this for our needs here, but as I said this only works when OTP policy is set to mandatory:
valluwtf@2d2bbde

Changing the character from / to some other character will not solve the problem; if someone uses that character in the password we will end up in the same situation again.
I will check if there is any solution for it; I am open to any suggestions or PRs. In the meantime I will highlight this in the README.
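As an added example (not code from kc-ssh-pam or from either participant in this thread), the three splitting strategies discussed above side by side in Go: splitting on the first "/", splitting on the last "/" as the reporter proposes, and a policy-aware split that assumes a hypothetical `otpRequired` flag fetched from Keycloak before the input is parsed. The sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// splitFront splits on the first "/", the behaviour the issue reports:
// any "/" inside the password truncates it.
func splitFront(input string) (password, otp string) {
	parts := strings.SplitN(input, "/", 2)
	if len(parts) == 2 {
		return parts[0], parts[1]
	}
	return input, ""
}

// splitBack splits on the last "/" as proposed in the issue. It keeps
// slashes inside the password, but only when an OTP actually follows.
func splitBack(input string) (password, otp string) {
	i := strings.LastIndex(input, "/")
	if i < 0 {
		return input, ""
	}
	return input[:i], input[i+1:]
}

// splitWithPolicy assumes the caller already knows (hypothetically from
// the Keycloak API) whether the account requires an OTP. When no OTP is
// expected the whole input is the password, so "/" is never ambiguous.
func splitWithPolicy(input string, otpRequired bool) (password, otp string, err error) {
	if !otpRequired {
		return input, "", nil
	}
	i := strings.LastIndex(input, "/")
	if i < 0 {
		return "", "", errors.New("OTP required but no '/' separator found")
	}
	return input[:i], input[i+1:], nil
}

func main() {
	in := "pa/ss/word/123456" // constructed: password "pa/ss/word", OTP "123456"
	p, o := splitFront(in)
	fmt.Printf("front: password=%q otp=%q\n", p, o)
	p, o = splitBack(in)
	fmt.Printf("back:  password=%q otp=%q\n", p, o)
	p, o = splitBack("pa/ssword") // no OTP configured: back-split still breaks
	fmt.Printf("back, no OTP: password=%q otp=%q\n", p, o)
	p, o, _ = splitWithPolicy("pa/ssword", false)
	fmt.Printf("policy-aware, no OTP: password=%q otp=%q\n", p, o)
}
```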