FusionAuth

    Do not enforce minimum password life restrictions

    • yb98

      Hello,

      I have a use case where I am launching Grafana using Kickstart. The issue is that the accounts created by Kickstart are made with a default password; I have also set passwordChangeRequired = true for each user.

      For the Tenant (also modified within Kickstart), I have specified a minimum password lifetime of 1 day. The issue arises when I launch Kickstart and try to log into an account immediately. This triggers the required password change as intended, but the minimum password lifetime causes a rejection of the change, as the password was set only moments ago, during the Kickstart phase.

      Effectively, I am unable to use a FusionAuth user account until 1 day after the Kickstart has completed. Is there any solution to this issue, such as not enforcing the password minimum lifetime if the user was forced to change their password?

      Thanks!

      • dan

        I don't think there are any settings inside FusionAuth that will fix this issue. I would probably change how I set up the tenant and apply the minimum password lifetime setting 1 day after I kickstarted. (So, write a script using one of the client libraries which modifies the tenant to apply that password complexity rule and execute it one day after the system was booted up.)

        But further, I'm curious how you are using kickstart that would require you to have both these settings (forcing the change of password and also requiring the minimum age)? Are you setting up a dev environment? Your prod environment? Something else?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • yb98

          Thanks for the reply, Dan. The final outcome I was hoping to achieve using those two settings is to Kickstart with some already existing accounts, each using the same, default password. When a user attempts to log in with one of those accounts, they will be allowed to create a new password.

          • dan

            @yb98 thanks for explaining. I don't see an easy way to do what you want with kickstart alone, since you can't set the age of the password programmatically. The same issue would occur if you did this all via an API. The only thing I can think of is to apply the password complexity rules 1 day after system startup. A pain, I know, but that's the only path I see that would work.

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

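The deferred-setting approach suggested in the replies above, as an added example that is not part of the original thread and not FusionAuth's own code: a script, meant to be run from a scheduler, that turns on the tenant's minimum password age only once a day has passed since Kickstart finished. It uses the tenant API (`PATCH /api/tenant/{tenantId}`, `tenant.minimumPasswordAge`) over plain HTTP rather than a client library; the environment variable names and the recorded Kickstart completion time are assumptions of this example.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone


def window_elapsed(kickstart_finished, now, wait=timedelta(days=1)):
    """True once `wait` has passed since Kickstart finished (timezone-aware datetimes)."""
    return now - kickstart_finished >= wait


def build_min_age_patch(base_url, tenant_id, api_key, days=1):
    """Build, without sending, a PATCH that changes only tenant.minimumPasswordAge."""
    body = {"tenant": {"minimumPasswordAge": {"enabled": True, "days": days}}}
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/api/tenant/{tenant_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )


def apply_if_due(base_url, tenant_id, api_key, kickstart_finished, now=None, send=None):
    """Send the PATCH if the window has elapsed; return the HTTP status, else None."""
    now = now or datetime.now(timezone.utc)
    if not window_elapsed(kickstart_finished, now):
        return None  # too early: users could not yet complete the forced change
    request = build_min_age_patch(base_url, tenant_id, api_key)
    send = send or (lambda r: urllib.request.urlopen(r, timeout=10).status)
    return send(request)


if __name__ == "__main__":
    # Hypothetical variable names; KICKSTART_FINISHED_AT is an ISO 8601 UTC
    # timestamp recorded by the operator when Kickstart completed.
    finished = datetime.fromisoformat(os.environ["KICKSTART_FINISHED_AT"])
    status = apply_if_due(
        os.environ["FUSIONAUTH_URL"],
        os.environ["FUSIONAUTH_TENANT_ID"],
        os.environ["FUSIONAUTH_API_KEY"],
        finished,
    )
    print("not due yet" if status is None else f"tenant updated, HTTP {status}")
```

Until the script applies the setting, the tenant enforces no minimum password age, so accounts that change their default password in that first day can change it again immediately.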