Do not enforce minimum password life restrictions



  • Hello,

    I have a use case where I am launching Grafana using Kickstart. The issue is that the accounts created by Kickstart are made with a default password; I have also set passwordChangeRequired = true for each user.

    For the Tenant (also modified within Kickstart), I have specified a minimum password lifetime of 1 day. The issue arises when I launch Kickstart and try to log into an account immediately: this triggers the required password change as intended, but the minimum password lifetime causes a rejection of the change, as the password was set only moments ago, during the Kickstart phase.

    Effectively, I am unable to use a FusionAuth user account until 1 day after the Kickstart has completed. Is there any solution to this issue, such as not enforcing the password minimum lifetime if the user was forced to change their password?

    Thanks!



  • I don't think there's any setting inside FusionAuth that will fix this issue. I would probably change how I set up the tenant and apply the minimum password lifetime setting 1 day after I kickstarted. (So, write a script using one of the client libraries that modifies the tenant to apply that password complexity rule, and execute it one day after the system was booted up.)

    But further, I'm curious how you are using kickstart that would require you to have both these settings (forcing the change of password and also requiring the minimum age)? Are you setting up a dev environment? Your prod environment? Something else?



  • Thanks for the reply Dan, the final outcome I was hoping to achieve using those two settings is to Kickstart with some already existing accounts, each using the same, default password. When a user attempts to log in with one of those accounts, they will be allowed to create a new password.



  • @yb98 thanks for explaining. I don't see an easy way to do what you want with kickstart alone, since you can't set the age of the password programmatically. The same issue would occur if you did this all via an API. The only thing I can think of is to apply the password complexity rules 1 day after system startup. A pain, I know, but that's the only path I see that would work.

