[keycloak-dev] argon2 password hashing
Stian Thorgersen
sthorger at redhat.com
Thu Apr 28 01:51:09 EDT 2016
First thing would be to create PasswordPolicySPI,
PasswordPolicyProviderFactory
and PasswordPolicyProvider. PasswordPolicyProvider should have same methods
as Policy. You'd then have to extract all built-in providers from
PasswordPolicy into PasswordPolicyProvider implementations, this should be
relatively straightforward as they are already "id" -> implementation, just
means you retrieve it with KeycloakSession rather than hard-coded in
PasswordPolicy. PasswordPolicy should then be change to use KeycloakSession
to retrieve PasswordPolicyProvider instead of hard-coded Policy
implementations.
Next step would be admin console integration. At the moment the list of
policies is hard-coded it would need to get the list of policies from
server-info instead. There are other bits that use server-info to list
providers already so take a look at that. You would probably also need to
add a method to PasswordPolicyProvider to return a description of the
policy for the admin console tooltips.
On 25 April 2016 at 18:36, Roelof Naude <roelof.naude at gmail.com> wrote:
> thank you all for the quick response.
>
> do you guys have a basic idea on how to approach the policy spi? we are
> more than willing to help out to get it done.
>
> maintaining a fork is maybe an option to resolve the immediate need, but
> would prefer to keep things upstream as much as possible.
>
> On Mon, Apr 25, 2016 at 5:30 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> We an to introduce a password policy spi soon, but for now you're stuck
>> with the built-in policies.
>> On 25 Apr 2016 16:43, "Bruno Oliveira" <bruno at abstractj.org> wrote:
>>
>>> I believe we don't have an SPI for this, yet. See:
>>> https://issues.jboss.org/browse/KEYCLOAK-2824.
>>>
>>> IMO, Argon2 is completely new and aside from the bindings, we don't have
>>> a Java implementation, yet for this. I'm not sure if is a good idea to
>>> introduce C to the codebase, but totally doable to have an SPI for
>>> policies.
>>>
>>> On 2016-04-25, Roelof Naude wrote:
>>> > hi,
>>> >
>>> > a client has requested the use of the argon2 [1, 2] password hashing
>>> > scheme. this can easily be added as an external provider. we do however
>>> > require custom password policies, e.g. memory / parallelism cost as
>>> well as
>>> > salt length. AFAIK there is no way to provide policy extensions using a
>>> > provider interface?
>>> >
>>> > would argon2 be a worthwhile contribution?
>>> >
>>> > regards
>>> > roelof.
>>> >
>>> > [1] https://github.com/P-H-C/phc-winner-argon2
>>> > [2] https://github.com/phxql/argon2-jvm
>>>
>>> > _______________________________________________
>>> > keycloak-dev mailing list
>>> > keycloak-dev at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>> --
>>>
>>> abstractj
>>> PGP: 0x84DC9914
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160428/8c951ccf/attachment.html
More information about the keycloak-dev
mailing list