[keycloak-dev] rehash password if different algorithm?
Bill Burke
bburke at redhat.com
Tue Aug 2 18:45:08 EDT 2016
Hey,
Ran into something implementing a user federation example. My user
federation example stores passwords in plain text. So, I wrote a plain
text password hasher. The first time the password is validated, the
hashing iterations don't match from the returned
UserCredentialValueModel. The user fed provider always returns 0
because it's plain text. The CredentialValidation class sees that the
hash iterations don't match with the default realm's hashing iterations,
so the password is rehashed. Rehashed with the default realm
algorithm. There is a bug here in that the algorithm is not set to the
realm's hashing algorithm, so, once a user is validated once, they can
never be validated again... at least in this scenario.
The bigger question is, how do we handle this scenario where the User
Federation Provider does not store passwords in the same format as the
realm's password policy? The workaround is to ignore password updates
when updateCredentialsDirectly is called. But this seems like a hack.
A lot of documentation would need to be in place for this.
Bill
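The failure mode described above, reduced to a stand-alone model (added example, not Keycloak code): a credential returned with algorithm "plaintext" and 0 iterations is rehashed to the realm's PBKDF2 policy, and leaving the algorithm field untouched makes every later validation fail. The REALM policy, hasher names and the "s3cret" password are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the realm's password policy.
REALM = {"algorithm": "pbkdf2", "hash_iterations": 20000}

def hash_password(algorithm, password, salt, iterations):
    """Produce the stored credential value for the given algorithm."""
    if algorithm == "plaintext":  # what a plain-text federation provider stores
        return password
    if algorithm == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    raise ValueError(f"unknown algorithm {algorithm}")

def verify(cred, password):
    """Check a password using the algorithm recorded on the credential itself."""
    expected = hash_password(cred["algorithm"], password, cred["salt"], cred["hash_iterations"])
    return hmac.compare_digest(expected, cred["value"])

def validate_and_rehash(cred, password, realm, set_algorithm):
    """Model of the validation path: verify, then rehash when the iteration
    count differs from the realm policy. set_algorithm=False reproduces the
    defect from the post: the value is rehashed but the algorithm is not updated."""
    if not verify(cred, password):
        return False
    if cred["hash_iterations"] != realm["hash_iterations"]:
        salt = os.urandom(16)
        cred["value"] = hash_password(realm["algorithm"], password, salt, realm["hash_iterations"])
        cred["salt"] = salt
        cred["hash_iterations"] = realm["hash_iterations"]
        if set_algorithm:
            cred["algorithm"] = realm["algorithm"]
    return True

def federated_credential(password):
    """Constructed credential as a plain-text federation provider would return it."""
    return {"algorithm": "plaintext", "value": password, "salt": b"", "hash_iterations": 0}

def login_twice(set_algorithm):
    """Return the outcomes of two consecutive logins with the correct password."""
    cred = federated_credential("s3cret")
    first = validate_and_rehash(cred, "s3cret", REALM, set_algorithm)
    second = validate_and_rehash(cred, "s3cret", REALM, set_algorithm)
    return first, second

if __name__ == "__main__":
    print("buggy:", login_twice(set_algorithm=False))  # (True, False)
    print("fixed:", login_twice(set_algorithm=True))   # (True, True)
```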