[keycloak-dev] rethinking credentials

Stian Thorgersen sthorger at redhat.com
Thu Aug 18 04:57:30 EDT 2016 

We could also enable caching of creds from LDAP with something like:

* Verify plain text password against LDAP
* If OK store the hashed password in the cache
* Next time around we can check against in-mem only

On 10 August 2016 at 17:35, Bill Burke <bburke at redhat.com> wrote:

> The credential API for users needs to change.  Here are the types of
> credentials and how system interacts:
>
> 1. Creds stored, gathered, and validated by Keycloak OOTB code.
>
> 2. Creds stored in external store, but gathered and validated by
> Keycloak OOTB code.  (i.e. User Storage SPI returns the credentials
> directly)
>
> 3. Creds gathered by built-in Keycloak OOTB code, but stored and
> validated externally (i.e. LDAP).
>
> 4. Creds gathered by custom Authenticators, stored and validated
> externally.
>
> 5. Creds gathered by custom authenticators, stored by keycloak,
> validated by custom code.
>
> There's other combinations as well:
>
> a. Keycloak stored User, custom credential store
>
> b. User Storage Provider, keycloak stored creds
>
> c. User Storage Provider, custom credential store
>
> Credentials that are validated by Keycloak are currently cached along
> with the user.  What sucks about this that some credential types require
> a database update, i.e. HOTP which needs to update a counter.  So HOTP
> invalidates the user cache every single login. We also want to allow
> custom credential stores to be able to cache themselves along with the
> user.
>
> What's interesting about #4 is that there really doesn't need to be any
> special SPI.  The custom authenticator can lookup the factory and
> typecast it to any interface it wants to to validate the credential.
> Since our caching layer is a local-only (invalidation cache), cachable
> custom externally stored credentials just need a simple.
>
> Given all this, gonna put some iterations in on a new credential API.
> Any other thoughts?
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160818/eb98e1c0/attachment.html

More information about the keycloak-dev mailing list