[keycloak-dev] OTP string based secrets
bburke at redhat.com
Wed Jul 12 18:16:15 EDT 2017
On 7/12/17 1:39 PM, Dobbels, Andy wrote:
> We are adopting Keycloak and are trying to move our OTP tokens over to Keycloak. However, Keycloak can only use secrets that are alphanumeric strings whereas our existing implementation and most hard and software tokens we have used use the full range of binary values when generating secrets.
> 2 questions:
> 1: Is the lower entropy of the secrets generated by Keycloak a concern?
Should it be a concern? Its currently a randomly generated 20 character
alpha-numeric string. That's not enough entropy?
> 2: If we provided a PR that migrated the existing data by re-encoding all existing secrets as Base32 and updated the code to assume Base32 instead of string be acceptable?
> This would be a non breaking change but allow anyone using existing OTP tokens to migrate their secrets which I don't think they can at the moment.
We have undocumented SPIs to support other storage options for different
credential types. If you want to use the data model that's currently
there you have to encode your secrets as strings. We're limited in the
fact that our current OTP storage must be backward compatible. Also,
don't want to have to recalculate storage for every single OTP record of
existing deployments when migrating.
We could though absolutely change how future secrets are generated if
you feel the entropy is a concern.
More information about the keycloak-dev