[keycloak-user] Porting user passwords to keycloak

Stian Thorgersen sthorger at redhat.com
Tue Dec 1 09:51:02 EST 2015


http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html

On 1 December 2015 at 15:39, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:

> Thanks Stian.
>
> Can you send me some documentation or source code pointers about
> "modifying the password authenticator" ? Are we talking about a Java class,
> overriding login form ? sth else?
>
>
>
> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> So looks like we will indeed have password hash spi in 1.8. It'll be
>> released in early January.
>>
>> If you can't wait for that I think it would be better to not import users
>> with a password at all and instead send reset password links to their email
>> address. That would assume all users have emails registered. Or you could
>> also modify the password authenticator and make it run md5 the value of the
>> input password for users that haven't updated their password yet.
>>
>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>> orestis.tsakiridis at telestax.com> wrote:
>>
>>> Ok, so i guess i'll have to go with a workaround, password reset, etc as
>>> i've described.
>>>
>>> Thanks Stian
>>>
>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> We are planning to add a Password Hashing SPI, which will allow
>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>
>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'm trying to create some migration scripts that will port users from
>>>>> Application1 into keycloak. Users in Application1 already have usernames,
>>>>> passwords etc. I use the admin rest api to create the users.
>>>>>
>>>>> The problem i'm facing is that user passwords in Application1 database
>>>>> are already hashed using md5. So, i don't really know the actual passwords
>>>>> (security wise that makes sense).
>>>>>
>>>>> The only solution i've come down to is store the password as they are
>>>>> in keycloak (md5ed) and tell the users to use the hashed value instead of
>>>>> the plaintext one wieh signing in. Then, force them to reset passwords. Not
>>>>> the best UX  :-(
>>>>>
>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>> in, first hash his password with md5 and the compare to the value stored in
>>>>> db"  or sth like that?
>>>>>
>>>>> Any alternatives come to mind ?
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> Orestis
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151201/04fd2ac3/attachment.html 


More information about the keycloak-user mailing list