[keycloak-user] Porting user passwords to keycloak

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Mon Dec 21 07:47:06 EST 2015


Hello again!

So, I've recently pulled your master branch and started working on it (HEAD
was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password hashing
SPI.

Actually, I implemented PasswordHashProvider and
PasswordHashProviderFactory and created a provider .jar as described in
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
.

So, all went fine there. Deployment on keycloak had no issues too.

I'm wondering, however, how I enable this custom Password Hash Provider. Is
there a switch to use my custom "RestcommPasswordHashProvider" instead of
the "Pbkdf2PasswordHashProvider"?

All I've found is the "Authentication/Password Policy/Hash algorithm" in
the Administration Console UI that directly maps to
"Pbkdf2PasswordHashProvider", but adding a new entry and changing this
to "restcomm-md5" (the id of the new provider) seems to have no effect.

Any ideas?

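Stian's suggestion further down (keep the MD5 values as imported and, for users who have not yet changed their password, MD5 the submitted value before comparing) and a custom "restcomm-md5" provider both come down to the same check. The Python below is an added, stand-alone model of that migrate-on-login flow, not Keycloak's SPI or Restcomm's code; the record layout, the "pbkdf2" label and the iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed labels for the two credential formats; Keycloak's own records
# differ, and "restcomm-md5" is only the provider id quoted in the thread.
LEGACY_ALG = "restcomm-md5"
STRONG_ALG = "pbkdf2"
PBKDF2_ITERATIONS = 20000  # assumption, not Keycloak's configured default

def md5_hex(password: str) -> str:
    """Reproduce Application1's legacy unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def legacy_record(md5_hex_value: str) -> dict:
    """Import an existing MD5 hash as-is, tagged so login knows how to check it."""
    return {"algorithm": LEGACY_ALG, "value": md5_hex_value}

def pbkdf2_record(password: str, salt=None) -> dict:
    """Build a salted, iterated PBKDF2-HMAC-SHA256 record for a known password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"algorithm": STRONG_ALG, "salt": base64.b64encode(salt).decode(),
            "value": base64.b64encode(dk).decode(), "iterations": PBKDF2_ITERATIONS}

def verify(password: str, record: dict) -> bool:
    """Check a submitted password against whichever format the record carries."""
    if record["algorithm"] == LEGACY_ALG:
        return hmac.compare_digest(md5_hex(password), record["value"])
    if record["algorithm"] == STRONG_ALG:
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(record["salt"]), record["iterations"])
        return hmac.compare_digest(base64.b64encode(dk).decode(), record["value"])
    return False  # unknown algorithm: fail closed

def login(password: str, record: dict):
    """Return (accepted, replacement_record); the replacement is a PBKDF2 record
    when a legacy MD5 record just verified, so the caller can store it instead."""
    if not verify(password, record):
        return False, None
    if record["algorithm"] == LEGACY_ALG:
        return True, pbkdf2_record(password)
    return True, None
```

The upgrade step is the point: once a user has logged in, the unsalted MD5 value is replaced rather than kept alongside the stronger hash.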


On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:

> Great! I will keep an eye on it.
>
> BR
>
> Orestis
>
> On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> That'd be great. If you watch this
>> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in
>> master.
>>
>> Hopefully it should be added within a few days.
>>
>> On 3 December 2015 at 10:08, Orestis Tsakiridis <
>> orestis.tsakiridis at telestax.com> wrote:
>>
>>> Ok Stian.
>>>
>>> I will try to implement auth_spi.
>>>
>>> Btw, if you need any early adopters for your new Password Hashing SPI
>>> feature, we will gladly use it in our new "Restcomm as a Service"
>>> implementation and send feedback.
>>>
>>>
>>> Thanks
>>>
>>> Orestis
>>>
>>> Telestax
>>>
>>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>>
>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>>
>>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <
>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>
>>>>> Thanks Stian.
>>>>>
>>>>> Can you send me some documentation or source code pointers about
>>>>> "modifying the password authenticator"? Are we talking about a Java class,
>>>>> overriding the login form, or something else?
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> So looks like we will indeed have password hash spi in 1.8. It'll be
>>>>>> released in early January.
>>>>>>
>>>>>> If you can't wait for that I think it would be better to not import
>>>>>> users with a password at all and instead send reset password links to their
>>>>>> email address. That would assume all users have emails registered. Or you
>>>>>> could also modify the password authenticator and make it run md5 on the value
>>>>>> of the input password for users that haven't updated their password yet.
>>>>>>
>>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>
>>>>>>> OK, so I guess I'll have to go with a workaround, password reset,
>>>>>>> etc. as I've described.
>>>>>>>
>>>>>>> Thanks Stian
>>>>>>>
>>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <
>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>>
>>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm trying to create some migration scripts that will port users
>>>>>>>>> from Application1 into keycloak. Users in Application1 already have
>>>>>>>>> usernames, passwords etc. I use the admin REST API to create the users.
>>>>>>>>>
>>>>>>>>> The problem I'm facing is that user passwords in the Application1
>>>>>>>>> database are already hashed using md5. So, I don't really know the actual
>>>>>>>>> passwords (security wise that makes sense).
>>>>>>>>>
>>>>>>>>> The only solution I've come down to is to store the passwords as they
>>>>>>>>> are in keycloak (md5ed) and tell the users to use the hashed value instead
>>>>>>>>> of the plaintext one when signing in. Then, force them to reset passwords.
>>>>>>>>> Not the best UX :-(
>>>>>>>>>
>>>>>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>>>>> in, first hash his password with md5 and then compare to the value stored in
>>>>>>>>> db", or something like that?
>>>>>>>>>
>>>>>>>>> Do any alternatives come to mind?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Orestis
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>