[keycloak-user] Porting user passwords to keycloak

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Tue Dec 22 10:12:20 EST 2015


Hi Stian,

Indeed, changing the authentication/password policy works for new users
when created from Admin Console. The custom password hashing implementation
works fine.

However, creating a user WITH credentials using this:

http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_user

does not work as expected. The user is created but the 'credentials' array
is empty in the resulting user record. I exported the realm and verified
that. Is the one above the correct method to use?

I can only set the password for a user using this:
http://keycloak.github.io/docs/rest-api/index.html#_set_up_a_temporary_password_for_the_user
But this does not take into account an already computed "hashedSaltedValue".

PUT
127.0.0.1:8080/auth/admin/realms/test/users/216f6050-9c94-47d1-9b96-8534841305df/reset-password
For example I tried sending this:

{
    "type" : "password",
    "hashedSaltedValue" : "****",
    "salt" : "****",
    "hashIterations" : 1,
    "algorithm" : "restcomm-md5"
}

but I got a "400 Bad Request" with "No password provided". Anyway, the
'reset-password' path does not seem the way to go here.



On Mon, Dec 21, 2015 at 4:43 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> In authentication / password policy you can configure what hashing
> algorithm new passwords are hashed with. If you change that value then
> update the users password either through admin console or account
> management it should use your provider.
>
> However, this is probably not what you want as you are implementing a md5
> hash provider which is weaker than the built in provider. I assume you want
> to import users with passwords that are hashed using md5? If so you need to
> specify the algorithm for the password in the json when you import the
> user. For example:
>
> "users" : [ {
>     "username" : "myuser",
>     "enabled" : true,
>     "credentials" : [ {
>       "type" : "password",
>       "hashedSaltedValue" : "***************",
>       "salt" : "**************",
>       "hashIterations" : 1000,
>       "algorithm" : "restcomm-md5"
>     } ]
>   } ]
>
> On 21 December 2015 at 13:48, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>
>> Btw, here is a screenshot of the 'switch' I referred to:
>>
>> On Mon, Dec 21, 2015 at 2:47 PM, Orestis Tsakiridis <
>> orestis.tsakiridis at telestax.com> wrote:
>>
>>> Hello again!
>>>
>>> So, I've recently pulled your master branch and started working on it
>>> (HEAD was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password
>>> hashing SPI.
>>>
>>> Actually, I implemented PasswordHashProvider and
>>> PasswordHashProviderFactory and created a provider .jar as described in
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
>>> .
>>>
>>> So, all went fine there. Deployment on keycloak had no issues too.
>>>
>>> I'm wondering however how I enable this custom Password Hash Provider.
>>> Is there a switch to use my custom "RestcommPasswordHashProvider" instead
>>> of the "Pbkdf2PasswordHashProvider"?
>>>
>>> All I've found is the "Authentication/Password Policy/Hash algorithm"
>>> in the Administration Console UI that directly maps to
>>> "Pbkdf2PasswordHashProvider" but adding a new entry and changing this
>>> to "restcomm-md5" (the id of the new provider) seems to have no effect.
>>>
>>> Any ideas ?
>>>
>>>
>>>
>>> On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis <
>>> orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Great! I will keep an eye on it.
>>>>
>>>> BR
>>>>
>>>> Orestis
>>>>
>>>> On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> That'd be great. If you watch this
>>>>> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's
>>>>> in master.
>>>>>
>>>>> Hopefully it should be added within a few days.
>>>>>
>>>>> On 3 December 2015 at 10:08, Orestis Tsakiridis <
>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>
>>>>>> Ok Stian.
>>>>>>
>>>>>> I will try to implement auth_spi.
>>>>>>
>>>>>> Btw, if you need any early adopters for your new Password Hashing SPI
>>>>>> feature, we will gladly use it in our new "Restcomm as a Service"
>>>>>> implementation and send feedback.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Orestis
>>>>>>
>>>>>> Telestax
>>>>>>
>>>>>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger at redhat.com
>>>>>> > wrote:
>>>>>>
>>>>>>>
>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>>>>>
>>>>>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <
>>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>>
>>>>>>>> Thanks Stian.
>>>>>>>>
>>>>>>>> Can you send me some documentation or source code pointers about
>>>>>>>> "modifying the password authenticator" ? Are we talking about a Java class,
>>>>>>>> overriding login form ? sth else?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <
>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> So looks like we will indeed have password hash spi in 1.8. It'll
>>>>>>>>> be released in early January.
>>>>>>>>>
>>>>>>>>> If you can't wait for that I think it would be better to not
>>>>>>>>> import users with a password at all and instead send reset password links
>>>>>>>>> to their email address. That would assume all users have emails registered.
>>>>>>>>> Or you could also modify the password authenticator and make it run md5 the
>>>>>>>>> value of the input password for users that haven't updated their password
>>>>>>>>> yet.
>>>>>>>>>
>>>>>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>>>>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>>
>>>>>>>>>> Ok, so I guess I'll have to go with a workaround, password reset,
>>>>>>>>>> etc. as I've described.
>>>>>>>>>>
>>>>>>>>>> Thanks Stian
>>>>>>>>>>
>>>>>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <
>>>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>>>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>>>>>
>>>>>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>>>>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to create some migration scripts that will port
>>>>>>>>>>>> users from Application1 into keycloak. Users in Application1 already have
>>>>>>>>>>>> usernames, passwords etc. I use the admin rest api to create the users.
>>>>>>>>>>>>
>>>>>>>>>>>> The problem I'm facing is that user passwords in Application1
>>>>>>>>>>>> database are already hashed using md5. So, I don't really know the actual
>>>>>>>>>>>> passwords (security wise that makes sense).
>>>>>>>>>>>>
>>>>>>>>>>>> The only solution I've come up with is to store the passwords as
>>>>>>>>>>>> they are in keycloak (md5ed) and tell the users to use the hashed value
>>>>>>>>>>>> instead of the plaintext one when signing in. Then, force them to reset
>>>>>>>>>>>> passwords. Not the best UX :-(
>>>>>>>>>>>>
>>>>>>>>>>>> Is there a way to tell keycloak that "these passwords are
>>>>>>>>>>>> already hashed in md5" so, "store them as they are" and "when a user tries
>>>>>>>>>>>> to sign in, first hash his password with md5 and then compare to the value
>>>>>>>>>>>> stored in db" or something like that?
>>>>>>>>>>>>
>>>>>>>>>>>> Any alternatives come to mind ?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>> Orestis
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
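The thread's working route is the realm import with per-credential "algorithm", "salt", "hashedSaltedValue" and "hashIterations", verified by a custom PasswordHashProvider. The Python below is an added example, not code from the thread or from Keycloak: it turns constructed legacy md5 rows into that import fragment and shows the verify step such a provider would run. Everything about the legacy scheme is an assumption here: md5 over salt||password, base64 encoding of the salt and digest for the JSON, "restcomm-md5" as the installed provider id, and the UPDATE_PASSWORD required action to move migrated users off md5 at first login.

```python
# Added example (not code from the thread or from Keycloak): build the
# "credentials" entries a realm import accepts from a legacy md5 user table,
# and show the check a custom PasswordHashProvider would run against them.
#
# Assumptions (not stated in the thread):
#   * legacy scheme is md5(salt || password), digest stored raw
#   * Keycloak wants "hashedSaltedValue" and "salt" as base64 strings
#   * "restcomm-md5" is the id of the installed custom provider
#   * "UPDATE_PASSWORD" forces a PBKDF2 re-hash at first login
import base64
import hashlib
import hmac
import json


def legacy_md5(salt: bytes, password: str) -> bytes:
    """Assumed legacy application scheme: md5 over salt || password."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def to_keycloak_credential(salt: bytes, digest: bytes,
                           algorithm: str = "restcomm-md5") -> dict:
    """One entry of the 'credentials' array for a user in a realm import."""
    return {
        "type": "password",
        "hashedSaltedValue": base64.b64encode(digest).decode("ascii"),
        "salt": base64.b64encode(salt).decode("ascii"),
        "hashIterations": 1,        # a single md5 pass; no key stretching
        "algorithm": algorithm,     # must equal the provider factory id
    }


def build_import(legacy_users: list) -> dict:
    """Realm-import fragment: users keep their md5 hash but must rotate it."""
    users = []
    for row in legacy_users:
        users.append({
            "username": row["username"],
            "enabled": True,
            "credentials": [to_keycloak_credential(row["salt"], row["digest"])],
            # md5 is not acceptable as a long-term store: make the next login
            # replace it with the realm's default (PBKDF2) hash.
            "requiredActions": ["UPDATE_PASSWORD"],
        })
    return {"users": users}


def verify_legacy(password: str, credential: dict) -> bool:
    """What the custom provider's verify step does under the assumed scheme."""
    if credential.get("algorithm") != "restcomm-md5":
        return False
    salt = base64.b64decode(credential["salt"])
    stored = base64.b64decode(credential["hashedSaltedValue"])
    # constant-time comparison so timing does not reveal matching bytes
    return hmac.compare_digest(legacy_md5(salt, password), stored)


# Constructed sample rows standing in for the legacy database export.
SAMPLE_LEGACY = [
    {"username": "alice", "salt": b"7f3a",
     "digest": legacy_md5(b"7f3a", "alice-pass-1")},
    {"username": "bob", "salt": b"c0de",
     "digest": legacy_md5(b"c0de", "bob-pass-2")},
]

if __name__ == "__main__":
    realm = build_import(SAMPLE_LEGACY)
    print(json.dumps(realm, indent=2))
    cred = realm["users"][0]["credentials"][0]
    print(verify_legacy("alice-pass-1", cred), verify_legacy("wrong", cred))
```

The output is the fragment Stian's message describes, plus a requiredActions entry so that no md5 value survives past the user's first successful login; the reset-password endpoint in the thread is not used because it takes a plaintext value rather than a pre-hashed one.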