[keycloak-user] Hash Algorithm

Bob McWhirter bmcwhirt at redhat.com
Mon Oct 5 13:17:23 EDT 2015


I think it could be useful that, if a Keycloak is using an alternate hash
(possibly insecure or sub-optimal), it hashes the cleartext with
ALT-HASH and, if successful, re-hashes the cleartext with KEYCLOAK-HASH and
stores the new hash in the canonical Keycloak DB.  This would allow for a
rolling migration of accounts as users log in.

This way you could effectively rehash the passwords without forcing a
global password reset.  After so many days (90, 120, whatever your policy),
you could determine who has not logged in successfully, by finding those
who don't have a KC-stored password, and force them to reset upon next
login or whatnot.

On Mon, Oct 5, 2015 at 1:08 PM, Bill Burke <bburke at redhat.com> wrote:

> Yeah, for now, federation provider would be the correct approach.  But
> if you're migrating we should provide a facility to plug in hash
> algorithm.  I'll add a jira.
>
> On 10/5/2015 11:59 AM, Remi Cartier wrote:
> > Hey guys,
> >
> > I will have to migrate from a custom in-house user management system to
> > Keycloak.
> > We are using this algorithm to store salted/hashed passwords:
> >
> >      import java.math.BigInteger;
> >      import java.security.spec.KeySpec;
> >      import javax.crypto.SecretKeyFactory;
> >      import javax.crypto.spec.PBEKeySpec;
> >
> >      // PBKDF2-HMAC-SHA1, 2048 iterations, 160-bit (20-byte) derived key.
> >      // The salt is encoded with the platform default charset, and
> >      // BigInteger.toString(16) does not left-pad, so a digest with leading
> >      // zero bytes yields a hex string shorter than 40 characters; a verifier
> >      // must encode the candidate the same way before comparing.
> >      public static String hashPassword(String password, String salt) {
> >          try {
> >              KeySpec keySpec = new PBEKeySpec(password.toCharArray(),
> >                  salt.getBytes(), 2048, 160);
> >              SecretKeyFactory secretKeyFactory =
> >                  SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
> >              byte[] hash =
> >                  secretKeyFactory.generateSecret(keySpec).getEncoded();
> >              return new BigInteger(1, hash).toString(16);
> >          } catch (Exception x) {
> >              throw new IllegalStateException(x);
> >          }
> >      }
> >
> > I was wondering, in order to ease the migration, if I could configure
> > Keycloak to use the same hash algorithm?
> >
> > Or if there were any other ways? Like maybe a federation provider, but
> > then comes the question of when to push things into Keycloak, at password
> > change?
> >
> > What do you think ?
> >
> > Sincerely.
> >
> > ------------------------------------------------------------------------
> >
> >
> > REMI CARTIER
> >
> > B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
> >
> > *IMETRIK GLOBAL INC.*
> > *T :* +1 514 448-6407 x2009
> > *T :* +1 866 276-5382 (toll free)
> > *F :* +1 514 904-0611
> >
> > 740 Notre Dame St. West, Suite 1575
> > Montreal, Quebec, Canada H3C 3X6
> > imetrik.com <http://www.imetrik.com/>
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
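Bob's rolling re-hash proposal and Remi's question about when to push credentials into Keycloak, worked through as an added example that is not part of this thread and not Keycloak's own code. The Keycloak user DB and the federation/credential SPI are stood in for by plain dicts so it runs stand-alone; login(), build_store(), close_migration_window(), the sample users, and the target scheme's parameters (PBKDF2-SHA256, 27500 iterations) are assumptions for illustration. The legacy side reproduces the parameters of the Java hashPassword() quoted above, including the BigInteger hex encoding, and assumes the Java salt.getBytes() ran under UTF-8.

```python
"""Rolling re-hash of legacy password hashes at login time (added example;
dicts stand in for the Keycloak user DB and the federation SPI)."""
import hashlib
import hmac
import os

# --- Legacy scheme: same parameters as the Java hashPassword() in the thread ---
LEGACY_ITERATIONS = 2048
LEGACY_DKLEN = 160 // 8   # PBEKeySpec keyLength is in bits: 160 bits = 20 bytes

def java_biginteger_hex(digest: bytes) -> str:
    """Mimic `new BigInteger(1, hash).toString(16)`: unsigned lowercase hex with
    no left padding, so leading zero bytes vanish and the string is not
    always 40 characters wide."""
    return format(int.from_bytes(digest, "big"), "x")

def legacy_digest(password: str, salt: str) -> bytes:
    # Assumption: salt.getBytes() ran under a UTF-8 default charset; SunJCE's
    # PBKDF2WithHmacSHA1 encodes the password chars as UTF-8 as well.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), LEGACY_ITERATIONS, LEGACY_DKLEN)

def legacy_hash(password: str, salt: str) -> str:
    return java_biginteger_hex(legacy_digest(password, salt))

def legacy_verify(password: str, salt: str, stored_hex: str) -> bool:
    """Constant-time check that tolerates the dropped-leading-zero quirk by
    normalising the stored value back to the fixed 20-byte digest."""
    try:
        stored = int(stored_hex, 16).to_bytes(LEGACY_DKLEN, "big")
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(legacy_digest(password, salt), stored)

# --- Target scheme (assumed values; use whatever the realm's policy mandates) ---
KC_ALGORITHM, KC_ITERATIONS, KC_DKLEN = "pbkdf2-sha256", 27500, 32

def kc_hash(password: str) -> dict:
    salt = os.urandom(16)                 # fresh random salt for every re-hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             KC_ITERATIONS, KC_DKLEN)
    return {"algorithm": KC_ALGORITHM, "iterations": KC_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}

def kc_verify(password: str, cred: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(cred["salt"]), cred["iterations"], KC_DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(cred["hash"]))

def login(store: dict, username: str, password: str, now: float) -> str:
    """Returns 'ok', 'migrated', 'reset_required' or 'rejected'. A record holds
    a canonical 'kc' credential, a 'legacy' {salt, hash} from the old system,
    or neither once a reset has been forced."""
    user = store.get(username)
    if user is None:
        return "rejected"
    if user.get("require_reset"):
        return "reset_required"
    if "kc" in user:                      # migrated: only the canonical hash counts
        return "ok" if kc_verify(password, user["kc"]) else "rejected"
    legacy = user.get("legacy")
    if legacy and legacy_verify(password, legacy["salt"], legacy["hash"]):
        user["kc"] = kc_hash(password)    # cleartext is in hand: re-hash it now
        user["migrated_at"] = now
        del user["legacy"]                # the weaker hash is no longer needed
        return "migrated"
    return "rejected"

def unmigrated_users(store: dict) -> list:
    """Accounts with no canonical hash: nobody has logged in to them yet."""
    return sorted(name for name, rec in store.items() if "kc" not in rec)

def close_migration_window(store: dict, started_at: float, now: float,
                           grace_days: int) -> list:
    """After the grace period, drop leftover legacy hashes and force a reset
    for whoever never logged in. Returns the affected usernames."""
    if now - started_at < grace_days * 86400:
        return []
    stale = unmigrated_users(store)
    for name in stale:
        store[name].pop("legacy", None)
        store[name]["require_reset"] = True
    return stale

# Constructed sample data standing in for an export of the old user table.
ALICE_PASSWORD, BOB_PASSWORD = "correct horse battery staple", "hunter2"

def build_store() -> dict:
    return {"alice": {"legacy": {"salt": "s4lt-a", "hash": legacy_hash(ALICE_PASSWORD, "s4lt-a")}},
            "bob": {"legacy": {"salt": "s4lt-b", "hash": legacy_hash(BOB_PASSWORD, "s4lt-b")}}}

if __name__ == "__main__":
    users = build_store()
    print(login(users, "alice", ALICE_PASSWORD, now=0))      # migrated
    print(login(users, "alice", ALICE_PASSWORD, now=1))      # ok
    print(close_migration_window(users, 0, 91 * 86400, 90))  # ['bob']
```

Two details matter in practice. The legacy hex strings are not fixed-width because BigInteger.toString(16) strips leading zero bytes, so the verifier normalises both sides to the 20-byte digest before a constant-time compare rather than comparing strings. And the legacy hash is deleted the moment the canonical one is written, so a later DB leak exposes only the stronger hash; accounts that never log in within the grace period lose their legacy hash too and are forced through a reset instead.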