[keycloak-user] Keycloak 3.2.0 issue with PasswordHashProvider SPI

Sarp Kaya akaya at expedia.com
Wed Jul 19 01:01:14 EDT 2017
Hi Marek,

Below are the steps to reproduce it:

1. Deploy a keycloak version 3.1.0
2. Deploy another keycloak instance v3.1; make sure they're clustered
3. Login to admin master field
4. Change the encryption
5. Logout/login to make sure that iterations work as expected
6. Now re-deploy one of the keycloak instances with v3.2.0
7. Try to login on the keycloak instance v3.2; iterations will be -1

Thanks,
Sarp

From: Marek Posolda <mposolda at redhat.com>
Date: Tuesday, July 18, 2017 at 8:06 PM
To: Abdullah Sarp <akaya at expedia.com>, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak 3.2.0 issue with PasswordHashProvider SPI

I've tried to reproduce but wasn't able. What I did was:
- Start 3.2.0
- During initial creation of admin user, I can see that it uses iterations -1, so it defaults to 27500 iterations, which is the default for Pbkdf2Sha256PasswordHashProviderFactory.
- I've manually changed the password policy in admin console and added Hash Iterations to be 10000.
- After relogin of admin user, I can see that it uses configured 10000 iterations. New users are always created with 10000 iterations.

Marek

On 18/07/17 02:32, Sarp Kaya wrote:

Hello,

I know that this is an internal SPI but I believe it’s broken.

I realised that the interface has been changed; now it's passing the iterations directly to the "encode" method. The problem is that it's always calling the encode method with iterations valued -1 regardless of what you put in the UI. I realised that in keycloak for "Pbkdf2PasswordHashProvider" it's defaulting to 20000 iterations; but if you want this to be higher or lower, it doesn't work either (since iterations will always be -1).

My question is, could you please check this? Also if you don’t support “internal SPIs” how are we going to use other encryption methods such as bcrypt or scrypt etc?
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
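The thread turns on how a PasswordHashProvider should treat the -1 that Keycloak passes to encode() when no "Hash Iterations" policy is set: Marek's message says the built-in provider falls back to its factory default (27500 for Pbkdf2Sha256PasswordHashProviderFactory) in that case. The class below is an added illustration, not Keycloak's own provider and not code from anyone in this thread. It assumes the 3.2-era SPI shape (org.keycloak.credential.hash.PasswordHashProvider with policyCheck, encode(String, int, CredentialModel) and verify), the standard CredentialModel setters, and a hypothetical factory that supplies the provider id, JCA algorithm name and default iteration count. The security-relevant point is that a non-positive count must never reach the KDF: PBEKeySpec rejects it, and a provider that "fixed" the exception by clamping to a tiny number would silently weaken every stored hash.

```java
package com.example.keycloak.hash; // hypothetical package, not part of Keycloak

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.PasswordPolicy;

/**
 * Illustrative PBKDF2 PasswordHashProvider (example code, not Keycloak's).
 * Iterations <= 0, which Keycloak passes as -1 when no hash-iterations policy
 * is configured, are mapped to the factory-supplied default instead of being
 * handed to the KDF.
 */
public class DefaultingPbkdf2HashProvider implements PasswordHashProvider {

    private static final int SALT_BYTES = 16;
    private static final int DERIVED_KEY_BITS = 512;

    private final String providerId;      // stored in CredentialModel.algorithm
    private final String pbkdf2Algorithm; // JCA name, e.g. "PBKDF2WithHmacSHA256"
    private final int defaultIterations;  // assumed to come from the factory config

    public DefaultingPbkdf2HashProvider(String providerId, String pbkdf2Algorithm, int defaultIterations) {
        this.providerId = providerId;
        this.pbkdf2Algorithm = pbkdf2Algorithm;
        this.defaultIterations = defaultIterations;
    }

    /** -1 (or any non-positive value) means "no policy set": use the fallback. */
    static int effectiveIterations(int requested, int fallback) {
        return requested > 0 ? requested : fallback;
    }

    @Override
    public boolean policyCheck(PasswordPolicy policy, CredentialModel credential) {
        // Returning false makes Keycloak re-hash on next successful login,
        // so a policy change is applied gradually without breaking old hashes.
        int wanted = effectiveIterations(policy.getHashIterations(), defaultIterations);
        return providerId.equals(credential.getAlgorithm())
                && credential.getHashIterations() == wanted;
    }

    @Override
    public void encode(String rawPassword, int iterations, CredentialModel credential) {
        int effective = effectiveIterations(iterations, defaultIterations);
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);

        credential.setAlgorithm(providerId);
        credential.setType(CredentialModel.PASSWORD);
        credential.setSalt(salt);
        credential.setHashIterations(effective); // record what was really used, never -1
        credential.setValue(derive(rawPassword, salt, effective));
    }

    @Override
    public boolean verify(String rawPassword, CredentialModel credential) {
        // Verify against the count stored with the credential, not the current policy.
        String expected = credential.getValue();
        String actual = derive(rawPassword, credential.getSalt(), credential.getHashIterations());
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void close() {
    }

    private String derive(String rawPassword, byte[] salt, int iterations) {
        // PBEKeySpec throws IllegalArgumentException for iterations <= 0, so the
        // defaulting above is what keeps a missing policy from breaking logins.
        PBEKeySpec spec = new PBEKeySpec(rawPassword.toCharArray(), salt, iterations, DERIVED_KEY_BITS);
        try {
            byte[] key = SecretKeyFactory.getInstance(pbkdf2Algorithm).generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(key);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 derivation failed", e);
        } finally {
            spec.clearPassword();
        }
    }
}
```

When diagnosing the behaviour Sarp reports, the value to inspect is credential.getHashIterations() on the stored credential after a login: a provider written this way always records the count that was actually used, so seeing -1 persisted means the defaulting step was skipped rather than that the policy was ignored.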