[keycloak-user] Keycloak 3.2.0 issue with PasswordHashProvider SPI

Marek Posolda mposolda at redhat.com
Wed Jul 19 03:28:19 EDT 2017


Hi Sarp,

Ah, so it happens after migration from 3.1.0.

Could you please try your steps, but after step 6 also do:

7. re-deploy the second keycloak instance with v3.2.0 as well
8. Try to log in on any of the keycloak instances (both should be on v3.2) 
and double-check the behaviour?

The reason is that we don't support a cluster where one node is 
running v3.2 and the second v3.1. Both keycloak nodes should run on the 
same version, otherwise the behaviour is unexpected. Also in step 6, 
once the first node with v3.2 is started, the DB is migrated to v3.2 and 
it's not supported to run keycloak 3.1 or an older version at this point.

If the issue still happens after both nodes are migrated to v3.2, please 
create a JIRA with the steps.

Thanks,
Marek


On 19/07/17 07:01, Sarp Kaya wrote:
> Hi Marek,
>
> The below are the steps to reproduce it:
>
>  1. Deploy a keycloak version 3.1.0
>  2. Deploy another keycloak instance v3.1; make sure they’re clustered
>  3. Login to admin master field
>  4. Change the encryption
>  5. Logout/login to make sure that iterations work as expected
>  6. Now re-deploy one of the keycloak instances with v3.2.0
>  7. Try to login on the keycloak instance v3.2; iterations will be -1
>
>
> Thanks,
> Sarp
>
> From: Marek Posolda <mposolda at redhat.com <mailto:mposolda at redhat.com>>
> Date: Tuesday, July 18, 2017 at 8:06 PM
> To: Abdullah Sarp <akaya at expedia.com <mailto:akaya at expedia.com>>, 
> "keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>" 
> <keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Keycloak 3.2.0 issue with 
> PasswordHashProvider SPI
>
> I've tried to reproduce but wasn't able. What I did was:
> - Start 3.2.0
> - During initial creation of admin user, I can see that it uses 
> iterations -1, so it defaults to 27500 iterations, which is the 
> default for Pbkdf2Sha256PasswordHashProviderFactory.
> - I've manually changed the password policy in admin console and added 
> Hash Iterations to be 10000.
> - After relogin of admin user, I can see that it uses configured 10000 
> iterations. New users are always created with 10000 iterations.
>
> Marek
>
> On 18/07/17 02:32, Sarp Kaya wrote:
>> Hello,
>>
>> I know that this is an internal SPI but I believe it’s broken.
>>
>> I realised that the interface has been changed; now it’s giving the iterations directly to the “encode” method. The problem is it’s always calling the encode method with iterations valued –1 regardless of what you put in the UI. I realised that in keycloak for "Pbkdf2PasswordHashProvider” it’s defaulting to 20000 iterations; but if you want this to be higher or lower, it doesn’t work either (since iterations will always be –1).
>>
>> My question is, could you please check this? Also, if you don’t support “internal SPIs”, how are we going to use other encryption methods such as bcrypt or scrypt etc.?
>
>
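The thread turns on what a hash provider should do when it is handed the iteration sentinel -1 (use the factory default, 27500 for PBKDF2-SHA256 per Marek's message) versus an explicit policy value. The following is an added illustrative model of that contract, not Keycloak's own code; `CredentialModel`, `resolve_iterations` and `policy_check` are assumed names that mirror the roles described in the thread.

```python
# Illustrative model (constructed for this thread, not Keycloak's SPI) of how a
# password hash provider should treat the iterations argument: -1 means "no
# explicit policy, fall back to the provider default"; it must never be used
# literally as an iteration count.
import hashlib
import hmac
import os
from dataclasses import dataclass

DEFAULT_ITERATIONS = 27500  # default for the SHA-256 PBKDF2 provider, as quoted in the thread
SALT_BYTES = 16
DERIVED_KEY_BYTES = 64
ALGORITHM_ID = "pbkdf2-sha256"  # assumed identifier for this model


@dataclass
class CredentialModel:
    """Stand-in for a stored password credential (assumed structure)."""
    algorithm: str
    salt: bytes
    hash_iterations: int
    value: bytes


def resolve_iterations(requested: int) -> int:
    """Map the sentinel -1 to the default; reject other non-positive counts."""
    if requested == -1:
        return DEFAULT_ITERATIONS
    if requested <= 0:
        raise ValueError(f"invalid iteration count: {requested}")
    return requested


def encode(raw_password: str, iterations: int) -> CredentialModel:
    """Hash with PBKDF2-HMAC-SHA256 and record the iteration count actually used."""
    n = resolve_iterations(iterations)
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt, n, DERIVED_KEY_BYTES)
    return CredentialModel(ALGORITHM_ID, salt, n, dk)


def verify(raw_password: str, cred: CredentialModel) -> bool:
    """Re-derive using the iterations stored with the credential, not the current policy."""
    dk = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), cred.salt,
                             cred.hash_iterations, DERIVED_KEY_BYTES)
    return hmac.compare_digest(dk, cred.value)


def policy_check(policy_iterations: int, cred: CredentialModel) -> bool:
    """True when the stored credential already matches the policy (no re-hash needed)."""
    return cred.algorithm == ALGORITHM_ID and \
        cred.hash_iterations == resolve_iterations(policy_iterations)
```

A credential created under the default therefore passes `policy_check(-1, ...)` and `policy_check(27500, ...)` alike, while a policy of 10000 iterations flags it for re-hashing on the next successful login.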


