[keycloak-user] Password Hashing in custom User Storage Provider

Danny Trunk dtrunk90 at gmail.com
Sun Mar 26 09:51:06 EDT 2017


Hi,

When implementing my own User Storage Provider I've noticed that the
password has to be raw in my database, as no Password Hash Provider is
getting triggered.

The User Storage Provider is based on the JPA Example located here:
https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa

When adding some logging into the isValid method of the Provider to see
what the content of password and cred.getValue() is, I can see that
password (the one from the database) is hashed whereas cred.getValue()
isn't. That's why they mismatch and the user sees an invalid
credentials error message.

Do I have to call all (as I could have multiple algorithms in my
database without any information about which algorithm it is)
PasswordHashProviders myself in this method? I guess that's not the
intended behaviour of the Password Hash Providers?!

Could it be a bug in Keycloak?
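The following is an added example, not code from the post or from the Keycloak JPA example it references. It shows one way a custom User Storage Provider can verify an already-hashed database password in isValid by delegating to the PasswordHashProvider that produced the hash, and how to write a new hash using the realm's password policy. It assumes the Keycloak 3.x credential SPI (PasswordHashProvider.verify(String, CredentialModel), KeycloakSession.getProvider(Class, String), PasswordPolicy.getHashAlgorithm()/getHashIterations()); the StoredPassword fields are hypothetical columns that record which provider id, salt and iteration count were used, since a row with no algorithm tag cannot be verified safely and is rejected here.

```java
// Added example (not from the mailing-list post or the Keycloak JPA example).
// Assumes the Keycloak 3.x credential SPI; StoredPassword is a hypothetical entity.
import org.jboss.logging.Logger;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

public class HashedPasswordValidator {

    private static final Logger logger = Logger.getLogger(HashedPasswordValidator.class);

    private final KeycloakSession session;

    public HashedPasswordValidator(KeycloakSession session) {
        this.session = session;
    }

    /** Hypothetical JPA entity columns: the row records which hash provider produced the value. */
    public static class StoredPassword {
        public String algorithm;   // Keycloak PasswordHashProvider id, e.g. "pbkdf2"
        public byte[] salt;        // salt bytes used by that provider
        public int iterations;     // iteration count used by that provider
        public String hash;        // encoded hash as written by PasswordHashProvider.encode
    }

    /**
     * Replacement for the plain String.equals in the JPA example's isValid:
     * rebuild the CredentialModel from the stored columns and let the matching
     * hash provider do the comparison.
     */
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input, StoredPassword stored) {
        if (!(input instanceof UserCredentialModel) || !CredentialModel.PASSWORD.equals(input.getType())) {
            return false;
        }
        if (stored == null || stored.algorithm == null || stored.hash == null) {
            // Fail closed: without an algorithm tag there is no safe way to verify the row.
            logger.warnf("No verifiable password hash for user %s", user.getUsername());
            return false;
        }
        PasswordHashProvider hashProvider = session.getProvider(PasswordHashProvider.class, stored.algorithm);
        if (hashProvider == null) {
            logger.warnf("No PasswordHashProvider registered for algorithm '%s'", stored.algorithm);
            return false;
        }
        CredentialModel model = new CredentialModel();
        model.setType(CredentialModel.PASSWORD);
        model.setAlgorithm(stored.algorithm);
        model.setSalt(stored.salt);
        model.setHashIterations(stored.iterations);
        model.setValue(stored.hash);

        String rawPassword = ((UserCredentialModel) input).getValue();
        return hashProvider.verify(rawPassword, model);
    }

    /**
     * Counterpart for updateCredential: hash a new password with the realm's
     * configured algorithm and iteration count, and return the columns to persist.
     */
    public StoredPassword encode(RealmModel realm, String rawPassword) {
        PasswordPolicy policy = realm.getPasswordPolicy();
        String algorithm = policy.getHashAlgorithm();
        PasswordHashProvider hashProvider = session.getProvider(PasswordHashProvider.class, algorithm);
        if (hashProvider == null) {
            throw new IllegalStateException("No PasswordHashProvider registered for algorithm '" + algorithm + "'");
        }
        CredentialModel model = new CredentialModel();
        model.setType(CredentialModel.PASSWORD);
        hashProvider.encode(rawPassword, policy.getHashIterations(), model);

        StoredPassword stored = new StoredPassword();
        stored.algorithm = model.getAlgorithm();
        stored.salt = model.getSalt();
        stored.iterations = model.getHashIterations();
        stored.hash = model.getValue();
        return stored;
    }
}
```

The design choice worth noting for the situation described in the post (several hash algorithms in one table with no record of which was used): rather than trying every registered provider against every login, tag each row with its algorithm at migration time and reject untagged rows, so a login attempt never silently falls back to a weaker or wrong comparison.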
