[keycloak-user] Password Hashing in custom User Storage Provider
Bill Burke
bburke at redhat.com
Sun Mar 26 11:18:33 EDT 2017
If your external store stores passwords, then your UserStorageProvider
is responsible for validating and storing these passwords. This means
that your provider must implement the CredtialInputValidator and
CredentialInputUpdater interfaces. You'll notice that these interfades
provide no way of getting at the raw credential. So therefore, if you
do not store passwords in Keycloak, the PasswordHashProviders are not
invoked. This is by design.
On 3/26/17 9:51 AM, Danny Trunk wrote:
> Hi,
>
> when implementing my own User Storage Provider I've noticed that the
> password has to be raw in my database as no Password Hash Provider is
> getting triggered.
>
> The User Storage Provider is based on the JPA Example located here:
> https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa
>
> When adding some logging into the isValid method of the Provider to see
> whats the content of password and cred.getValue() I can see that
> password (the one from the database) is hashed whereas cred.getValue()
> isn't. That's why it mismatches and the user can see an invalid
> credentials error message.
>
> Do I have to call all (as I could have multiple algorithms in my
> database without any information which algorithm it is)
> PasswordHashProvider myself in this method? I guess that's not the
> intended behaviour of the Password Hash Providers?!
>
> Could it be a bug in Keycloak?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list