[keycloak-user] Password Hashing in custom User Storage Provider

Danny Trunk dtrunk90 at gmail.com
Sun Mar 26 13:59:50 EDT 2017


Thank you. That helped me a lot.


On 26.03.2017 at 17:18, Bill Burke wrote:
> If your external store stores passwords, then your UserStorageProvider 
> is responsible for validating and storing these passwords.  This means 
> that your provider must implement the CredentialInputValidator and 
> CredentialInputUpdater interfaces. You'll notice that these interfaces 
> provide no way of getting at the raw credential.  So therefore, if you 
> do not store passwords in Keycloak, the PasswordHashProviders are not 
> invoked.   This is by design.
>
> On 3/26/17 9:51 AM, Danny Trunk wrote:
>> Hi,
>>
>> when implementing my own User Storage Provider I've noticed that the
>> password has to be raw in my database as no Password Hash Provider is
>> getting triggered.
>>
>> The User Storage Provider is based on the JPA Example located here:
>> https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa
>>
>> When adding some logging into the isValid method of the Provider to see
>> what's the content of password and cred.getValue() I can see that
>> password (the one from the database) is hashed whereas cred.getValue()
>> isn't. That's why it mismatches and the user can see an invalid
>> credentials error message.
>>
>> Do I have to call all (as I could have multiple algorithms in my
>> database without any information which algorithm it is)
>> PasswordHashProvider myself in this method? I guess that's not the
>> intended behaviour of the Password Hash Providers?!
>>
>> Could it be a bug in Keycloak?
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

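As an added illustration of the point in Bill Burke's reply (this is not code from the thread, from Keycloak, or from the JPA example): since the provider receives the raw input and must validate it against the external store itself, the store can hold a salted, self-describing hash and isValid() can delegate to a check like the one below. The class name, the `pbkdf2-sha256$<iterations>$<salt>$<hash>` record format, and the iteration count are assumptions made for this example; only JDK classes are used.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper: verifies raw input against a hash kept in the external store.
public class ExternalPasswordCheck {
    private static final String ALG = "PBKDF2WithHmacSHA256";
    private static final String PREFIX = "pbkdf2-sha256"; // assumed algorithm tag

    static byte[] pbkdf2(char[] raw, byte[] salt, int iterations, int lenBytes) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(raw, salt, iterations, lenBytes * 8);
        try {
            return SecretKeyFactory.getInstance(ALG).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the raw password in the spec
        }
    }

    // Builds the record the store would hold: tag$iterations$salt$hash (Base64 fields).
    static String encode(char[] raw, int iterations) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + "$" + iterations + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(pbkdf2(raw, salt, iterations, 32));
    }

    // Unknown tags and malformed records are rejected rather than guessed at.
    static boolean verify(String rawInput, String stored) {
        if (rawInput == null || stored == null) return false;
        String[] p = stored.split("\\$");
        if (p.length != 4 || !p[0].equals(PREFIX)) return false;
        try {
            int iterations = Integer.parseInt(p[1]);
            byte[] salt = Base64.getDecoder().decode(p[2]);
            byte[] expected = Base64.getDecoder().decode(p[3]);
            byte[] actual = pbkdf2(rawInput.toCharArray(), salt, iterations, expected.length);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (Exception e) {
            return false; // bad number, bad Base64, or invalid parameters
        }
    }

    public static void main(String[] args) throws Exception {
        String stored = encode("s3cret-constructed".toCharArray(), 100_000); // constructed sample
        System.out.println(verify("s3cret-constructed", stored));
        System.out.println(verify("wrong-guess", stored));
    }
}
```

Because the algorithm tag travels with each record, a store holding several algorithms can dispatch on the tag instead of trying every hash function in turn.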

