[keycloak-user] Keycloak 8: CredentialRepresentation algorithm

Doswald Alistair alistair.doswald at elca.ch
Tue Nov 19 05:04:16 EST 2019

Hello Leonid,

Can I have a more complete description of your use case? Without knowing how you imported from the legacy storage, I'm not sure how to answer this. 

However, I can give some context into the new credential format and why the previous methods were deprecated, and maybe it'll help:

Before, credentials were only password and OTP, but now it's intended that Keycloak handle any number of credential types, both in Keycloak (for example WebAuthn that was added in Keycloak 8), and with extensions that 3rd parties wish to add. The definition of credentials in the database has been modified to accommodate this change; there's information in the documentation on this here: https://www.keycloak.org/docs/latest/server_development/index.html#extending-the-credentialmodel-class. Basically, credential-type specific information is now held as JSON within two fields:
* secret_data: for information that must not leave the database,
* credential_data: for non-sensitive data that is available in the administration GUI, and can be transmitted via the REST API.

There are classes in Keycloak that allow the serialization and deserialization of this JSON. For passwords it is now the PasswordCredentialModel (see https://github.com/keycloak/keycloak/blob/master/server-spi/src/main/java/org/keycloak/models/credential/PasswordCredentialModel.java). If you're passing by a CredentialRepresentation object for importing legacy passwords, you can:

1. Use the static method PasswordCredentialModel.createFromValues (String algorithm, byte[] salt, int hashIterations, String encodedPassword), which will create a CredentialModel with the correct format.
2. Use the static method ModelToRepresentation.toRepresentation(CredentialModel cred) to get a CredentialRepresentation.

I hope this helps, and if not, I'll try to answer your next questions.

Alistair Doswald

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Leonid Rozenblyum
Sent: Monday, 18 November 2019 09:46
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak 8: CredentialRepresentation algorithm

Before Keycloak 8.0.0 it was possible to use org.keycloak.representations.idm.CredentialRepresentation methods setAlgorithm setHashedSaltedValue

in order to support import from a legacy storage with some custom algorithm not supported by Keycloak.

During https://github.com/keycloak/keycloak/pull/6459 those methods were removed, fields were deprecated.
What's the correct way to provide Credentials for a user with some custom algorithm right now?
Thanks for explanation.
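
The two steps from the reply above, as an added example that is not part of the original thread and not Keycloak's own code. It assumes the Keycloak 8 server libraries are on the classpath; the algorithm id, the user name and the sample salt and hash are constructed placeholders, and the encoding of the hash string is whatever the matching custom PasswordHashProvider expects (Base64 is assumed here).

```java
import java.util.Base64;
import java.util.Collections;

import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class LegacyPasswordImport {

    // Hypothetical id: it must match the id of a PasswordHashProvider
    // deployed on the server, otherwise the hash cannot be verified at login.
    static final String LEGACY_ALGORITHM = "legacy-custom-hash";

    static CredentialRepresentation toCredential(String saltB64, int iterations, String encodedHash) {
        byte[] salt = Base64.getDecoder().decode(saltB64);
        // Step 1: build the model. Keycloak serializes the values into the
        // secret_data (hash, salt) and credential_data (algorithm, iterations) JSON.
        PasswordCredentialModel model = PasswordCredentialModel.createFromValues(
                LEGACY_ALGORITHM, salt, iterations, encodedHash);
        // Step 2: convert the model into the representation used for import.
        return ModelToRepresentation.toRepresentation(model);
    }

    public static void main(String[] args) {
        // Constructed sample record standing in for one row of the legacy store.
        CredentialRepresentation cred =
                toCredential("c2FsdHNhbHRzYWx0", 1, "Y29uc3RydWN0ZWQtaGFzaA==");

        UserRepresentation user = new UserRepresentation();
        user.setUsername("legacy-user");
        user.setEnabled(true);
        user.setCredentials(Collections.singletonList(cred));

        // Log only the non-sensitive part; secretData carries the hash and salt.
        System.out.println(cred.getType() + " " + cred.getCredentialData());
    }
}
```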