[keycloak-user] Keycloak 8: CredentialRepresentation algorithm

Leonid Rozenblyum lrozenblyum at gmail.com
Tue Nov 19 05:45:27 EST 2019


Hello Alistair!
Your suggestions PasswordCredentialModel.createFromValues and
ModelToRepresentation.toRepresentation match our needs really well.
We're migrating from a legacy *MD5*-based storage and this combination
suits perfectly.
Thanks for the deep explanation on the new credentials model!

Just wondering: I found that this code
org.keycloak.models.utils.RepresentationToModel.convertDeprecatedCredentialsFormat(UserRepresentation)
doesn't execute direct serialization for passwords and instead handcrafts
the JSON.
// Created this manually to avoid conversion from Base64 and back
cred.setSecretData("{\"value\":\"" + cred.getHashedSaltedValue() +
"\",\"salt\":\"" + cred.getSalt() + "\"}");

Is it due to performance reasons or possible escaping issues?
(I'm going to execute the methods you suggested, but anyway maybe there are
some issues I should take care of).

On Tue, Nov 19, 2019 at 12:04 PM Doswald Alistair <alistair.doswald at elca.ch>
wrote:

> Hello Leonid,
>
> Can I have a more complete description of your use case? Without knowing
> how you imported from the legacy storage, I'm not sure how to answer this.
>
> However, I can give some context into the new credential format and why
> the previous methods were deprecated, and maybe it'll help:
>
> Before, credentials were only password and OTP, but now it's intended that
> keycloak handle any number of credential types, both in keycloak (for
> example WebAuthn that was added in keycloak 8), and with extensions that
> 3rd parties wish to add. The definition of credentials in the database has
> been modified to accommodate this change, there's information in the
> documentation on this here:
> https://www.keycloak.org/docs/latest/server_development/index.html#extending-the-credentialmodel-class.
> Basically, credential-type specific information is now held as json within
> two fields:
> * secret_data: for information that must not leave the database,
> * credential_data: for non-sensitive data that is available in the
> administration GUI, and can be transmitted via the REST API.
>
> There are classes in Keycloak that allow the serialization and
> deserialization of this json. For passwords it is now the
> PasswordCredentialModel (see
> https://github.com/keycloak/keycloak/blob/master/server-spi/src/main/java/org/keycloak/models/credential/PasswordCredentialModel.java).
> If you're passing by a CredentialRepresentation object for importing
> legacy passwords, you can:
>
> 1. Use the static method PasswordCredentialModel.createFromValues (String
> algorithm, byte[] salt, int hashIterations, String encodedPassword), which
> will create a CredentialModel with the correct format.
> 2. Use the static method
> ModelToRepresentation.toRepresentation(CredentialModel cred) to get a
> CredentialRepresentation.
>
> I hope this helps, and if not, I'll try to answer your next questions.
>
> Alistair Doswald
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Leonid Rozenblyum
> Sent: Monday, 18 November 2019 09:46
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Keycloak 8: CredentialRepresentation algorithm
>
> Hello!
> Before Keycloak 8.0.0 it was possible to use
> org.keycloak.representations.idm.CredentialRepresentation methods
> setAlgorithm setHashedSaltedValue
>
> in order to support import from a legacy storage with some custom
> algorithm not supported by Keycloak.
>
> During https://github.com/keycloak/keycloak/pull/6459 those methods were
> removed, fields were deprecated.
> What's the correct way to provide Credentials for a user with some custom
> algorithm right now?
> Thanks for explanation.
>
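
Added example, not part of the original thread and not Keycloak project code: the two steps listed in the quoted reply, chained to build a UserRepresentation that carries a legacy hash for import. The algorithm id "legacy-md5", the class and method names and the sample values are assumptions; a PasswordHashProvider registered under that id is assumed to be deployed so the imported hashes can be verified.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;

import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class LegacyPasswordImport {

    // Hypothetical provider id (assumption): must match the id of a custom
    // PasswordHashProvider that knows how to verify the legacy hashes.
    static final String LEGACY_ALGORITHM = "legacy-md5";

    // Steps 1 and 2 from the thread: values -> CredentialModel -> representation.
    // createFromValues serializes secret_data / credential_data itself, so no
    // JSON is assembled by hand here.
    static CredentialRepresentation toCredential(String legacyHash, byte[] salt, int iterations) {
        if (legacyHash == null || legacyHash.isEmpty()) {
            throw new IllegalArgumentException("legacy hash is required");
        }
        PasswordCredentialModel model = PasswordCredentialModel.createFromValues(
                LEGACY_ALGORITHM, salt, iterations, legacyHash);
        return ModelToRepresentation.toRepresentation(model);
    }

    // Wraps the credential in a user record ready to be imported.
    static UserRepresentation toUser(String username, String legacyHash, byte[] salt) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);
        user.setCredentials(Collections.singletonList(toCredential(legacyHash, salt, 1)));
        return user;
    }

    public static void main(String[] args) {
        // Constructed sample record, not real data.
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        UserRepresentation user = toUser("alice", "0123456789abcdef0123456789abcdef", salt);
        CredentialRepresentation cred = user.getCredentials().get(0);
        // credential_data is the non-sensitive part; secret_data holds the hash
        // and salt and is deliberately not printed.
        System.out.println(cred.getType());
        System.out.println(cred.getCredentialData());
    }
}
```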

