<div dir="ltr">We are planning to add a Password Hashing SPI, which will allow plugging in additional hashing mechanisms. It's not ready quite yet though.</div><div class="gmail_extra"><br><div class="gmail_quote">On 1 December 2015 at 13:25, Orestis Tsakiridis <span dir="ltr"><<a href="mailto:orestis.tsakiridis@telestax.com" target="_blank">orestis.tsakiridis@telestax.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Hello,<br><br></div>I'm trying to create some migration scripts that will port users from Application1 into keycloak. Users in Application1 already have usernames, passwords etc. I use the admin rest api to create the users.<br><br></div>The problem i'm facing is that user passwords in Application1 database are already hashed using md5. So, i don't really know the actual passwords (security wise that makes sense). <br><br></div><div>The only solution i've come down to is store the password as they are in keycloak (md5ed) and tell the users to use the hashed value instead of the plaintext one wieh signing in. Then, force them to reset passwords. Not the best UX :-(<br></div><div><br></div>Is there a way to tell keycloak that "these passwords are already hashed in md5" so, "store them as they are" and "when a user tries to sign in, first hash his password with md5 and the compare to the value stored in db" or sth like that?<br><br></div>Any alternatives come to mind ?<br><div><div><div><div><div><br><br></div><div>Regards <br><span class="HOEnZb"><font color="#888888"><br>Orestis<br></font></span></div></div></div></div></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>