Hey,
Ran into something implementing a user federation example. My user
federation example stores passwords in plain text. So, I wrote a plain
text password hasher. The first time the password is validated, the
hashing iterations from the returned UserCredentialValueModel don't
match. The user fed provider always returns 0 because it's plain text.
The CredentialValidation class sees that the hash iterations don't
match the default realm's hashing iterations, so the password is
rehashed, with the default realm algorithm. There is a bug here in that
the algorithm is not set to the realm's hashing algorithm, so, once a
user is validated once, they can never be validated again...at least
in this scenario.
I assume it works this way for the case that old passwords are
imported from some legacy storage into the Keycloak DB. Those passwords
might be hashed with some weak algorithm or they might just be in
plain text. So after successful validation of a plain-text password,
the stored plain-text password is dropped and a new password credential
is created and saved again into the Keycloak DB with the official realm
algorithm (pbkdf2 + 20000 iterations).
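The rehash-on-validation flow described in both messages above, as an added example in Python that is not part of the thread and not Keycloak code: a credential imported as plain text (iterations 0) is validated, then replaced with one hashed under the realm policy. The realm policy (pbkdf2 at 20000 iterations, modelled here as PBKDF2-HMAC-SHA256), the `Credential` model and all function names are assumptions for the illustration. The `fix_algorithm=False` path models the bug from the first message, where the rehashed credential does not get the realm's algorithm recorded, so the next validation has no hasher for it and fails.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed realm policy, standing in for "pbkdf2 + 20000 iterations".
REALM_ALGORITHM = "pbkdf2-sha256"
REALM_ITERATIONS = 20000


@dataclass
class Credential:
    """Hypothetical stored credential (not Keycloak's model)."""
    algorithm: Optional[str]  # None models "algorithm never set"
    iterations: int           # 0 for a plain-text credential
    salt: bytes
    value: str                # plain-text password, or hex digest


def _digest(algorithm: Optional[str], password: str, salt: bytes, iterations: int) -> str:
    """Compute a hex digest for the named algorithm; unknown names raise."""
    if algorithm == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    if algorithm == "pbkdf2-sha1":
        return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations).hex()
    raise ValueError(f"no hasher for algorithm {algorithm!r}")


def plain_text_credential(password: str) -> Credential:
    """What a plain-text federation provider returns: iterations 0, no hash."""
    return Credential(algorithm="plain", iterations=0, salt=b"", value=password)


def hash_credential(password: str, algorithm: str, iterations: int) -> Credential:
    """Create a salted credential under the given algorithm and iteration count."""
    salt = os.urandom(16)
    return Credential(algorithm, iterations, salt, _digest(algorithm, password, salt, iterations))


def verify(credential: Credential, password: str) -> bool:
    """Constant-time comparison against the stored value; raises on unknown algorithm."""
    if credential.algorithm == "plain":
        return hmac.compare_digest(credential.value.encode(), password.encode())
    expected = _digest(credential.algorithm, password, credential.salt, credential.iterations)
    return hmac.compare_digest(credential.value.encode(), expected.encode())


def validate_and_upgrade(credential: Credential, password: str,
                         fix_algorithm: bool = True) -> Tuple[bool, Credential]:
    """Validate, and if the stored parameters differ from realm policy, rehash.

    Returns (ok, credential) where credential is the possibly upgraded one.
    fix_algorithm=False models the reported bug: the rehash uses the realm's
    iteration count but leaves the algorithm unset, so the next call cannot
    find a hasher for the stored value and validation fails.
    """
    try:
        ok = verify(credential, password)
    except ValueError:
        ok = False  # no hasher for the stored algorithm: treat as failed validation
    if not ok:
        return False, credential
    if credential.algorithm != REALM_ALGORITHM or credential.iterations != REALM_ITERATIONS:
        upgraded = hash_credential(password, REALM_ALGORITHM, REALM_ITERATIONS)
        if not fix_algorithm:
            upgraded.algorithm = None
        return True, upgraded
    return True, credential


def login_twice(stored_password: str, attempt: str,
                fix_algorithm: bool = True) -> Tuple[bool, bool, Credential]:
    """Validate twice against a credential imported as plain text; return both outcomes."""
    cred = plain_text_credential(stored_password)
    first, cred = validate_and_upgrade(cred, attempt, fix_algorithm)
    second, cred = validate_and_upgrade(cred, attempt, fix_algorithm)
    return first, second, cred


if __name__ == "__main__":
    print(login_twice("s3cret", "s3cret")[:2])                        # (True, True)
    print(login_twice("s3cret", "s3cret", fix_algorithm=False)[:2])   # (True, False)
```

The upgrade is only attempted after a successful verification, so a wrong password never triggers a rehash, and an already policy-conformant credential is left untouched. The same comparison also upgrades weaker imported hashes (for instance a PBKDF2-SHA1 credential with a low iteration count), not just plain text.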