Passwords should only be rehashed if the algorithm or hashing iterations
change. They should not be re-hashed periodically and certainly not for every
login. This is a bug.
On 23 June 2017 at 15:10, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
The o.k.credential.PasswordCredentialProvider.isValid() method at its
end [1] rehashes and stores the credentials upon successful
authentication. This has benefits in that whenever hashing algorithm
or policy changes (e.g. number of iterations), after a login the user
password would be stored again. If nothing changes, the password is at
least rehashed with another salt. Actually, as the password
policy/algorithm usually does not change too often, it also induces
unnecessary network traffic: because a user invalidation is sent to other
nodes in the cluster (and other DCs) after each successful login.
One way to mitigate the issue is to invalidate the current encoded
password only if the variant encoded using the same salt as original
password and current password policy is different to the stored one.
If occasional rehashing would be a must, it would be possible to
update credentials after login with new hash only once in a given
period of time (e.g. at most weekly, this can be determined from the
password created date).
WDYT?
--Hynek
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java#L210-L215
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
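Hynek's mitigation, as an added Python sketch that is not Keycloak's code: re-store the credential after a successful login only when re-encoding with the stored salt under the current policy differs from what is stored, with an optional maximum age for the "at most weekly" variant. PBKDF2 via hashlib stands in for Keycloak's hash providers; the credential dict layout and the max_age parameter are assumptions.

```python
import hashlib
import hmac
import os

# Constructed model (not Keycloak's): a stored credential is a dict with
# algorithm, iterations, salt, hash and created (seconds since epoch).

def encode(password, algorithm, iterations, salt):
    """PBKDF2 encoding; stands in for the provider's hash algorithm."""
    return hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations)

def new_credential(password, policy, now):
    """Encode with a fresh salt under the current password policy."""
    salt = os.urandom(16)
    return {"algorithm": policy["algorithm"], "iterations": policy["iterations"],
            "salt": salt, "created": now,
            "hash": encode(password, policy["algorithm"], policy["iterations"], salt)}

def is_valid(stored, password):
    """Verify against the stored algorithm/iterations/salt (constant-time compare)."""
    candidate = encode(password, stored["algorithm"], stored["iterations"], stored["salt"])
    return hmac.compare_digest(candidate, stored["hash"])

def needs_rehash(stored, password, policy, now, max_age=None):
    """Rehash only if the SAME salt under the CURRENT policy yields a different
    hash (algorithm or iteration count changed), or, if max_age is set, the
    credential is at least max_age seconds old."""
    under_policy = encode(password, policy["algorithm"], policy["iterations"], stored["salt"])
    if not hmac.compare_digest(under_policy, stored["hash"]):
        return True
    return max_age is not None and now - stored["created"] >= max_age

def login(stored, password, policy, now, max_age=None):
    """Return (authenticated, credential_to_store). A None credential means no
    write, hence no user invalidation sent to other cluster nodes or DCs."""
    if not is_valid(stored, password):
        return False, None
    if needs_rehash(stored, password, policy, now, max_age):
        return True, new_credential(password, policy, now)
    return True, None
```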