Re: [keycloak-user] Porting user passwords to keycloak

Ok Stian. I will try to implement auth_spi. Btw, if you need any early adopters for your new Password Hashing SPI feature, we will gladly use it in our new "Restcomm as a Service" implementation and send feedback. Thanks Orestis Telestax On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: > > http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html > > On 1 December 2015 at 15:39, Orestis Tsakiridis < > orestis.tsakiridis(a)telestax.com&gt; wrote: > >> Thanks Stian. >> >> Can you send me some documentation or source code pointers about >> "modifying the password authenticator" ? Are we talking about a Java class, >> overriding login form ? sth else? >> >> >> >> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger(a)redhat.com&gt; >> wrote: >> >>> So looks like we will indeed have password hash spi in 1.8. It'll be >>> released in early January. >>> >>> If you can't wait for that I think it would be better to not import >>> users with a password at all and instead send reset password links to their >>> email address. That would assume all users have emails registered. Or you >>> could also modify the password authenticator and make it run md5 the value >>> of the input password for users that haven't updated their password yet. >>> >>> On 1 December 2015 at 13:36, Orestis Tsakiridis < >>> orestis.tsakiridis(a)telestax.com&gt; wrote: >>> >>>> Ok, so i guess i'll have to go with a workaround, password reset, etc >>>> as i've described. >>>> >>>> Thanks Stian >>>> >>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger(a)redhat.com&gt; >>>> wrote: >>>> >>>>> We are planning to add a Password Hashing SPI, which will allow >>>>> plugging in additional hashing mechanisms. It's not ready quite yet though. >>>>> >>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis < >>>>> orestis.tsakiridis(a)telestax.com&gt; wrote: >>>>> >>>>>> Hello, >>>>>> >>>>>> I'm trying to create some migration scripts that will port users >>>>>> from Application1 into keycloak. Users in Application1 already have >>>>>> usernames, passwords etc. I use the admin rest api to create the users. >>>>>> >>>>>> The problem i'm facing is that user passwords in Application1 >>>>>> database are already hashed using md5. So, i don't really know the actual >>>>>> passwords (security wise that makes sense). >>>>>> >>>>>> The only solution i've come down to is store the password as they >>>>>> are in keycloak (md5ed) and tell the users to use the hashed value instead >>>>>> of the plaintext one wieh signing in. Then, force them to reset passwords. >>>>>> Not the best UX :-( >>>>>> >>>>>> Is there a way to tell keycloak that "these passwords are already >>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign >>>>>> in, first hash his password with md5 and the compare to the value stored in >>>>>> db" or sth like that? >>>>>> >>>>>> Any alternatives come to mind ? >>>>>> >>>>>> >>>>>> Regards >>>>>> >>>>>> Orestis >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >> >