On 1 December 2015 at 15:39, Orestis Tsakiridis <
orestis.tsakiridis(a)telestax.com> wrote:
Thanks Stian.
Can you send me some documentation or source code pointers about
"modifying the password authenticator" ? Are we talking about a Java class,
overriding login form ? sth else?
On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> So looks like we will indeed have password hash spi in 1.8. It'll be
> released in early January.
>
> If you can't wait for that I think it would be better to not import users
> with a password at all and instead send reset password links to their email
> address. That would assume all users have emails registered. Or you could
> also modify the password authenticator and make it run md5 the value of the
> input password for users that haven't updated their password yet.
>
> On 1 December 2015 at 13:36, Orestis Tsakiridis <
> orestis.tsakiridis(a)telestax.com> wrote:
>
>> Ok, so I guess I'll have to go with a workaround, password reset, etc as
>> I've described.
>>
>> Thanks Stian
>>
>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> We are planning to add a Password Hashing SPI, which will allow
>>> plugging in additional hashing mechanisms. It's not ready quite yet
>>> though.
>>>
>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>> orestis.tsakiridis(a)telestax.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to create some migration scripts that will port users from
>>>> Application1 into keycloak. Users in Application1 already have usernames,
>>>> passwords etc. I use the admin rest api to create the users.
>>>>
>>>> The problem I'm facing is that user passwords in Application1 database
>>>> are already hashed using md5. So, I don't really know the actual passwords
>>>> (security wise that makes sense).
>>>>
>>>> The only solution I've come down to is store the password as they are
>>>> in keycloak (md5ed) and tell the users to use the hashed value instead of
>>>> the plaintext one when signing in. Then, force them to reset passwords. Not
>>>> the best UX :-(
>>>>
>>>> Is there a way to tell keycloak that "these passwords are already
>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>> in, first hash his password with md5 and then compare to the value stored in
>>>> db" or sth like that?
>>>>
>>>> Any alternatives come to mind ?
>>>>
>>>>
>>>> Regards
>>>>
>>>> Orestis
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
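
The workaround suggested in the thread (MD5 the submitted password for users who have not updated their password yet), sketched as an added example that is not code from the thread or from Keycloak. The `Credential` class, the algorithm labels and the iteration count are assumptions; only JDK classes are used, not Keycloak's authenticator API, and an imported row is re-hashed with salted PBKDF2 on the first successful login.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LegacyMd5Login {
    // Hypothetical credential record (assumption; not a Keycloak type).
    static final class Credential {
        String algorithm; // "md5" for imported rows, "pbkdf2-sha256" once upgraded
        byte[] salt;      // null for imported md5 rows
        int iterations;
        byte[] hash;
    }
    static final int ITERATIONS = 210_000; // assumed work factor

    static byte[] md5(String pw) throws Exception {
        return MessageDigest.getInstance("MD5").digest(pw.getBytes(StandardCharsets.UTF_8));
    }
    static byte[] pbkdf2(String pw, byte[] salt, int iter) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, iter, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // True on a correct password; an imported md5 row is re-hashed on first success.
    static boolean verifyAndUpgrade(Credential c, String password) throws Exception {
        boolean legacy = "md5".equals(c.algorithm);
        byte[] candidate = legacy ? md5(password) : pbkdf2(password, c.salt, c.iterations);
        if (!MessageDigest.isEqual(candidate, c.hash)) return false; // constant-time compare
        if (legacy) {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            c.hash = pbkdf2(password, salt, ITERATIONS);
            c.salt = salt;
            c.iterations = ITERATIONS;
            c.algorithm = "pbkdf2-sha256";
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Credential c = new Credential();
        c.algorithm = "md5";
        c.hash = md5("constructed-sample-pw"); // constructed: what the old database would hold
        System.out.println("wrong password:  " + verifyAndUpgrade(c, "nope"));
        System.out.println("first login:     " + verifyAndUpgrade(c, "constructed-sample-pw"));
        System.out.println("stored as:       " + c.algorithm);
        System.out.println("second login:    " + verifyAndUpgrade(c, "constructed-sample-pw"));
    }
}
```

Accounts that never log in keep their MD5 row, which is where the reset-link option from the thread still applies.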