Hello again!
So, I've recently pulled your master branch and started working on it (HEAD
was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password hashing
SPI.
Actually, I implemented PasswordHashProvider and
PasswordHashProviderFactory and created a provider .jar as described in
.
So, all went fine there. Deployment on keycloak had no issues either.
I'm wondering, however, how I enable this custom Password Hash Provider. Is
there a switch to use my custom "RestcommPasswordHashProvider" instead of
the "Pbkdf2PasswordHashProvider"?
All I've found is the "Authentication/Password Policy/Hash algorithm" in
the Administration Console UI that directly maps to
"Pbkdf2PasswordHashProvider" but adding a new entry and changing this
to "restcomm-md5" (the id of the new provider) seems to have no effect.
Any ideas?
On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis <
orestis.tsakiridis(a)telestax.com> wrote:
Great! I will keep an eye on it.
BR
Orestis
On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> That'd be great. If you watch this
> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in
> master.
>
> Hopefully it should be added within a few days.
>
> On 3 December 2015 at 10:08, Orestis Tsakiridis <
> orestis.tsakiridis(a)telestax.com> wrote:
>
>> Ok Stian.
>>
>> I will try to implement auth_spi.
>>
>> Btw, if you need any early adopters for your new Password Hashing SPI
>> feature, we will gladly use it in our new "Restcomm as a Service"
>> implementation and send feedback.
>>
>>
>> Thanks
>>
>> Orestis
>>
>> Telestax
>>
>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>>
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>
>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <
>>> orestis.tsakiridis(a)telestax.com> wrote:
>>>
>>>> Thanks Stian.
>>>>
>>>> Can you send me some documentation or source code pointers about
>>>> "modifying the password authenticator" ? Are we talking about a Java class,
>>>> overriding login form ? sth else?
>>>>
>>>>
>>>>
>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger(a)redhat.com>
>>>> wrote:
>>>>
>>>>> So looks like we will indeed have password hash spi in 1.8. It'll be
>>>>> released in early January.
>>>>>
>>>>> If you can't wait for that I think it would be better to not import
>>>>> users with a password at all and instead send reset password links to their
>>>>> email address. That would assume all users have emails registered. Or you
>>>>> could also modify the password authenticator and make it run md5 the value
>>>>> of the input password for users that haven't updated their password yet.
>>>>>
>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>>>>> orestis.tsakiridis(a)telestax.com> wrote:
>>>>>
>>>>>> Ok, so I guess I'll have to go with a workaround, password reset,
>>>>>> etc as I've described.
>>>>>>
>>>>>> Thanks Stian
>>>>>>
>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <
>>>>>> sthorger(a)redhat.com> wrote:
>>>>>>
>>>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>
>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>>>>> orestis.tsakiridis(a)telestax.com> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm trying to create some migration scripts that will port users
>>>>>>>> from Application1 into keycloak. Users in Application1 already have
>>>>>>>> usernames, passwords etc. I use the admin rest api to create the users.
>>>>>>>>
>>>>>>>> The problem I'm facing is that user passwords in Application1
>>>>>>>> database are already hashed using md5. So, I don't really know the actual
>>>>>>>> passwords (security wise that makes sense).
>>>>>>>>
>>>>>>>> The only solution I've come down to is store the passwords as they
>>>>>>>> are in keycloak (md5ed) and tell the users to use the hashed value instead
>>>>>>>> of the plaintext one when signing in. Then, force them to reset passwords.
>>>>>>>> Not the best UX :-(
>>>>>>>>
>>>>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>>>> in, first hash his password with md5 and then compare to the value stored in
>>>>>>>> db" or sth like that?
>>>>>>>>
>>>>>>>> Any alternatives come to mind ?
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Orestis
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
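
The fallback suggested in the thread (run MD5 over the submitted password for users who have not updated their password yet), extended so that a successful login replaces the MD5 record with a salted PBKDF2 one. This is an added example, not part of the original messages and not Keycloak code: it uses only the JDK, and the class, method and field names, the iteration count, the raw-bytes storage of the digest, and the sample password are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: plain JDK, no Keycloak classes. All names are hypothetical.
public class LegacyMd5Upgrade {
    // Stored credential: algorithm label, salt (empty for legacy MD5), hash bytes.
    static final class Credential {
        final String algorithm; final byte[] salt; final byte[] hash;
        Credential(String algorithm, byte[] salt, byte[] hash) {
            this.algorithm = algorithm; this.salt = salt; this.hash = hash;
        }
    }
    static final int ITERATIONS = 20000; // assumed work factor for the example

    // Assumption: the old application hashed the UTF-8 bytes of the password, unsalted.
    static byte[] md5(String password) throws Exception {
        return MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] pbkdf2(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Returns the credential to store after a successful login, or null on a wrong password.
    static Credential verifyAndUpgrade(String password, Credential stored) throws Exception {
        boolean legacy = "md5".equals(stored.algorithm);
        byte[] candidate = legacy ? md5(password) : pbkdf2(password, stored.salt);
        if (!MessageDigest.isEqual(candidate, stored.hash)) return null; // constant-time compare
        if (!legacy) return stored; // already on the strong hash, nothing to change
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Credential("pbkdf2", salt, pbkdf2(password, salt)); // replaces the MD5 record
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an imported user whose only stored value is an unsalted MD5 digest.
        Credential imported = new Credential("md5", new byte[0], md5("correct horse"));
        System.out.println("wrong password -> " + verifyAndUpgrade("guess", imported));
        Credential upgraded = verifyAndUpgrade("correct horse", imported);
        System.out.println("first login upgrades to: " + upgraded.algorithm);
        System.out.println("second login still verifies: "
                + (verifyAndUpgrade("correct horse", upgraded) == upgraded));
    }
}
```

Accounts that never log in keep their MD5 record, so the password-reset route mentioned in the thread is still needed to retire those.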