I think it could be useful, if Keycloak is using an alternate hash (possibly insecure or sub-optimal), for it to hash the cleartext with ALT-HASH and, if successful, re-hash the cleartext with KEYCLOAK-HASH and store the new hash in the canonical Keycloak DB.  This would allow for rolling migration of accounts as users log in.

This way you could effectively rehash the passwords without forcing a global password reset.  After so many days (90, 120, whatever your policy), you could determine who has not logged in successfully, by finding those who don't have a KC-stored password, and force them to reset upon next login or whatnot.

On Mon, Oct 5, 2015 at 1:08 PM, Bill Burke <bburke@redhat.com> wrote:
Yeah, for now, a federation provider would be the correct approach.  But
if you're migrating we should provide a facility to plug in a hash
algorithm.  I'll add a jira.

On 10/5/2015 11:59 AM, Remi Cartier wrote:
> Hey guys,
>
> I will have to migrate from a custom in-house user management system to
> keycloak.
> We are using this algorithm to store salted/hashed passwords:
>
>     public static String hashPassword(String password, String salt) {
>         try {
>             KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
>             SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>             byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
>             return new BigInteger(1, hash).toString(16);
>         } catch (Exception x) {
>             throw new IllegalStateException(x);
>         }
>     }
>
> I was wondering, in order to ease the migration, if I could configure
> keycloak to use the same hash algorithm?
>
> Or if there are any other ways? Like maybe a federation provider, but
> then comes the question of when to push things into keycloak: at password
> change?
>
> What do you think ?
>
> Sincerely.
>
> ------------------------------------------------------------------------
>
>
> REMI CARTIER
>
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> *IMETRIK GLOBAL INC.*
> *T :* +1 514 448-6407 x2009
> *T :* +1 866 276-5382 (toll free)
> *F :* +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com <http://www.imetrik.com/>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
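The rehash-on-login scheme proposed at the top of the thread, worked through against the exact legacy algorithm Remi posted (PBKDF2WithHmacSHA1, 2048 iterations, 160-bit key, hex via BigInteger). This is an added illustration, not Keycloak's code or anything from the thread's authors; it is written in Python rather than Java so the legacy hash can be reproduced and checked stand-alone. The "new" scheme (PBKDF2-HMAC-SHA256 with a random salt, stored as a `$`-separated string) is an assumed stand-in for whatever the target IdP stores, not Keycloak's real on-disk format, and `UserRecord`, `MigratingAuthenticator`, `build_sample_store` and the sample users are constructed for the example. Note the interop detail: `BigInteger(1, hash).toString(16)` drops leading zero nibbles, so a verifier reimplementing the legacy hash must normalise both sides before comparing, which `legacy_verify` does.

```python
"""Rolling password-hash migration: verify with the legacy scheme on login,
then re-hash with the new scheme and store that instead (added example)."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Legacy scheme: mirrors the Java snippet from the thread -----------------
# PBEKeySpec(password, salt, 2048, 160) + "PBKDF2WithHmacSHA1" -> 20-byte key,
# rendered by new BigInteger(1, hash).toString(16): lowercase hex, no leading zeros.
LEGACY_ITERATIONS = 2048
LEGACY_KEY_BYTES = 160 // 8


def legacy_hex(raw: bytes) -> str:
    """Mimic BigInteger(1, raw).toString(16): leading zero nibbles are dropped."""
    return format(int.from_bytes(raw, "big"), "x")


def legacy_hash(password: str, salt: str) -> str:
    # Java's PBKDF2WithHmacSHA1 encodes the char[] as UTF-8; salt.getBytes() uses the
    # platform charset, which only matters for non-ASCII salts.
    raw = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"),
                              LEGACY_ITERATIONS, LEGACY_KEY_BYTES)
    return legacy_hex(raw)


def legacy_verify(password: str, salt: str, stored_hex: str) -> bool:
    # Normalise the stored value the same way toString(16) would have, so a hash
    # whose first byte happened to be 0x00 still compares equal.
    expected = legacy_hash(password, salt)
    normalised = stored_hex.lower().lstrip("0") or "0"
    return hmac.compare_digest(expected, normalised)


# --- New scheme: assumed stand-in for the target IdP's hash, not Keycloak's format --
NEW_ITERATIONS = 20000
NEW_KEY_BYTES = 32


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)  # fresh random salt per user
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              NEW_ITERATIONS, NEW_KEY_BYTES)
    return "pbkdf2-sha256$%d$%s$%s" % (
        NEW_ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(raw).decode())


def new_verify(password: str, stored: str) -> bool:
    _algo, iters, salt_b64, hash_b64 = stored.split("$")
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              base64.b64decode(salt_b64), int(iters), NEW_KEY_BYTES)
    return hmac.compare_digest(base64.b64encode(raw).decode(), hash_b64)


@dataclass
class UserRecord:  # hypothetical store record
    username: str
    legacy_salt: Optional[str] = None
    legacy_hash: Optional[str] = None
    new_hash: Optional[str] = None  # present once the user has logged in since cutover


class MigratingAuthenticator:
    """Authenticate against whichever hash the user has; upgrade on a legacy success."""

    def __init__(self, users: Dict[str, UserRecord]):
        self.users = users

    def authenticate(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        if user.new_hash is not None:           # already migrated: new scheme only
            return new_verify(password, user.new_hash)
        if user.legacy_hash is None or user.legacy_salt is None:
            return False
        if not legacy_verify(password, user.legacy_salt, user.legacy_hash):
            return False
        # Legacy check passed and the cleartext is in hand: re-hash with the new
        # scheme, store it, and drop the legacy material so it cannot be reused.
        user.new_hash = new_hash(password)
        user.legacy_hash = None
        user.legacy_salt = None
        return True

    def not_yet_migrated(self) -> List[str]:
        """Users still without a new-scheme hash: the set to force-reset after the policy window."""
        return sorted(u.username for u in self.users.values() if u.new_hash is None)


def build_sample_store() -> Dict[str, UserRecord]:
    # Constructed sample data: two users who only have legacy hashes.
    return {
        "alice": UserRecord("alice", "salt-a", legacy_hash("correct horse", "salt-a")),
        "bob": UserRecord("bob", "salt-b", legacy_hash("hunter2", "salt-b")),
    }


if __name__ == "__main__":
    auth = MigratingAuthenticator(build_sample_store())
    print("before:", auth.not_yet_migrated())
    print("alice login:", auth.authenticate("alice", "correct horse"))
    print("after:", auth.not_yet_migrated())
```

After the policy window (90 or 120 days, as the poster suggests), `not_yet_migrated()` is the list of accounts to force through a reset; everyone else has been transparently moved to the new scheme without a global reset.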