Great explanation Scott, thank you for the details.
Thanks to bill too for his reply.
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
On Oct 5, 2015, at 1:13 PM, Scott Rossillo
<srossillo@smartling.com<mailto:srossillo@smartling.com>> wrote:
I’d recommend using a federation provider. Others may have another opinion but here’s the
approach I like, using a federation provider:
Create the user when Keycloak calls one of these methods on the federation provider and
the user exists in the legacy system:
UserFederationProvider.getUserByUsername()
UserFederationProvider.getUserByEmail()
This creates the federation link. However, do not set a password for the user yet (you
wouldn’t know what to set it to yet anyway). Then, when Keycloak calls:
UserFederationProvider.validCredentials(RealmModel realm, UserModel user,
List<UserCredentialModel> input)
query your legacy system to see if the given user and password combination is valid. If
so:
1. Update the user (in Keycloak) to have password supplied in
List<UserCredentialModel> input
2. Break the federation link (session.userStorage().getUserById(user.getId(),
realm).setFederationLink(null);)
I’m going to publish a template for migrating users using this approach soon. For now, I
hope this is enough to get you going in the right direction if you choose the federation
provider approach.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com<mailto:srossillo@smartling.com>
[Latest News +
Events]<https://app.sigstr.com/uc/55e5d41c6533390d03580000>
[Powered by
Sigstr]<http://www.sigstr.com/>
On Oct 5, 2015, at 11:59 AM, Remi Cartier
<remi.cartier@imetrik.com<mailto:remi.cartier@imetrik.com>> wrote:
Hey guys,
I will have to migrate from a custom in house user management system to keycloak.
We are using this algorithm to store salted/hashed password :
public static String hashPassword(String password, String salt) {
try {
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(),
2048, 160);
SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
return new BigInteger(1, hash).toString(16);
} catch (Exception x) {
throw new IllegalStateException(x);
}
}
I was wondering, in order to ease the migration, if I could configure keycloak to use the
same hash algorithm ?
Or if there was any other ways ? Like maybe a federation provider, but then comes the
question when to push things into keycloak, at password change ?
What do you think ?
Sincerely.
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user