Ok Stian.
I will try to implement auth_spi.
Btw, if you need any early adopters for your new Password Hashing SPI
feature, we will gladly use it in our new "Restcomm as a Service"
implementation and send feedback.
Thanks
Orestis
Telestax
On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
On 1 December 2015 at 15:39, Orestis Tsakiridis <
orestis.tsakiridis(a)telestax.com> wrote:
> Thanks Stian.
>
> Can you send me some documentation or source code pointers about
> "modifying the password authenticator"? Are we talking about a Java class,
> overriding login form? sth else?
>
>
>
> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> So looks like we will indeed have password hash spi in 1.8. It'll be
>> released in early January.
>>
>> If you can't wait for that I think it would be better to not import
>> users with a password at all and instead send reset password links to their
>> email address. That would assume all users have emails registered. Or you
>> could also modify the password authenticator and make it run md5 on the value
>> of the input password for users that haven't updated their password yet.
>>
>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>> orestis.tsakiridis(a)telestax.com> wrote:
>>
>>> Ok, so I guess I'll have to go with a workaround, password reset, etc.
>>> as I've described.
>>>
>>> Thanks Stian
>>>
>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger(a)redhat.com>
>>> wrote:
>>>
>>>> We are planning to add a Password Hashing SPI, which will allow
>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>
>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>> orestis.tsakiridis(a)telestax.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'm trying to create some migration scripts that will port users from
>>>>> Application1 into keycloak. Users in Application1 already have usernames,
>>>>> passwords etc. I use the admin rest api to create the users.
>>>>>
>>>>> The problem I'm facing is that user passwords in Application1
>>>>> database are already hashed using md5. So, I don't really know the actual
>>>>> passwords (security wise that makes sense).
>>>>>
>>>>> The only solution I've come down to is to store the passwords as they are
>>>>> in keycloak (md5ed) and tell the users to use the hashed value instead of
>>>>> the plaintext one when signing in. Then, force them to reset passwords. Not
>>>>> the best UX :-(
>>>>>
>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>> in, first hash his password with md5 and then compare to the value stored in
>>>>> db" or sth like that?
>>>>>
>>>>> Any alternatives come to mind?
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> Orestis
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
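
The workaround suggested in the thread (MD5 the typed password for users who have not updated their password yet), sketched as an added example that is not part of the original messages and does not use the Keycloak API. It assumes Application1 stored unsalted hex MD5 of the UTF-8 password; the user record layout, the algorithm labels, the PBKDF2 parameters and all function names are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def legacy_md5_hex(password: str) -> str:
    # Assumption: the old application stored unsalted hex MD5 of the UTF-8 password.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_credential(password: str) -> dict:
    # Salted PBKDF2-HMAC-SHA256 record that replaces the imported MD5 value.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"algorithm": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def import_legacy_user(username: str, md5_hash: str) -> dict:
    # The migration script stores the old hash as-is and tags it as legacy.
    return {"username": username,
            "credential": {"algorithm": "legacy-md5", "hash": md5_hash}}


def verify_and_upgrade(user: dict, password: str) -> bool:
    cred = user["credential"]
    if cred["algorithm"] == "legacy-md5":
        # Constant-time comparison of MD5(input) against the imported hash.
        if not hmac.compare_digest(legacy_md5_hex(password), cred["hash"].lower()):
            return False
        # The plaintext is only available at this moment: re-hash it with the
        # strong scheme and drop the MD5 value so it is never accepted again.
        user["credential"] = new_credential(password)
        return True
    if cred["algorithm"] == "pbkdf2-sha256":
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(cred["salt"]),
                                     cred["iterations"])
        return hmac.compare_digest(digest.hex(), cred["hash"])
    return False  # unknown algorithm label: fail closed
```

Accounts that never log in keep their MD5 hash, so a migration like this is usually paired with the other option from the thread: a forced password reset for users still tagged as legacy after a cutoff date.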