Re: [keycloak-user] Porting user passwords to keycloak

Btw, hHere is a screenshot of the 'switch' i referred to: On Mon, Dec 21, 2015 at 2:47 PM, Orestis Tsakiridis < orestis.tsakiridis(a)telestax.com&gt; wrote: > Hello again! > > So, i've recently pulled your master branch and started working on it > (HEAD was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password > hashing SPI. > > Actually, i implemented PasswordHashProvider and > PasswordHashProviderFactory and created a provider .jar as described in > http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html > . > > So, all went fine there. Deployment on keycloak had no issues too. > > I'm wondering however how i enable this custom Password Hash Provider. Is > there a switch that instead of using the "Pbkdf2PasswordHashProvider" to > use my custom "RestcommPasswordHashProvider". > > All i've found is the "Authentication/Password Policy/Hash algorithm" in > the Administration Console UI that directly maps to > "Pbkdf2PasswordHashProvider" but adding a new entry and changing this > to "restcomm-md5" (the id of the new provider) seems to have no effect. > > Any ideas ? > > > > On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis < > orestis.tsakiridis(a)telestax.com&gt; wrote: > >> Great! I will keep an eye on it. >> >> BR >> >> Orestis >> >> On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen <sthorger(a)redhat.com&gt; >> wrote: >> >>> That'd be great. If you watch this >>> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in >>> master. >>> >>> Hopefully it should be added within a few days. >>> >>> On 3 December 2015 at 10:08, Orestis Tsakiridis < >>> orestis.tsakiridis(a)telestax.com&gt; wrote: >>> >>>> Ok Stian. >>>> >>>> I will try to implement auth_spi. >>>> >>>> Btw, if you need any early adopters for your new Password Hashing SPI >>>> feature, we will gladly use it in our new "Restcomm as a Service" >>>> implementation and send feedback. >>>> >>>> >>>> Thanks >>>> >>>> Orestis >>>> >>>> Telestax >>>> >>>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger(a)redhat.com&gt; >>>> wrote: >>>> >>>>> >>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html >>>>> >>>>> On 1 December 2015 at 15:39, Orestis Tsakiridis < >>>>> orestis.tsakiridis(a)telestax.com&gt; wrote: >>>>> >>>>>> Thanks Stian. >>>>>> >>>>>> Can you send me some documentation or source code pointers about >>>>>> "modifying the password authenticator" ? Are we talking about a Java class, >>>>>> overriding login form ? sth else? >>>>>> >>>>>> >>>>>> >>>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen < >>>>>> sthorger(a)redhat.com&gt; wrote: >>>>>> >>>>>>> So looks like we will indeed have password hash spi in 1.8. It'll >>>>>>> be released in early January. >>>>>>> >>>>>>> If you can't wait for that I think it would be better to not import >>>>>>> users with a password at all and instead send reset password links to their >>>>>>> email address. That would assume all users have emails registered. Or you >>>>>>> could also modify the password authenticator and make it run md5 the value >>>>>>> of the input password for users that haven't updated their password yet. >>>>>>> >>>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis < >>>>>>> orestis.tsakiridis(a)telestax.com&gt; wrote: >>>>>>> >>>>>>>> Ok, so i guess i'll have to go with a workaround, password reset, >>>>>>>> etc as i've described. >>>>>>>> >>>>>>>> Thanks Stian >>>>>>>> >>>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen < >>>>>>>> sthorger(a)redhat.com&gt; wrote: >>>>>>>> >>>>>>>>> We are planning to add a Password Hashing SPI, which will allow >>>>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though. >>>>>>>>> >>>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis < >>>>>>>>> orestis.tsakiridis(a)telestax.com&gt; wrote: >>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> I'm trying to create some migration scripts that will port users >>>>>>>>>> from Application1 into keycloak. Users in Application1 already have >>>>>>>>>> usernames, passwords etc. I use the admin rest api to create the users. >>>>>>>>>> >>>>>>>>>> The problem i'm facing is that user passwords in Application1 >>>>>>>>>> database are already hashed using md5. So, i don't really know the actual >>>>>>>>>> passwords (security wise that makes sense). >>>>>>>>>> >>>>>>>>>> The only solution i've come down to is store the password as >>>>>>>>>> they are in keycloak (md5ed) and tell the users to use the hashed value >>>>>>>>>> instead of the plaintext one wieh signing in. Then, force them to reset >>>>>>>>>> passwords. Not the best UX :-( >>>>>>>>>> >>>>>>>>>> Is there a way to tell keycloak that "these passwords are >>>>>>>>>> already hashed in md5" so, "store them as they are" and "when a user tries >>>>>>>>>> to sign in, first hash his password with md5 and the compare to the value >>>>>>>>>> stored in db" or sth like that? >>>>>>>>>> >>>>>>>>>> Any alternatives come to mind ? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Regards >>>>>>>>>> >>>>>>>>>> Orestis >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user(a)lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >