Re: [keycloak-user] Password Hashing in custom User Storage Provider

Sunday, 26 March 2017

If your external store stores passwords, then your UserStorageProvider 
is responsible for validating and storing these passwords.  This means 
that your provider must implement the CredtialInputValidator and 
CredentialInputUpdater interfaces. You'll notice that these interfades 
provide no way of getting at the raw credential.  So therefore, if you 
do not store passwords in Keycloak, the PasswordHashProviders are not 
invoked.   This is by design.

On 3/26/17 9:51 AM, Danny Trunk wrote:
...
 Hi,

 when implementing my own User Storage Provider I've noticed that the
 password has to be raw in my database as no Password Hash Provider is
 getting triggered.

 The User Storage Provider is based on the JPA Example located here:
 https://github.com/keycloak/keycloak/tree/master/examples/providers/user-...

 When adding some logging into the isValid method of the Provider to see
 whats the content of password and cred.getValue() I can see that
 password (the one from the database) is hashed whereas cred.getValue()
 isn't. That's why it mismatches and the user can see an invalid
 credentials error message.

 Do I have to call all (as I could have multiple algorithms in my
 database without any information which algorithm it is)
 PasswordHashProvider myself in this method? I guess that's not the
 intended behaviour of the Password Hash Providers?!

 Could it be a bug in Keycloak?

 _______________________________________________
 keycloak-user mailing list
 keycloak-user(a)lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user 

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] Password Hashing in custom User Storage Provider