Thank you. That helped me a lot.
On 26.03.2017 at 17:18, Bill Burke wrote:
If your external store stores passwords, then your UserStorageProvider
is responsible for validating and storing these passwords. This means
that your provider must implement the CredentialInputValidator and
CredentialInputUpdater interfaces. You'll notice that these interfaces
provide no way of getting at the raw credential. So therefore, if you
do not store passwords in Keycloak, the PasswordHashProviders are not
invoked. This is by design.
On 3/26/17 9:51 AM, Danny Trunk wrote:
> Hi,
>
> when implementing my own User Storage Provider I've noticed that the
> password has to be raw in my database as no Password Hash Provider is
> getting triggered.
>
> The User Storage Provider is based on the JPA Example located here:
>
> https://github.com/keycloak/keycloak/tree/master/examples/providers/user-...
>
> When adding some logging into the isValid method of the Provider to see
> what's the content of password and cred.getValue() I can see that
> password (the one from the database) is hashed whereas cred.getValue()
> isn't. That's why it mismatches and the user can see an invalid
> credentials error message.
>
> Do I have to call all (as I could have multiple algorithms in my
> database without any information which algorithm it is)
> PasswordHashProvider myself in this method? I guess that's not the
> intended behaviour of the Password Hash Providers?!
>
> Could it be a bug in Keycloak?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
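
An added example (not from the thread and not Keycloak's own code): a JDK-only helper showing the check a provider's `isValid` has to do itself when the external store holds hashed passwords and the input arrives raw. The class name `StoredPasswordVerifier`, the `pbkdf2-sha256$...` record format (which stores the algorithm alongside the hash) and the sample passwords are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper: the provider's isValid(...) would pass the raw input
// (cred.getValue()) and the value read from the external database to matches().
public final class StoredPasswordVerifier {

    // Constructed storage format: pbkdf2-sha256$<iterations>$<saltB64>$<hashB64>
    static String encode(char[] raw, int iterations) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(raw, salt, iterations, 32);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2-sha256$" + iterations + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(hash);
    }

    // Re-derives the hash from the raw input using the stored parameters.
    static boolean matches(char[] raw, String stored) {
        try {
            String[] p = stored.split("\\$");
            if (p.length != 4 || !p[0].equals("pbkdf2-sha256")) {
                return false; // unknown scheme: reject instead of guessing
            }
            int iterations = Integer.parseInt(p[1]);
            byte[] salt = Base64.getDecoder().decode(p[2]);
            byte[] expected = Base64.getDecoder().decode(p[3]);
            byte[] actual = pbkdf2(raw, salt, iterations, expected.length);
            return MessageDigest.isEqual(expected, actual); // constant-time compare
        } catch (Exception e) {
            return false; // a malformed record never validates
        }
    }

    private static byte[] pbkdf2(char[] raw, byte[] salt, int iter, int len) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(raw, salt, iter, len * 8);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        String stored = encode("s3cret-constructed".toCharArray(), 210_000);
        System.out.println(matches("s3cret-constructed".toCharArray(), stored));
        System.out.println(matches("wrong-constructed".toCharArray(), stored));
    }
}
```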