10:59 a.m.
Hey guys,
I will have to migrate from a custom in house user management system to keycloak.
We are using this algorithm to store salted/hashed password :
public static String hashPassword(String password, String salt) {
try {
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(),
2048, 160);
SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
return new BigInteger(1, hash).toString(16);
} catch (Exception x) {
throw new IllegalStateException(x);
}
}
I was wondering, in order to ease the migration, if I could configure keycloak to use the
same hash algorithm ?
Or if there was any other ways ? Like maybe a federation provider, but then comes the
question when to push things into keycloak, at password change ?
What do you think ?
Sincerely.
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
12:08 p.m.
Yeah, for now, federation provider would be the correct approach. But
if you're migrating we should provide a facility to plug in hash
algorithm. I'll add a jira.
On 10/5/2015 11:59 AM, Remi Cartier wrote:
Hey guys,
I will have to migrate from a custom in house user management system to
keycloak.
We are using this algorithm to store salted/hashed password :
public static String hashPassword(String password, String salt) {
try {
KeySpec keySpec = new PBEKeySpec(password.toCharArray(),
salt.getBytes(), 2048, 160);
SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash =
secretKeyFactory.generateSecret(keySpec).getEncoded();
return new BigInteger(1, hash).toString(16);
} catch (Exception x) {
throw new IllegalStateException(x);
}
}
I was wondering, in order to ease the migration, if I could configure
keycloak to use the same hash algorithm ?
Or if there was any other ways ? Like maybe a federation provider, but
then comes the question when to push things into keycloak, at password
change ?
What do you think ?
Sincerely.
------------------------------------------------------------------------
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
*IMETRIK GLOBAL INC.*
*T :* +1 514 448-6407 x2009
*T :* +1 866 276-5382 (toll free)
*F :* +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com <http://www.imetrik.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:17 p.m.
I think it could be useful that if a Keycloak is using an alternate hash
(possibly insecure or sub-optimal), that it hashes the cleartext with
ALT-HASH, and if successful, re-hashes the cleartext with KEYCLOAK-HASH and
stores the new hash in the canonical Keycloak DB. This would allow for
rolling migration of accounts as users login.
This way you could effectively rehash the passwords without forcing a
global password reset. After so many days (90, 120, whatever your policy),
you could determine who has not logged in successfully, by finding those
who don't have a KC-stored password, and force them to reset upon next
login or whatnot.
On Mon, Oct 5, 2015 at 1:08 PM, Bill Burke <bburke(a)redhat.com> wrote:
Yeah, for now, federation provider would be the correct approach.
But
if you're migrating we should provide a facility to plug in hash
algorithm. I'll add a jira.
On 10/5/2015 11:59 AM, Remi Cartier wrote:
> Hey guys,
>
> I will have to migrate from a custom in house user management system to
> keycloak.
> We are using this algorithm to store salted/hashed password :
>
> public static String hashPassword(String password, String salt) {
> try {
> KeySpec keySpec = new PBEKeySpec(password.toCharArray(),
> salt.getBytes(), 2048, 160);
> SecretKeyFactory secretKeyFactory =
> SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
> byte[] hash =
> secretKeyFactory.generateSecret(keySpec).getEncoded();
> return new BigInteger(1, hash).toString(16);
> } catch (Exception x) {
> throw new IllegalStateException(x);
> }
> }
>
> I was wondering, in order to ease the migration, if I could configure
> keycloak to use the same hash algorithm ?
>
> Or if there was any other ways ? Like maybe a federation provider, but
> then comes the question when to push things into keycloak, at password
> change ?
>
> What do you think ?
>
> Sincerely.
>
> ------------------------------------------------------------------------
>
>
> REMI CARTIER
>
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> *IMETRIK GLOBAL INC.*
> *T :* +1 514 448-6407 x2009
> *T :* +1 866 276-5382 (toll free)
> *F :* +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com <http://www.imetrik.com/>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:13 p.m.
I’d recommend using a federation provider. Others may have another opinion but here’s the
approach I like, using a federation provider:
Create the user when Keycloak calls one of these methods on the federation provider and
the user exists in the legacy system:
UserFederationProvider.getUserByUsername()
UserFederationProvider.getUserByEmail()
This creates the federation link. However, do not set a password for the user yet (you
wouldn’t know what to set it to yet anyway). Then, when Keycloak calls:
UserFederationProvider.validCredentials(RealmModel realm, UserModel user,
List<UserCredentialModel> input)
query your legacy system to see if the given user and password combination is valid. If
so:
1. Update the user (in Keycloak) to have password supplied in
List<UserCredentialModel> input
2. Break the federation link (session.userStorage().getUserById(user.getId(),
realm).setFederationLink(null);)
I’m going to publish a template for migrating users using this approach soon. For now, I
hope this is enough to get you going in the right direction if you choose the federation
provider approach.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
<https://app.sigstr.com/uc/55e5d41c6533390d03580000>
<http://www.sigstr.com/>
On Oct 5, 2015, at 11:59 AM, Remi Cartier
<remi.cartier(a)imetrik.com> wrote:
Hey guys,
I will have to migrate from a custom in house user management system to keycloak.
We are using this algorithm to store salted/hashed password :
public static String hashPassword(String password, String salt) {
try {
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(),
2048, 160);
SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
return new BigInteger(1, hash).toString(16);
} catch (Exception x) {
throw new IllegalStateException(x);
}
}
I was wondering, in order to ease the migration, if I could configure keycloak to use the
same hash algorithm ?
Or if there was any other ways ? Like maybe a federation provider, but then comes the
question when to push things into keycloak, at password change ?
What do you think ?
Sincerely.
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com <http://www.imetrik.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:16 p.m.
Great explanation Scott, thank you for the details.
Thanks to bill too for his reply.
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
On Oct 5, 2015, at 1:13 PM, Scott Rossillo
<srossillo@smartling.com<mailto:srossillo@smartling.com>> wrote:
I’d recommend using a federation provider. Others may have another opinion but here’s the
approach I like, using a federation provider:
Create the user when Keycloak calls one of these methods on the federation provider and
the user exists in the legacy system:
UserFederationProvider.getUserByUsername()
UserFederationProvider.getUserByEmail()
This creates the federation link. However, do not set a password for the user yet (you
wouldn’t know what to set it to yet anyway). Then, when Keycloak calls:
UserFederationProvider.validCredentials(RealmModel realm, UserModel user,
List<UserCredentialModel> input)
query your legacy system to see if the given user and password combination is valid. If
so:
1. Update the user (in Keycloak) to have password supplied in
List<UserCredentialModel> input
2. Break the federation link (session.userStorage().getUserById(user.getId(),
realm).setFederationLink(null);)
I’m going to publish a template for migrating users using this approach soon. For now, I
hope this is enough to get you going in the right direction if you choose the federation
provider approach.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com<mailto:srossillo@smartling.com>
[Latest News + Events]<https://app.sigstr.com/uc/55e5d41c6533390d03580000>
[Powered by Sigstr]<http://www.sigstr.com/>
On Oct 5, 2015, at 11:59 AM, Remi Cartier
<remi.cartier@imetrik.com<mailto:remi.cartier@imetrik.com>> wrote:
Hey guys,
I will have to migrate from a custom in house user management system to keycloak.
We are using this algorithm to store salted/hashed password :
public static String hashPassword(String password, String salt) {
try {
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(),
2048, 160);
SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
return new BigInteger(1, hash).toString(16);
} catch (Exception x) {
throw new IllegalStateException(x);
}
}
I was wondering, in order to ease the migration, if I could configure keycloak to use the
same hash algorithm ?
Or if there was any other ways ? Like maybe a federation provider, but then comes the
question when to push things into keycloak, at password change ?
What do you think ?
Sincerely.
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:17 p.m.
Me again,
I have written some simple FederationProvider for my migration case.
I put them on pastebin here :
http://pastebin.com/sqt2Pm3P - JdbcUserFederationProviderFactory
http://pastebin.com/5JJyb7bm - JdbcUserFederationProvider
I tried to follow your recommendations.
Does it seem to make sense ?
Thank you guys !
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
On Oct 5, 2015, at 1:13 PM, Scott Rossillo
<srossillo@smartling.com<mailto:srossillo@smartling.com>> wrote:
I’d recommend using a federation provider. Others may have another opinion but here’s the
approach I like, using a federation provider:
Create the user when Keycloak calls one of these methods on the federation provider and
the user exists in the legacy system:
UserFederationProvider.getUserByUsername()
UserFederationProvider.getUserByEmail()
This creates the federation link. However, do not set a password for the user yet (you
wouldn’t know what to set it to yet anyway). Then, when Keycloak calls:
UserFederationProvider.validCredentials(RealmModel realm, UserModel user,
List<UserCredentialModel> input)
query your legacy system to see if the given user and password combination is valid. If
so:
1. Update the user (in Keycloak) to have password supplied in
List<UserCredentialModel> input
2. Break the federation link (session.userStorage().getUserById(user.getId(),
realm).setFederationLink(null);)
I’m going to publish a template for migrating users using this approach soon. For now, I
hope this is enough to get you going in the right direction if you choose the federation
provider approach.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com<mailto:srossillo@smartling.com>
[Latest News + Events]<https://app.sigstr.com/uc/55e5d41c6533390d03580000>
[Powered by Sigstr]<http://www.sigstr.com/>
On Oct 5, 2015, at 11:59 AM, Remi Cartier
<remi.cartier@imetrik.com<mailto:remi.cartier@imetrik.com>> wrote:
Hey guys,
I will have to migrate from a custom in house user management system to keycloak.
We are using this algorithm to store salted/hashed password :
public static String hashPassword(String password, String salt) {
try {
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(),
2048, 160);
SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
return new BigInteger(1, hash).toString(16);
} catch (Exception x) {
throw new IllegalStateException(x);
}
}
I was wondering, in order to ease the migration, if I could configure keycloak to use the
same hash algorithm ?
Or if there was any other ways ? Like maybe a federation provider, but then comes the
question when to push things into keycloak, at password change ?
What do you think ?
Sincerely.
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:21 p.m.
Looks good. To answer your question on PasteBin about setting fields: this
is going to be implementation specific but the way to set them on the
Keycloak user model is below.
RemoteUser remoteUser = // get legacy system user, replace getters
below with methods matching your domain
userModel.setFederationLink(model.getId());
userModel.setEnabled(remoteUser.isEnabled()); // or set to true
userModel.setEmail(username); // assume username is email, if not
get email from data source
userModel.setEmailVerified(remoteUser.isEmailVerified()); // or set
to true
userModel.setFirstName(remoteUser.getFirstName());
userModel.setLastName(remoteUser.getLastName());
~ Scott
On Mon, Oct 5, 2015 at 2:17 PM, Remi Cartier <remi.cartier(a)imetrik.com>
wrote:
Me again,
I have written some simple FederationProvider for my migration case.
I put them on pastebin here :
http://pastebin.com/sqt2Pm3P - JdbcUserFederationProviderFactory
http://pastebin.com/5JJyb7bm - JdbcUserFederationProvider
I tried to follow your recommendations.
Does it seem to make sense ?
Thank you guys !
------------------------------
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
*IMETRIK GLOBAL INC.*
*T :* +1 514 448-6407 x2009
*T :* +1 866 276-5382 (toll free)
*F :* +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com <http://www.imetrik.com/>
On Oct 5, 2015, at 1:13 PM, Scott Rossillo <srossillo(a)smartling.com>
wrote:
I’d recommend using a federation provider. Others may have another opinion
but here’s the approach I like, using a federation provider:
Create the user when Keycloak calls one of these methods on the federation
provider and the user exists in the legacy system:
UserFederationProvider.getUserByUsername()
UserFederationProvider.getUserByEmail()
This creates the federation link. However, do not set a password for the
user yet (you wouldn’t know what to set it to yet anyway). Then, when
Keycloak calls:
UserFederationProvider.validCredentials(RealmModel realm, UserModel
user, List<UserCredentialModel> input)
query your legacy system to see if the given user and password combination
is valid. If so:
1. Update the user (in Keycloak) to have password supplied in
List<UserCredentialModel> input
2. Break the federation link
(session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);)
I’m going to publish a template for migrating users using this approach
soon. For now, I hope this is enough to get you going in the right
direction if you choose the federation provider approach.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
[image: Latest News + Events]
<https://app.sigstr.com/uc/55e5d41c6533390d03580000>
[image: Powered by Sigstr] <http://www.sigstr.com/>
On Oct 5, 2015, at 11:59 AM, Remi Cartier <remi.cartier(a)imetrik.com>
wrote:
Hey guys,
I will have to migrate from a custom in house user management system to
keycloak.
We are using this algorithm to store salted/hashed password :
public static String hashPassword(String password, String salt) {
try {
KeySpec keySpec = new PBEKeySpec(password.toCharArray(),
salt.getBytes(), 2048, 160);
SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash =
secretKeyFactory.generateSecret(keySpec).getEncoded();
return new BigInteger(1, hash).toString(16);
} catch (Exception x) {
throw new IllegalStateException(x);
}
}
I was wondering, in order to ease the migration, if I could configure
keycloak to use the same hash algorithm ?
Or if there was any other ways ? Like maybe a federation provider, but
then comes the question when to push things into keycloak, at password
change ?
What do you think ?
Sincerely.
------------------------------
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
*IMETRIK GLOBAL INC.*
*T :* +1 514 448-6407 x2009
*T :* +1 866 276-5382 (toll free)
*F :* +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com <http://www.imetrik.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3374
days inactive
3374
days old
6 comments
4 participants
participants (4)
-
Bill Burke -
Bob McWhirter -
Remi Cartier -
Scott Rossillo