8:59 a.m.
Hi,
I've implemented a custom user storage provider and a custom password
hash provider as the user storage doesn't use Pbkdf2.
I added some logging to check if I can see it in the server.log but
there's no output from my custom password hash provider:
public class MyPasswordHashProvider implements
PasswordHashProviderFactory, PasswordHashProvider {
private static final Logger logger =
Logger.getLogger(MyPasswordHashProvider.class);
public static final String ID = "XX";
public PasswordHashProvider create(KeycloakSession session) {
logger.info(">>>>>> Creating factory");
return this;
}
public void close() {
logger.info("<<<<<< Closing provider/factory");
}
public void encode(String rawPassword, PasswordPolicy policy,
CredentialModel credential) {
logger.info("Encoding password");
String salt = getSalt();
String encodedPassword = encode(rawPassword, salt);
credential.setType(UserCredentialModel.PASSWORD);
credential.setValue(encodedPassword);
credential.setSalt(salt.getBytes());
credential.setAlgorithm(ID);
logger.info("Credential model: " + credential);
}
}
In src/main/resources/META-INF/services I've created a file called
org.keycloak.credential.hash.PasswordHashProviderFactory which contains
the fully qualified class name (including package):
com.example.keycloak.credential.hash.MyPasswordHashProvider
This is the log I can see while trying to login:
2017-03-14 14:57:14,215 INFO
[com.example.keycloak.storage.MyUserStorageProviderFactory] (default
task-4) >>>>>> Creating factory
2017-03-14 14:57:14,217 WARN [org.keycloak.events] (default task-4)
type=LOGIN_ERROR, realmId=test, clientId=test,
userId=f:dbXXXXbb-aXXf-XXXX-befb-XXXeaXcbXXbb:john.doe@example.com,
ipAddress=127.0.0.1, error=invalid_user_credentials,
auth_method=openid-connect, auth_type=code,
redirect_uri=https://XXX.XXX.XX.XX:8443/login.html,
code_id=fbfXbXXX-dfdX-Xfba-bfXX-XXXXacXXXeXe, username=john.doe(a)example.com
Do I miss something?
10:21 a.m.
Hmm, the log message should be popping up. How are you deploying your
hash provider? Is it in the same jar as the User Storage Provider? How
do you deploy this jar? What version of Keycloak?
On 3/14/17 9:59 AM, Danny Trunk wrote:
Hi,
I've implemented a custom user storage provider and a custom password
hash provider as the user storage doesn't use Pbkdf2.
I added some logging to check if I can see it in the server.log but
there's no output from my custom password hash provider:
public class MyPasswordHashProvider implements
PasswordHashProviderFactory, PasswordHashProvider {
private static final Logger logger =
Logger.getLogger(MyPasswordHashProvider.class);
public static final String ID = "XX";
public PasswordHashProvider create(KeycloakSession session) {
logger.info(">>>>>> Creating factory");
return this;
}
public void close() {
logger.info("<<<<<< Closing provider/factory");
}
public void encode(String rawPassword, PasswordPolicy policy,
CredentialModel credential) {
logger.info("Encoding password");
String salt = getSalt();
String encodedPassword = encode(rawPassword, salt);
credential.setType(UserCredentialModel.PASSWORD);
credential.setValue(encodedPassword);
credential.setSalt(salt.getBytes());
credential.setAlgorithm(ID);
logger.info("Credential model: " + credential);
}
}
In src/main/resources/META-INF/services I've created a file called
org.keycloak.credential.hash.PasswordHashProviderFactory which contains
the fully qualified class name (including package):
com.example.keycloak.credential.hash.MyPasswordHashProvider
This is the log I can see while trying to login:
2017-03-14 14:57:14,215 INFO
[com.example.keycloak.storage.MyUserStorageProviderFactory] (default
task-4) >>>>>> Creating factory
2017-03-14 14:57:14,217 WARN [org.keycloak.events] (default task-4)
type=LOGIN_ERROR, realmId=test, clientId=test,
userId=f:dbXXXXbb-aXXf-XXXX-befb-XXXeaXcbXXbb:john.doe@example.com,
ipAddress=127.0.0.1, error=invalid_user_credentials,
auth_method=openid-connect, auth_type=code,
redirect_uri=https://XXX.XXX.XX.XX:8443/login.html,
code_id=fbfXbXXX-dfdX-Xfba-bfXX-XXXXacXXXeXe, username=john.doe(a)example.com
Do I miss something?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:06 a.m.
I deployed the hash provider the same way I deployed the user storage
provider: I've put the jar files into standalone/deployments:
2017-03-15 08:03:06,012 INFO [org.jboss.as.repository]
(DeploymentScanner-threads - 2) WFLYDR0001: Content added at location
/opt/keycloak/standalone/data/content/5b/7be86171d601f1b725cec361a2ec9e4b8fb766/content
2017-03-15 08:03:06,015 INFO [org.jboss.as.server.deployment] (MSC
service thread 1-4) WFLYSRV0027: Starting deployment of
"keycloak-navcrypt-provider.jar" (runtime-name:
"keycloak-navcrypt-provider.jar")
2017-03-15 08:03:06,029 WARN [org.jboss.as.dependency.private] (MSC
service thread 1-4) WFLYSRV0018: Deployment
"deployment.keycloak-navcrypt-provider.jar" is using a private module
("org.apache.commons.codec:main") which may be changed or removed in
future versions without notice.
2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
service thread 1-4) WFLYSRV0018: Deployment
"deployment.keycloak-navcrypt-provider.jar" is using a private module
("org.apache.commons.lang:main") which may be changed or removed in
future versions without notice.
2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
service thread 1-4) WFLYSRV0018: Deployment
"deployment.keycloak-navcrypt-provider.jar" is using a private module
("org.keycloak.keycloak-server-spi-private:main") which may be changed
or removed in future versions without notice.
2017-03-15 08:03:06,040 INFO
[org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor]
(MSC service thread 1-3) Deploying Keycloak provider: {0}
2017-03-15 08:03:06,076 INFO [org.jboss.as.server]
(DeploymentScanner-threads - 2) WFLYSRV0010: Deployed
"keycloak-navcrypt-provider.jar" (runtime-name :
"keycloak-navcrypt-provider.jar")
Keycloak version is 2.5.4.Final
In Server Info > Providers I can see my provider:
password-hashing
pbkdf2
navcrypt
Maybe I misunderstood the SPI? I'm expecting the hash provider to be
called while authentication process.
Am 14.03.2017 um 16:21 schrieb Bill Burke:
Hmm, the log message should be popping up. How are you deploying
your
hash provider? Is it in the same jar as the User Storage Provider? How
do you deploy this jar? What version of Keycloak?
4:52 a.m.
This is my CredentialInputValidator.isValid implementation of the user
storage provider:
public boolean isValid(RealmModel realm, UserModel user, CredentialInput
input) {
if (!supportsCredentialType(input.getType()) || !(input instanceof
UserCredentialModel)) {
return false;
}
UserCredentialModel cred = (UserCredentialModel) input;
String password = getPassword(user);
logger.info("isValid: " + password + " - " + cred.getValue());
return password != null && password.equals(cred.getValue());
}
After adding the logging here I can see that password is the hashed
password from the db and cred.getValue() returns the raw password.
That's why I get an invalid credentials error message.
But I don't know why it's raw in cred.getValue().
Do I have to add the hash provider there manually?
Am 15.03.2017 um 08:06 schrieb Danny Trunk:
I deployed the hash provider the same way I deployed the user
storage
provider: I've put the jar files into standalone/deployments:
2017-03-15 08:03:06,012 INFO [org.jboss.as.repository]
(DeploymentScanner-threads - 2) WFLYDR0001: Content added at location
/opt/keycloak/standalone/data/content/5b/7be86171d601f1b725cec361a2ec9e4b8fb766/content
2017-03-15 08:03:06,015 INFO [org.jboss.as.server.deployment] (MSC
service thread 1-4) WFLYSRV0027: Starting deployment of
"keycloak-navcrypt-provider.jar" (runtime-name:
"keycloak-navcrypt-provider.jar")
2017-03-15 08:03:06,029 WARN [org.jboss.as.dependency.private] (MSC
service thread 1-4) WFLYSRV0018: Deployment
"deployment.keycloak-navcrypt-provider.jar" is using a private module
("org.apache.commons.codec:main") which may be changed or removed in
future versions without notice.
2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
service thread 1-4) WFLYSRV0018: Deployment
"deployment.keycloak-navcrypt-provider.jar" is using a private module
("org.apache.commons.lang:main") which may be changed or removed in
future versions without notice.
2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
service thread 1-4) WFLYSRV0018: Deployment
"deployment.keycloak-navcrypt-provider.jar" is using a private module
("org.keycloak.keycloak-server-spi-private:main") which may be changed
or removed in future versions without notice.
2017-03-15 08:03:06,040 INFO
[org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor]
(MSC service thread 1-3) Deploying Keycloak provider: {0}
2017-03-15 08:03:06,076 INFO [org.jboss.as.server]
(DeploymentScanner-threads - 2) WFLYSRV0010: Deployed
"keycloak-navcrypt-provider.jar" (runtime-name :
"keycloak-navcrypt-provider.jar")
Keycloak version is 2.5.4.Final
In Server Info > Providers I can see my provider:
password-hashing
pbkdf2
navcrypt
Maybe I misunderstood the SPI? I'm expecting the hash provider to be
called while authentication process.
Am 14.03.2017 um 16:21 schrieb Bill Burke:
> Hmm, the log message should be popping up. How are you deploying your
> hash provider? Is it in the same jar as the User Storage Provider? How
> do you deploy this jar? What version of Keycloak?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:07 a.m.
The User Storage Provider is based on the JPA Example and the Password
Hash Provider is based on the builtin Pbkdf2.
Could this be a bug in Keycloak?
Am 15.03.2017 um 10:52 schrieb Danny Trunk:
This is my CredentialInputValidator.isValid implementation of the
user
storage provider:
public boolean isValid(RealmModel realm, UserModel user, CredentialInput
input) {
if (!supportsCredentialType(input.getType()) || !(input instanceof
UserCredentialModel)) {
return false;
}
UserCredentialModel cred = (UserCredentialModel) input;
String password = getPassword(user);
logger.info("isValid: " + password + " - " + cred.getValue());
return password != null && password.equals(cred.getValue());
}
After adding the logging here I can see that password is the hashed
password from the db and cred.getValue() returns the raw password.
That's why I get an invalid credentials error message.
But I don't know why it's raw in cred.getValue().
Do I have to add the hash provider there manually?
Am 15.03.2017 um 08:06 schrieb Danny Trunk:
> I deployed the hash provider the same way I deployed the user storage
> provider: I've put the jar files into standalone/deployments:
>
> 2017-03-15 08:03:06,012 INFO [org.jboss.as.repository]
> (DeploymentScanner-threads - 2) WFLYDR0001: Content added at location
>
/opt/keycloak/standalone/data/content/5b/7be86171d601f1b725cec361a2ec9e4b8fb766/content
> 2017-03-15 08:03:06,015 INFO [org.jboss.as.server.deployment] (MSC
> service thread 1-4) WFLYSRV0027: Starting deployment of
> "keycloak-navcrypt-provider.jar" (runtime-name:
> "keycloak-navcrypt-provider.jar")
> 2017-03-15 08:03:06,029 WARN [org.jboss.as.dependency.private] (MSC
> service thread 1-4) WFLYSRV0018: Deployment
> "deployment.keycloak-navcrypt-provider.jar" is using a private module
> ("org.apache.commons.codec:main") which may be changed or removed in
> future versions without notice.
> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
> service thread 1-4) WFLYSRV0018: Deployment
> "deployment.keycloak-navcrypt-provider.jar" is using a private module
> ("org.apache.commons.lang:main") which may be changed or removed in
> future versions without notice.
> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
> service thread 1-4) WFLYSRV0018: Deployment
> "deployment.keycloak-navcrypt-provider.jar" is using a private module
> ("org.keycloak.keycloak-server-spi-private:main") which may be changed
> or removed in future versions without notice.
> 2017-03-15 08:03:06,040 INFO
> [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor]
> (MSC service thread 1-3) Deploying Keycloak provider: {0}
> 2017-03-15 08:03:06,076 INFO [org.jboss.as.server]
> (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed
> "keycloak-navcrypt-provider.jar" (runtime-name :
> "keycloak-navcrypt-provider.jar")
>
> Keycloak version is 2.5.4.Final
>
> In Server Info > Providers I can see my provider:
>
> password-hashing
>
> pbkdf2
> navcrypt
>
> Maybe I misunderstood the SPI? I'm expecting the hash provider to be
> called while authentication process.
>
> Am 14.03.2017 um 16:21 schrieb Bill Burke:
>> Hmm, the log message should be popping up. How are you deploying your
>> hash provider? Is it in the same jar as the User Storage Provider? How
>> do you deploy this jar? What version of Keycloak?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:50 a.m.
Maybe someone could help me finding the location where the password
hashing provider should be called.
So I could take a look into the code what happens.
Am 17.03.2017 um 12:07 schrieb Danny Trunk:
The User Storage Provider is based on the JPA Example and the
Password
Hash Provider is based on the builtin Pbkdf2.
Could this be a bug in Keycloak?
Am 15.03.2017 um 10:52 schrieb Danny Trunk:
> This is my CredentialInputValidator.isValid implementation of the user
> storage provider:
>
> public boolean isValid(RealmModel realm, UserModel user, CredentialInput
> input) {
> if (!supportsCredentialType(input.getType()) || !(input instanceof
> UserCredentialModel)) {
> return false;
> }
>
> UserCredentialModel cred = (UserCredentialModel) input;
> String password = getPassword(user);
>
> logger.info("isValid: " + password + " - " +
cred.getValue());
> return password != null && password.equals(cred.getValue());
> }
>
> After adding the logging here I can see that password is the hashed
> password from the db and cred.getValue() returns the raw password.
>
> That's why I get an invalid credentials error message.
>
> But I don't know why it's raw in cred.getValue().
>
> Do I have to add the hash provider there manually?
>
>
> Am 15.03.2017 um 08:06 schrieb Danny Trunk:
>> I deployed the hash provider the same way I deployed the user storage
>> provider: I've put the jar files into standalone/deployments:
>>
>> 2017-03-15 08:03:06,012 INFO [org.jboss.as.repository]
>> (DeploymentScanner-threads - 2) WFLYDR0001: Content added at location
>>
/opt/keycloak/standalone/data/content/5b/7be86171d601f1b725cec361a2ec9e4b8fb766/content
>> 2017-03-15 08:03:06,015 INFO [org.jboss.as.server.deployment] (MSC
>> service thread 1-4) WFLYSRV0027: Starting deployment of
>> "keycloak-navcrypt-provider.jar" (runtime-name:
>> "keycloak-navcrypt-provider.jar")
>> 2017-03-15 08:03:06,029 WARN [org.jboss.as.dependency.private] (MSC
>> service thread 1-4) WFLYSRV0018: Deployment
>> "deployment.keycloak-navcrypt-provider.jar" is using a private module
>> ("org.apache.commons.codec:main") which may be changed or removed in
>> future versions without notice.
>> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
>> service thread 1-4) WFLYSRV0018: Deployment
>> "deployment.keycloak-navcrypt-provider.jar" is using a private module
>> ("org.apache.commons.lang:main") which may be changed or removed in
>> future versions without notice.
>> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC
>> service thread 1-4) WFLYSRV0018: Deployment
>> "deployment.keycloak-navcrypt-provider.jar" is using a private module
>> ("org.keycloak.keycloak-server-spi-private:main") which may be changed
>> or removed in future versions without notice.
>> 2017-03-15 08:03:06,040 INFO
>> [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor]
>> (MSC service thread 1-3) Deploying Keycloak provider: {0}
>> 2017-03-15 08:03:06,076 INFO [org.jboss.as.server]
>> (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed
>> "keycloak-navcrypt-provider.jar" (runtime-name :
>> "keycloak-navcrypt-provider.jar")
>>
>> Keycloak version is 2.5.4.Final
>>
>> In Server Info > Providers I can see my provider:
>>
>> password-hashing
>>
>> pbkdf2
>> navcrypt
>>
>> Maybe I misunderstood the SPI? I'm expecting the hash provider to be
>> called while authentication process.
>>
>> Am 14.03.2017 um 16:21 schrieb Bill Burke:
>>> Hmm, the log message should be popping up. How are you deploying your
>>> hash provider? Is it in the same jar as the User Storage Provider? How
>>> do you deploy this jar? What version of Keycloak?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2843
days inactive
2850
days old
5 comments
2 participants
participants (2)
-
Bill Burke -
Danny Trunk