Hello Leonid,
I think this was for performance reasons, simply to avoid two unnecessary (in this case)
base64 transformations.
Cheers,
Alistair
From: Leonid Rozenblyum <lrozenblyum(a)gmail.com>
Sent: Tuesday, 19 November 2019 11:45
To: Doswald Alistair <alistair.doswald(a)elca.ch>
Cc: keycloak-user(a)lists.jboss.org; Poiffaut Romain <romain.poiffaut(a)elca.ch>
Subject: Re: [keycloak-user] Keycloak 8: CredentialRepresentation algorithm
Hello Alistair!
Your suggestions PasswordCredentialModel.createFromValues and
ModelToRepresentation.toRepresentation match our needs really well.
We're migrating from a legacy MD5-based storage and this combination suits
perfectly.
Thanks for the deep explanation on the new credentials model!
Just wondering: I found that this code
org.keycloak.models.utils.RepresentationToModel.convertDeprecatedCredentialsFormat(UserRepresentation)
doesn't execute direct serialization for passwords and instead handcrafts the JSON.
    // Created this manually to avoid conversion from Base64 and back
    cred.setSecretData("{\"value\":\"" + cred.getHashedSaltedValue()
            + "\",\"salt\":\"" + cred.getSalt() + "\"}");
Is it due to performance reasons or possible escaping issues?
(I'm going to execute the methods you suggested but anyway maybe there are some issues
I should take care about).
On Tue, Nov 19, 2019 at 12:04 PM Doswald Alistair
<alistair.doswald@elca.ch> wrote:
Hello Leonid,
Can I have a more complete description of your use case? Without knowing how you imported
from the legacy storage, I'm not sure how to answer this.
However, I can give some context into the new credential format and why the previous
methods were deprecated, and maybe it'll help:
Before, credentials were only password and OTP, but now it's intended that Keycloak
handle any number of credential types, both in Keycloak (for example WebAuthn that was
added in Keycloak 8), and with extensions that 3rd parties wish to add. The definition of
credentials in the database has been modified to accommodate this change, there's
information in the documentation on this here:
https://www.keycloak.org/docs/latest/server_development/index.html#extend....
Basically, credential-type specific information is now held as json within two fields:
* secret_data: for information that must not leave the database,
* credential_data: for non-sensitive data that is available in the administration GUI, and
can be transmitted via the REST API.
There are classes in Keycloak that allow the serialization and de-serialization of this
json. For passwords it is now the PasswordCredentialModel (see
https://github.com/keycloak/keycloak/blob/master/server-spi/src/main/java...)
. If you're passing by a CredentialRepresentation object for importing legacy
passwords, you can:
1. Use the static method PasswordCredentialModel.createFromValues (String algorithm,
byte[] salt, int hashIterations, String encodedPassword), which will create a
CredentialModel with the correct format.
2. Use the static method ModelToRepresentation.toRepresentation(CredentialModel cred) to
get a CredentialRepresentation.
I hope this helps, and if not, I'll try to answer your next questions.
Alistair Doswald
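As an added example (not code from this thread or from the Keycloak project itself), the two calls above put together into a small import helper; the algorithm id "legacy-md5", the package names, the hex-encoded form of the hash and the sample values are assumptions, and a PasswordHashProvider registered under that algorithm id is assumed to exist on the server.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;

import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class LegacyPasswordImport {

    // Hypothetical id of the legacy algorithm. A PasswordHashProvider registered under
    // this id must exist in the server, otherwise Keycloak cannot verify the imported hash.
    static final String LEGACY_ALGORITHM = "legacy-md5";

    /**
     * Builds a CredentialRepresentation from one record of the legacy store.
     * The encoded hash and the iteration count are passed through untouched; the salt is
     * given as raw bytes and the model takes care of encoding it into secret_data.
     */
    static CredentialRepresentation fromLegacyRecord(String encodedHash, byte[] salt, int iterations) {
        PasswordCredentialModel model =
                PasswordCredentialModel.createFromValues(LEGACY_ALGORITHM, salt, iterations, encodedHash);
        return ModelToRepresentation.toRepresentation(model);
    }

    /** Attaches the converted credential to a user representation ready for import. */
    static UserRepresentation userWithLegacyPassword(String username, String encodedHash,
                                                     byte[] salt, int iterations) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);
        user.setCredentials(Collections.singletonList(fromLegacyRecord(encodedHash, salt, iterations)));
        return user;
    }

    public static void main(String[] args) {
        // Constructed sample values; not a real hash or salt from any system.
        byte[] salt = "example-salt".getBytes(StandardCharsets.UTF_8);
        String hash = "0123456789abcdef0123456789abcdef"; // placeholder 32-hex-char digest
        UserRepresentation user = userWithLegacyPassword("alice", hash, salt, 1);
        CredentialRepresentation cred = user.getCredentials().get(0);
        // credential_data carries algorithm and iteration count (exposable via the REST API),
        // secret_data carries hash and salt (must stay in the database).
        System.out.println("type=" + cred.getType());
        System.out.println("credentialData=" + cred.getCredentialData());
        System.out.println("secretData=" + cred.getSecretData());
    }
}
```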
-----Original Message-----
From: keycloak-user-bounces@lists.jboss.org <keycloak-user-bounces@lists.jboss.org> On Behalf Of Leonid Rozenblyum
Sent: Monday, 18 November 2019 09:46
To: keycloak-user@lists.jboss.org
Subject: [keycloak-user] Keycloak 8: CredentialRepresentation algorithm
Hello!
Before Keycloak 8.0.0 it was possible to use
org.keycloak.representations.idm.CredentialRepresentation methods setAlgorithm
setHashedSaltedValue
in order to support import from a legacy storage with some custom algorithm not supported
by Keycloak.
During
https://github.com/keycloak/keycloak/pull/6459 those methods were removed, fields
were deprecated.
What's the correct way to provide Credentials for a user with some custom algorithm
right now?
Thanks for the explanation.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user