Hello Leonid, Can I have a more complete description of your use case? Without knowing how you imported from the legacy storage, I'm not sure how to answer this. However, I can give some context into the new credential format and why the previous methods were deprecated, and maybe it'll help: Before credentials were only password and OTP, but now it's intended that keycloak handle any number of credential types, both in keycloak (for example WebAuthn that was added in keycloak 8), and with extensions that 3rd parties wish to add. The definition of credentials in the database has been modified to accommodate this change, there's information in the documentation on this here: https://www.keycloak.org/docs/latest/server_development/index.html#extend.... Basically, credential-type specific information is now held as json within two fields: * secret_data: for information that must not leave the database, * credential_data: for non-sensitive data that is available in the administration GUI, and can be transmitted via the REST API. There are classes in Keycloak that allow the serialization and de- serialization of this json. For passwords it is now the PasswordCredentialModel (see https://github.com/keycloak/keycloak/blob/master/server-spi/src/main/java...) . If you're passing by a CredentialRepresentation object for importing legacy passwords, you can: 1. Use the static method PasswordCredentialModel.createFromValues (String algorithm, byte[] salt, int hashIterations, String encodedPassword), which will create a CredentialModel with the correct format. 2. Use the static method ModelToRepresentation.toRepresentation(CredentialModel cred) to get a CredentialRepresentation. I hope this helps, and if not, I'll try to answer your next questions. Alistair Doswald -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org&gt; On Behalf Of Leonid Rozenblyum Sent: lundi, 18 novembre 2019 09:46 To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Keycloak 8: CredentialRepresentation algorithm Hello! Before Keycloak 8.0.0 it was possible to use org.keycloak.representations.idm.CredentialRepresentation methods setAlgorithm setHashedSaltedValue in order to support import from a legacy storage with some custom algorithm not supported by Keycloak. During https://github.com/keycloak/keycloak/pull/6459 those methods were removed, fields were deprecated. What's the correct way to provide Credentials for a user with some custom algorithm right now? Thanks for explanation. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hello Leonid, I think this was for performance reasons, simply to avoid two unnecessary (in this case) base64 transformations. Cheers, Alistair From: Leonid Rozenblyum <lrozenblyum(a)gmail.com&gt; Sent: mardi, 19 novembre 2019 11:45 To: Doswald Alistair <alistair.doswald(a)elca.ch&gt; Cc: keycloak-user(a)lists.jboss.org; Poiffaut Romain <romain.poiffaut(a)elca.ch&gt; Subject: Re: [keycloak-user] Keycloak 8: CredentialRepresentation algorithm Hello Alistair! Your suggestions PasswordCredentialModel.createFromValues and ModelToRepresentation.toRepresentation are matching our needs really good. We're migrating from a legacy MD5-based storage and this combination suits perfectly. Thanks for the deep explanation on the new credentials model! Just wondering: I found that this code org.keycloak.models.utils.RepresentationToModel.convertDeprecatedCredentialsFormat(UserRepresentation) doesn't execute direct serialization for passwords and instead handcrafts the JSON. // Created this manually to avoid conversion from Base64 and back cred.setSecretData("{\"value\":\"" + cred.getHashedSaltedValue() + "\",\"salt\":\"" + cred.getSalt() + "\"}"); Is it due to performance reasons or possible escaping issues? (I'm going to execute the methods you suggested but anyway maybe there are some issues I should take care about). On Tue, Nov 19, 2019 at 12:04 PM Doswald Alistair <alistair.doswald@elca.ch<mailto:alistair.doswald@elca.ch>> wrote: Hello Leonid, Can I have a more complete description of your use case? Without knowing how you imported from the legacy storage, I'm not sure how to answer this. However, I can give some context into the new credential format and why the previous methods were deprecated, and maybe it'll help: Before credentials were only password and OTP, but now it's intended that keycloak handle any number of credential types, both in keycloak (for example WebAuthn that was added in keycloak 8), and with extensions that 3rd parties wish to add. The definition of credentials in the database has been modified to accommodate this change, there's information in the documentation on this here: https://www.keycloak.org/docs/latest/server_development/index.html#extend.... Basically, credential-type specific information is now held as json within two fields: * secret_data: for information that must not leave the database, * credential_data: for non-sensitive data that is available in the administration GUI, and can be transmitted via the REST API. There are classes in Keycloak that allow the serialization and de- serialization of this json. For passwords it is now the PasswordCredentialModel (see https://github.com/keycloak/keycloak/blob/master/server-spi/src/main/java...) . If you're passing by a CredentialRepresentation object for importing legacy passwords, you can: 1. Use the static method PasswordCredentialModel.createFromValues (String algorithm, byte[] salt, int hashIterations, String encodedPassword), which will create a CredentialModel with the correct format. 2. Use the static method ModelToRepresentation.toRepresentation(CredentialModel cred) to get a CredentialRepresentation. I hope this helps, and if not, I'll try to answer your next questions. Alistair Doswald -----Original Message----- From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> On Behalf Of Leonid Rozenblyum Sent: lundi, 18 novembre 2019 09:46 To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: [keycloak-user] Keycloak 8: CredentialRepresentation algorithm Hello! Before Keycloak 8.0.0 it was possible to use org.keycloak.representations.idm.CredentialRepresentation methods setAlgorithm setHashedSaltedValue in order to support import from a legacy storage with some custom algorithm not supported by Keycloak. During https://github.com/keycloak/keycloak/pull/6459 those methods were removed, fields were deprecated. What's the correct way to provide Credentials for a user with some custom algorithm right now? Thanks for explanation. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user