Hi Sarp,
Ah, so it happens after migration from 3.1.0.
Could you please try with your steps, but after your step 6 do also:
7. re-deploy also the second keycloak instance with v3.2.0
8. Try to login on any of the keycloak instances (both should be on v3.2)
and double-check the behaviour?
The reason is that we don't support the cluster when one node is
running on v3.2 and the second on v3.1. Both keycloak nodes should run on
the same version, otherwise the behaviour is unexpected. Also in step 6,
once the first node with v3.2 is started, the DB is migrated to v3.2 and
it's not supported to run keycloak with 3.1 or older version at this point.
If the issue still happens after both nodes migrated to v3.2, please
create JIRA with the steps.
Thanks,
Marek
On 19/07/17 07:01, Sarp Kaya wrote:
Hi Marek,
The below are the steps to reproduce it:
1. Deploy a keycloak version 3.1.0
2. Deploy another keycloak instance v3.1; make sure they’re clustered
3. Login to admin master field
4. Change the encryption
5. Logout/login to make sure that iterations work as expected
6. Now re-deploy one of the keycloak instances with v3.2.0
7. Try to login on the keycloak instance v3.2; iterations will be -1
Thanks,
Sarp
From: Marek Posolda <mposolda@redhat.com>
Date: Tuesday, July 18, 2017 at 8:06 PM
To: Abdullah Sarp <akaya@expedia.com>, "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak 3.2.0 issue with PasswordHashProvider SPI
I've tried to reproduce but wasn't able. What I did was:
- Start 3.2.0
- During initial creation of admin user, I can see that it uses
iterations -1, so it defaults to 27500 iterations, which is the
default for Pbkdf2Sha256PasswordHashProviderFactory.
- I've manually changed the password policy in admin console and added
Hash Iterations to be 10000.
- After relogin of admin user, I can see that it uses configured 10000
iterations. New users are always created with 10000 iterations.
Marek
On 18/07/17 02:32, Sarp Kaya wrote:
> Hello,
>
> I know that this is an internal SPI but I believe it’s broken.
>
> I realised that interface has been changed, now it’s giving the iterations directly
> for the “encode” method. The problem is it’s always calling encode method with iterations
> valued -1 regardless of what you put in the UI. I realised that in keycloak for
> “Pbkdf2PasswordHashProvider” it’s defaulting to 20000 iterations; but if you want
> this to be higher or lower, it doesn’t work either (since iterations will always be -1)
>
> My question is, could you please check this? Also if you don’t support “internal
> SPIs” how are we going to use other encryption methods such as bcrypt or scrypt etc?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user