[keycloak-dev] KEYCLOAK-1900 - Pluggable password hashing algorithm

Kunal K kunal at plivo.com
Tue Dec 1 08:05:11 EST 2015


Hi Stian,

I've added password hashing as a SPI with default encoder
as Pbkdf2PasswordEncoder. Some code clean up is remaining. I'll send out a
PR by Wednesday 3rd Dec.

On Tue, Dec 1, 2015 at 6:16 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Hi,
>
> Just wondering what is the status on this? We'd like to make sure it makes
> it into the 1.8 release.
>
> On 18 November 2015 at 15:09, Kunal K <kunal at plivo.com> wrote:
>
>> Hi Stian,
>>
>> Could you please review this code -
>> https://github.com/tsudot/keycloak/commit/ce58d795bfea9e6c19663fa40d7a499d2d78aeab
>>
>> I'm having trouble figuring out how to call session.getProvider(PasswordHashProvider.class,
>> algorithm) to replace Pbkdf2PasswordEncoder.
>>
>> I checked
>> https://github.com/tsudot/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java#L399
>> but couldn't find any instance of KeycloakSession. Am I missing something?
>>
>> On Tue, Nov 17, 2015 at 11:07 PM, Kunal K <kunal at plivo.com> wrote:
>>
>>> Thanks for those notes Stian, I will read up and document my progress on
>>> this thread.
>>>
>>> On Tue, Nov 17, 2015 at 8:50 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> That would be awesome.
>>>>
>>>> First step would be to read
>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
>>>> to understand how Keycloak provides SPIs.
>>>>
>>>> Next thing would be to add:
>>>>
>>>> * class PasswordHashSPI
>>>> * interface PasswordHashProviderFactory
>>>> * interface PasswordHashProvider
>>>>
>>>> These should be added to the services module. You would also need to
>>>> change Pbkdf2PasswordEncoder to be the default implementation.
>>>>
>>>> Instead of using Pbkdf2PasswordEncoder directly, code should use
>>>> session.getProvider(PasswordHashProvider.class, algorithm). algorithm
>>>> should be set on credential entities
>>>> (UserCredentialValueModel.algorithm). We also need a mechanism to specify
>>>> the default algorithm (that would be used when a user sets a new password and
>>>> also for existing users in the db).
>>>>
>>>>
>>>> On 17 November 2015 at 16:06, Kunal K <kunal at plivo.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I would like to start a discussion on how to implement -
>>>>> https://issues.jboss.org/browse/KEYCLOAK-1900
>>>>>
>>>>> I have a Django web app and all of my users are in a Postgres database
>>>>> with salted passwords hashed using SHA. I have been reading how I can use
>>>>> UserFederation to implement my own credential validation, but the drawback
>>>>> here would be that I'll have to keep maintaining my old database.
>>>>>
>>>>> For starters, I was thinking of replacing all occurrences of
>>>>> Pbkdf2PasswordEncoder with an equivalent SHAPasswordEncoder, which is a
>>>>> very crude approach and I'm not sure if it will even work. After some bit
>>>>> of reading I saw this ticket -
>>>>> https://issues.jboss.org/browse/KEYCLOAK-1900
>>>>>
>>>>> I would like to implement a custom hashing SPI and would love to get
>>>>> some pointers on how to go about it.
>>>>>
>>>>> Thanks
>>>>>
>>>>> --
>>>>> *KUNAL KERKAR *| PRODUCT ENGINEER
>>>>> Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
>>>>> Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>,
>>>>> @tsudot <http://twitter.com/tsudot>
>>>>>
>>>>> Free Incoming SMS for All US Short Codes – Get One Today!
>>>>> <https://www.plivo.com/sms-short-code/?utm=emailsig>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>


-- 
*KUNAL KERKAR *| PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
<http://twitter.com/tsudot>

Free Incoming SMS for All US Short Codes – Get One Today!
<https://www.plivo.com/sms-short-code/?utm=emailsig>
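
Added example, not part of the thread and not Keycloak's code: a Java 16+ sketch of the design discussed above, where each credential stores its algorithm id, the hash provider is looked up by that id, and a successful login re-hashes with the default algorithm. HashProvider, Credential, the "legacy-sha256" id with its SHA-256(salt || password) format, and the iteration count are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHashDemo {
    // Hypothetical stand-ins for the SPI in the thread, not Keycloak's real interfaces.
    interface HashProvider { byte[] hash(char[] password, byte[] salt, int iterations) throws Exception; }
    // The credential row carries the id of the algorithm that produced its hash.
    record Credential(String algorithm, int iterations, byte[] salt, byte[] hash) {}

    static final String DEFAULT_ALGORITHM = "pbkdf2";
    static final int DEFAULT_ITERATIONS = 20000; // constructed value for the demo
    static final Map<String, HashProvider> PROVIDERS = Map.of(
        "pbkdf2", (pw, salt, it) -> SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(new PBEKeySpec(pw, salt, it, 256)).getEncoded(),
        // Assumed legacy import format: SHA-256(salt || password), single pass.
        "legacy-sha256", (pw, salt, it) -> {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(new String(pw).getBytes(StandardCharsets.UTF_8));
        });

    static Credential encode(String algorithm, int iterations, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Credential(algorithm, iterations, salt,
            PROVIDERS.get(algorithm).hash(password, salt, iterations));
    }

    // Verify with the algorithm stored on the credential; on success, upgrade to the default.
    // Returns null on failure, otherwise the credential to persist (possibly re-hashed).
    static Credential verifyAndUpgrade(Credential stored, char[] password) throws Exception {
        HashProvider provider = PROVIDERS.get(stored.algorithm());
        if (provider == null) return null; // unknown algorithm id: fail closed
        byte[] candidate = provider.hash(password, stored.salt(), stored.iterations());
        if (!MessageDigest.isEqual(candidate, stored.hash())) return null; // constant-time compare
        return stored.algorithm().equals(DEFAULT_ALGORITHM)
            ? stored : encode(DEFAULT_ALGORITHM, DEFAULT_ITERATIONS, password);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray(); // constructed sample password
        Credential imported = encode("legacy-sha256", 1, pw);
        Credential upgraded = verifyAndUpgrade(imported, pw);
        System.out.println(imported.algorithm() + " -> " + upgraded.algorithm());
        System.out.println(verifyAndUpgrade(upgraded, "wrong".toCharArray()) == null);
    }
}
```

Re-hashing at login is one way to move imported users onto the default algorithm without keeping the old database; accounts that never log in keep their legacy hash until they are reset.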