[keycloak-dev] KEYCLOAK-1900 - Pluggable password hashing algorithm

Stian Thorgersen sthorger at redhat.com
Tue Nov 17 10:20:16 EST 2015


Hi,

That would be awesome.

First step would be to read
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
to understand how Keycloak provides SPIs.

Next thing would be to add:

* class PasswordHashSPI
* interface PasswordHashProviderFactory
* interface PasswordHashProvider

These should be added to services module. You would also need to
change Pbkdf2PasswordEncoder to be the default implementation.

Instead of using Pbkdf2PasswordEncoder directly code should use
session.getProvider(PasswordHashProvider.class, algorithm). algorithm
should be set to on credential entities
(UserCredentialValueModel.algorithm). We also need a mechanism to specify
the default algorithm (that would be used when users sets new password and
also for existing users in the db).


On 17 November 2015 at 16:06, Kunal K <kunal at plivo.com> wrote:

> Hi all,
>
> I would like to start a discussion on how to implement -
> https://issues.jboss.org/browse/KEYCLOAK-1900
>
> I have a django web app and all of my users are in a postgres database
> with salted passwords hashed using SHA. I have been reading how I can use
> UserFederation to implement by own credential validation, but the drawback
> here would be that I'll have to keep maintaining my old database.
>
> For starters, I was thinking of replacing all occurrences of
> Pbkdf2PasswordEncoder with an equivalent SHAPasswordEncoder, which is a
> very crude approach and I'm not sure if it will even work. After some bit
> of reading I saw this ticket -
> https://issues.jboss.org/browse/KEYCLOAK-1900
>
> I would like to implement a custom hashing SPI and would love to get some
> pointers on how to go about it.
>
> Thanks
>
> --
> *KUNAL KERKAR *| PRODUCT ENGINEER
> Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
> Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
> <http://twitter.com/tsudot>
>
> Free Incoming SMS for All US Short Codes – Get One Today!
> <https://www.plivo.com/sms-short-code/?utm=emailsig>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151117/9587d71a/attachment.html 


More information about the keycloak-dev mailing list