[keycloak-dev] KEYCLOAK-1900 - Pluggable password hashing algorithm

Kunal K kunal at plivo.com
Wed Nov 18 09:09:44 EST 2015


Hi Stian,

Could you please review this code -
https://github.com/tsudot/keycloak/commit/ce58d795bfea9e6c19663fa40d7a499d2d78aeab

I'm having trouble figuring out how to call
session.getProvider(PasswordHashProvider.class,
algorithm) to replace Pbkdf2PasswordEncoder.

I checked
https://github.com/tsudot/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java#L399
but couldn't find any instance of KeycloakSession. Am I missing something?

On Tue, Nov 17, 2015 at 11:07 PM, Kunal K <kunal at plivo.com> wrote:

> Thanks for those notes Stian, I will read up and document my progress on
> this thread.
>
> On Tue, Nov 17, 2015 at 8:50 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Hi,
>>
>> That would be awesome.
>>
>> First step would be to read
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
>> to understand how Keycloak provides SPIs.
>>
>> Next thing would be to add:
>>
>> * class PasswordHashSPI
>> * interface PasswordHashProviderFactory
>> * interface PasswordHashProvider
>>
>> These should be added to services module. You would also need to
>> change Pbkdf2PasswordEncoder to be the default implementation.
>>
>> Instead of using Pbkdf2PasswordEncoder directly code should use
>> session.getProvider(PasswordHashProvider.class, algorithm). algorithm
>> should be set to on credential entities
>> (UserCredentialValueModel.algorithm). We also need a mechanism to specify
>> the default algorithm (that would be used when users sets new password and
>> also for existing users in the db).
>>
>>
>> On 17 November 2015 at 16:06, Kunal K <kunal at plivo.com> wrote:
>>
>>> Hi all,
>>>
>>> I would like to start a discussion on how to implement -
>>> https://issues.jboss.org/browse/KEYCLOAK-1900
>>>
>>> I have a django web app and all of my users are in a postgres database
>>> with salted passwords hashed using SHA. I have been reading how I can use
>>> UserFederation to implement by own credential validation, but the drawback
>>> here would be that I'll have to keep maintaining my old database.
>>>
>>> For starters, I was thinking of replacing all occurrences of
>>> Pbkdf2PasswordEncoder with an equivalent SHAPasswordEncoder, which is a
>>> very crude approach and I'm not sure if it will even work. After some bit
>>> of reading I saw this ticket -
>>> https://issues.jboss.org/browse/KEYCLOAK-1900
>>>
>>> I would like to implement a custom hashing SPI and would love to get
>>> some pointers on how to go about it.
>>>
>>> Thanks
>>>
>>> --
>>> *KUNAL KERKAR *| PRODUCT ENGINEER
>>> Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
>>> Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
>>> <http://twitter.com/tsudot>
>>>
>>> Free Incoming SMS for All US Short Codes – Get One Today!
>>> <https://www.plivo.com/sms-short-code/?utm=emailsig>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>
>
> --
> *KUNAL KERKAR *| PRODUCT ENGINEER
> Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
> Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
> <http://twitter.com/tsudot>
>
> Free Incoming SMS for All US Short Codes – Get One Today!
> <https://www.plivo.com/sms-short-code/?utm=emailsig>
>



-- 
*KUNAL KERKAR *| PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
<http://twitter.com/tsudot>

Free Incoming SMS for All US Short Codes – Get One Today!
<https://www.plivo.com/sms-short-code/?utm=emailsig>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151118/56f7e52c/attachment-0001.html 


More information about the keycloak-dev mailing list