[keycloak-dev] Password Hashing in custom User Storage Provider

Danny Trunk dtrunk90 at gmail.com
Sat Mar 25 14:00:48 EDT 2017


Hi,

when implementing my own User Storage Provider I've noticed that the
password has to be raw in my database as no Password Hash Provider is
getting triggered.

The User Storage Provider is based on the JPA Example located here:
https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa

When adding some logging into the isValid method of the Provider to see
whats the content of password and cred.getValue() I can see that
password (the one from the database) is hashed whereas cred.getValue()
isn't. That's why it mismatches and the user can see an invalid
credentials error message.

Do I have to call all (as I could have multiple algorithms in my
database without any information which algorithm it is)
PasswordHashProvider myself in this method? I guess that's not the
intended behaviour of the Password Hash Providers?!


More information about the keycloak-dev mailing list