[keycloak-user] Porting user passwords to keycloak

Stian Thorgersen sthorger at redhat.com
Tue Dec 1 07:29:15 EST 2015


We are planning to add a Password Hashing SPI, which will allow plugging in
additional hashing mechanisms. It's not ready quite yet though.

On 1 December 2015 at 13:25, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:

> Hello,
>
> I'm trying to create some migration scripts that will port users from
> Application1 into keycloak. Users in Application1 already have usernames,
> passwords etc. I use the admin rest api to create the users.
>
> The problem I'm facing is that user passwords in Application1 database are
> already hashed using md5. So, I don't really know the actual passwords
> (security wise that makes sense).
>
> The only solution I've come down to is to store the passwords as they are in
> keycloak (md5ed) and tell the users to use the hashed value instead of the
> plaintext one when signing in. Then, force them to reset passwords. Not the
> best UX  :-(
>
> Is there a way to tell keycloak that "these passwords are already hashed
> in md5" so, "store them as they are" and "when a user tries to sign in,
> first hash his password with md5 and then compare to the value stored in
> db"  or sth like that?
>
> Any alternatives come to mind?
>
>
> Regards
>
> Orestis
>
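The "hash with md5 at sign-in and compare to the stored value" idea from the question, as an added example that is not part of the original thread and does not use any Keycloak API. It goes one step further than the question by replacing the MD5 value with a salted PBKDF2 hash on the first successful login; all names (import_legacy, verify_and_upgrade, pending_migration, the record layout) and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune for your hardware

def import_legacy(md5_hex):
    """Credential record for a user whose unsalted MD5 hex digest was imported as-is."""
    return {"algo": "md5", "hash": md5_hex.lower()}

def _pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_pbkdf2(password):
    """Fresh salted PBKDF2-HMAC-SHA256 record for a password just seen in plaintext."""
    salt = os.urandom(16)
    return {"algo": "pbkdf2-sha256", "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": _pbkdf2(password, salt, PBKDF2_ITERATIONS)}

def verify_and_upgrade(store, username, password):
    """Check a login attempt; a correct password on a legacy record triggers a rehash."""
    cred = store.get(username)
    if cred is None:
        return False
    if cred["algo"] == "md5":
        # Assumption: the old application hashed the UTF-8 bytes of the password.
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(candidate, cred["hash"]):
            return False
        store[username] = make_pbkdf2(password)  # the MD5 digest is dropped here
        return True
    if cred["algo"] == "pbkdf2-sha256":
        candidate = _pbkdf2(password, cred["salt"], cred["iterations"])
        return hmac.compare_digest(candidate, cred["hash"])
    return False  # unknown algorithm: fail closed

def pending_migration(store):
    """Users still on MD5, i.e. accounts that have not logged in since the import."""
    return sorted(user for user, cred in store.items() if cred["algo"] == "md5")

# Constructed sample data standing in for rows exported from Application1.
store = {
    "alice": import_legacy(hashlib.md5(b"example-password-1").hexdigest()),
    "bob": import_legacy(hashlib.md5(b"example-password-2").hexdigest()),
}
```

Accounts listed by pending_migration are still protected only by unsalted MD5, so that list is the set to target with a forced reset after a cut-off date.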