[keycloak-user] Porting user passwords to keycloak

Stian Thorgersen sthorger at redhat.com
Tue Dec 1 08:12:24 EST 2015


So it looks like we will indeed have the password hash SPI in 1.8. It'll be
released in early January.

If you can't wait for that, I think it would be better to not import users
with a password at all and instead send reset password links to their email
address. That would assume all users have emails registered. Or you could
also modify the password authenticator and make it run md5 on the value of the
input password for users that haven't updated their password yet.

On 1 December 2015 at 13:36, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:

> OK, so I guess I'll have to go with a workaround, password reset, etc. as
> I've described.
>
> Thanks Stian
>
> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> We are planning to add a Password Hashing SPI, which will allow plugging
>> in additional hashing mechanisms. It's not ready quite yet though.
>>
>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>> orestis.tsakiridis at telestax.com> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to create some migration scripts that will port users from
>>> Application1 into Keycloak. Users in Application1 already have usernames,
>>> passwords etc. I use the admin REST API to create the users.
>>>
>>> The problem I'm facing is that user passwords in the Application1 database
>>> are already hashed using md5. So, I don't really know the actual passwords
>>> (security-wise that makes sense).
>>>
>>> The only solution I've come down to is to store the passwords as they are in
>>> Keycloak (md5ed) and tell the users to use the hashed value instead of the
>>> plaintext one when signing in. Then, force them to reset passwords. Not the
>>> best UX  :-(
>>>
>>> Is there a way to tell Keycloak that "these passwords are already hashed
>>> in md5" so, "store them as they are" and "when a user tries to sign in,
>>> first hash his password with md5 and then compare to the value stored in
>>> the db", or sth like that?
>>>
>>> Any alternatives come to mind?
>>>
>>>
>>> Regards
>>>
>>> Orestis
>>>
>>
>>
>
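The "modify the password authenticator" option Stian describes above is the usual legacy-hash migration pattern: keep the imported MD5 digest only until the user's first successful login, verify the submitted password against it, and at that moment re-hash with a proper salted, iterated algorithm and drop the MD5 value. The following is an added, stand-alone illustration of that flow, not code from Keycloak or from this thread; the `UserRecord` store, the sample user and the PBKDF2 iteration count are constructed assumptions, and a real deployment would do the same inside the identity provider's credential-verification hook.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: target work factor for passwords re-hashed after migration.
PBKDF2_ITERATIONS = 100_000


@dataclass
class UserRecord:
    """Constructed user store entry: exactly one of legacy_md5 or pbkdf2_hash is set."""
    username: str
    legacy_md5: Optional[str] = None      # hex MD5 copied over from Application1
    salt: Optional[bytes] = None          # per-user random salt, set on upgrade
    pbkdf2_hash: Optional[bytes] = None   # PBKDF2-HMAC-SHA256 digest, set on upgrade


def legacy_md5_matches(raw_password: str, legacy_md5_hex: str) -> bool:
    """Re-create the unsalted MD5 the legacy application stored and compare in constant time."""
    candidate = hashlib.md5(raw_password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, legacy_md5_hex.lower())


def upgrade_password(user: UserRecord, raw_password: str) -> None:
    """Replace the legacy MD5 with a salted PBKDF2 digest; the MD5 is discarded."""
    salt = os.urandom(16)
    user.salt = salt
    user.pbkdf2_hash = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    user.legacy_md5 = None


def needs_upgrade(user: UserRecord) -> bool:
    """True while the user is still protected only by the imported MD5 value."""
    return user.legacy_md5 is not None and user.pbkdf2_hash is None


def authenticate(user: UserRecord, raw_password: str) -> bool:
    """Verify a login attempt; a correct legacy password is upgraded transparently."""
    if user.pbkdf2_hash is not None and user.salt is not None:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", raw_password.encode("utf-8"), user.salt, PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, user.pbkdf2_hash)
    if user.legacy_md5 is not None:
        if legacy_md5_matches(raw_password, user.legacy_md5):
            upgrade_password(user, raw_password)   # first successful login: migrate
            return True
        return False
    return False   # no credential of any kind: never accept


def count_unmigrated(store: Dict[str, UserRecord]) -> int:
    """Operational check: how many accounts still carry only the MD5 import."""
    return sum(1 for u in store.values() if needs_upgrade(u))


def demo_store() -> Dict[str, UserRecord]:
    """Constructed sample data standing in for the rows imported from Application1."""
    return {
        "alice": UserRecord("alice", legacy_md5=hashlib.md5(b"correct horse").hexdigest()),
        "bob": UserRecord("bob", legacy_md5=hashlib.md5(b"battery staple").hexdigest()),
    }


if __name__ == "__main__":
    store = demo_store()
    print("unmigrated before:", count_unmigrated(store))
    print("alice wrong password:", authenticate(store["alice"], "nope"))
    print("alice right password:", authenticate(store["alice"], "correct horse"))
    print("unmigrated after:", count_unmigrated(store))
```

Because the MD5 digests are unsalted, the imported table stays a weak point until each account has logged in once; `count_unmigrated` is the number to watch, and accounts that never come back are the ones for which the password-reset-by-email route mentioned earlier in the thread is the better fit.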