[keycloak-user] Porting user passwords to keycloak
Orestis Tsakiridis
orestis.tsakiridis at telestax.com
Tue Dec 1 09:39:00 EST 2015
Thanks Stian.
Can you send me some documentation or source code pointers about "modifying
the password authenticator" ? Are we talking about a Java class, overriding
login form ? sth else?
On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:
> So looks like we will indeed have password hash spi in 1.8. It'll be
> released in early January.
>
> If you can't wait for that I think it would be better to not import users
> with a password at all and instead send reset password links to their email
> address. That would assume all users have emails registered. Or you could
> also modify the password authenticator and make it run md5 the value of the
> input password for users that haven't updated their password yet.
>
> On 1 December 2015 at 13:36, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>
>> Ok, so i guess i'll have to go with a workaround, password reset, etc as
>> i've described.
>>
>> Thanks Stian
>>
>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> We are planning to add a Password Hashing SPI, which will allow plugging
>>> in additional hashing mechanisms. It's not ready quite yet though.
>>>
>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>> orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to create some migration scripts that will port users from
>>>> Application1 into keycloak. Users in Application1 already have usernames,
>>>> passwords etc. I use the admin rest api to create the users.
>>>>
>>>> The problem i'm facing is that user passwords in Application1 database
>>>> are already hashed using md5. So, i don't really know the actual passwords
>>>> (security wise that makes sense).
>>>>
>>>> The only solution i've come down to is store the password as they are
>>>> in keycloak (md5ed) and tell the users to use the hashed value instead of
>>>> the plaintext one wieh signing in. Then, force them to reset passwords. Not
>>>> the best UX :-(
>>>>
>>>> Is there a way to tell keycloak that "these passwords are already
>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>> in, first hash his password with md5 and the compare to the value stored in
>>>> db" or sth like that?
>>>>
>>>> Any alternatives come to mind ?
>>>>
>>>>
>>>> Regards
>>>>
>>>> Orestis
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151201/f792ad8a/attachment.html
More information about the keycloak-user
mailing list