[keycloak-user] Porting user passwords to keycloak

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Thu Dec 3 04:08:16 EST 2015


Ok Stian.

I will try to implement auth_spi.

Btw, if you need any early adopters for your new Password Hashing SPI
feature, we will gladly use it in our new "Restcomm as a Service"
implementation and send feedback.


Thanks

Orestis

Telestax

On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>
> On 1 December 2015 at 15:39, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>
>> Thanks Stian.
>>
>> Can you send me some documentation or source code pointers about
>> "modifying the password authenticator"? Are we talking about a Java class,
>> overriding the login form? Something else?
>>
>>
>>
>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> So looks like we will indeed have password hash spi in 1.8. It'll be
>>> released in early January.
>>>
>>> If you can't wait for that I think it would be better to not import
>>> users with a password at all and instead send reset password links to their
>>> email address. That would assume all users have emails registered. Or you
>>> could also modify the password authenticator and make it run md5 on the value
>>> of the input password for users that haven't updated their password yet.
>>>
>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>>> orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Ok, so I guess I'll have to go with a workaround, password reset, etc.
>>>> as I've described.
>>>>
>>>> Thanks Stian
>>>>
>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>
>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I'm trying to create some migration scripts that will port users from
>>>>>> Application1 into keycloak. Users in Application1 already have usernames,
>>>>>> passwords etc. I use the admin rest api to create the users.
>>>>>>
>>>>>> The problem I'm facing is that user passwords in the Application1
>>>>>> database are already hashed using md5. So, I don't really know the actual
>>>>>> passwords (security wise that makes sense).
>>>>>>
>>>>>> The only solution I've come down to is to store the passwords as they are
>>>>>> in keycloak (md5ed) and tell the users to use the hashed value instead of
>>>>>> the plaintext one when signing in. Then, force them to reset passwords. Not
>>>>>> the best UX  :-(
>>>>>>
>>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>> in, first hash his password with md5 and then compare to the value stored in
>>>>>> db" or something like that?
>>>>>>
>>>>>> Any alternatives come to mind ?
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Orestis
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
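The second workaround Stian describes (check the input against the imported MD5 for users who have not updated their password yet) as an added example, not part of the thread and not Keycloak code. It uses only JDK classes; the `Credential` class, the unsalted MD5-of-UTF-8 layout of the imported hashes and the PBKDF2 parameters are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Illustrative only: plain JDK, not Keycloak's authenticator or SPI API.
public class LegacyMd5Migration {
    // Hypothetical stored credential: a legacy MD5 or an upgraded PBKDF2 hash.
    static class Credential {
        byte[] legacyMd5;    // non-null until the user's first successful login
        byte[] salt, pbkdf2; // set once the credential has been upgraded
    }

    static final int ITERATIONS = 100_000; // assumed work factor

    static byte[] md5(String password) throws Exception {
        return MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] pbkdf2(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Returns true on a correct password; upgrades a legacy credential in place.
    static boolean verify(Credential c, String password) throws Exception {
        if (c.legacyMd5 != null) {
            // Constant-time comparison against the imported MD5 value.
            if (!MessageDigest.isEqual(c.legacyMd5, md5(password))) return false;
            c.salt = new byte[16];
            new SecureRandom().nextBytes(c.salt);
            c.pbkdf2 = pbkdf2(password, c.salt);
            c.legacyMd5 = null; // drop the weak hash once the strong one exists
            return true;
        }
        return MessageDigest.isEqual(c.pbkdf2, pbkdf2(password, c.salt));
    }

    public static void main(String[] args) throws Exception {
        Credential imported = new Credential();
        imported.legacyMd5 = md5("correct horse"); // constructed sample for an imported row
        System.out.println(verify(imported, "wrong guess"));   // rejected, still legacy
        System.out.println(verify(imported, "correct horse")); // accepted and upgraded
        System.out.println(imported.legacyMd5 == null);        // MD5 value is gone
        System.out.println(verify(imported, "correct horse")); // now checked via PBKDF2
    }
}
```

Accounts that never log in keep their MD5 value indefinitely, which is where the reset-link option from the thread still applies.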