[keycloak-user] Porting user passwords to keycloak

Stian Thorgersen sthorger at redhat.com
Thu Dec 3 05:18:15 EST 2015


That'd be great. If you watch this
https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in
master.

Hopefully it should be added within a few days.

On 3 December 2015 at 10:08, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:

> Ok Stian.
>
> I will try to implement auth_spi.
>
> Btw, if you need any early adopters for your new Password Hashing SPI
> feature, we will gladly use it in our new "Restcomm as a Service"
> implementation and send feedback.
>
>
> Thanks
>
> Orestis
>
> Telestax
>
> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>>
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>
>> On 1 December 2015 at 15:39, Orestis Tsakiridis <
>> orestis.tsakiridis at telestax.com> wrote:
>>
>>> Thanks Stian.
>>>
>>> Can you send me some documentation or source code pointers about
>>> "modifying the password authenticator" ? Are we talking about a Java class,
>>> overriding login form ? sth else?
>>>
>>>
>>>
>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> So looks like we will indeed have password hash spi in 1.8. It'll be
>>>> released in early January.
>>>>
>>>> If you can't wait for that I think it would be better to not import
>>>> users with a password at all and instead send reset password links to their
>>>> email address. That would assume all users have emails registered. Or you
>>>> could also modify the password authenticator and make it run md5 the value
>>>> of the input password for users that haven't updated their password yet.
>>>>
>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>
>>>>> Ok, so i guess i'll have to go with a workaround, password reset, etc
>>>>> as i've described.
>>>>>
>>>>> Thanks Stian
>>>>>
>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>
>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm trying to create some migration scripts that will port users
>>>>>>> from Application1 into keycloak. Users in Application1 already have
>>>>>>> usernames, passwords etc. I use the admin rest api to create the users.
>>>>>>>
>>>>>>> The problem i'm facing is that user passwords in Application1
>>>>>>> database are already hashed using md5. So, i don't really know the actual
>>>>>>> passwords (security wise that makes sense).
>>>>>>>
>>>>>>> The only solution i've come down to is store the password as they
>>>>>>> are in keycloak (md5ed) and tell the users to use the hashed value instead
>>>>>>> of the plaintext one wieh signing in. Then, force them to reset passwords.
>>>>>>> Not the best UX  :-(
>>>>>>>
>>>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>>> in, first hash his password with md5 and the compare to the value stored in
>>>>>>> db"  or sth like that?
>>>>>>>
>>>>>>> Any alternatives come to mind ?
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Orestis
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151203/7230c5d3/attachment.html 


More information about the keycloak-user mailing list