[keycloak-user] Porting user passwords to keycloak

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Thu Dec 3 06:22:18 EST 2015


Great! I will keep an eye on it.

BR

Orestis

On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> That'd be great. If you watch this
> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in
> master.
>
> Hopefully it should be added within a few days.
>
> On 3 December 2015 at 10:08, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>
>> Ok Stian.
>>
>> I will try to implement auth_spi.
>>
>> Btw, if you need any early adopters for your new Password Hashing SPI
>> feature, we will gladly use it in our new "Restcomm as a Service"
>> implementation and send feedback.
>>
>>
>> Thanks
>>
>> Orestis
>>
>> Telestax
>>
>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>>
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>
>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <
>>> orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Thanks Stian.
>>>>
>>>> Can you send me some documentation or source code pointers about
>>>> "modifying the password authenticator" ? Are we talking about a Java class,
>>>> overriding login form ? sth else?
>>>>
>>>>
>>>>
>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> So looks like we will indeed have password hash spi in 1.8. It'll be
>>>>> released in early January.
>>>>>
>>>>> If you can't wait for that I think it would be better to not import
>>>>> users with a password at all and instead send reset password links to their
>>>>> email address. That would assume all users have emails registered. Or you
>>>>> could also modify the password authenticator and make it run md5 the value
>>>>> of the input password for users that haven't updated their password yet.
>>>>>
>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>
>>>>>> Ok, so i guess i'll have to go with a workaround, password reset, etc
>>>>>> as i've described.
>>>>>>
>>>>>> Thanks Stian
>>>>>>
>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com
>>>>>> > wrote:
>>>>>>
>>>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>
>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm trying to create some migration scripts that will port users
>>>>>>>> from Application1 into keycloak. Users in Application1 already have
>>>>>>>> usernames, passwords etc. I use the admin rest api to create the users.
>>>>>>>>
>>>>>>>> The problem i'm facing is that user passwords in Application1
>>>>>>>> database are already hashed using md5. So, i don't really know the actual
>>>>>>>> passwords (security wise that makes sense).
>>>>>>>>
>>>>>>>> The only solution i've come down to is store the password as they
>>>>>>>> are in keycloak (md5ed) and tell the users to use the hashed value instead
>>>>>>>> of the plaintext one wieh signing in. Then, force them to reset passwords.
>>>>>>>> Not the best UX  :-(
>>>>>>>>
>>>>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>>>> in, first hash his password with md5 and the compare to the value stored in
>>>>>>>> db"  or sth like that?
>>>>>>>>
>>>>>>>> Any alternatives come to mind ?
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Orestis
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151203/92296fc3/attachment.html 


More information about the keycloak-user mailing list