[keycloak-user] Porting user passwords to keycloak

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Mon Dec 21 07:48:19 EST 2015


Btw, here is a screenshot of the 'switch' I referred to:

On Mon, Dec 21, 2015 at 2:47 PM, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:

> Hello again!
>
> So, I've recently pulled your master branch and started working on it
> (HEAD was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password
> hashing SPI.
>
> Actually, I implemented PasswordHashProvider and
> PasswordHashProviderFactory and created a provider .jar as described in
> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
> .
>
> So, all went fine there. Deployment on keycloak had no issues too.
>
> I'm wondering however how I enable this custom Password Hash Provider. Is
> there a switch that, instead of using the "Pbkdf2PasswordHashProvider",
> uses my custom "RestcommPasswordHashProvider"?
>
> All I've found is the "Authentication/Password Policy/Hash algorithm" in
> the Administration Console UI that directly maps to
> "Pbkdf2PasswordHashProvider", but adding a new entry and changing this
> to "restcomm-md5" (the id of the new provider) seems to have no effect.
>
> Any ideas?
>
>
>
> On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>
>> Great! I will keep an eye on it.
>>
>> BR
>>
>> Orestis
>>
>> On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> That'd be great. If you watch this
>>> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in
>>> master.
>>>
>>> Hopefully it should be added within a few days.
>>>
>>> On 3 December 2015 at 10:08, Orestis Tsakiridis <
>>> orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Ok Stian.
>>>>
>>>> I will try to implement auth_spi.
>>>>
>>>> Btw, if you need any early adopters for your new Password Hashing SPI
>>>> feature, we will gladly use it in our new "Restcomm as a Service"
>>>> implementation and send feedback.
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Orestis
>>>>
>>>> Telestax
>>>>
>>>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>>
>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>>>
>>>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <
>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>
>>>>>> Thanks Stian.
>>>>>>
>>>>>> Can you send me some documentation or source code pointers about
>>>>>> "modifying the password authenticator"? Are we talking about a Java class,
>>>>>> overriding the login form? Sth else?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com
>>>>>> > wrote:
>>>>>>
>>>>>>> So looks like we will indeed have password hash spi in 1.8. It'll be
>>>>>>> released in early January.
>>>>>>>
>>>>>>> If you can't wait for that I think it would be better to not import
>>>>>>> users with a password at all and instead send reset password links to their
>>>>>>> email address. That would assume all users have emails registered. Or you
>>>>>>> could also modify the password authenticator and make it run md5 on the value
>>>>>>> of the input password for users that haven't updated their password yet.
>>>>>>>
>>>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <
>>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>>
>>>>>>>> Ok, so I guess I'll have to go with a workaround, password reset,
>>>>>>>> etc. as I've described.
>>>>>>>>
>>>>>>>> Thanks Stian
>>>>>>>>
>>>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <
>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>>>
>>>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <
>>>>>>>>> orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I'm trying to create some migration scripts that will port users
>>>>>>>>>> from Application1 into Keycloak. Users in Application1 already have
>>>>>>>>>> usernames, passwords etc. I use the admin REST API to create the users.
>>>>>>>>>>
>>>>>>>>>> The problem I'm facing is that user passwords in the Application1
>>>>>>>>>> database are already hashed using md5. So, I don't really know the actual
>>>>>>>>>> passwords (security-wise that makes sense).
>>>>>>>>>>
>>>>>>>>>> The only solution I've come down to is to store the passwords as they
>>>>>>>>>> are in Keycloak (md5ed) and tell the users to use the hashed value instead
>>>>>>>>>> of the plaintext one when signing in. Then, force them to reset passwords.
>>>>>>>>>> Not the best UX :-(
>>>>>>>>>>
>>>>>>>>>> Is there a way to tell Keycloak that "these passwords are already
>>>>>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>>>>>> in, first hash his password with md5 and then compare to the value stored in
>>>>>>>>>> the db", or sth like that?
>>>>>>>>>>
>>>>>>>>>> Any alternatives come to mind?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> Orestis
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: auth_password_policy.png
Type: image/png
Size: 39986 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/05e77f99/attachment-0001.png 
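The provider the thread describes, as an added example that is not code from the original mail or from the Keycloak project: a PasswordHashProvider/PasswordHashProviderFactory with the id "restcomm-md5" that stores and verifies the unsalted MD5 hex digests migrated from Application1. The package name is hypothetical, and the interface method signatures and UserCredentialValueModel setters are assumed to match the Password Hashing SPI as it landed in master for 1.8 (KEYCLOAK-1900); check them against the commit you build on.

```java
package com.example.restcomm.hash; // hypothetical package, not from the thread

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import org.keycloak.Config;
import org.keycloak.hash.PasswordHashProvider;        // assumed 1.8-era package
import org.keycloak.hash.PasswordHashProviderFactory; // assumed 1.8-era package
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;

// Verifies legacy MD5 password hashes so migrated users can log in with their
// existing plaintext password. MD5 is kept only to match Application1's stored
// values; set the realm "Hash algorithm" back to pbkdf2 once users have re-hashed.
public class RestcommMd5PasswordHashProvider
        implements PasswordHashProvider, PasswordHashProviderFactory {

    // Must equal the value entered under Authentication > Password Policy > Hash algorithm.
    public static final String ID = "restcomm-md5";

    static String md5Hex(String raw) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5")
                    .digest(raw.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    @Override
    public UserCredentialValueModel encode(String rawPassword, int iterations) {
        // Store exactly what Application1 stored: lowercase hex MD5, no salt (assumed setters).
        UserCredentialValueModel cred = new UserCredentialValueModel();
        cred.setType(UserCredentialModel.PASSWORD);
        cred.setAlgorithm(ID);
        cred.setHashIterations(1);
        cred.setValue(md5Hex(rawPassword));
        return cred;
    }

    @Override
    public boolean verify(String rawPassword, UserCredentialValueModel credential) {
        // Hash the submitted password the same way and compare in constant time.
        byte[] submitted = md5Hex(rawPassword).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = credential.getValue().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(submitted, stored);
    }

    @Override public PasswordHashProvider create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public String getId() { return ID; }
    @Override public void close() { }
}
```

The factory is registered through a META-INF/services file named after the factory interface in the provider jar, and the "restcomm-md5" policy value only takes effect for credentials whose stored algorithm field carries that id.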