[keycloak-user] Hash Algorithm

Scott Rossillo srossillo at smartling.com
Mon Oct 5 13:13:13 EDT 2015


I’d recommend using a federation provider. Others may have another opinion but here’s the approach I like, using a federation provider:

Create the user when Keycloak calls one of these methods on the federation provider and the user exists in the legacy system:

UserFederationProvider.getUserByUsername()
UserFederationProvider.getUserByEmail()

This creates the federation link. However, do not set a password for the user yet (you wouldn’t know what to set it to yet anyway). Then, when Keycloak calls:

UserFederationProvider.validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input)

query your legacy system to see if the given user and password combination is valid. If so:

1. Update the user (in Keycloak) to have the password supplied in List<UserCredentialModel> input
2. Break the federation link (session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);)

I’m going to publish a template for migrating users using this approach soon. For now, I hope this is enough to get you going in the right direction if you choose the federation provider approach.

~ Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

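As an added illustration of the steps above (not code from Scott or from the Keycloak project), here is a Java sketch of what the validCredentials() body could look like: it recomputes the legacy PBKDF2 hash exactly as Remi's hashPassword() does, compares it in constant time, and on success stores the password in Keycloak and breaks the federation link. The LegacyRecord type, the lookup that supplies it, and UserModel.updateCredential() are assumptions about the legacy store and the Keycloak 1.x API.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

public final class LegacyPasswordMigration {

    /** Hypothetical shape of a legacy row: the stored hex hash and its salt. */
    public static final class LegacyRecord {
        public final String hashHex, salt;
        public LegacyRecord(String hashHex, String salt) { this.hashHex = hashHex; this.salt = salt; }
    }

    /** Same derivation as the legacy hashPassword(): PBKDF2-HMAC-SHA1, 2048 rounds, 160-bit key, hex via BigInteger. */
    static String legacyHash(String password, String salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new BigInteger(1, hash).toString(16);
    }

    /** Constant-time comparison of the recomputed hash against the stored one. */
    static boolean legacyMatches(LegacyRecord rec, String candidate) throws Exception {
        byte[] computed = legacyHash(candidate, rec.salt).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = rec.hashHex.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored);
    }

    /** Body for UserFederationProvider.validCredentials(): verify against the legacy store, then migrate. */
    public static boolean validCredentials(KeycloakSession session, RealmModel realm, UserModel user,
                                           List<UserCredentialModel> input, LegacyRecord rec) throws Exception {
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) continue;
            if (!legacyMatches(rec, cred.getValue())) return false;
            // 1. Store the password in Keycloak; it is re-hashed under the realm's own password policy.
            UserModel local = session.userStorage().getUserById(user.getId(), realm);
            local.updateCredential(cred);   // assumed Keycloak 1.x UserModel method
            // 2. Break the federation link so later logins never consult the legacy system.
            local.setFederationLink(null);
            return true;
        }
        return false;
    }
}
```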
> On Oct 5, 2015, at 11:59 AM, Remi Cartier <remi.cartier at imetrik.com> wrote:
> 
> Hey guys,
> 
> I will have to migrate from a custom in-house user management system to Keycloak.
> We are using this algorithm to store salted/hashed passwords:
> 
>     import java.math.BigInteger;
>     import java.security.spec.KeySpec;
>     import javax.crypto.SecretKeyFactory;
>     import javax.crypto.spec.PBEKeySpec;
> 
>     // PBKDF2 with HMAC-SHA1, 2048 iterations, 160-bit derived key, hex encoded
>     public static String hashPassword(String password, String salt) {
>         try {
>             KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
>             SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>             byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
>             // Note: BigInteger.toString(16) drops leading zero nibbles, so the hex length can vary
>             return new BigInteger(1, hash).toString(16);
>         } catch (Exception x) {
>             throw new IllegalStateException(x);
>         }
>     }
> 
> I was wondering, in order to ease the migration, if I could configure Keycloak to use the same hash algorithm?
> 
> Or if there were any other ways? Like maybe a federation provider, but then comes the question of when to push things into Keycloak, at password change?
> 
> What do you think ?
> 
> Sincerely.
> 
> 
> REMI CARTIER
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
> 
> IMETRIK GLOBAL INC. 
> T : +1 514 448-6407 x2009
> T : +1 866 276-5382 (toll free) 
> F : +1 514 904-0611 
> 
> 740 Notre Dame St. West, Suite 1575 
> Montreal, Quebec, Canada H3C 3X6 
> imetrik.com <http://www.imetrik.com/>
