[keycloak-user] Hash Algorithm

Scott Rossillo srossillo at smartling.com
Mon Oct 5 15:21:03 EDT 2015


Looks good. To answer your question on PasteBin about setting fields: this
is going to be implementation specific but the way to set them on the
Keycloak user model is below.

        RemoteUser remoteUser = // get legacy system user, replace getters below with methods matching your domain

        userModel.setFederationLink(model.getId());
        userModel.setEnabled(remoteUser.isEnabled()); // or set to true
        userModel.setEmail(username); // assume username is email, if not get email from data source
        userModel.setEmailVerified(remoteUser.isEmailVerified()); // or set to true
        userModel.setFirstName(remoteUser.getFirstName());
        userModel.setLastName(remoteUser.getLastName());

~ Scott


On Mon, Oct 5, 2015 at 2:17 PM, Remi Cartier <remi.cartier at imetrik.com>
wrote:

> Me again,
>
> I have written some simple FederationProvider for my migration case.
> I put them on pastebin here:
>
> http://pastebin.com/sqt2Pm3P - JdbcUserFederationProviderFactory
> http://pastebin.com/5JJyb7bm - JdbcUserFederationProvider
>
> I tried to follow your recommendations.
>
> Does it seem to make sense?
>
> Thank you guys!
>
> ------------------------------
>
>
> REMI CARTIER
> B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
>
> *IMETRIK GLOBAL INC.*
> *T :* +1 514 448-6407 x2009
> *T :* +1 866 276-5382 (toll free)
> *F :* +1 514 904-0611
>
> 740 Notre Dame St. West, Suite 1575
> Montreal, Quebec, Canada H3C 3X6
> imetrik.com <http://www.imetrik.com/>
>
> On Oct 5, 2015, at 1:13 PM, Scott Rossillo <srossillo at smartling.com>
> wrote:
>
> I’d recommend using a federation provider. Others may have another opinion
> but here’s the approach I like, using a federation provider:
>
> Create the user when Keycloak calls one of these methods on the federation
> provider and the user exists in the legacy system:
>
> UserFederationProvider.getUserByUsername()
> UserFederationProvider.getUserByEmail()
>
> This creates the federation link. However, do not set a password for the
> user yet (you wouldn’t know what to set it to yet anyway). Then, when
> Keycloak calls:
>
> UserFederationProvider.validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input)
>
> query your legacy system to see if the given user and password combination
> is valid. If so:
>
> 1. Update the user (in Keycloak) to have password supplied in
> List<UserCredentialModel> input
> 2. Break the federation link
> (session.userStorage().getUserById(user.getId(), realm).setFederationLink(null);)
>
> I’m going to publish a template for migrating users using this approach
> soon. For now, I hope this is enough to get you going in the right
> direction if you choose the federation provider approach.
>
> ~ Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
> On Oct 5, 2015, at 11:59 AM, Remi Cartier <remi.cartier at imetrik.com>
> wrote:
>
> Hey guys,
>
> I will have to migrate from a custom in-house user management system to
> Keycloak.
> We are using this algorithm to store salted/hashed passwords:
>
>     import java.math.BigInteger;
>     import java.security.spec.KeySpec;
>     import javax.crypto.SecretKeyFactory;
>     import javax.crypto.spec.PBEKeySpec;
>
>     public static String hashPassword(String password, String salt) {
>         try {
>             // PBKDF2-HMAC-SHA1, 2048 iterations, 160-bit derived key
>             KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 2048, 160);
>             SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>             byte[] hash = secretKeyFactory.generateSecret(keySpec).getEncoded();
>             // unpadded hex: toString(16) drops leading zero nibbles
>             return new BigInteger(1, hash).toString(16);
>         } catch (Exception x) {
>             throw new IllegalStateException(x);
>         }
>     }
>
> I was wondering, in order to ease the migration, if I could configure
> Keycloak to use the same hash algorithm?
>
> Or if there were any other ways? Like maybe a federation provider, but
> then comes the question of when to push things into Keycloak, at password
> change?
>
> What do you think?
>
> Sincerely.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
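As an added example (not code from this thread, from Keycloak, or from either poster's pastebin), the following Python model covers the two technical parts of the exchange: the legacy PBKDF2 hashPassword() quoted in Remi's message, and the migration flow Scott describes (create the user with a federation link on lookup, validate against the legacy system in validCredentials, then store the password locally and break the link). It assumes the legacy JVM's default charset was UTF-8 so that salt.getBytes() matches salt.encode("utf-8"); the LegacyStore class, the kc_users dict, the "legacy-jdbc" link value and the SHA-256/100,000-iteration local credential are constructed for this model and are not Keycloak's credential format or API.

```python
import hashlib
import hmac
import os
import secrets

# Parameters of the legacy hashPassword() quoted in the thread:
# PBKDF2-HMAC-SHA1, 2048 iterations, 160-bit (20-byte) derived key.
LEGACY_ITERATIONS = 2048
LEGACY_KEY_BYTES = 20
LEGACY_HEX_WIDTH = LEGACY_KEY_BYTES * 2

def legacy_hash(password: str, salt: str) -> str:
    """Reproduce the legacy Java hashPassword() output.
    Assumption: the legacy JVM's default charset is UTF-8, so salt.getBytes()
    gave the same bytes as salt.encode("utf-8"); Java's PBKDF2WithHmacSHA1
    encodes the password chars as UTF-8 as well. BigInteger(1, hash).toString(16)
    is an unpadded hex integer (leading zero nibbles dropped); format(..., "x")
    behaves the same way."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             salt.encode("utf-8"), LEGACY_ITERATIONS, LEGACY_KEY_BYTES)
    return format(int.from_bytes(dk, "big"), "x")

def verify_legacy(password: str, salt: str, stored_hex: str) -> bool:
    """Constant-time check against a legacy hash. Both sides are zero-padded to
    40 hex chars first, so a hash whose leading byte(s) were 0x00 (and was thus
    stored shorter than 40 chars by toString(16)) still verifies."""
    expected = legacy_hash(password, salt).zfill(LEGACY_HEX_WIDTH)
    candidate = stored_hex.strip().lower().zfill(LEGACY_HEX_WIDTH)
    return hmac.compare_digest(expected, candidate)

# --- Model of the migration flow from the thread (constructed; not Keycloak's API) ---
FEDERATION_LINK = "legacy-jdbc"  # hypothetical provider id, for this model only
LOCAL_ITERATIONS = 100_000       # chosen for this model's local credential only

class LegacyStore:
    """Stands in for the in-house user database (constructed sample data)."""
    def __init__(self):
        self.users = {}

    def add(self, username, password, email, enabled=True):
        salt = secrets.token_hex(8)
        self.users[username] = {"salt": salt, "hash": legacy_hash(password, salt),
                                "email": email, "enabled": enabled}

    def check(self, username, password):
        rec = self.users.get(username)
        return (rec is not None and rec["enabled"]
                and verify_legacy(password, rec["salt"], rec["hash"]))

def local_credential(password):
    """Fresh salted credential for the migrated user (this model's own format)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, LOCAL_ITERATIONS, 32)
    return {"salt": salt, "hash": dk, "iterations": LOCAL_ITERATIONS}

def local_verify(cred, password):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), cred["salt"],
                             cred["iterations"], len(cred["hash"]))
    return hmac.compare_digest(dk, cred["hash"])

def get_user_by_username(legacy, kc_users, username):
    """Step 1 of the flow: on lookup, create the user with a federation link
    and no password if it exists in the legacy system."""
    if username in kc_users:
        return kc_users[username]
    rec = legacy.users.get(username)
    if rec is None:
        return None
    user = {"username": username, "email": rec["email"], "enabled": rec["enabled"],
            "federation_link": FEDERATION_LINK, "credential": None}
    kc_users[username] = user
    return user

def valid_credentials(legacy, kc_users, username, password):
    """Step 2: while linked, validate against the legacy store; on the first
    success store the password locally and break the link. After that only
    the local credential is consulted."""
    user = get_user_by_username(legacy, kc_users, username)
    if user is None or not user["enabled"]:
        return False
    if user["federation_link"] is None:
        return user["credential"] is not None and local_verify(user["credential"], password)
    if not legacy.check(username, password):
        return False
    user["credential"] = local_credential(password)
    user["federation_link"] = None
    return True

if __name__ == "__main__":
    legacy, kc_users = LegacyStore(), {}
    legacy.add("remi", "hunter2", "remi@example.com")  # constructed sample user
    print(valid_credentials(legacy, kc_users, "remi", "wrong"))    # False, still linked
    print(valid_credentials(legacy, kc_users, "remi", "hunter2"))  # True, link broken
    print(kc_users["remi"]["federation_link"])                     # None
```

Two details of the quoted Java matter for interoperability tests like this one: salt.getBytes() uses the platform default charset, so a legacy deployment running with a non-UTF-8 default would produce different bytes for non-ASCII salts than the UTF-8 assumption above, and BigInteger.toString(16) yields a variable-length string (roughly one stored hash in 16 will be shorter than 40 characters), which is why verify_legacy pads both sides before the constant-time comparison rather than comparing raw strings.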

