Migration of password hashes #11794

psachmann · 2022-05-02T10:56:20Z

psachmann
May 2, 2022

Hello,

we are currently in the process of migrating our custom user store including credentials to Keycloak. Our user store uses BCrypt for password hashing and we want use Keycloak's default hashing algorithm. We observed that Keycloak will update old password hashes using the hashing algorithm set in the password policy. This allows a soft transition between BCrypt and Keycloak which is really handy for us. I couldn't find any documentation about this behavior and would like to ask, if this behavior is intended and can be used for a soft migration.

Kind regards,
Patrick

MerlijnElderhuis · 2022-05-03T13:20:37Z

MerlijnElderhuis
May 3, 2022

Hi! I'm currently dealing with the same issue as you are.
I found some resources about the way the data should be formatted, but logging still will not work.

Resources:

https://github.com/keycloak/keycloak/blob/04415d34eab5ed577c472802df4ca11fbafabc7e/server-spi/src/main/java/org/keycloak/models/credential/dto/PasswordSecretData.java
keycloak/server-spi/src/main/java/org/keycloak/models/credential/dto/PasswordCredentialData.java

Line 6 in 04415d3

public class PasswordCredentialData {
CredentialRepresentation section on https://www.keycloak.org/docs-api/11.0/rest-api/#_credentialrepresentation
and the discussion over here: https://groups.google.com/g/keycloak-user/c/XgUbXJr2xsM (even though they are not dealing with bcrypt over there)
Also found this repo, which I think is aimed at including a bcrypt adapter within keycloak: https://github.com/leroyguillaume/keycloak-bcrypt

It seems that the data you need to send to the create_user endpoint should be in the following format, where b64_salt is actually the base64 encoded value of the salt part of the bcrypt password value.(we're using python so this is what I've tried)

{
    "email": email,
    "username": email,
    "enabled": True,
    "emailVerified": True,
    "credentials": [
        {
            "type": "password",
            "credentialData": json.dumps({"hashIterations": 12, "algorithm": "bcrypt"}),
            "secretData": json.dumps({"value": value, "salt": b64_salt}),
        }
    ],
}

If anyone has some tips on how to continue, this would be very welcome. If I ever manage to do it, I will provide an update.

0 replies

MerlijnElderhuis · 2022-05-03T14:53:37Z

MerlijnElderhuis
May 3, 2022

Update:
Managed to get it working by installing a release of this repo in the keycloak application: https://github.com/leroyguillaume/keycloak-bcrypt

Used the curl command below (ran from inside a docker container, after which I restarted the container).
ENV values:

KEYCLOAK_BCRYPT_VERSION=1.5.0
KEYCLOAK_HOME=~/keycloak

curl -L https://github.com/leroyguillaume/keycloak-bcrypt/releases/download/${KEYCLOAK_BCRYPT_VERSION}/keycloak-bcrypt-${KEYCLOAK_BCRYPT_VERSION}.jar > ${KEYCLOAK_HOME}/standalone/deployments/keycloak-bcrypt-${KEYCLOAK_BCRYPT_VERSION}.jar

After having done that, I could insert existing users in the db by using the following as input for the user_create endpoint:
pw_hashed is the hashed password including salt, so basically the old value in your db.

{
    "email": email,
    "username": email,
    "enabled": True,
    "emailVerified": True,
    "credentials": [
        {
            "type": "password",
            "hashIterations": "12",
            "hashedSaltedValue": pw_hashed,
            "algorithm": "bcrypt",
        }
    ]
}

1 reply

psachmann May 4, 2022
Author

Thank you for your answer. Maybe I was not precise enough. We have already a working proof of concept here https://github.com/hpi-schul-cloud/erwin-idm/tree/feature/EW-133-bcrypt-spike, which already uses Keycloak BCrypt Plugin and Keycloak Admin CLI to access Keycloak. Our main concern is how we migrate the password hashes, because we want to avoid having dependencies to third party plugins/libraries in the long run, that might need maintenance from us.

During the work on the proof we found out that Keycloak 17 + 18 (tested from us) will automatically update hashes to the default password hashing algorithm set in the password policy during a new user login. This behavior is not documented (or I didn't found it) and would greatly aid our migration process.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Migration of password hashes #11794

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Migration of password hashes #11794

Uh oh!

psachmann May 2, 2022

Replies: 2 comments · 1 reply

Uh oh!

Uh oh!

MerlijnElderhuis May 3, 2022

Uh oh!

MerlijnElderhuis May 3, 2022

Uh oh!

psachmann May 4, 2022 Author

psachmann
May 2, 2022

Replies: 2 comments 1 reply

MerlijnElderhuis
May 3, 2022

MerlijnElderhuis
May 3, 2022

psachmann May 4, 2022
Author