Background
I need to migrate a user database for a bespoke app into Keycloak. I have created a `keycloak-add-user.json` file that imports the users successfully. Migrated user passwords are hashed in the original system; however, I've implemented a Keycloak Password Hash SPI service class that uses the existing algorithm to validate the hash and salt value of a migrated user. The Hash SPI class implements `PasswordHashProviderFactory` and `PasswordHashProvider` from the Keycloak SPI and is based on `Pbkdf2PasswordHashProvider`.
```java
public class MyPasswordHashProvider implements PasswordHashProviderFactory, PasswordHashProvider {
    public static final String ID = "XXXX";
    // ... remaining factory and provider methods
}
```
The issue
When a migrated user tries to authenticate with Keycloak, an error is logged by `org.keycloak.hash.PasswordHashManager`:

```
Could not find hash provider XXXX for password
```
My jar contains an initialisation file

```
META-INF/services/org.keycloak.models.PasswordHashProviderFactory
```

with a single line containing the full classname of the HashProvider implementation:

```
my.folder.MyPasswordHashProvider
```
This was based on the Federation SPI doco, but documentation for the Keycloak Password Hash SPI seems to be non-existent. What am I missing, or what do I need to do to register and use my Hash Provider with Keycloak?
This turned out to be a copy/paste error: the initialisation file had the wrong package name 'model' rather than 'hash' and therefore didn't match the `PasswordHashProviderFactory`.
In the provider jar the initialisation file needs to be named:

```
META-INF/services/org.keycloak.credential.hash.PasswordHashProviderFactory
```

and contain a single line with the full name of the implementation factory class, in this case:

```
my.folder.MyPasswordHashProvider
```
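The registration mistake in the question (a service file under `org.keycloak.models...` instead of `org.keycloak.credential.hash...`) is easy to catch before deploying the jar. The following is an added example, not code from the question, the answer or the Keycloak project: a small Python check that opens a provider jar, reads the `META-INF/services` entry for the correct factory interface name, and confirms that every listed factory class is actually present as a `.class` entry. The jars it inspects are constructed inline so the check runs offline; `build_jar` and the `my.folder.MyPasswordHashProvider` placeholder class are assumptions for the demonstration, not a real build artifact.

```python
import io
import zipfile

# Service interface name Keycloak's ServiceLoader looks up for password hash providers
# (the correct file name from the answer above).
HASH_FACTORY_SERVICE = "org.keycloak.credential.hash.PasswordHashProviderFactory"
# The mistaken name from the question, kept so the check can name the exact error.
WRONG_HASH_FACTORY_SERVICE = "org.keycloak.models.PasswordHashProviderFactory"
SERVICES_DIR = "META-INF/services/"


def read_service_file(jar, service_name):
    """Return the class names listed in META-INF/services/<service_name>.

    Blank lines and '#' comments are ignored, as java.util.ServiceLoader does.
    An absent file yields an empty list.
    """
    try:
        raw = jar.read(SERVICES_DIR + service_name).decode("utf-8")
    except KeyError:
        return []
    entries = []
    for line in raw.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def check_hash_provider_jar(jar_bytes):
    """Return a list of problems found in the jar; an empty list means it should register."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        factories = read_service_file(jar, HASH_FACTORY_SERVICE)
        if not factories:
            problems.append("missing or empty " + SERVICES_DIR + HASH_FACTORY_SERVICE)
            # Point at the copy/paste error from the question explicitly.
            if SERVICES_DIR + WRONG_HASH_FACTORY_SERVICE in names:
                problems.append(
                    "found " + SERVICES_DIR + WRONG_HASH_FACTORY_SERVICE
                    + ": wrong package, rename the file to " + HASH_FACTORY_SERVICE
                )
        # Every class named in the service file must ship in the same jar.
        for cls in factories:
            class_entry = cls.replace(".", "/") + ".class"
            if class_entry not in names:
                problems.append(cls + " is listed but " + class_entry + " is not in the jar")
    return problems


def build_jar(service_name, factory_class, include_class=True):
    """Constructed sample jar for the demo: one service file plus an empty placeholder .class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVICES_DIR + service_name, factory_class + "\n")
        if include_class:
            jar.writestr(factory_class.replace(".", "/") + ".class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    factory = "my.folder.MyPasswordHashProvider"  # hypothetical class name from the question
    for label, jar_bytes in [
        ("correct jar", build_jar(HASH_FACTORY_SERVICE, factory)),
        ("wrong service name", build_jar(WRONG_HASH_FACTORY_SERVICE, factory)),
        ("class missing", build_jar(HASH_FACTORY_SERVICE, factory, include_class=False)),
    ]:
        print(label + ":", check_hash_provider_jar(jar_bytes) or "ok")
```

To inspect a real artifact, read the file into `check_hash_provider_jar` (for example `check_hash_provider_jar(open("my-provider.jar", "rb").read())`). A clean result only shows that the factory will be discovered; the "Could not find hash provider XXXX" message also requires that the `ID` the factory returns matches the algorithm name stored on the imported credentials, so keep the two in sync.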