Tags: java, php, symfony, keycloak, password-encryption

Keycloak: does a MessageDigestPasswordEncoder sha512 equivalent exist?


I am in the process of migrating users from an OAuth 2 system made with Symfony to Keycloak. Creating the users in Keycloak with the encrypted password is OK, but I can't find an algorithm equivalent to mine.

Example of user creation (POST body):

{
    "firstName": "test_encryption",
    "lastName": "test_encryption",
    "email": "jeremy.rafflin.test@ageo.fr",
    "credentials": [{
        "type": "password",
        "secretData": "{\"value\":\"zeR2Uapc+a/2qD5QR56gh3mVb+KOeZ2XU+rkWMK6B5A=\",\"salt\":\"OThjajM1WnVZWlI3UzZOLk12WjJsQS9VWWZXQXp0WGZGLm5tL2hGSVFzbw==\"}",
        "credentialData": "{\"algorithm\":\"sha512\",\"hashIterations\":5000}"
    }]
}

For the current encryption in PHP I am using https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php. Which amounts to:

$password = 'toto';
$salt = '1234';
// Symfony merges password and salt as password{salt}
$salted = $password.'{'.$salt.'}';
// first round: raw (binary) SHA-512 of the merged string
$digest = hash('sha512', $salted, true);

// remaining rounds: hash the previous digest concatenated with the merged string
for ($i=1; $i<5000; $i++) {
    $digest = hash('sha512', $digest.$salted, true);
}

// stored form is the base64 of the final binary digest
$encodedPassword = base64_encode($digest);

In the Spring documentation, https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html, I see:

package org.springframework.security.crypto.factory;

public class PasswordEncoderFactories {
    ...
    public static PasswordEncoder createDelegatingPasswordEncoder() {
        String encodingId = "bcrypt"; 
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put(encodingId, new BCryptPasswordEncoder()); 
        encoders.put("ldap", new LdapShaPasswordEncoder());
        encoders.put("MD4", new Md4PasswordEncoder());
        encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new StandardPasswordEncoder());

        return new DelegatingPasswordEncoder(encodingId, encoders);
    }
    ...
}

So I thought my algorithm matched MessageDigestPasswordEncoder ("SHA-512") and tried to create a user, but it doesn't work: "credentialData": "{"algorithm":"SHA-512","hashIterations":5000}"

Does my algorithm exist in Keycloak or do I have to create a custom credential algorithm?
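As an added example (not code from the question, Symfony or Keycloak), here is a Python port of the PHP algorithm above with a constant-time verify function, so a batch of exported hashes can be checked against known test passwords before they are imported; the function names and the 'toto'/'1234' sample are constructed for illustration.

```python
import base64
import hashlib
import hmac


def merge_password_and_salt(password: str, salt: str) -> bytes:
    """Symfony's mergePasswordAndSalt(): password{salt}, or the bare password when the salt is empty."""
    if not salt:
        return password.encode("utf-8")
    if "{" in salt or "}" in salt:
        raise ValueError("cannot use { or } in salt")  # Symfony rejects these as well
    return f"{password}{{{salt}}}".encode("utf-8")


def symfony_message_digest_encode(password: str, salt: str, algorithm: str = "sha512",
                                  iterations: int = 5000, encode_as_base64: bool = True) -> str:
    """Port of MessageDigestPasswordEncoder::encodePassword(): hash the merged string once,
    then re-hash digest || salted (iterations - 1) more times; output base64 (or hex)."""
    if len(password) > 4096:
        raise ValueError("password too long")  # mirrors Symfony's maximum password length guard
    salted = merge_password_and_salt(password, salt)
    digest = hashlib.new(algorithm, salted).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest + salted).digest()
    return base64.b64encode(digest).decode("ascii") if encode_as_base64 else digest.hex()


def symfony_message_digest_verify(encoded: str, password: str, salt: str, **kwargs) -> bool:
    """Recompute the hash for a candidate password and compare in constant time."""
    try:
        candidate = symfony_message_digest_encode(password, salt, **kwargs)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample matching the PHP snippet in the question: 'toto' with salt '1234'.
    stored = symfony_message_digest_encode("toto", "1234")
    print(stored)
    print(symfony_message_digest_verify(stored, "toto", "1234"))
```

Note that Keycloak's secretData carries the salt as base64 of the raw salt bytes (the value in the question decodes to a plain Symfony-style salt string), while this port, like Symfony, takes the raw salt.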


Solution

  • Does my algorithm exist in Keycloak or do I have to create a custom credential algorithm?

    From the Keycloak Documentation:

    Here’s an explanation of each policy type:

    HashAlgorithm

    Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. The only built-in and default algorithm available is PBKDF2.

    Nevertheless, Keycloak allows you to customize and deploy your own algorithm by taking advantage of Service Provider Interfaces.