Keycloak currently supports SHA-256/SHA-512 and Argon2 as native hashing algorithms, but Bcrypt is absent from this list of algorithms. This absence of native support for Bcrypt means that users would have to implement their own "PasswordHashProvider" Service Provider Interface in order to support the hashing algorithm, or alternatively use another piece of third-party software.
The main use case for Bcrypt compatibility with Keycloak would be legacy database migration. There still exists a large suite of software built on frameworks like Spring Security and Laravel, as examples, both of which default to Bcrypt for password hashing. Due to the lack of native support for the algorithm, the only workarounds are to:
Force a password reset for all users
Write and maintain a custom SPI for your application
Or, temporarily store unhashed passwords during migration
Alternatively, one could use third-party software like keycloak-bcrypt in order to support the algorithm, but notably this example has stopped being consistently maintained by its own author (leroyguillame), indicating that having built-in support for Bcrypt is likely a better long-term solution.
Ultimately, this feature implementation would consist of a handful of steps, including the actual creation of a Bcrypt hash provider itself, the explicit description of it as a legacy/migration provider in the documentation alongside warnings discouraging its use for new user databases, as well as verification of the algorithm through rigorous testing.
I would love to know whether this is something that has been discussed extensively before and I have just missed it, as well as whether this functionality is in scope for implementation directly in Keycloak.
Thanks in advance,
Sebastian C.
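As an added illustration of the "custom SPI" workaround the post describes (this is example code written for this page, not code from Keycloak or from the keycloak-bcrypt project), below is a minimal PasswordHashProviderFactory for bcrypt framed as a migration-only provider. The package name, the algorithm id "bcrypt" and the default cost are assumptions; the bcrypt primitive comes from the at.favre.lib:bcrypt library, which is assumed to be on the classpath. The migration behaviour relies on Keycloak's default password credential provider re-hashing a password with the realm's configured algorithm when policyCheck() returns false, which is also stated as an assumption in the comments.

```java
package org.example.keycloak.bcrypt; // hypothetical package; not from Keycloak or keycloak-bcrypt

import at.favre.lib.crypto.bcrypt.BCrypt; // assumed dependency: at.favre.lib:bcrypt
import org.keycloak.Config;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.credential.hash.PasswordHashProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.credential.PasswordCredentialModel;

/**
 * Legacy/migration bcrypt provider. It is registered under the algorithm id "bcrypt"
 * so that imported credentials whose credentialData carries {"algorithm":"bcrypt"}
 * are verified here while the realm policy stays on a native algorithm (e.g. argon2).
 * Not intended for hashing passwords of new user databases.
 */
public class BcryptPasswordHashProviderFactory implements PasswordHashProviderFactory {

    public static final String ID = "bcrypt"; // assumed algorithm id
    // bcrypt "iterations" are the log2 cost factor; 10 is Spring Security's default strength.
    private static final int DEFAULT_COST = 10;

    @Override public PasswordHashProvider create(KeycloakSession session) {
        return new BcryptPasswordHashProvider(DEFAULT_COST);
    }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return ID; }

    static final class BcryptPasswordHashProvider implements PasswordHashProvider {
        private final int defaultCost;

        BcryptPasswordHashProvider(int defaultCost) { this.defaultCost = defaultCost; }

        /**
         * Migration rule: a stored bcrypt hash only satisfies the policy when the realm
         * itself is configured for bcrypt with a cost no higher than the stored one.
         * Returning false is assumed to make Keycloak's default PasswordCredentialProvider
         * re-hash the password with the realm's configured algorithm on the next successful
         * login, which is what quietly moves migrated users off bcrypt.
         */
        @Override
        public boolean policyCheck(PasswordPolicy policy, PasswordCredentialModel credential) {
            String policyAlgorithm = policy.getHashAlgorithm();
            if (policyAlgorithm != null && !ID.equals(policyAlgorithm)) {
                return false; // realm has moved on (e.g. argon2): force an upgrade
            }
            int requiredCost = policy.getHashIterations() == -1 ? defaultCost : policy.getHashIterations();
            return credential.getPasswordCredentialData().getHashIterations() >= requiredCost;
        }

        @Override
        public PasswordCredentialModel encodedCredential(String rawPassword, int iterations) {
            int cost = iterations == -1 ? defaultCost : iterations;
            // bcrypt embeds its 128-bit salt in the $2a$ string, so no separate salt is stored.
            return PasswordCredentialModel.createFromValues(ID, new byte[0], cost, encode(rawPassword, cost));
        }

        @Override
        public String encode(String rawPassword, int iterations) {
            int cost = iterations == -1 ? defaultCost : iterations;
            return BCrypt.withDefaults().hashToString(cost, rawPassword.toCharArray());
        }

        @Override
        public boolean verify(String rawPassword, PasswordCredentialModel credential) {
            String stored = credential.getPasswordSecretData().getValue();
            try {
                // The lenient verifyer accepts the $2a$, $2b$ and PHP $2y$ prefixes that
                // Spring Security and Laravel databases contain.
                return BCrypt.verifyer().verify(rawPassword.toCharArray(), stored).verified;
            } catch (IllegalArgumentException e) {
                // Caveat: bcrypt only hashes the first 72 bytes. Some frameworks truncate silently,
                // whereas this library may reject longer input depending on its long-password
                // strategy; a legacy user with such a password would land here and fail to log in.
                return false;
            }
        }

        @Override public void close() { }
    }
}
```

To wire it in, the factory class name goes into META-INF/services/org.keycloak.credential.hash.PasswordHashProviderFactory in the provider JAR, and imported credentials carry "bcrypt" as their algorithm in credentialData. With the realm password policy set to hashAlgorithm(argon2), new passwords are never bcrypt-hashed by this provider; existing bcrypt hashes verify here once and are re-hashed to argon2 on that login, which is the migration-only posture the post argues for.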