Keycloak 是一个 MessageDigestPasswordEncoder sha512 存在吗?
Keycloack is a MessageDigestPasswordEncoder sha512 exists?
我正在将用户从使用 Symfony 制作的 OAuth 2 系统迁移到 Keycloak。
在Keycloak中用加密后的密码创建用户是可以的,但是我找不到与我的算法等价的算法。
用户创建示例:
Post
{
"firstName": "test_encryption",
"lastName":"test_encryption",
"email":"jeremy.rafflin.test@ageo.fr",
"credentials": [{
"type":"password",
"secretData":"{\"value\":\"zeR2Uapc+a/2qD5QR56gh3mVb+KOeZ2XU+rkWMK6B5A=\",\"salt\":\"OThjajM1WnVZWlI3UzZOLk12WjJsQS9VWWZXQXp0WGZGLm5tL2hGSVFzbw==\"}",
"credentialData": "{\"algorithm\":\"sha512\",\"hashIterations\":5000}"
}]
}
对于 PHP 中的当前加密,我正在使用 https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php。
相当于:
$password = 'toto';
$salt = '1234';
$salted = $password.'{'.$salt.'}';
$digest = hash('sha512', $salted, true);
for ($i=1; $i<5000; $i++) {
$digest = hash('sha512', $digest.$salted, true);
}
$encodedPassword = base64_encode($digest);
在 spring 文档中,https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html 我看到了:
包 org.springframework.security.crypto.factory;
public class PasswordEncoderFactories {
...
public static PasswordEncoder createDelegatingPasswordEncoder() {
String encodingId = "bcrypt";
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
encoders.put("ldap", new LdapShaPasswordEncoder());
encoders.put("MD4", new Md4PasswordEncoder());
encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
encoders.put("noop", NoOpPasswordEncoder.getInstance());
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
encoders.put("sha256", new StandardPasswordEncoder());
return new DelegatingPasswordEncoder(encodingId, encoders);
}
...
}
所以我认为我的算法匹配 MessageDigestPasswordEncoder ("SHA-512") 并尝试创建一个用户,但它不起作用:
"credentialData": "{"algorithm":"SHA-512","hashIterations":5000}"
我的算法是否存在于 keycloak 中,或者我是否必须创建自定义凭证算法?
Does my algorithm exist in keycloak or do I have to create a custom
credential algorithm ?
以下是对每种政策类型的解释:
HashAlgorithm
Passwords are not stored as clear text. Instead they are
hashed using standard hashing algorithms before they are stored or
validated. The only built-in and default algorithm available is
PBKDF2.
不过,Keycloak 允许您利用 Service Provider Interfaces.
自定义和部署自己的算法
我正在将用户从使用 Symfony 制作的 OAuth 2 系统迁移到 Keycloak。 在Keycloak中用加密后的密码创建用户是可以的,但是我找不到与我的算法等价的算法。
用户创建示例:
Post
{
"firstName": "test_encryption",
"lastName":"test_encryption",
"email":"jeremy.rafflin.test@ageo.fr",
"credentials": [{
"type":"password",
"secretData":"{\"value\":\"zeR2Uapc+a/2qD5QR56gh3mVb+KOeZ2XU+rkWMK6B5A=\",\"salt\":\"OThjajM1WnVZWlI3UzZOLk12WjJsQS9VWWZXQXp0WGZGLm5tL2hGSVFzbw==\"}",
"credentialData": "{\"algorithm\":\"sha512\",\"hashIterations\":5000}"
}]
}
对于 PHP 中的当前加密,我正在使用 https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php。 相当于:
$password = 'toto';
$salt = '1234';
$salted = $password.'{'.$salt.'}';
$digest = hash('sha512', $salted, true);
for ($i=1; $i<5000; $i++) {
$digest = hash('sha512', $digest.$salted, true);
}
$encodedPassword = base64_encode($digest);
在 spring 文档中,https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html 我看到了:
包 org.springframework.security.crypto.factory;
public class PasswordEncoderFactories {
...
public static PasswordEncoder createDelegatingPasswordEncoder() {
String encodingId = "bcrypt";
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
encoders.put("ldap", new LdapShaPasswordEncoder());
encoders.put("MD4", new Md4PasswordEncoder());
encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
encoders.put("noop", NoOpPasswordEncoder.getInstance());
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
encoders.put("sha256", new StandardPasswordEncoder());
return new DelegatingPasswordEncoder(encodingId, encoders);
}
...
}
所以我认为我的算法匹配 MessageDigestPasswordEncoder ("SHA-512") 并尝试创建一个用户,但它不起作用: "credentialData": "{"algorithm":"SHA-512","hashIterations":5000}"
我的算法是否存在于 keycloak 中,或者我是否必须创建自定义凭证算法?
Does my algorithm exist in keycloak or do I have to create a custom credential algorithm ?
以下是对每种政策类型的解释:
HashAlgorithm
Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. The only built-in and default algorithm available is PBKDF2.
不过,Keycloak 允许您利用 Service Provider Interfaces.
自定义和部署自己的算法