diff --git a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml index 5771c12ba9..5900f8cca0 100755 --- a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml +++ b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml @@ -111,4 +111,14 @@ + + + + + + + TYPE in ('password-history', 'password') AND ALGORITHM is 'HmacSHA1' + + + \ No newline at end of file diff --git a/server-spi/src/main/java/org/keycloak/hash/PasswordHashManager.java b/server-spi/src/main/java/org/keycloak/hash/PasswordHashManager.java index 60effdbb4d..329284fe7d 100644 --- a/server-spi/src/main/java/org/keycloak/hash/PasswordHashManager.java +++ b/server-spi/src/main/java/org/keycloak/hash/PasswordHashManager.java @@ -1,5 +1,6 @@ package org.keycloak.hash; +import org.jboss.logging.Logger; import org.keycloak.models.*; /** @@ -7,6 +8,8 @@ import org.keycloak.models.*; */ public class PasswordHashManager { + private static final Logger log = Logger.getLogger(PasswordHashManager.class); + public static UserCredentialValueModel encode(KeycloakSession session, RealmModel realm, String rawPassword) { return encode(session, realm.getPasswordPolicy(), rawPassword); } 
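Review bot: The where clause visible in the `jpa-changelog-1.8.0.xml` hunk, `TYPE in ('password-history', 'password') AND ALGORITHM is 'HmacSHA1'`, compares a string with `is`, which standard SQL reserves for NULL and boolean tests. Several databases reject that form or do not treat it as equality, so I would write `ALGORITHM = 'HmacSHA1'`. The surrounding changeSet markup is not readable in this view, so the value the update writes cannot be confirmed. If the statement fails or matches no rows, stored credentials would keep the old algorithm name, and the null check this commit adds to `PasswordHashManager.verify` would reject those logins whenever no provider is registered under that name.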
@@ -17,9 +20,10 @@ public class PasswordHashManager {
 if (iterations < 1) {
 iterations = 1;
 }
- PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, algorithm);
+ PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, passwordPolicy.getHashAlgorithm());
 if (provider == null) {
- throw new RuntimeException("Password hash provider for algorithm " + algorithm + " not found");
+ log.warnv("Could not find hash provider {0} from password policy, using default provider {1}", algorithm, Constants.DEFAULT_HASH_ALGORITHM);
+ provider = session.getProvider(PasswordHashProvider.class, Constants.DEFAULT_HASH_ALGORITHM);
 }
 return provider.encode(rawPassword, iterations);
 }
@@ -31,6 +35,10 @@ public class PasswordHashManager {
 public static boolean verify(KeycloakSession session, PasswordPolicy passwordPolicy, String password, UserCredentialValueModel credential) {
 String algorithm = credential.getAlgorithm() != null ? credential.getAlgorithm() : passwordPolicy.getHashAlgorithm();
 PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, algorithm);
+ if (provider == null) {
+ log.warnv("Could not find hash provider {0} for password", algorithm);
+ return false;
+ }
 return provider.verify(password, credential);
 }
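Review bot: In the `@@ -17,9 +20,10 @@` hunk (the `encode` overload), the fallback lookup is never checked, so if no provider is registered for `Constants.DEFAULT_HASH_ALGORITHM` either, `provider.encode(rawPassword, iterations)` throws a NullPointerException where the old code raised a descriptive error. After the second `getProvider` call I would add `if (provider == null) { throw new RuntimeException("Default password hash provider " + Constants.DEFAULT_HASH_ALGORITHM + " not found"); }`. The fallback also means a policy naming an unavailable algorithm produces hashes with a different algorithm than the administrator configured, signalled only by a warning on each call; a comment on the fallback branch should say that this is intended. The method signature and the declaration of `algorithm` are outside the hunk.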
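Review bot: In the `@@ -31,6 +35,10 @@` hunk (`verify`), a missing provider is returned to the caller as an ordinary failed verification, so a deployment lacking the provider for a stored credential's algorithm looks like a run of wrong passwords. Failing closed is the right behaviour, but the reason is undocumented; above the null check I would add `// No fallback: a stored hash can only be checked by the algorithm that produced it, so fail closed.` The callers are not visible here, but they presumably cannot tell this case from a bad password, so logging it at error level rather than warn would make the misconfiguration easier to spot.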