Store the (virtual) mail password in keycloak
We will store a password hash in the Keycloak user attributes. The attributes are writable exactly when the user can manage their own account. This implies that we must not save any data to the attributes that the user is not allowed to change. Their own mail password hash is fine.
- attribute to use: mail_password_hash
- no other attribute is saved
- preferably use Java on the server side for hashing
We also want to do some basic password validation (length > X). Keycloak already has something built in which we should be able to use; we just need to expose it.
The custom attribute needs to be added to the Account Console. The new account console is written in React and uses the REST endpoints, so we will need to edit it to use our custom endpoints.
For custom provider deployment see here for reference.
TODOs:
- Modify theme to add a custom attribute "mail_password_hash" to the account management console
- Implement a domain extension to provide a custom REST endpoint for bcrypt with cost 12 and the 2b variant (use the Bouncy Castle library; make sure to use the crypt-encoded version as implemented in OpenBSD)
- Implement a "password-validate" REST endpoint which uses the internal Keycloak API
- Ensure the password hash attribute in Keycloak can be modified (via the templating engine)
- Discuss which password hash algorithm to use (bcrypt)
- Update mail credential syncer script to use the 2b variant
- Write a manual on how to change the mail password
- Ping all arch mail users to store their passwords
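The following is an added illustration (not code from the Keycloak project or from this repository) of the hashing and validation the "bcrypt with cost 12, 2b variant" and "password-validate" items above call for, plus the format check the syncer script needs once it only accepts 2b hashes. It uses the Bouncy Castle `OpenBSDBCrypt` class from the references and assumes a minimum length of 12 characters for the "length > X" rule; the class name `MailPasswordHash` and the 12-character minimum are assumptions, not values from the page, and inside Keycloak the realm password policy would be used for validation instead of the simple check here.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.regex.Pattern;

import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

/**
 * Hypothetical helper for the planned Keycloak domain extension:
 * produces and checks crypt-encoded bcrypt "$2b$12$..." hashes with Bouncy Castle.
 */
public final class MailPasswordHash {
    static final int BCRYPT_COST = 12;          // cost 12, as decided in the TODO list
    static final String BCRYPT_VERSION = "2b";  // OpenBSD 2b variant
    static final int MIN_LENGTH = 12;           // assumed value for the "length > X" rule
    // bcrypt keys at most 72 bytes; leave room for the NUL terminator OpenBSD-style
    // implementations append, so anything longer is rejected instead of silently truncated
    static final int MAX_BYTES = 71;

    private static final SecureRandom RNG = new SecureRandom();
    // crypt-encoded bcrypt: "$2b$12$" + 22 salt chars + 31 hash chars = 60 chars total
    private static final Pattern ACCEPTED_FORMAT =
            Pattern.compile("^\\$2b\\$12\\$[./A-Za-z0-9]{53}$");

    private MailPasswordHash() {}

    /** Basic validation for the password-validate endpoint; returns null when the password is acceptable. */
    public static String validate(String password) {
        if (password == null || password.length() < MIN_LENGTH) {
            return "password must be at least " + MIN_LENGTH + " characters";
        }
        if (password.getBytes(StandardCharsets.UTF_8).length > MAX_BYTES) {
            return "password must not exceed " + MAX_BYTES + " bytes";
        }
        return null;
    }

    /** Hash with a fresh 128-bit salt; the result is the crypt string to store in mail_password_hash. */
    public static String hash(String password) {
        String error = validate(password);
        if (error != null) {
            throw new IllegalArgumentException(error);
        }
        byte[] salt = new byte[16];  // OpenBSDBCrypt requires exactly 16 salt bytes
        RNG.nextBytes(salt);
        return OpenBSDBCrypt.generate(BCRYPT_VERSION, password.toCharArray(), salt, BCRYPT_COST);
    }

    /** Format gate for the syncer: only 2b hashes with cost 12 are passed on to the mail server. */
    public static boolean isAcceptedHash(String storedHash) {
        return storedHash != null && ACCEPTED_FORMAT.matcher(storedHash).matches();
    }

    /** Verifies a candidate password against a stored hash, refusing hashes in the wrong format. */
    public static boolean verify(String storedHash, String password) {
        if (!isAcceptedHash(storedHash) || password == null) {
            return false;
        }
        return OpenBSDBCrypt.checkPassword(storedHash, password.toCharArray());
    }

    public static void main(String[] args) {
        String hash = hash("correct horse battery staple");  // constructed sample password
        System.out.println(hash);                            // prints the crypt-encoded 2b hash
        System.out.println(verify(hash, "correct horse battery staple"));  // matching password
        System.out.println(verify(hash, "wrong password"));                // non-matching password
        // a 2a hash with cost 10 is rejected by the format gate before any comparison happens
        StringBuilder legacy = new StringBuilder("$2a$10$");
        for (int i = 0; i < 53; i++) {
            legacy.append('x');
        }
        System.out.println(isAcceptedHash(legacy.toString()));
        System.out.println(validate("short"));  // reports the length violation
    }
}
```

`OpenBSDBCrypt.generate(version, password, salt, cost)` returns the crypt-encoded string directly, so nothing but the salt handling is left to the extension; `checkPassword` parses the version, cost and salt back out of the stored string, which is why the syncer only has to ship the attribute value unchanged.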
References:
- https://www.keycloak.org/docs/latest/server_development/#_extensions_rest
- https://github.com/keycloak/keycloak/tree/master/examples/providers/rest
- https://github.com/keycloak/keycloak/tree/master/examples/providers/domain-extension
- https://www.keycloak.org/docs/latest/server_development/#account-management-console
- https://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/generators/OpenBSDBCrypt.html