
The Java EE application (deployed to WildFly) stores sensitive data such as access keys, etc. for different users in a DB. In order to decrypt this data, it needs a master password associated with the current user. The password entered when the user logs in to the application is used for this.

Now I'm considering the possibility of using Keycloak to secure this application. But it looks like there's no way to obtain the password for the currently logged-in user with Keycloak (as it operates with tokens)? Asking the user to enter the password again in the application is not an option.

The question is: is it possible to configure Keycloak to provide a constant (secret) value in a token for the current user which will not be stored unencrypted in the Keycloak DB?

Oleg Khaschansky
  • Keycloak more than likely stores passwords as a [one-way hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function). It is virtually impossible to decrypt it back into the original password. – Steve C Apr 09 '16 at 03:23
  • PicketLink, for example, allows access to the current user's credentials. Since I was going to run Keycloak and the app in the same container, I'd be happy if Keycloak could give the password back to the application. – Oleg Khaschansky Apr 09 '16 at 03:42
  • Have you looked into assertions with Keycloak? http://keycloak.github.io/docs/userguide/saml-client-adapter/html/assertions.html http://stackoverflow.com/a/32890003 You could store the encryption key for each user. As far as encrypting the encryption key, may need to look into DBMS encryption to handle that scenario. – pygator Apr 10 '16 at 14:42
  • Thanks for your suggestion; could you elaborate a little bit? I understand that it's possible to add any custom attribute to the KeycloakPrincipal. How might SAML assertions help here? But the question is whether these attributes could be encrypted in the Keycloak DB. And since the Keycloak DB is going to be in the same place as the main DB, it requires the same approach to encryption: it should be encrypted with the user's password. I am not quite sure if it is possible to configure Keycloak to do this. – Oleg Khaschansky Apr 11 '16 at 00:03

1 Answer


It looks like it is possible to get hold of the password, or data derived from it, using the custom Authenticator API. I am not 100% sure that it works, but it seems to be a possible answer.

Oleg Khaschansky
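A sketch of the custom Authenticator approach the answer names, added here as an illustration; it is not code from the question, the answer or the Keycloak project. Rather than exposing the login password itself, it derives a key from the password with PBKDF2 and a per-user salt and places only the derived key in a user session note, which a standard "User Session Note" protocol mapper can then copy into a token claim. It assumes Keycloak's Authenticator SPI (`org.keycloak.authentication`), that the class is registered through an `AuthenticatorFactory` (not shown) and placed in the browser flow as a REQUIRED execution directly after the Username Password Form so the POSTed `password` field is still on the request being processed, and the names `KeyDerivingAuthenticator`, `data_key_salt` and `data_key` are assumptions.

```java
// Added example, not code from the question, the answer or the Keycloak project.
// Assumes Keycloak's Authenticator SPI and that this class is registered through an
// AuthenticatorFactory (not shown) and placed in the browser flow as a REQUIRED
// execution directly after "Username Password Form", so the POSTed "password" field
// is still present on the HTTP request being processed.
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class KeyDerivingAuthenticator implements Authenticator {

    // Assumed names: a per-user salt kept as a (non-secret) user attribute, and the
    // user-session note that a "User Session Note" protocol mapper copies into a claim.
    static final String SALT_ATTRIBUTE = "data_key_salt";
    static final String SESSION_NOTE = "data_key";
    static final int PBKDF2_ITERATIONS = 310_000;
    static final int KEY_BITS = 256;

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String password = context.getHttpRequest().getDecodedFormParameters().getFirst("password");
        UserModel user = context.getUser();
        if (password == null || password.isEmpty() || user == null) {
            // No password on this request (another credential type, or a re-entry into
            // the flow): fail closed instead of issuing a session without the key.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }

        // Create the salt on first login so the derived key stays stable for this user
        // as long as the password does not change.
        String salt = user.getFirstAttribute(SALT_ATTRIBUTE);
        if (salt == null) {
            salt = newSalt();
            user.setSingleAttribute(SALT_ATTRIBUTE, salt);
        }

        // Only the derived key leaves this method; the password itself is not stored.
        context.getAuthenticationSession().setUserSessionNote(SESSION_NOTE, deriveKey(password, salt));
        context.success();
    }

    /** PBKDF2-HMAC-SHA256 over the login password and the user's salt, Base64-encoded. */
    static String deriveKey(String password, String saltBase64) {
        try {
            byte[] salt = Base64.getDecoder().decode(saltBase64);
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, KEY_BITS);
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            byte[] key = factory.generateSecret(spec).getEncoded();
            spec.clearPassword();
            return Base64.getEncoder().encodeToString(key);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 is not available", e);
        }
    }

    /** 16 random bytes, Base64-encoded, stored once per user. */
    static String newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt);
    }

    // This authenticator renders no form of its own, so there is no POST to handle here.
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

With this in place, what sits unencrypted in the Keycloak DB is only the per-user salt, which is useless without the password; the derived key lives with the user session and reaches the application as a claim. The application can use that claim directly as the master key, or better as a key-encryption key that unwraps a per-user data key, so a password change only requires re-wrapping that data key. Because the token now carries key material, keep its lifetime short and pass it only over TLS, and choose the access token or ID token mapping deliberately so the key is not handed to clients that do not need it.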