
Commit 86b897e

authored
Merge pull request #4 from RobertHeim/master
Do not assume `argon2` based hashes
2 parents 67d9119 + 03eab1f commit 86b897e


1 file changed

+8
-2
lines changed


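--- a/src/main/java/be/cronos/keycloak/credential/hash/Argon2PasswordHashProvider.java
+++ b/src/main/java/be/cronos/keycloak/credential/hash/Argon2PasswordHashProvider.java
@@ -27,14 +27,20 @@ public Argon2PasswordHashProvider(String providerId, KeycloakSession session) {
 @Override
 public boolean policyCheck(PasswordPolicy policy, PasswordCredentialModel credential) {
 LOG.debugf("> policyCheck()");
+// Check it it is an argon2 encoded password.
+if (!providerId.equals(credential.getPasswordCredentialData().getAlgorithm())) {
+LOG.debugf("< policyCheck() -> Stored password uses a different algorithm and hence does not meet the Realm Password Policy.");
+return false;
+}
+// The stored password is a argon2 hash and hence checking the specific parameters of the policy is required.
+
 // Get the credential's Argon2 parameters
 Argon2EncodingUtils.Argon2Parameters storedArgon2Parameters = Argon2EncodingUtils.extractArgon2ParametersFromEncodedPassword(credential.getPasswordSecretData().getValue());
 // Get the configured Argon2 parameters
 Argon2EncodingUtils.Argon2Parameters configuredArgon2Parameters = getConfiguredArgon2Parameters();
 
 // Perform a comparison on whether a re-hash is needed
-boolean meetsRealmPolicy = providerId.equals(credential.getPasswordCredentialData().getAlgorithm())
-&& storedArgon2Parameters.getArgon2Variant().getArgon2BouncyCastle() == configuredArgon2Parameters.getArgon2Variant().getArgon2BouncyCastle()
+boolean meetsRealmPolicy = storedArgon2Parameters.getArgon2Variant().getArgon2BouncyCastle() == configuredArgon2Parameters.getArgon2Variant().getArgon2BouncyCastle()
 && storedArgon2Parameters.getVersion() == configuredArgon2Parameters.getVersion()
 && storedArgon2Parameters.getMemory() == configuredArgon2Parameters.getMemory()
 && storedArgon2Parameters.getIterations() == configuredArgon2Parameters.getIterations()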
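Review bot: The new guard in policyCheck() decides on the stored algorithm label alone, and the encoded value from `credential.getPasswordSecretData().getValue()` is still passed unchecked to `extractArgon2ParametersFromEncodedPassword` right after it. How that helper reacts to a malformed or truncated string is not visible in this hunk. If it can throw, a damaged record labelled with this provider's id would fail inside the policy check instead of simply being reported as not meeting the policy. That is worth confirming, and the assumption could be recorded next to the call with a comment such as `// Assumes a well-formed Argon2 encoded string once the algorithm id matches providerId`. The two added comments also contain typos and would read better as `// Check if it is an argon2 encoded password.` and `// The stored password is an argon2 hash ...`; the method body continues past the end of the hunk.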
