Custom password hash requires username

Hi Guys,

I’m a new user of KeyCloak. My company is currently transferring from a legacy monolith server to microservices. Therefore we are starting a migration process to KeyCloak. Up till now, it is going very well. However, our legacy user management password-hashing method uses both password and username, but in KeyCloak the PasswordHashProvider.encodedCredential method accepts only the raw password as a parameter. Is there a way to override this behavior?
I will be happy to get some feedback.

Thanks,
Galit

You could write a custom Authenticator to override UsernamePasswordForm (if that’s what you’re using in your auth flow) and then update the form value for the password to something like “{username}{special delimiter}{password}”. Then your PasswordHashProvider could parse out the username and password.

Hi, Thanks for your answer!
I was wondering, can I create my own UserStorageProvider that overrides the UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, UserStorageProviderFactory interfaces and change behavior from there?
I’m asking because I need to override both isValid and createCredential methods. Does it make sense?

Yes. That would also work, but that is assuming you want to continue using the legacy user store, rather than import things into Keycloak.

I used it and it worked. I actually want to continue using the algorithm even after the legacy system is no longer in use.

Thanks a lot for your help!
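
A sketch of the `isValid` approach discussed in this thread, added here as an example and not code from any poster or from Keycloak itself. `LegacyUsernamePasswordValidator`, `storedHashLookup` and `legacyHash` are hypothetical names, and the PBKDF2 call is a stand-in because the thread does not say what the legacy algorithm is; the point is that the username comes from `UserModel`, so no delimiter has to be parsed out of the password field.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.function.Function;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;

// Hypothetical validator: checks a password against a legacy hash that also covers the username.
public class LegacyUsernamePasswordValidator implements CredentialInputValidator {
    // Assumption: returns the stored legacy hash for a username, or null if there is none.
    private final Function<String, byte[]> storedHashLookup;

    public LegacyUsernamePasswordValidator(Function<String, byte[]> storedHashLookup) {
        this.storedHashLookup = storedHashLookup;
    }

    // Stand-in for the legacy algorithm (not from the thread): PBKDF2 salted with the username.
    static byte[] legacyHash(String username, String password) throws GeneralSecurityException {
        byte[] salt = username.getBytes(StandardCharsets.UTF_8);
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType) && storedHashLookup.apply(user.getUsername()) != null;
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) return false;
        String password = input.getChallengeResponse();
        byte[] stored = storedHashLookup.apply(user.getUsername());
        if (stored == null || password == null || password.isEmpty()) return false;
        try {
            // Constant-time comparison of the stored hash and the recomputed one.
            return MessageDigest.isEqual(stored, legacyHash(user.getUsername(), password));
        } catch (GeneralSecurityException e) {
            return false; // fail closed if the hash cannot be computed
        }
    }
}
```

The username passed to the hash must have the same casing the legacy system used when the hash was first computed, otherwise valid passwords will be rejected.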