Keycloak Password Handling

I’m trying to figure out how Keycloak handles/stores passwords. I’m glad to look through documentation, but in my searching I haven’t found anything that addresses this yet.

I have two primary questions about how Keycloak password handling.

  1. Is Keycloak hashing passwords?
  2. Is Keycloak salting passwords?

And if Keycloak is not salting passwords, is there a recommended way to do our own salting? The only thing I can think to do currently would be to set up a database just to store salt, but that would be a lot of work just to store a salt.

Yes. Keycloak hashes and salts.

Great. Thank you! Do you know where that might be documented?

The built-in algo is PBKDF2 and default hash iterations is 20.000.
See also here:

And the implementation is here keycloak/ at master · keycloak/keycloak · GitHub