Password decryption using custom SPI giving invalid request error on loading login page

Hi everyone,
I’m trying to extend my Keycloak login authentication with a custom SPI, keycloak-password-encryptor, by using code from https://github.com/edwin/keycloak-password-encryptor . Any chance someone did a similar thing already?

Basically, I’d like to decrypt user credentials coming from login page.

After setting up custom keycloak-password-encryptor SPI with the authentication flow, I managed to deploy the SPI, having Keycloak display it.

But if I try to load the login page (the GET request), Keycloak prompts me with the error below.

{"error":"invalid_request","error_description":"No Username"}

Is there any method to bypass the GET request in this custom SPI?
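The "No Username" response on a plain GET is what you get when an authenticator reads the submitted form inside `authenticate()`, which Keycloak calls before any form exists. The Keycloak `Authenticator` contract separates the two phases: `authenticate()` runs on the initial GET and should render a challenge, while `action()` runs on the POST that submits the form and is where the credentials are read. The following is an added example of that split written for this thread; it is not code from the keycloak-password-encryptor project. It assumes a hypothetical authenticator config key `preSharedKey` holding a base64 AES key, an assumed wire format of base64(12-byte IV || AES-GCM ciphertext) for the password field (the plugin's own format may differ), the `javax.ws.rs` namespace (Keycloak 22+ moved to `jakarta.ws.rs`), and the `UserModel.credentialManager()` API of recent Keycloak releases.

```java
package example.keycloak.auth; // hypothetical package for this added example

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

/**
 * Form authenticator that keeps the two phases of the authenticator contract apart:
 *   - authenticate(): runs on the initial GET, so it renders the form and reads nothing;
 *   - action(): runs on the POST that submits the form, so this is where the
 *     encrypted password is decrypted and validated against the user's stored credential.
 */
public class EncryptedPasswordFormAuthenticator implements Authenticator {

    /** Hypothetical authenticator config key holding the base64-encoded pre-shared AES key. */
    static final String CONFIG_PSK = "preSharedKey";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Initial GET: only show the username/password form; no form parameters exist yet.
        Response challenge = context.form().createLoginUsernamePassword();
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String encrypted = form.getFirst("password");
        if (username == null || username.isBlank() || encrypted == null) {
            fail(context, "Missing username or password");
            return;
        }

        String rawPassword;
        try {
            rawPassword = decrypt(encrypted, preSharedKey(context));
        } catch (Exception e) {
            // Undecryptable input is reported exactly like a wrong password: same message, no detail.
            fail(context, "Invalid username or password");
            return;
        }

        UserModel user = context.getSession().users().getUserByUsername(context.getRealm(), username);
        boolean valid = user != null
                && user.isEnabled()
                && user.credentialManager().isValid(UserCredentialModel.password(rawPassword));
        if (!valid) {
            fail(context, "Invalid username or password");
            return;
        }
        context.setUser(user);
        context.success();
    }

    private static void fail(AuthenticationFlowContext context, String message) {
        Response challenge = context.form().setError(message).createLoginUsernamePassword();
        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
    }

    private static byte[] preSharedKey(AuthenticationFlowContext context) {
        if (context.getAuthenticatorConfig() == null) {
            throw new IllegalStateException("authenticator has no config; " + CONFIG_PSK + " is required");
        }
        String b64 = context.getAuthenticatorConfig().getConfig().get(CONFIG_PSK);
        return Base64.getDecoder().decode(b64);
    }

    /** Assumed wire format for this example: base64( 12-byte IV || AES-GCM ciphertext+tag ). */
    static String decrypt(String b64Payload, byte[] key) throws Exception {
        byte[] payload = Base64.getDecoder().decode(b64Payload);
        if (payload.length < 12 + 16) throw new IllegalArgumentException("payload too short");
        byte[] iv = Arrays.copyOfRange(payload, 0, 12);
        byte[] ct = Arrays.copyOfRange(payload, 12, payload.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

With this split, the GET simply renders the login form, and the "No Username" check only ever runs in `action()` against a real form submission. The decryption failure and the wrong-password case return the same error message so the login page does not reveal whether the pre-shared key or the password was the part that failed.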

Hi,

could you explain in more detail the problem that GitHub - edwin/keycloak-password-encryptor: an SPI or plugin to do a simple password encryption-decryption for Keycloak or Red Hat Single Sign-On (RHSSO) is helping you solve?

Looking at the code, I see that this plugin gives you an authenticator that receives the password encrypted with a pre-shared key. Probably because this request would be made from another application.

But if you are using newer versions of Keycloak (15+), I don’t see why you would want to do that, given that the login page is provided by Keycloak itself.

If you need to authenticate this user against a legacy database, you can write an SPI to talk to the legacy database.