Is there any way to encrypt the password present in an .ftl file before passing it to the Keycloak server? Or is it possible for Keycloak to decrypt an encrypted password received from the front end?
Yes, this is what HTTPS does magically for you…
Thank you @bpedersen2. We are using a customized Keycloak login file of type .ftl which has a password input field. Actually, when the user submits the form data, this password is visible in the payload section of the network tab (developer tools). We need to encrypt this information before sending it to Keycloak and decrypt it before it starts processing in the Keycloak server.
You need to understand how HTTPS works: the transfer is encrypted; in the browser (which is what you see in the network tab) it is of course not (yet) encrypted.
Hi Bpedersen2,
Thanks for your input on this topic. It seems like this is a major issue, as many people are asking this question. Yes, SSL/TLS can provide encryption, but it’s only one level of security. If SSL is compromised for any reason, then there is nothing left. Many companies nowadays demand that usernames and passwords not be shown as plain text in browsers. I am also looking for a way to encrypt usernames and passwords for an extra layer of security. Is it possible to do this in Keycloak? What options do we have?
Thanks!
What you ask for does not really make any sense. The browser always sees the keystrokes the user types. If you need more security, enforce multi-factor authentication.
For any encryption you would need a way to securely exchange encryption keys, and that is where you do not gain anything over using TLS.
I doubt it.
There were some approaches years ago, but they never made it into wide distribution, as it's not as secure as was thought in the beginning…
Do what @bpedersen2 says… use TLS properly.
I think, if you are using REST APIs for the registration, sign-in, and password-reset functionality, then you can encrypt the password at the point of registration from the front end (one-way encryption is recommended) and use the same mechanism for sign-in and password reset.
Is this fine?
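The two ideas raised in this thread, hashing the password in the front end (the last post) and encrypting it in the browser with a key obtained from the server (what the "approaches years ago" amounted to), can both be modelled in a few dozen lines. The block below is an added, self-contained toy model written for this page; it is not Keycloak code and not code from anyone in the thread. Everything in it is constructed: the server class, the user name, the passwords, and the deliberately tiny Diffie-Hellman parameters (a 127-bit Mersenne prime, nowhere near a real group size). It shows the two things bpedersen2 is pointing at: a client-side hash simply becomes the credential, so anyone who observes it without TLS can replay it without ever learning the password; and a key exchanged over the same unprotected channel can be swapped by a man-in-the-middle, which is exactly the authentication problem a TLS certificate solves.

```python
"""Toy model of 'encrypt the password in the browser' and why it does not
replace TLS. Added example for this thread, not Keycloak or project code.
All names, parameters and sample passwords are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# ---- Part 1: "one-way encrypt" (hash) the password in the front end ---------


def client_side_hash(password: str) -> str:
    """What a front end doing client-side hashing would transmit instead of the
    plain password (plain SHA-256 hex, as such schemes typically do)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ServerStoringClientHash:
    """Hypothetical back end: salts and stretches whatever value the client
    sends and compares it on login. It cannot tell a real client from a replay."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _stretch(value: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)

    def register(self, user: str, transmitted_value: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._stretch(transmitted_value, salt))

    def login(self, user: str, transmitted_value: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(self._stretch(transmitted_value, salt), stored)


def replay_after_eavesdrop(password: str) -> tuple[bool, bool]:
    """Returns (legitimate login succeeds, replay by an eavesdropper succeeds).

    Without TLS an observer sees the transmitted hash. They never learn the
    password, but they do not need it: the transmitted value IS the credential."""
    server = ServerStoringClientHash()
    server.register("alice", client_side_hash(password))      # sign-up traffic
    captured = client_side_hash(password)                       # seen on the wire at sign-in
    return server.login("alice", client_side_hash(password)), server.login("alice", captured)


# ---- Part 2: encrypt in the browser with a key fetched from the server ------
# Toy Diffie-Hellman; P and G are far too small for real use. The flaw shown is
# the unauthenticated public value, not the group size.

P = 2**127 - 1  # prime (M127), constructed toy parameter
G = 5


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(their_pub: int, my_priv: int) -> bytes:
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR with a SHA-256 counter keystream (no integrity)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def mitm_on_unauthenticated_exchange(password: str) -> tuple[str, str]:
    """Returns (what the attacker read, what the server decrypted)."""
    server_priv, server_pub = dh_keypair()
    client_priv, client_pub = dh_keypair()
    mitm_priv, mitm_pub = dh_keypair()

    # Server publishes server_pub over plain HTTP; nothing proves it is genuine,
    # so the attacker substitutes their own public value in both directions.
    pub_seen_by_client = mitm_pub
    pub_seen_by_server = mitm_pub

    ciphertext_from_client = stream_xor(session_key(pub_seen_by_client, client_priv),
                                        password.encode("utf-8"))
    # Attacker shares a key with each side and simply re-encrypts.
    read_by_attacker = stream_xor(session_key(client_pub, mitm_priv), ciphertext_from_client)
    ciphertext_to_server = stream_xor(session_key(server_pub, mitm_priv), read_by_attacker)
    read_by_server = stream_xor(session_key(pub_seen_by_server, server_priv), ciphertext_to_server)
    return read_by_attacker.decode("utf-8"), read_by_server.decode("utf-8")


if __name__ == "__main__":
    print("legit, replay:", replay_after_eavesdrop("correct horse battery"))
    print("attacker, server:", mitm_on_unauthenticated_exchange("s3cret!"))
```

Neither part makes the password visible in the browser's network tab any less, since the browser must hold the cleartext to hash or encrypt it; what both parts show is that the transformed value gives no protection on the wire without an authenticated, encrypted channel, which is what properly configured TLS already is.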