{"id":22268192,"url":"https://github.com/curityio/pbkdf2-credential-dap","last_synced_at":"2025-07-10T16:35:17.379Z","repository":{"id":74437583,"uuid":"331960820","full_name":"curityio/pbkdf2-credential-dap","owner":"curityio","description":"Open source example of how to use a Data Access Provider to validate pbkdf2 hashed credentials","archived":false,"fork":false,"pushed_at":"2021-01-22T14:42:46.000Z","size":325,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-07T03:35:48.447Z","etag":null,"topics":["data-access-provider","pbkdf2","plugin"],"latest_commit_sha":null,"homepage":"https://curity.io/resources/learn/pbkdf2/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-22T13:54:36.000Z","updated_at":"2023-04-26T16:35:27.000Z","dependencies_parsed_at":"2023-02-26T18:31:46.681Z","dependency_job_id":null,"html_url":"https://github.com/curityio/pbkdf2-credential-dap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/curityio/pbkdf2-credential-dap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fpbkdf2-credential-dap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fpbkdf2-credential-dap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fpbkdf2-credential-dap/releases","manifests_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fpbkdf2-credential-dap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/pbkdf2-credential-dap/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fpbkdf2-credential-dap/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264608246,"owners_count":23636691,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["data-access-provider","pbkdf2","plugin"],"created_at":"2024-12-03T11:11:51.618Z","updated_at":"2025-07-10T16:35:17.360Z","avatar_url":"https://github.com/curityio.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"PBKDF2 Credential Data Access Provider Plugin\n=============================================\n\n.. image:: https://img.shields.io/badge/quality-experiment-red\n    :target: https://curity.io/resources/code-examples/status/\n\n.. image:: https://img.shields.io/badge/availability-source-blue\n    :target: https://curity.io/resources/code-examples/status/\n\nThis repository contains an open-source Data Access Provider (DAP) plugin for the Curity Identity Server. 
This DAP does not have all features of a regular DAP but serves to validate credentials which have been hashed with the PBKDF2 algorithm.\n\nThe idea of this DAP is that it should sit between another DAP, which can fetch the password hash as an attribute, and a credential manager which is configured to handle ``plaintext``, thus leaving the validation to this plugin.\n\nBuilding the Plugin\n~~~~~~~~~~~~~~~~~~~\n\nYou can build the plugin by issuing the command ``gradle build``. This will produce a JAR file in the ``build/libs`` directory, which can be installed.\n\nInstalling the Plugin\n~~~~~~~~~~~~~~~~~~~~~\n\nTo install the plugin, copy the compiled JAR into the ``${IDSVR_HOME}/usr/share/plugins/${pluginGroup}`` directory on each node, including the admin node. For more information about installing plugins, refer to the plugins `documentation \u003chttps://developer.curity.io/docs/latest/developer-guide/plugins/index.html#plugin-installation/\u003e`_.\n\nConfiguration\n~~~~~~~~~~~~~\n\nFirst configure a data source to be able to fetch the attribute which contains the password hash. All fetched attributes other than the password hash will be added to the subject attributes. This could be any type of data source. In the example below we use a JDBC data source.\n\n.. figure:: images/update-datasource.png\n    :align: center\n    :width: 600px\n\nNext, create a new DAP with the type ``pbkdf2-credential``. Select your first data source as the attribute source, then choose which algorithm parameters to use and which attribute contains the hash.\n\n.. figure:: images/plugin-config.png\n    :align: center\n    :width: 600px\n\nThe last step is to configure a ``Credential Manager`` to use your credential DAP. Either modify a current one or create a new one which should use the ``plaintext`` algorithm and the credential DAP as the data source.\n\n.. 
figure:: images/credential-manager.png\n    :align: center\n    :width: 600px\n\nYou can then use this Credential Manager in, for example, your Authenticators.\n\nLimitations\n~~~~~~~~~~~\n\nSince the plugin relies on attributes from another DAP, it cannot update the password using that DAP. Password update will have to be implemented to talk to the actual data source directly.\n\nThe plugin assumes that the hash is stored in this format:\n\n``\u003cBase64(salt)\u003e:\u003cBase64(hash)\u003e``\n\nAn example would be\n\n``EHuGEOTebG0donCRunK3AelIkLvKlpJohXpeFKYJYqP80HPE/PaBuf+VvF5HbRU5A3rbOLMLaBVacRkli6l7MQ==:3pyfz3Mq4WOvv350xSVWnK8g6NBuWrN115DAUJ6OwPtx9p5mLVzu7SWhHWcEa816m0q7ymFcW5fRyd9s3pIIsA==``\n\nThis represents first the salt and then the hash of the password \"``1234``\" with ``SHA1``, ``10000`` iterations and ``512`` bits of key length.\n\nIf you have configured your data source to return all attributes (including the password hash), keep in mind that if you use the attribute data source again, e.g. for a claims provider, you will get the hash there as well. The subject attributes will, however, have all attributes but the hash.\n\nContributing\n~~~~~~~~~~~~\n\nPull requests are welcome. To contribute, just fork this repo and submit a pull request.\n\nLicense\n~~~~~~~\n\nThe files and resources maintained in this repository are licensed under the `Apache 2 license \u003cLICENSE\u003e`_.\n\nMore Information\n~~~~~~~~~~~~~~~~\n\nPlease visit `curity.io \u003chttps://curity.io/\u003e`_ for more information about the Curity Identity Server.\n\nCopyright (C) 2021 Curity AB.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fpbkdf2-credential-dap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Fpbkdf2-credential-dap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fpbkdf2-credential-dap/lists"}