Thanks for the suggestion. Unfortunately it still doesn't work.
I suppose this policy is used for new passwords, while the password validation function is using the hashIterations value that is stored with each password.
Here is an extract from my Keycloak database:
Columns: username, credential_data, secret_data

Row 1:
  credential_data: {"hashIterations":180000,"algorithm":"pbkdf2-sha256","additionalParameters":{}}
  secret_data:     {"value":"f0PWE2EuMgBkH3cwv79I9ZM0yv0xVMo9JjT3MgTDrBMjZ/kT7+OpQxsoJIzFeACWIHYvHZJNl96ViTeaBBWY8Q==","salt":"PWhIp0vdMbSHrjDEeSTHCw==","additionalParameters":{}}

Row 2:
  credential_data: {"hashIterations":180000,"algorithm":"pbkdf2-sha256","additionalParameters":{}}
  secret_data:     {"value":"Gdf7QXtuAA6S330T/w4Ul5LzcReOgDBx7/Ds6TFJWKs=","salt":"TAWdyXjZhOxy","additionalParameters":{}}
The first user (ad...@example.org, password = adminpassword) was created in Keycloak, while the other one was created using the API as described in my first message (us...@example.org, password = userpassword).
The only clear difference I notice is the length of the hash and the salt, which are both half the size of the ones created by Keycloak.
Could it be that 180000 iterations isn't supported by Keycloak?
Bruno Parmentier
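As an added example (not part of this thread and not Keycloak's own code), the script below decodes the two credential rows quoted above, reports the iteration count and the decoded salt and hash lengths for each, and re-derives PBKDF2 with the stored parameters to compare against the stored hash. The rows are retyped from the post; the `make_row` helper, the `HASH_FOR_ALGORITHM` mapping of provider ids to digest names, and the choice to use the stored hash length as the PBKDF2 output length are this example's own assumptions, so it checks what is actually in each row rather than what Keycloak's provider would derive.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumed mapping of Keycloak's PBKDF2 provider ids to hashlib digest names.
HASH_FOR_ALGORITHM = {
    "pbkdf2": "sha1",
    "pbkdf2-sha256": "sha256",
    "pbkdf2-sha512": "sha512",
}

# The two rows quoted in the post, retyped as (credential_data, secret_data).
# Usernames are not in the quoted extract; the post identifies row 1 as the
# admin-created user and row 2 as the API-created user.
ADMIN_ROW = (
    '{"hashIterations":180000,"algorithm":"pbkdf2-sha256","additionalParameters":{}}',
    '{"value":"f0PWE2EuMgBkH3cwv79I9ZM0yv0xVMo9JjT3MgTDrBMjZ/kT7+OpQxsoJIzFeACWIHYvHZJNl96ViTeaBBWY8Q==",'
    '"salt":"PWhIp0vdMbSHrjDEeSTHCw==","additionalParameters":{}}',
)
API_ROW = (
    '{"hashIterations":180000,"algorithm":"pbkdf2-sha256","additionalParameters":{}}',
    '{"value":"Gdf7QXtuAA6S330T/w4Ul5LzcReOgDBx7/Ds6TFJWKs=","salt":"TAWdyXjZhOxy","additionalParameters":{}}',
)


def inspect_row(credential_data, secret_data):
    """Parse a credential row and return the parameters that matter for PBKDF2."""
    cred = json.loads(credential_data)
    secret = json.loads(secret_data)
    return {
        "algorithm": cred["algorithm"],
        "iterations": cred["hashIterations"],
        "salt_bytes": len(base64.b64decode(secret["salt"], validate=True)),
        "hash_bytes": len(base64.b64decode(secret["value"], validate=True)),
    }


def verify_password(password, credential_data, secret_data):
    """Re-derive PBKDF2 with the stored algorithm, iterations and salt.

    The output length is taken from the stored hash (an assumption of this
    example), so a row with a 32-byte hash is compared against 32 derived bytes.
    """
    cred = json.loads(credential_data)
    secret = json.loads(secret_data)
    digest = HASH_FOR_ALGORITHM[cred["algorithm"]]
    salt = base64.b64decode(secret["salt"], validate=True)
    stored = base64.b64decode(secret["value"], validate=True)
    derived = hashlib.pbkdf2_hmac(
        digest, password.encode("utf-8"), salt, cred["hashIterations"], len(stored)
    )
    # Constant-time comparison, as any verifier should use.
    return hmac.compare_digest(derived, stored)


def make_row(password, iterations=180000, salt_len=16, dklen=64, algorithm="pbkdf2-sha256"):
    """Hypothetical helper: build a row in the same JSON shape with a random salt."""
    salt = os.urandom(salt_len)
    digest = HASH_FOR_ALGORITHM[algorithm]
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, dklen)
    cred = json.dumps({"hashIterations": iterations, "algorithm": algorithm, "additionalParameters": {}})
    secret = json.dumps({
        "value": base64.b64encode(derived).decode("ascii"),
        "salt": base64.b64encode(salt).decode("ascii"),
        "additionalParameters": {},
    })
    return cred, secret


if __name__ == "__main__":
    for name, row, pw in (("admin-created", ADMIN_ROW, "adminpassword"),
                          ("api-created", API_ROW, "userpassword")):
        print(name, inspect_row(*row))
        print(name, "password matches stored bytes:", verify_password(pw, *row))
```

Running it shows the admin-created row decoding to a 16-byte salt and a 64-byte hash and the API-created row to a 9-byte salt and a 32-byte hash, with the same algorithm id and iteration count in both; the verification line tells you whether each stated password reproduces the stored bytes under those parameters.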