Export user with credentials/passwords

Hi everyone,

We are in the midst of migrating the user database to a different system (GIGYA/SAP customer cloud) and would like it to be as seamless for the user as possible. Is there a way to export the user passwords/credentials with their data so we can move it over without requiring users to reactivate their account again?

RTFM: Importing and Exporting Realms - Keycloak

Thanks Niko! Will this allow user passwords to also be exported?
Our keycloak partner mentioned that passwords could not be exported and quoted this link: The encryption and decryption rules of password in keycloak.

Keycloak exports the credentials with the hashes of the passwords. Of course, as no plaintext passwords are stored!

Keycloak uses PBKDF2 as default algorithm for hashing the passwords. So your new system should also be able to create the same hash from the entered password together with the stored salt, using the proper iterations and then being able to validate the created hash with the stored one.

If your target system isn’t able to use PBKDF2, then no, you can’t export plaintext passwords. So, it’s not Keycloak that should be able to do something, but your target system.

(If you used a custom hashing algorithm, other than PBKDF2, then, of course, your target system has to be able to use your custom algorithm.)
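To make the point above concrete, here is an added example (not code from the original thread or from the Keycloak project) of what the target system has to do with an exported credential. A Keycloak realm export stores each password credential as a `type: "password"` entry whose `secretData` (base64 hash and salt) and `credentialData` (algorithm name and iteration count) are JSON strings nested inside the JSON. The verifier below re-derives PBKDF2 with the stored salt, iterations and algorithm, and compares against the stored hash. The helper that builds a sample credential exists only so the example can run offline; the derived-key size of 512 bits, the iteration count and the usernames are assumptions for the sample data, and the real export should be inspected for the values actually in use.

```python
import base64
import hashlib
import hmac
import json
import os

# Keycloak's PBKDF2 algorithm ids mapped to hashlib digest names.
KEYCLOAK_PBKDF2 = {
    "pbkdf2": "sha1",
    "pbkdf2-sha256": "sha256",
    "pbkdf2-sha512": "sha512",
}
# Assumed derived-key size for the sample data (512 bits); the verifier
# itself takes the length from the stored hash, so it does not depend on it.
DERIVED_KEY_BYTES = 64


def verify_exported_password(credential: dict, password: str) -> bool:
    """Re-derive the hash from `password` with the exported salt/iterations
    and compare it in constant time with the exported hash."""
    if credential.get("type") != "password":
        return False
    secret = json.loads(credential["secretData"])       # nested JSON string
    cdata = json.loads(credential["credentialData"])    # nested JSON string
    digest = KEYCLOAK_PBKDF2.get(cdata.get("algorithm"))
    if digest is None:
        raise ValueError(f"unsupported hash algorithm {cdata.get('algorithm')!r}")
    salt = base64.b64decode(secret["salt"])
    stored = base64.b64decode(secret["value"])
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                                  int(cdata["hashIterations"]), len(stored))
    return hmac.compare_digest(derived, stored)


def unsupported_credentials(realm_export: dict) -> list:
    """Pre-migration check: usernames whose password credential uses an
    algorithm the target system (PBKDF2 family here) cannot re-derive."""
    bad = []
    for user in realm_export.get("users", []):
        for cred in user.get("credentials", []):
            if cred.get("type") != "password":
                continue
            algorithm = json.loads(cred["credentialData"]).get("algorithm")
            if algorithm not in KEYCLOAK_PBKDF2:
                bad.append(user["username"])
    return bad


def make_sample_credential(password: str, algorithm: str = "pbkdf2-sha256",
                           iterations: int = 27500) -> dict:
    """Constructed sample credential in the export's shape (not a real export)."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(KEYCLOAK_PBKDF2[algorithm],
                                  password.encode("utf-8"), salt,
                                  iterations, DERIVED_KEY_BYTES)
    return {
        "type": "password",
        "secretData": json.dumps({
            "value": base64.b64encode(derived).decode("ascii"),
            "salt": base64.b64encode(salt).decode("ascii"),
            "additionalParameters": {},
        }),
        "credentialData": json.dumps({
            "hashIterations": iterations,
            "algorithm": algorithm,
            "additionalParameters": {},
        }),
    }


if __name__ == "__main__":
    # Constructed realm fragment: one migratable user, one with a custom algorithm.
    realm = {"users": [
        {"username": "alice", "credentials": [make_sample_credential("s3cret!")]},
        {"username": "bob", "credentials": [{
            "type": "password",
            "secretData": json.dumps({"value": "", "salt": ""}),
            "credentialData": json.dumps({"hashIterations": 1, "algorithm": "my-custom-hash"}),
        }]},
    ]}
    print("cannot migrate:", unsupported_credentials(realm))
    print("alice ok:", verify_exported_password(realm["users"][0]["credentials"][0], "s3cret!"))
```

The target system never sees a plaintext password; it only needs to run the same derivation on the password the user types at their next login. Running `unsupported_credentials` over the export before the cut-over tells you which users will have to reset their password instead.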

Would this work for DB migration? As in, right now we’re using MySQL as backend. We want to move Keycloak to MSSQL. If I export all that data into a dir from the existing MySQL Keycloak instance, start up a fresh instance of Keycloak pointing to MSSQL with no data and run the import, will it bring all the users, clients, realm settings and config, and passwords as well? I tried a realm-specific export from the UI and command line. The data came in, but the logins and passwords for users didn’t work. Will the export without any flags to a dir help my situation?

From my experience, this can work, but is not guaranteed, as the ex-/import might be incomplete. It should be complete and might work for your environment, but you have to test it.
In my tests, exported and imported users were able to authenticate again with their passwords, no errors observed.


Happy to report that it worked. Stopped the Keycloak service, did a full export to a dir. No extra flags or files or switches. Just a plain and full export like so:
kc.sh export --dir /path/to/dir
Changed the config file to point to the newly created blank MSSQL schema for Keycloak.
Rebuilt the instance. Did the import:
kc.sh import --dir /path/to/dir
Started the service and it worked.

Cheers,
A.