Hi everyone,
We are in the midst of migrating the user database to a different system (GIGYA/SAP customer cloud) and would like it to be as seamless for the user as possible. Is there a way to export the user passwords/credentials with their data so we can move it over without requiring users to reactivate their account again?
Thanks Niko! Will this allow user passwords to also be exported?
Our keycloak partner mentioned that passwords could not be exported and quoted this link: The encryption and decryption rules of password in keycloak.
Keycloak exports the credentials with the hashes of the passwords. Of course, as no plaintext passwords are stored!
Keycloak uses PBKDF2 as default algorithm for hashing the passwords. So your new system should also be able to create the same hash from the entered password together with the stored salt, using the proper iterations and then being able to validate the created hash with the stored one.
If your target system isn’t able to use PBKDF2, then no, you can’t export plaintext passwords. So, it’s not Keycloak what should be able to do something, but your target system.
(If you used a custom hashing algorithm, other than PBKDF2, then, of course, your target system has to be able to use your custom algorithm.)