I have a use case where I want to migrate users from a legacy application into Keycloak. The legacy application currently handles its own login via email / password, which is stored in the legacy application's database.
The goal is to gradually import users into Keycloak as they log in. I've successfully integrated Keycloak for login into the legacy application. I've also implemented a custom user storage SPI which can perform email / password verification against the legacy application.
The issue that I'm facing is that I'm unsure how to make these imported users completely Keycloak-managed after their first login. Ideally, after the first Keycloak login they would then immediately be prompted to change their password, since their password in the legacy application is encrypted.
I've been looking at the code for the built-in LDAP user federation provider, and it does seem to actually import the users into Keycloak, but once I delete the LDAP provider (which would be the end game after all users are imported into Keycloak) all the users are then deleted from Keycloak.
I know I can just do a bulk import into Keycloak and then add the "update password" required action, but the requirement is for gradual migration.
Does anyone know how to import a user in a custom user storage SPI so they (1) become completely Keycloak-managed from that point and (2) are immediately prompted to update their password?
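One way to get both properties, as an added example that is not part of the original post and is not Keycloak's own code. It is written against the Keycloak 19+ storage SPI (`user.credentialManager()`, `UserLookupProvider` with `(RealmModel, String)` signatures) and Java 17; the package name, `LegacyUserStore` and `LegacyUser` are hypothetical stand-ins for the poster's own legacy email/password lookup, and the provider factory plus `META-INF/services` registration are the usual boilerplate and are left out. The approach: on first lookup create an ordinary local user, set its federation link to this provider only so that Keycloak routes the first password check to the provider's `isValid()`, and on success clear the link and add the `UPDATE_PASSWORD` required action. Keycloak removes a user when its federation link points at a provider that no longer exists (and when that provider is deleted), which is exactly the LDAP behaviour described in the question; a user with no link is untouched by provider removal.

```java
package example.migration; // hypothetical package name (assumption)

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Migrates legacy users into Keycloak one login at a time:
 *  1. the first lookup creates a real local user, linked to this provider only so that
 *     the first password check is routed to isValid() below;
 *  2. a successful legacy password check removes the link, so the user is purely
 *     Keycloak-managed and survives removal of this provider;
 *  3. UPDATE_PASSWORD is added at import, so that same first login ends in a password change.
 * Deliberately does NOT implement UserRegistrationProvider, otherwise session.users().addUser()
 * in importUser() would be dispatched back into this provider instead of local storage.
 */
public class LegacyMigrationProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    /** Hypothetical adapter over the legacy application's user table (assumed, not Keycloak API). */
    public interface LegacyUserStore {
        LegacyUser findByEmail(String email);                 // null when the email is unknown
        boolean verifyPassword(String email, String plaintext); // checks against the legacy hash
    }

    /** Minimal view of a legacy record (assumed shape). */
    public record LegacyUser(String email, String firstName, String lastName) {}

    private final KeycloakSession session;
    private final ComponentModel model;  // this provider instance; model.getId() is the federation link value
    private final LegacyUserStore legacy;

    public LegacyMigrationProvider(KeycloakSession session, ComponentModel model, LegacyUserStore legacy) {
        this.session = session;
        this.model = model;
        this.legacy = legacy;
    }

    // UserLookupProvider: Keycloak consults local storage first, so these only run for
    // users that have not been imported yet.

    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        return getUserByEmail(realm, username); // the legacy app identifies users by email
    }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        LegacyUser legacyUser = legacy.findByEmail(email);
        return legacyUser == null ? null : importUser(realm, legacyUser);
    }

    @Override
    public UserModel getUserById(RealmModel realm, String id) {
        return null; // imported users carry ordinary local ids, so Keycloak never asks this provider for them
    }

    private UserModel importUser(RealmModel realm, LegacyUser legacyUser) {
        UserModel local = session.users().addUser(realm, legacyUser.email());
        local.setEnabled(true);
        local.setEmail(legacyUser.email());
        local.setEmailVerified(true);
        local.setFirstName(legacyUser.firstName());
        local.setLastName(legacyUser.lastName());
        // Temporary link: it is what makes Keycloak call isValid() below for the password check.
        local.setFederationLink(model.getId());
        // Forces a password change as the next step of this same first login.
        local.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        return local;
    }

    // CredentialInputValidator: reached only while the federation link is still set.

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) {
            return false;
        }
        String plaintext = input.getChallengeResponse();
        if (!legacy.verifyPassword(user.getEmail(), plaintext)) {
            return false;
        }
        // Verified against the legacy database: drop the link so the user is now fully
        // Keycloak-managed. Unlink first, so the credential update below is handled by
        // Keycloak's own password provider instead of being routed back to this class.
        user.setFederationLink(null);
        try {
            // Optional: store the now-verified password in Keycloak's own hash format, so the
            // account still works if the user abandons the forced update half way.
            user.credentialManager().updateCredential(UserCredentialModel.password(plaintext));
        } catch (ModelException e) {
            // The legacy password violates the realm's password policy. Acceptable here:
            // UPDATE_PASSWORD forces a compliant password before this login completes.
        }
        return true;
    }

    @Override
    public void close() {
    }
}
```

The factory's `create(KeycloakSession, ComponentModel)` is expected to construct this class with whatever implements `LegacyUserStore`. Two checks worth doing after deployment: look at the user in the admin console after a first login and confirm the "Federation link" field is empty and a password credential exists, and confirm that users who never logged in do not appear in Keycloak at all (they are only created on lookup). Any user left linked for some other reason can be detached in bulk before the provider is removed with the admin REST call `POST /admin/realms/{realm}/user-storage/{providerId}/unlink-users`.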