We running old version of keycloak (version: 6.x.x) and now setup a new infrastructure using latest keycloak (18.0.1). We want to migrate all the data in legacy infrastructure to the new infrastructure.
I have tested and found that it is possible migrate clients with existing secrets using APIs. However, is there any way to migrate the users with existing passwords to the new infrastructure.
Thanks for the suggestion. However our old infrastructure is on VMs and database as Microsoft SQL server. There is limited scalability and visibility in the old infra. But new infrastructure is based on kubernetes and database is Postgres. We want to use the new infra going forward and do not want to go on with the SQL server db. Hence the requirement to migrate the data to the new infrastructure.
That being the case, I’d suggest a migration strategy where you create a custom authenticator on the old keycloak, receive the username and password, pass those credentials to a backend service which will recreate the user using the REST api.
When enough users complete the migration you can then switch clients to the new keycloak.
Why so complicated? Why not just exporting them in the old version and importing them in the new environment?
Export docs for the oldest version I‘ve found: Server Administration Guide (it‘s version 9.x, but this shouldn‘t matter, export hopefully worked the same since the the beginning of Keycloak, AFAIR)
That’s not 100% correct. If you know the hashing algorithm and have access to the hashing metadata, you could implement a HashProvider SPI. This way Keycloak can verify against existing password hashes.
I’ve done that already, works pretty well. But requirement is to have access to the algorithm used and the metadata.
Event though legacy system can be used as a broad term - can, or would, you also migrate these hashes on a new login?
Just curious about the options here.
What I’ve already done is, migrate the hashes to KC, create a HashProvider. When user signs in, recognize that the user has a credential hashed with a legacy algorithm, then, automatically create a new hash based on a more secure algorithm.
Yes, that’s quite a bit more effort to implement all this, but it’s completely transparent to the user and he/she is still able to use the existing password, while the hashes will be more up to date.
What I’ve already done is, migrate the hashes to KC, create a HashProvider
I assume you created an implementation for PasswordHashProvider and not HashProvider. The latter seems to be related to hashing access tokens etc. Can you please confirm @dasniko?