Hi,
We running old version of keycloak (version: 6.x.x) and now setup a new infrastructure using latest keycloak (18.0.1). We want to migrate all the data in legacy infrastructure to the new infrastructure.
I have tested and found that it is possible migrate clients with existing secrets using APIs. However, is there any way to migrate the users with existing passwords to the new infrastructure.
Please share your thoughts.
Regards,
Anoop
There is probably a better way, but what about step by step (minor versions) upgrade from 6.x.x to 18.0.1?
Every minor upgrade will migrate the database, but I never tried from anything lesser than 15.
Thanks for the suggestion. However our old infrastructure is on VMs and database as Microsoft SQL server. There is limited scalability and visibility in the old infra. But new infrastructure is based on kubernetes and database is Postgres. We want to use the new infra going forward and do not want to go on with the SQL server db. Hence the requirement to migrate the data to the new infrastructure.
That being the case, I’d suggest a migration strategy where you create a custom authenticator on the old keycloak, receive the username and password, pass those credentials to a backend service which will recreate the user using the REST api.
When enough users complete the migration you can then switch clients to the new keycloak.
Thanks @weltonrodrigo. Is it possible to migrate users without password and obtain the password from old system at the time of user login?
Why so complicated? Why not just exporting them in the old version and importing them in the new environment?
Export docs for the oldest version I‘ve found: Server Administration Guide (it‘s version 9.x, but this shouldn‘t matter, export hopefully worked the same since the the beginning of Keycloak, AFAIR)
Import docs for the most recent version, based on Quarkus: Importing and Exporting Realms - Keycloak
My old user and credential in some legacy system which is not keycloak. I want to migrate but do not want to force user to change there password
Most likely hasing algorithms and salts will not be the same. Without access to cleartext passwords there is no way to achieve this.
That’s not 100% correct. If you know the hashing algorithm and have access to the hashing metadata, you could implement a HashProvider SPI. This way Keycloak can verify against existing password hashes.
I’ve done that already, works pretty well. But requirement is to have access to the algorithm used and the metadata.
The first part plays into that.
Event though legacy system can be used as a broad term - can, or would, you also migrate these hashes on a new login?
Just curious about the options here.
What I’ve already done is, migrate the hashes to KC, create a HashProvider. When user signs in, recognize that the user has a credential hashed with a legacy algorithm, then, automatically create a new hash based on a more secure algorithm.
Yes, that’s quite a bit more effort to implement all this, but it’s completely transparent to the user and he/she is still able to use the existing password, while the hashes will be more up to date.
What I’ve already done is, migrate the hashes to KC, create a HashProvider
I assume you created an implementation for PasswordHashProvider and not HashProvider. The latter seems to be related to hashing access tokens etc. Can you please confirm @dasniko?
Thank you for sharing your approach here BTW.
Yes, of course the PasswordHashingProvider.