Strategy to migrate to Keycloak

We are looking to migrate multiple applications that currently have their own user databases with hashed passwords.

We have developed an SPI that authenticates via REST to allow users to log in using their existing password. In the endpoint for password verification, when the user is found to match, we want to then create the user with the supplied credentials in Keycloak internal storage to complete the migration of the user.

However we keep getting a 409 error, even though the user does not yet exist on Keycloak. We suspect this is caused because federation creates the user in memory. Could this be the cause? Is there some cache we can disable or a way to side-step this cache?

I found Storage SPI user migration … since we are not a Java company, we want to keep the amount of Java code to a minimum and so prefer to create the user via REST but I am looking into their strategy to migrate the user within the Keycloak SPI.

Or is there a better strategy for such a smooth migration?

@lsmith77 Have you tried this extension? GitHub - daniel-frak/keycloak-user-migration: A Keycloak plugin for migrating users from legacy systems

I usually point people to that if they have the use case you describe. It’s mature and I’ve used it many times.

1 Like

awesome thanks.

I also now found User Migration API | Phase Two enhanced Keycloak as a Service but they have essentially just forked that project

Correct. It is just a fork of that project uses in our distribution and our hosting platform.

ah, didn’t realize you work for phasetwo :slight_smile:

we are also looking at your distribution for the organization support and potentially then also at hosting with phasetwo.

1 Like

You can use the REST API to create the user and save the password credential representation indicating the existing hashing algorithm and hash iterations.
You just need to develop a small script that iterates over the existing users and creates them on Keycloak using the REST API.
Something like:

token="..."   # access token, e.g. obtained from the master realm with the admin-cli client
# PUT on an existing user id (here a federated "f:..." id); the credential carries the legacy hash, not a cleartext password
curl 'http://keycloak-http/auth/admin/realms/testrealm/users/f:60f0ff50-2cc5-492d-8222-04ac0a9964e1:217b93e8-2830-4392-83e3-9feceea94575' \
    -X PUT \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    --data '{"credentials": [ { "algorithm": "pbkdf2-sha512", "hashedSaltedValue": "{hashedpassword}", "hashIterations": 30000, "type": "password", "salt":"{salt}"}]}'
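The migration script the post above sketches, written out as an added example (not code from the thread, from Keycloak, or from the keycloak-user-migration plugin). It assumes the current admin API path `/admin/realms/{realm}/users` (older servers prefix `/auth`), the `credentialData`/`secretData` form of the password credential (the `hashedSaltedValue`/`salt` fields in the curl above are the deprecated equivalent), and that Keycloak's built-in PBKDF2 providers expect the base64 derived key and base64 raw salt with the key sizes listed in `KEYCLOAK_PBKDF2`; the legacy record format and the sample users are constructed. It also shows the check a practitioner wants before a bulk import: recomputing the hash the way Keycloak will at login, so an encoding or key-length mistake is caught on a test account rather than by every user getting "invalid credentials". Hashes from algorithms Keycloak has no provider for (bcrypt, scrypt, md5) cannot be imported this way and need a custom hash provider or the plugin discussed earlier in the thread.

```python
"""Convert legacy PBKDF2 password records into Keycloak CredentialRepresentations
and create the users via the admin REST API. Added example; sample data is constructed."""
import base64
import hashlib
import hmac
import json
import os
import urllib.error
import urllib.request

# Built-in Keycloak PBKDF2 providers: algorithm id -> (hashlib digest, derived-key bits).
# Assumption: these match the Keycloak Pbkdf2*PasswordHashProviderFactory defaults; a hash
# with a different derived-key length will never verify even if the salt and iterations match.
KEYCLOAK_PBKDF2 = {
    "pbkdf2": ("sha1", 512),
    "pbkdf2-sha256": ("sha256", 256),
    "pbkdf2-sha512": ("sha512", 512),
}


def legacy_hash(password: str, algorithm: str, iterations: int, salt: bytes) -> str:
    """Stand-in for the hypothetical legacy app's hashing (hex PBKDF2); only builds samples."""
    digest, key_bits = KEYCLOAK_PBKDF2[algorithm]
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, key_bits // 8).hex()


def to_keycloak_credential(algorithm: str, iterations: int, salt: bytes, hash_hex: str) -> dict:
    """Password CredentialRepresentation: parameters in credentialData, base64 key and salt in secretData."""
    if algorithm not in KEYCLOAK_PBKDF2:
        raise ValueError(f"no built-in Keycloak hash provider for {algorithm!r}")
    _, key_bits = KEYCLOAK_PBKDF2[algorithm]
    key = bytes.fromhex(hash_hex)
    if len(key) * 8 != key_bits:
        raise ValueError(f"{algorithm} expects a {key_bits}-bit derived key, got {len(key) * 8}")
    return {
        "type": "password",
        "temporary": False,
        "credentialData": json.dumps({"hashIterations": iterations, "algorithm": algorithm}),
        "secretData": json.dumps({
            "value": base64.b64encode(key).decode("ascii"),
            "salt": base64.b64encode(salt).decode("ascii"),
        }),
    }


def to_user_representation(record: dict) -> dict:
    """Map one legacy record to the UserRepresentation body for POST .../users."""
    cred = to_keycloak_credential(record["algorithm"], record["iterations"],
                                  bytes.fromhex(record["salt_hex"]), record["hash_hex"])
    return {"username": record["username"], "email": record["email"],
            "enabled": True, "credentials": [cred]}


def verify_like_keycloak(credential: dict, password: str) -> bool:
    """Recompute the hash as Keycloak's PBKDF2 provider does at login (pre-import sanity check)."""
    params = json.loads(credential["credentialData"])
    secret = json.loads(credential["secretData"])
    digest, _ = KEYCLOAK_PBKDF2[params["algorithm"]]
    expected = base64.b64decode(secret["value"])
    salt = base64.b64decode(secret["salt"])
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                                 params["hashIterations"], len(expected))
    return hmac.compare_digest(actual, expected)


def create_user(base_url: str, realm: str, token: str, user: dict) -> int:
    """POST the user; returns the HTTP status (201 created, 409 if username/email already exists)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users",
        data=json.dumps(user).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample of what a legacy user table might export.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
LEGACY_USERS = [
    {"username": "alice", "email": "alice@example.com", "algorithm": "pbkdf2-sha256",
     "iterations": 27500, "salt_hex": SALT.hex(),
     "hash_hex": legacy_hash("correct horse battery staple", "pbkdf2-sha256", 27500, SALT)},
]

if __name__ == "__main__":
    for record in LEGACY_USERS:
        user = to_user_representation(record)
        print(json.dumps(user, indent=2))
        # Talks to a server only when KC_URL, KC_REALM and KC_TOKEN are set.
        if all(os.environ.get(k) for k in ("KC_URL", "KC_REALM", "KC_TOKEN")):
            status = create_user(os.environ["KC_URL"], os.environ["KC_REALM"], os.environ["KC_TOKEN"], user)
            print(record["username"], "->", status)
```

Run it dry to inspect the JSON, then with `KC_URL`, `KC_REALM` and `KC_TOKEN` set to import; treat a 409 from `create_user` as "already present" and look the user up rather than retrying, and keep the token short-lived since the script holds an admin credential.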