We are looking to migrate multiple applications that currently have their own user databases with hashed passwords.
We have developed an SPI that authenticates via REST to allow users to log in using their existing password. In the endpoint for password verification, when the user is found to match, we want to then create the user with the supplied credentials in Keycloak's internal storage to complete the migration of the user.
However, we keep getting a 409 error, even though the user does not yet exist in Keycloak. We suspect this is caused because federation creates the user in memory. Could this be the cause? Is there some cache we can disable or a way to side-step this cache?
I found Storage SPI user migration … since we are not a Java company, we want to keep the amount of Java code to a minimum and so prefer to create the user via REST but I am looking into their strategy to migrate the user within the Keycloak SPI.
Or is there a better strategy for such a smooth migration?
You can use the REST API to create the user and save the password credential representation indicating the existing hashing algorithm and hash iterations.
You just need to develop a small script that iterates over the existing users and creates them in Keycloak using the REST API.
Something like:
token="..." # get your access token from the master realm, for example
# Credential fields: algorithm and hashIterations describe the existing hash,
# hashedSaltedValue and salt are the Base64-encoded hash bytes and salt.
curl 'http://keycloak-http/auth/admin/realms/testrealm/users/f:60f0ff50-2cc5-492d-8222-04ac0a9964e1:217b93e8-2830-4392-83e3-9feceea94575' \
  -X PUT \
  -H "Authorization: Bearer $token" \
  -H "Content-Type: application/json" \
  --data '{"credentials": [ { "algorithm": "pbkdf2-sha512", "hashedSaltedValue": "{hashedpassword}", "hashIterations": 30000, "type": "password", "salt": "{salt}" } ]}'
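As an added example (not part of the answer above and not Keycloak project code), here is the shape of the migration script the answer describes, in Python: it takes a legacy PBKDF2-SHA512 hash record, builds the Keycloak user representation with the credential fields shown in the curl call, verifies offline that the representation would validate the user's real password before anything is sent, and posts the user to the admin REST API. The legacy user table, the realm name, the base URL and the token are constructed placeholders; the hash record format (raw derived key plus raw salt) is an assumption about the source database.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.request

# Assumption: the legacy application hashed passwords with PBKDF2-HMAC-SHA512,
# a 64-byte derived key and a random salt, which maps directly onto Keycloak's
# "pbkdf2-sha512" provider. Only the derived key and salt are migrated.
LEGACY_ITERATIONS = 30000
DERIVED_KEY_LEN = 64


def legacy_hash(password: str, salt: bytes, iterations: int = LEGACY_ITERATIONS) -> bytes:
    """Stand-in for the legacy application's hashing routine (constructed)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=DERIVED_KEY_LEN)


def build_user_representation(username: str, email: str, hash_bytes: bytes,
                              salt: bytes, iterations: int) -> dict:
    """Build the Keycloak UserRepresentation carrying the existing hash.

    Keycloak stores the derived key and the salt as Base64 strings; the
    algorithm and iteration count tell it how to re-derive on next login.
    """
    return {
        "username": username,
        "email": email,
        "enabled": True,
        "credentials": [{
            "type": "password",
            "algorithm": "pbkdf2-sha512",
            "hashIterations": iterations,
            "hashedSaltedValue": base64.b64encode(hash_bytes).decode("ascii"),
            "salt": base64.b64encode(salt).decode("ascii"),
            "temporary": False,
        }],
    }


def representation_validates(user_rep: dict, password: str) -> bool:
    """Re-derive the hash from the representation exactly as Keycloak would.

    Run this on a sample of users before the real import: a wrong iteration
    count, encoding or key length shows up here instead of as locked-out users.
    """
    cred = user_rep["credentials"][0]
    salt = base64.b64decode(cred["salt"])
    expected = base64.b64decode(cred["hashedSaltedValue"])
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                 cred["hashIterations"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def create_user(base_url: str, realm: str, token: str, user_rep: dict) -> int:
    """POST the user to the admin API; returns the HTTP status (201 on success).

    409 Conflict means a user with that username or email already exists in
    the realm, including one already materialised by a federation provider.
    """
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users",
        data=json.dumps(user_rep).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed stand-in for the legacy user table; in a real run these rows
    # come from the old database and the plaintext is of course not available.
    salt = os.urandom(16)
    legacy_rows = [
        {"username": "alice", "email": "alice@example.test",
         "hash": legacy_hash("correct horse battery staple", salt), "salt": salt},
    ]
    for row in legacy_rows:
        rep = build_user_representation(row["username"], row["email"],
                                        row["hash"], row["salt"], LEGACY_ITERATIONS)
        print(json.dumps(rep, indent=2))
        # Placeholders: replace with the real server, realm and admin token.
        # status = create_user("http://keycloak-http/auth", "testrealm", "<token>", rep)
```

Newer Keycloak releases express the same credential as two JSON strings, `credentialData` (algorithm and iterations) and `secretData` (value and salt); the older `hashedSaltedValue`/`hashIterations` fields used in the answer are what this example emits, so check which form your Keycloak version accepts before the bulk run.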