The encryption and decryption rules of password in keycloak


We have a project to move user information from other systems to keycloak.

But we encountered difficulties in encrypting the password. What are the encryption and decryption rules of the password in keycloak.

Summarizing Server Administration Guide
Password hashes in Keycloak use the PBKDF2 algorithm with salts and 27,500 hash iterations.

Hashes are stored in the credential table:

keycloak=# \d credential
                         Table "public.credential"
     Column      |          Type          | Collation | Nullable | Default 
 id              | character varying(36)  |           | not null | 
 salt            | bytea                  |           |          | 
 type            | character varying(255) |           |          | 
 user_id         | character varying(36)  |           |          | 
 created_date    | bigint                 |           |          | 
 user_label      | character varying(255) |           |          | 
 secret_data     | text                   |           |          | 
 credential_data | text                   |           |          | 
 priority        | integer                |           |          |

the hashes and salts look like this:

keycloak=# select secret_data from credential;

Your legacy system likely uses a hashing algorithm less modern than PBKDF2. You will not be able to use such hashes without extending the Authentication SPI. The Server Developer Guide has high-level details on how to to that, although that requires non-trivial programming.

Alternatively you might create a new password for each user with “Update Password” set on “Required User Action”. Then they must change their password on first login.

Thank you very much for your answer.
I have solved this problem.
I refer to the “Pbkdf2PasswordHashProvider” class in the source code and rewrite an encryption class.
Because Keycloak encryption has three algorithms (SHA1, SHA256, SHA512), I created a Properties file to dynamically set the encryption algorithm.

That’s great. Would you be willing to share some code with the group in case others have similar requirements? Perhaps with