[keycloak-user] Import User Passwords with User Storage SPI

Omari Christian omari at fabfitfun.com
Thu Aug 9 17:25:08 EDT 2018


Hello everyone,

We're currently migrating to Keycloak. We're using the user storage SPI (
https://www.keycloak.org/docs/latest/server_development/index.html#import-implementation-strategy)
with the import strategy. Eventually, we will unlink all our users and no
longer need the user storage SPI.

The problem is: 1) We really want our users to keep their same passwords
and 2) we don't store passwords in plaintext. We store them as salted
hashes, using a different algorithm than Keycloak. We verify the password
by performing that 1-way hash on a user's supplied password, then comparing
the result against the hash in the database. Reverse-hashing our users'
passwords into plaintext and importing users through the REST API or JSON
file is not a solution for us.

It seems there is no interface to store passwords in Keycloak's local
storage after you have verified the user's password, although you can store
other attributes locally. I thought there was a way to migrate users with
passwords, partly because I read articles that promised you could (
https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c)
before we chose Keycloak. I now realize that article (and accompanying
code) are out of date.

My next plan is to try some hacky code, or calling the REST API from the
user storage SPI. I don't have a lot of hope those will work. I imagine
this is a common issue. Is there any solution or workaround?

Thanks,
Omari
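
The verify-then-store flow the post asks about, as an added language-neutral sketch that is not part of the original message and is not Keycloak SPI code: the legacy salted hash is checked at login, and only on success is the password re-hashed into the new store. Assumptions: the legacy scheme is SHA-256 over salt plus password (the post does not name its algorithm), PBKDF2-HMAC-SHA256 stands in for the target algorithm, and the function names, store layout and sample users are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: iteration count picked for this example, not taken from the post.
PBKDF2_ITERATIONS = 27_500


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Assumed legacy scheme (the post does not name its algorithm): SHA-256(salt || password).
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def new_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the target store's algorithm: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def login(store: dict, username: str, password: str) -> bool:
    """Check a login; a successful legacy check re-hashes the password and replaces the legacy record."""
    record = store.get(username)
    if record is None:
        return False
    if record["scheme"] == "legacy":
        candidate = legacy_hash(password, record["salt"])
        if not hmac.compare_digest(candidate, record["hash"]):
            return False  # failed logins never touch the stored record
        # The plaintext is only available here, during a verified login.
        salt = os.urandom(16)
        store[username] = {"scheme": "pbkdf2-sha256", "salt": salt,
                           "hash": new_hash(password, salt)}
        return True
    return hmac.compare_digest(new_hash(password, record["salt"]), record["hash"])


def pending_migration(store: dict) -> list:
    # Accounts that have not logged in since cutover still carry the legacy hash.
    return sorted(u for u, r in store.items() if r["scheme"] == "legacy")


def sample_store() -> dict:
    # Constructed sample data: two users hashed with the assumed legacy scheme.
    users = {"alice": "correct horse", "bob": "battery staple"}
    store = {}
    for name, pw in users.items():
        salt = os.urandom(8)
        store[name] = {"scheme": "legacy", "salt": salt, "hash": legacy_hash(pw, salt)}
    return store
```

`pending_migration` lists the accounts that still depend on the legacy hashes, which is the set that has to reach zero before the legacy store can be retired.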

