[keycloak-user] Import User Passwords with User Storage SPI

Omari Christian omari at fabfitfun.com
Thu Aug 9 22:04:17 EDT 2018


I've figured it out. After validating, the credential (password) can be
updated with:

session.userCredentialManager().updateCredential(realm, user, credential);

On Thu, Aug 9, 2018 at 2:25 PM Omari Christian <omari at fabfitfun.com> wrote:

> Hello everyone,
>
> We're currently migrating to Keycloak. We're using the user storage SPI (
> https://www.keycloak.org/docs/latest/server_development/index.html#import-implementation-strategy)
> with the import strategy. Eventually, we will unlink all our users and no
> longer need the user storage SPI.
>
> The problem is: 1) We really want our users to keep their same passwords
> and 2) we don't store passwords in plaintext. We store them as salted
> hashes, using a different algorithm than Keycloak. We verify the password
> by performing that 1-way hash on a user's supplied password, then comparing
> the result against the hash in the database. Reverse-hashing our users'
> passwords into plaintext and importing users through the REST API or JSON
> file is not a solution for us.
>
> It seems there is no interface to store passwords in Keycloak's local
> storage after you have verified the user's password, although you can store
> other attributes locally. I thought there was a way to migrate users with
> passwords, partly because I read articles that promised you could (
> https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c)
> before we chose Keycloak. I now realize that article (and accompanying
> code) are out of date.
>
> My next plan is to try some hacky code, or calling the REST API from the
> user storage SPI. I don't have a lot of hope those will work. I imagine
> this is a common issue. Is there any solution or workaround?
>
> Thanks,
> Omari
>
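
Added example (not from the original messages or the Keycloak project): the validate-then-update step described in the reply, written as the CredentialInputValidator part of a User Storage SPI provider. LegacyStore and the SHA-256(salt || password) scheme are assumptions standing in for the poster's unnamed legacy database and hash algorithm; UserCredentialModel.getValue() is the accessor from the server SPI of that period.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

public class LegacyPasswordValidator implements CredentialInputValidator {
    /** Hypothetical view of the old user database; not a Keycloak type. Returns null for unknown users. */
    public interface LegacyStore { byte[] salt(String username); byte[] hash(String username); }

    private final KeycloakSession session;
    private final LegacyStore legacy;
    public LegacyPasswordValidator(KeycloakSession session, LegacyStore legacy) {
        this.session = session;
        this.legacy = legacy;
    }

    @Override public boolean supportsCredentialType(String type) {
        return CredentialModel.PASSWORD.equals(type);
    }
    @Override public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
        return supportsCredentialType(type) && legacy.hash(user.getUsername()) != null;
    }

    @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) return false;
        byte[] salt = legacy.salt(user.getUsername());
        byte[] expected = legacy.hash(user.getUsername());
        if (salt == null || expected == null) return false;          // no legacy record
        String password = ((UserCredentialModel) input).getValue();
        if (password == null) return false;
        // Recompute the legacy hash and compare in constant time.
        if (!MessageDigest.isEqual(expected, legacyHash(salt, password))) return false;
        // Verified: pass the same input to Keycloak, which hashes it with the
        // realm's own password settings and stores it in local storage.
        session.userCredentialManager().updateCredential(realm, user, input);
        return true;
    }

    /** Assumed legacy scheme (placeholder): SHA-256 over salt || UTF-8 password. */
    static byte[] legacyHash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Keycloak offers a credential update to the linked storage provider first when that provider implements CredentialInputUpdater, so a provider using this pattern should leave that interface out or return false from it so the password lands in local storage.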

