Currently I am working on a user federation provider which should help us
out migrating from our old authentication application to Keycloak. All this
is done basically by following this great blog
The blogs offers a way of migrating user accounts with hashed passwords in
your legacy authentication application, without resetting the passwords of
all users in Keycloak.
In short, when authenticating a user, first Keycloak checks it's own local
storage. If the user does not exists already, it will try to authenticate
using our legacy authentication application and will copy the user data
from the legacy application. When authentication fails the user will be
If successful, the entered password will be set for the Keycloak user. From
now on the user is migrated and not federated any longer.
However, there is still one scenario I can't figure out how to deal with:
we still want to offer our users the possibility to reset their passwords.
For non-federated users Keycloak will do just fine. For federated users
Keycloak also offers the password reset, but the user will still remain
federated. In this case I would like to remove the federation and update
the credentials in the Keycloak local storage (so the user is migrated).
So, long story short, I think the UserFederationProvider should also offer
the possibility to anticipate on a password change. This way you can update
the credentials and/or remove the federation link.
Or is there some other solution?