Hi,

Currently I am working on a user federation provider which should help us out migrating from our old authentication application to Keycloak. All this is done basically by following this great blog https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime .
The blogs offers a way of migrating user accounts with hashed passwords in your legacy authentication application, without resetting the passwords of all users in Keycloak.
In short, when authenticating a user, first Keycloak checks it's own local storage. If the user does not exists already, it will try to authenticate using our legacy authentication application and will copy the user data from the legacy application. When authentication fails the user will be federated.
If successful, the entered password will be set for the Keycloak user. From now on the user is migrated and not federated any longer.

However, there is still one scenario I can't figure out how to deal with: we still want to offer our users the possibility to reset their passwords. For non-federated users Keycloak will do just fine. For federated users Keycloak also offers the password reset, but the user will still remain federated. In this case I would like to remove the federation and update the credentials in the Keycloak local storage (so the user is migrated).
So, long story short, I think the UserFederationProvider should also offer the possibility to anticipate on a password change. This way you can update the credentials and/or remove the federation link.
Or is there some other solution?

Regards,
Ramon Rockx