The blog offers a way of migrating user accounts
with hashed passwords in your legacy authentication
application, without resetting the passwords of all
users in Keycloak.
In short, when authenticating a user, first Keycloak
checks its own local storage. If the user does not
exist already, it will try to authenticate using our
legacy authentication application and will copy the
user data from the legacy application. When
authentication fails the user will be federated.
If successful, the entered password will be set for
the Keycloak user. From now on the user is migrated
and not federated any longer.
However, there is still one scenario I can't figure out
how to deal with: we still want to offer our users the
possibility to reset their passwords. For non-federated
users Keycloak will do just fine. For federated users
Keycloak also offers the password reset, but the user
will still remain federated. In this case I would like
to remove the federation and update the credentials in
the Keycloak local storage (so the user is migrated).
So, long story short, I think the UserFederationProvider
should also offer the possibility to anticipate a
password change. This way you can update the credentials
and/or remove the federation link.
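An added example (not code from the post or the blog it refers to) of what that hook looks like in the newer User Storage SPI, where the provider implements `CredentialInputUpdater` in addition to `CredentialInputValidator`. Assumptions: Keycloak's `org.keycloak.storage` / `org.keycloak.credential` packages as they existed in the 3.x/4.x line, and a hypothetical `LegacyAuthClient` that calls the legacy application. The same `migrate` step serves both the first successful login and a password reset of a still-federated user: the federation link is cleared before the local credential update so that the update lands in Keycloak's own storage instead of being routed back to this provider.

```java
import java.util.Collections;
import java.util.Set;

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;

// Example provider for a legacy-password migration (assumed SPI, see lead-in).
// User lookup / import from the legacy application is left out; it is unchanged
// from the migration flow described in the post.
public class LegacyMigrationProvider implements UserStorageProvider,
        CredentialInputValidator, CredentialInputUpdater {

    private final KeycloakSession session;
    private final ComponentModel model;
    private final LegacyAuthClient legacy; // hypothetical client for the legacy auth application

    public LegacyMigrationProvider(KeycloakSession session, ComponentModel model, LegacyAuthClient legacy) {
        this.session = session;
        this.model = model;
        this.legacy = legacy;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return CredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType);
    }

    // Called on login while the user is still federated: verify against the legacy
    // application and, on success, migrate the entered password into local storage.
    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!(input instanceof UserCredentialModel) || !supportsCredentialType(input.getType())) {
            return false;
        }
        String password = ((UserCredentialModel) input).getValue();
        if (!legacy.authenticate(user.getUsername(), password)) {
            return false;
        }
        migrate(realm, user, password);
        return true;
    }

    // Called on a password reset/change while the user is still federated. Instead of
    // forwarding the new password to the legacy application, migrate the user here.
    @Override
    public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
        if (!(input instanceof UserCredentialModel) || !supportsCredentialType(input.getType())) {
            return false;
        }
        migrate(realm, user, ((UserCredentialModel) input).getValue());
        return true; // handled; Keycloak will not try other updaters
    }

    private void migrate(RealmModel realm, UserModel user, String password) {
        // Clear the link first: with the link still set, the credential manager would
        // route the update back to this provider instead of the local password store.
        user.setFederationLink(null);
        session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(password));
    }

    @Override
    public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
        // nothing to disable on the legacy side in this example
    }

    @Override
    public Set<String> getDisableableCredentialTypes(RealmModel realm, UserModel user) {
        return Collections.emptySet();
    }

    @Override
    public void close() {
    }
}
```

The plaintext password is only ever available inside `isValid` and `updateCredential`, which is why migration has to happen at exactly those two points; the legacy hash itself is never copied, so each user is migrated individually at their first successful login or password reset.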