[keycloak-user] How to migrate users and roles from in-house storage

Paulo Pires pires at littlebits.cc
Fri Jul 22 05:41:20 EDT 2016 

Updated PR!

But now I'm hitting another wall: password migration.

The app I'm replacing generated a random salt per user, stored it and then
used SHA-512(password, iterations, pepper, salt) to hash the password -
iterations and pepper are static. Now, I want to import this to Keycloak
and use bcrypt to hash the old hash. Obviously, I'll still need to be able
to generate the old hash when validating on KC log-in, right?

I also want that new users to just have bcrypt and not the old hashing
thing.

Now, I know that I can implement a PasswordHashProvider, but I'm not sure
exactly where to store and how to read information like the old salt, or
how to split between users that were migrated and need to use old hash +
brcrypt hash AND users that were created directly in KC and just need
bcrypt hash.

Any help is highly appreciated,
Pires

On Thu, Jul 21, 2016 at 1:46 PM Paulo Pires <pires at littlebits.cc> wrote:

> Oh, awesome! Going to add tests, open JIRA ticket and update PR.
>
> Thanks Stian,
> Pires
>
> On Thu, Jul 21, 2016 at 1:13 PM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> We like cowboy style :)
>>
>> Could you add a JIRA please?
>>
>> Also you could add tests to
>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
>>
>> On 21 July 2016 at 13:13, Paulo Pires <pires at littlebits.cc> wrote:
>>
>>> I went ahead, cowboy style and opened a PR for it
>>> https://github.com/keycloak/keycloak/pull/3056
>>>
>>> Couldn't find tests so didn't add any.
>>>
>>> Pires
>>>
>>> On Thu, Jul 21, 2016 at 12:06 PM Paulo Pires <pires at littlebits.cc>
>>> wrote:
>>>
>>>> Something like this should work though:
>>>>
>>>> @GET
>>>> @Produces({"application/json"})
>>>> @Path("default-roles")
>>>> List<RoleRepresentation> getDefaultRoles();
>>>>
>>>> @PUT
>>>> @Path("default-roles/{roleId}")
>>>> void addDefaultRole(@PathParam("roleId") String roleId);
>>>>
>>>> @DELETE
>>>> @Path("default-roles/{roleId}")
>>>> void removeDefaultRole(@PathParam("roleId") String roleId);
>>>>
>>>> On Thu, Jul 21, 2016 at 12:03 PM Paulo Pires <pires at littlebits.cc>
>>>> wrote:
>>>>
>>>>> It's working like a charm :)
>>>>>
>>>>> Some things I learned:
>>>>> * Need to import resteasy deps for keycloak-admin-cli explicitly
>>>>> * Methods won't return errors but will throw InvocationTargetException
>>>>> (must be checked)
>>>>>
>>>>> Question: is there a way to set default roles? I can't seem to find it
>>>>> in the Java code but it is available through REST.
>>>>>
>>>>> Thanks,
>>>>> Pires
>>>>>
>>>>> On Thu, Jul 21, 2016 at 8:47 AM Paulo Pires <pires at littlebits.cc>
>>>>> wrote:
>>>>>
>>>>>> Thank you Bruno, I haven't been able to verify your code but I assume
>>>>>> you're sharing it because it works.
>>>>>>
>>>>>> It seems pretty trivial, awesome!
>>>>>>
>>>>>> Cheers,
>>>>>> Pires
>>>>>>
>>>>>> On Wed, Jul 20, 2016 at 9:30 PM Bruno Oliveira <bruno at abstractj.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Note sure if it helps, but an example about how to do it
>>>>>>> programatically is here[1].
>>>>>>>
>>>>>>> I just adapted from the admin-client[2].
>>>>>>>
>>>>>>>
>>>>>>> [1] -
>>>>>>> https://gist.github.com/abstractj/78b127e8c9273cdcea6eb82a1cfc153c
>>>>>>> [2] -
>>>>>>> https://github.com/keycloak/keycloak/tree/master/examples/admin-client
>>>>>>>
>>>>>>> On 2016-07-20, Paulo Pires wrote:
>>>>>>> > I did check the admin-cli JAR but it's not clear how to add roles
>>>>>>> and
>>>>>>> > users, or if it's even implemented (I did check the REST API and
>>>>>>> there's
>>>>>>> > endpoints for that).
>>>>>>> >
>>>>>>> > Thank you very much for clarifying,
>>>>>>> > Pires
>>>>>>> >
>>>>>>> > On Wed, Jul 20, 2016 at 2:52 PM Stian Thorgersen <
>>>>>>> sthorger at redhat.com>
>>>>>>> > wrote:
>>>>>>> >
>>>>>>> > > Yep, take a look at
>>>>>>> > >
>>>>>>> https://keycloak.gitbooks.io/server-developer-guide/content/topics/admin-rest-api.html
>>>>>>> > >
>>>>>>> > > On 20 July 2016 at 15:33, Paulo Pires <pires at littlebits.cc>
>>>>>>> wrote:
>>>>>>> > >
>>>>>>> > >> More than 150k. Is there a Java library for the REST api?
>>>>>>> > >>
>>>>>>> > >> On Jul 20, 2016 13:56, "Stian Thorgersen" <sthorger at redhat.com>
>>>>>>> wrote:
>>>>>>> > >>
>>>>>>> > >>> Depending on the amount of users I'd use either partial import
>>>>>>> through
>>>>>>> > >>> the admin console (if you don't have more than a thousand or
>>>>>>> so users) or
>>>>>>> > >>> use the admin REST endpoints if you have quite a lot of users.
>>>>>>> > >>>
>>>>>>> > >>> On 20 July 2016 at 11:52, Paulo Pires <pires at littlebits.cc>
>>>>>>> wrote:
>>>>>>> > >>>
>>>>>>> > >>>> Hi all,
>>>>>>> > >>>>
>>>>>>> > >>>> I'm in the process of migrating from an in-house user-role
>>>>>>> storage to
>>>>>>> > >>>> Keycloak and I'm looking for programmatic (Java) ways to
>>>>>>> migrate all
>>>>>>> > >>>> current users to the new storage. And I need your help to
>>>>>>> figure out the
>>>>>>> > >>>> best approach.
>>>>>>> > >>>>
>>>>>>> > >>>> At first, when reading KC documentation, I believed I could
>>>>>>> easily
>>>>>>> > >>>> achieve this by implementing a User Federation provider but
>>>>>>> after diving a
>>>>>>> > >>>> little more into it, and looking for examples, I can't see a
>>>>>>> way to migrate
>>>>>>> > >>>> all users on-demand but simply one user at a time, possible
>>>>>>> during log-in.
>>>>>>> > >>>>
>>>>>>> > >>>> Next, I tried and look into ways, such as admin-cli, REST,
>>>>>>> etc but
>>>>>>> > >>>> nothing strikes me as the solution to use.
>>>>>>> > >>>>
>>>>>>> > >>>> Here's what I was hoping to deliver:
>>>>>>> > >>>> * Get all roles and users from my soon-to-be deprecated
>>>>>>> storage, e.g.
>>>>>>> > >>>> MySQL tables
>>>>>>> > >>>> * Add roles to KC
>>>>>>> > >>>> * Iterate users and add user to KC + map roles + update
>>>>>>> password hashes
>>>>>>> > >>>> (here I know I need to implement a HashProvider)
>>>>>>> > >>>>
>>>>>>> > >>>> Any hints will be appreciated!
>>>>>>> > >>>>
>>>>>>> > >>>> Pires
>>>>>>> > >>>>
>>>>>>> > >>>> _______________________________________________
>>>>>>> > >>>> keycloak-user mailing list
>>>>>>> > >>>> keycloak-user at lists.jboss.org
>>>>>>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>> > >>>>
>>>>>>> > >>>
>>>>>>> > >>>
>>>>>>> > >
>>>>>>>
>>>>>>> > _______________________________________________
>>>>>>> > keycloak-user mailing list
>>>>>>> > keycloak-user at lists.jboss.org
>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> abstractj
>>>>>>> PGP: 0x84DC9914
>>>>>>>
>>>>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160722/2271702f/attachment.html

More information about the keycloak-user mailing list