I followed this thread as I'm going to be in the same boat in 2-3 months, migrating users from a legacy system that uses an SSHA512 hash.
The https://github.com/nicolabeghin/keycloak-sha1-salted repo was key in coming up with a solution in no time.
The legacy component uses the raw password + random salt to create a single ssha512 hash where the salt is part of the hash.
1) Changed the keycloak-sha1-salted repo to sha512 and set its id to sha512-salted.
2) Import users from the legacy system using the API (POST auth/admin/realms/<realm>/users):
{
  "firstName": "<firstname>",
  "lastName": "<lastname>",
  "email": "add...@email.com",
  "credentials": [
    {
      "type": "password",
      "secretData": "{\"value\":\"<legacy SSHA512 password>\",\"salt\":\"\"}",
      "credentialData": "{\"algorithm\":\"sha512-salted\",\"hashIterations\":0}"
    }
  ],
  "username": "<username>",
  "emailVerified": true,
  "enabled": true
}
3) Added a function to the keycloak-sha512-salted custom hash provider to extract the salt from the SSHA512 hash/secret.
4) Use the raw password + extracted salt to create an SSHA512 hash and check it against the stored SSHA512 hash.
5) If matched, verify returns true and the user is authenticated, and to top it off with a cherry, Keycloak automagically migrates the SSHA512 password to the default PBKDF2 algorithm.
Another option was to pre-process the LDIF export containing the legacy users, extract the salt and import with the secret + salt separately, but doing it in the custom hash provider seemed cleaner than messing with the exported hash before importing. I settled on using a bash script that loops over the LDAP LDIF export and fires curl API calls to create the users.
Without the https://github.com/nicolabeghin/keycloak-sha1-salted tip it would have taken me a while longer to figure out a migration path, thanks Nicola!
Gr,
L
To view this discussion on the web visit
https://groups.google.com/d/msgid/keycloak-user/84b04c8f-02c6-45bd-ac02-d9e900e85a23%40www.fastmail.com.
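The verification logic described in steps 3-5 above, written out in Python as an added example (this is not code from the post, from keycloak-sha1-salted, or from Keycloak; the real provider is Java implementing Keycloak's PasswordHashProvider SPI). It assumes the OpenLDAP {SSHA512} layout, base64(sha512(password || salt) || salt), so the salt is whatever follows the 64-byte digest; if the legacy system lays the value out differently, split_ssha512 is the one function to adapt. The function names, the sample user and the password are constructed for the example; the JSON shape of the user payload and the "sha512-salted" algorithm id follow the post.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

ALGORITHM_ID = "sha512-salted"             # provider id registered in Keycloak (from the post)
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA512} value: base64(sha512(password || salt) || salt).
    Assumption: the legacy system appends the salt after the digest (the usual LDAP layout).
    Used here only to construct test data; the legacy system produced the real values."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored: str) -> tuple:
    """Step 3: extract (digest, salt). The salt is every byte after the 64-byte digest,
    whatever its length, so salts of 4, 8 or 16 bytes all work without configuration."""
    if stored[:9].upper() == "{SSHA512}":
        stored = stored[9:]
    raw = base64.b64decode(stored)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a SHA-512 digest plus a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha512(password: str, stored: str) -> bool:
    """Step 4: rehash raw password + extracted salt and compare in constant time.
    Malformed stored values (bad base64, no salt) verify as False rather than raising."""
    try:
        digest, salt = split_ssha512(stored)
    except ValueError:  # binascii.Error from bad base64 is a ValueError subclass
        return False
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def keycloak_user_payload(username: str, email: str, stored: str) -> dict:
    """Step 2: body for POST auth/admin/realms/<realm>/users, shaped as in the post.
    Note that secretData and credentialData are JSON *strings* nested in the JSON body;
    the salt field stays empty because the provider pulls the salt out of the value itself."""
    return {
        "username": username,
        "email": email,
        "enabled": True,
        "emailVerified": True,
        "credentials": [{
            "type": "password",
            "secretData": json.dumps({"value": stored, "salt": ""}),
            "credentialData": json.dumps({"algorithm": ALGORITHM_ID, "hashIterations": 0}),
        }],
    }


def provider_verify(raw_password: str, credential: dict) -> bool:
    """Step 5, as the custom provider's verify() would see it: refuse credentials that
    belong to another algorithm, then check the raw password against the stored value."""
    if json.loads(credential["credentialData"]).get("algorithm") != ALGORITHM_ID:
        return False
    stored = json.loads(credential["secretData"])["value"]
    return verify_ssha512(raw_password, stored)


if __name__ == "__main__":
    # Constructed sample: a legacy user whose password is "correct horse" with a fixed 8-byte salt
    stored = make_ssha512("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    payload = keycloak_user_payload("alice", "alice@example.com", stored)
    print(json.dumps(payload, indent=2))
    print("login ok:", provider_verify("correct horse", payload["credentials"][0]))
    print("wrong pw:", provider_verify("wrong", payload["credentials"][0]))
```

Once verify() returns true for a migrated user, Keycloak's normal behaviour is to rehash the now-known raw password with the realm's default provider, which is the automatic PBKDF2 migration the post relies on; the legacy SSHA512 value only has to survive until each user's first successful login.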