Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
Migrating users with passwords between Keycloak 14.0.0 and 21.0.2
67 views
Skip to first unread message
Helen Rai
Apr 22, 2025, 2:26:55 AMApr 22
to Keycloak User
I'm currently migrating one Keycloak instance to another
and need to preserve passwords. The source keycloak is running 14.0.0
and the destination keycloak is running 21.0.2.
Current Status:
- Successfully migrated realms, users with there corresponding roles
- Missing password migration capability
- What would be the recommended method to export password hashes from v14.0.0?
- Tried kcadm.sh get users with various field parameters
- Realm export via UI doesn't include credentials
- Database dump appears to be the only option - is this accurate?
- For importing to v21.0.2:
- Are there compatibility issues between password hash formats across these versions?
- Should we use direct DB import or the admin API?
- Special considerations:
- The instances are running different versions (14 → 21)
- We have ~5,000 users to migrate
- Need to maintain existing password policies
Are there any special considerations for maintaining password functionality during this migration? Any best practices or potential pitfalls I should be aware of?
Thank you in advance for your help!
Alexander Schwartz
Apr 24, 2025, 2:38:24 AMApr 24
to Helen Rai, Keycloak User
Hi Helen,
The list above is missing one option that might be helpful for you:
While the export from the UI doesn't contain the passwords, the Keycloak export from the CLI will contain the hashed passwords, and you will be able to import those in a new instance of Keycloak.
See https://www.keycloak.org/server/importExport for the details.
Using a database export/import is also an option, at least if you don't change the database (for example, if you stay on PostgreSQL).
Note that this works well if your target database is empty, that is: Not running Keycloak yet, and no DB schema created.
Note that this works well if your target database is empty, that is: Not running Keycloak yet, and no DB schema created.
If you change the database type (for example from MySQL to PostgreSQL), it is a bit more tricky: You need to create an empty Keycloak DB schema for the DB variant (sometimes there are different indexes or column definitions on the target side) with the same Keycloak version like the source. Then you copy over only the data. Then you start up Keycloak with the new version on the target database, and Keycloak will migrate the DB schema and the data to the latest version of Keycloak.
Best,
Alexander
--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/keycloak-user/74571012-3548-440d-ba68-51aff2ca8a15n%40googlegroups.com.
Alexander Schwartz, RHCE
He/Him
Principal Software Engineer, Keycloak Maintainer
Red Hat - Germany remote
 |
Red Hat GmbH, Registered seat: Werner von Siemens Ring 12, D-85630 Grasbrunn, Germany
Commercial register: Amtsgericht Muenchen/Munich, HRB 153243,
Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross
Commercial register: Amtsgericht Muenchen/Munich, HRB 153243,
Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross
Reply all
Reply to author
Forward
0 new messages