DEV Community


Posted on

Import PBKDF2 hashed user passwords into Keycloak

If you are in process of migrating to dedicated authentication provider Keycloak, you might need to retain original passwords from the source system.

Since I spent some time on getting creating users with already hashed passwords to work with Keycloak, sharing the API call that is needed to achieve this. Tested with Keycloak 9.0.5

POST http://localhost:8080/auth/admin/realms/master/users
Authorization: Bearer {{access_token}}
Content-Type: application/json

  "enabled": true,
  "attributes": {},
  "username": "admin",
  "emailVerified": "",
  "credentials": [
      "credentialData": "{\"hashIterations\": 27500,\"algorithm\": \"pbkdf2-sha256\"}",
      "secretData": "{\"salt\": \"x/bm4Y3DcuV9eU97ervkPA==\",\"value\": \"1u7BLvfSPxQFpwc5jpGSA+88EGl9pZYKhaZ8YPIu9N4=\"}",
      "type": "password"
Enter fullscreen mode Exit fullscreen mode

Here salt must be Base64 encoded value.
An example creates a user with username "admin" and password "admin"

There are also online tools available to encode raw passwords, for example,

Discussion (0)