If you are in the process of migrating to Keycloak as a dedicated authentication provider, you might need to retain the original passwords from the source system.
Since I spent some time getting the creation of users with already hashed passwords to work with Keycloak, I am sharing the API call that is needed to achieve this. Tested with Keycloak 9.0.5.
```http
POST http://localhost:8080/auth/admin/realms/master/users
Authorization: Bearer {{access_token}}
Content-Type: application/json

{
  "enabled": true,
  "attributes": {},
  "username": "admin",
  "emailVerified": "",
  "credentials": [
    {
      "credentialData": "{\"hashIterations\": 27500,\"algorithm\": \"pbkdf2-sha256\"}",
      "secretData": "{\"salt\": \"x/bm4Y3DcuV9eU97ervkPA==\",\"value\": \"1u7BLvfSPxQFpwc5jpGSA+88EGl9pZYKhaZ8YPIu9N4=\"}",
      "type": "password"
    }
  ]
}
```
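Here the salt must be a Base64-encoded value. Note that `credentialData` and `secretData` are themselves JSON documents serialized into strings, which is why their inner quotes are escaped.
This example creates a user with username "admin" and password "admin".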
There are also online tools available to encode raw passwords, for example, https://8gwifi.org/pbkdf.jsp.
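The same credential entry can be produced and checked locally, so that no password has to be pasted into a web page. The script below is an added example, not part of the original post or of Keycloak: the function names are hypothetical, and the 32-byte derived key length is an assumption taken from the length of the `value` field in the request above.

```python
import base64
import hashlib
import hmac
import json
import os

ALGORITHM = "pbkdf2-sha256"  # algorithm id used in the request above
ITERATIONS = 27500           # hashIterations used in the request above
KEY_BYTES = 32               # assumption: length of the decoded "value" above


def build_credential(password, salt=None, iterations=ITERATIONS):
    """Return one entry for the "credentials" array of the user payload."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return {
        "type": "password",
        # Both fields are JSON documents serialized into strings.
        "credentialData": json.dumps(
            {"hashIterations": iterations, "algorithm": ALGORITHM}),
        "secretData": json.dumps({
            "salt": base64.b64encode(salt).decode("ascii"),
            "value": base64.b64encode(digest).decode("ascii"),
        }),
    }


def check_credential(credential, password):
    """Recompute the hash from a credential entry; compare in constant time."""
    data = json.loads(credential["credentialData"])
    secret = json.loads(credential["secretData"])
    if data["algorithm"] != ALGORITHM:
        raise ValueError("unsupported algorithm: " + data["algorithm"])
    salt = base64.b64decode(secret["salt"], validate=True)
    expected = base64.b64decode(secret["value"], validate=True)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt,
        data["hashIterations"], len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample input, not a real account.
    cred = build_credential("constructed-sample-password")
    user = {"username": "migrated-user", "enabled": True, "credentials": [cred]}
    print(json.dumps(user, indent=2))
```

Running `check_credential` against a hash exported from the source system, with a test account whose password is known, confirms that the salt encoding and iteration count were carried over correctly before the users are imported.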