Importing users from FusionAuth to Keycloak
-
I tried using the Ruby script to import users into a tenant from Keycloak. The script threw no errors, but I am unable to log in using the password. The password works in Keycloak but not in FusionAuth. The FusionAuth version I am using is 1.45.3 and the Keycloak version is 21.1.1. Has anybody had this issue before?
-
Hi @benjamin
I've tested with FusionAuth and Keycloak.
One thing to make sure of is that you are using the correct password hashing algorithm on import.
I think that this is the default hashing algorithm for Keycloak: https://fusionauth.io/docs/v1/tech/reference/password-hashes#salted-pbkdf2-hmac-sha-512
Can you share an example of your import script which shows the password hashing algorithm?
-
@dan Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512. This seems to make the Ruby script work and also it works on our own internal update scripts in the test instance.
-
@benjamin Awesome!
-
@dan You folks may want to update the documentation and potentially the ruby script you guys provide so people won't panic like we did lolz.
-
@benjamin Hmmm.
I'm not quite sure what the issue is, because we do specify salted-pbkdf2-hmac-sha256-512 in the import script: https://github.com/FusionAuth/fusionauth-import-scripts/blob/master/keycloak/import.rb#L151
"The encryptionScheme for this plugin is salted-pbkdf2-hmac-sha256-512."
So when you write:
Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512.
Do you mean that pbkdf2-sha256 is the value from Keycloak and it only worked when you used salted-pbkdf2-hmac-sha256 in FusionAuth, or something else?
What version of Keycloak are you migrating from?
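-
An added example, not written by anyone in this thread and not part of FusionAuth's import scripts: a Ruby check that recomputes a test account's exported Keycloak hash to see which of the two scheme names discussed above matches before running an import. It assumes the Keycloak credential JSON fields `value`, `salt`, `hashIterations` and `algorithm`, and that the `-512` suffix means a 512-bit derived key; the function names and sample record are hypothetical.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Scheme names from the thread, with the derived-key length in bytes each is
# ASSUMED to use (the "-512" suffix is taken to mean a 512-bit derived key).
CANDIDATES = {
  'salted-pbkdf2-hmac-sha256'     => 32,
  'salted-pbkdf2-hmac-sha256-512' => 64
}.freeze

def pbkdf2_sha256(password, salt, iterations, length)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, length,
                             OpenSSL::Digest.new('SHA256'))
end

# Returns the candidate scheme whose recomputed hash equals the stored hash,
# or nil when the algorithm differs or no candidate reproduces it.
def matching_scheme(secret_data, credential_data, known_password)
  secret = JSON.parse(secret_data)
  cred   = JSON.parse(credential_data)
  return nil unless cred['algorithm'] == 'pbkdf2-sha256'

  stored = Base64.strict_decode64(secret['value'])
  salt   = Base64.strict_decode64(secret['salt'])
  CANDIDATES.each do |scheme, length|
    # The decoded hash length already rules out the wrong key size.
    next unless stored.bytesize == length
    derived = pbkdf2_sha256(known_password, salt, cred['hashIterations'], length)
    return scheme if derived == stored # offline diagnostic on a test account
  end
  nil
end

# Constructed sample record for a throwaway test account (not real data).
def sample_record(password, length)
  salt = 'constructed-salt'
  hash = pbkdf2_sha256(password, salt, 27_500, length)
  [
    JSON.generate('value' => Base64.strict_encode64(hash),
                  'salt'  => Base64.strict_encode64(salt)),
    JSON.generate('hashIterations' => 27_500, 'algorithm' => 'pbkdf2-sha256')
  ]
end

if __FILE__ == $PROGRAM_NAME
  secret, cred = sample_record('test-password', 64)
  puts matching_scheme(secret, cred, 'test-password').inspect
end
```

A `nil` result for a password that is known to work in Keycloak means neither candidate reproduces the hash, so the import would create users who cannot log in.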