@benjamin Hmmm.

I'm not quite sure what the issue is, because we do specify salted-pbkdf2-hmac-sha256-512 in the import script:

https://github.com/FusionAuth/fusionauth-import-scripts/blob/master/keycloak/import.rb#L151

The migration guide says:

"The encryptionScheme for this plugin is salted-pbkdf2-hmac-sha256-512."

So when you write:

Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512.

Do you mean that pbkdf2-sha256 is the value from Keycloak and it only worked when you used salted-pbkdf2-hmac-sha256 in FusionAuth, or something else?

What version of Keycloak are you migrating from?

You can migrate all of your user data (store any non standard info in user.data), their roles, groups, application association, refresh tokens (so that someone using a TV app, for example, won't have to login again) and their password hashes.

Please see the FusionAuth migration guide for more.

You can use Connectors to integrate with your old backend but this isn’t the best approach.

The best approach is to do a migration all in one step using our Import API.

If you are worried about resetting your users' passwords (justifiably!), you can implement custom password hashing if needed so that no one would need to do a password reset. See password encryptors for more info. If you use this path, you can upgrade each user's old password hash to BCrypt as users log in.

You can send us your jar file and we'll assist you. Just open a support ticket from your account page.

I'd use the import users API.

Helpful links:

https://fusionauth.io/docs/v1/tech/tutorials/migrate-users https://fusionauth.io/docs/v1/tech/apis/users#import-users