• Home
  • Categories
  • Recent
  • Popular
  • Pricing
  • Contact us
  • Docs
  • Login
FusionAuth
  • Home
  • Categories
  • Recent
  • Popular
  • Pricing
  • Contact us
  • Docs
  • Login

Importing users from Fusion Auth to KeyCloak

Scheduled Pinned Locked Moved Unsolved
Q&A
migration migrate users keycloak
2
6
1.3k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • B
    benjamin
    last edited by 4 Jul 2023, 15:00

    I tried using the Ruby to import users into a tenant from KeyCloak, the script threw no errors but I am unable to login using the password. The password works in KeyCloak but not in FusionAuth. The Fusion Auth version I am using is 1.45.3 and Key Cloak version is 21.1.1.

    Anybody had this issue before?

    D 1 Reply Last reply 5 Jul 2023, 12:20 Reply Quote 1
    • D
      dan @benjamin
      last edited by 5 Jul 2023, 12:20

      Hi @benjamin

      I've tested with FusionAuth and Keycloak.

      One thing to make sure of is that you are using the correct password hashing algorithm on import.

      I think that this is the default hashing algorithm for Keycloak: https://fusionauth.io/docs/v1/tech/reference/password-hashes#salted-pbkdf2-hmac-sha-512

      Can you share an example of your import script which shows the password hashing algorithm?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      B 1 Reply Last reply 5 Jul 2023, 16:15 Reply Quote 0
      • B
        benjamin @dan
        last edited by 5 Jul 2023, 16:15

        @dan Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512.

        This seems to make the Ruby script work and also it works on our own internal update scripts in the test instance.

        D 1 Reply Last reply 5 Jul 2023, 19:07 Reply Quote 1
        • D
          dan @benjamin
          last edited by 5 Jul 2023, 19:07

          @benjamin Awesome!

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io

          B 1 Reply Last reply 6 Jul 2023, 07:24 Reply Quote 0
          • B
            benjamin @dan
            last edited by 6 Jul 2023, 07:24

            @dan You folks may want to update the documentation and potentially the ruby script you guys provide so people won't panic like we did lolz.

            D 1 Reply Last reply 6 Jul 2023, 17:08 Reply Quote 1
            • D
              dan @benjamin
              last edited by 6 Jul 2023, 17:08

              @benjamin Hmmm.

              I'm not quite sure what the issue is, because we do specify salted-pbkdf2-hmac-sha256-512 in the import script:

              https://github.com/FusionAuth/fusionauth-import-scripts/blob/master/keycloak/import.rb#L151

              The migration guide says:

              "The encryptionScheme for this plugin is salted-pbkdf2-hmac-sha256-512."

              So when you write:

              Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512.

              Do you mean that pbkdf2-sha256 is the value from Keycloak and it only worked when you used salted-pbkdf2-hmac-sha256 in FusionAuth, or something else?

              What version of Keycloak are you migrating from?

              --
              FusionAuth - Auth for devs, built by devs.
              https://fusionauth.io

              1 Reply Last reply Reply Quote 0
              4 out of 6
              • First post
                4/6
                Last post