leroyguillaume/keycloak-bcrypt

Need example for creating a user with existing bcrypt password hash

ManfredLange opened this issue · 3 comments

We are migrating users from a previous IDP to Keycloak using the admin REST API. We used the following with KC 20.0.1 and keycloak-bcrypt version 1.5.3 and the following code worked:

    const payload = {
       username: migrateUserDetails.emailAddress,
       enabled: true,
       email: migrateUserDetails.emailAddress,
       emailVerified: true,
       credentials: [
          {
             type: 'password',
             algorithm: 'bcrypt',
             hashedSaltedValue: migrateUserDetails.passwordBcryptHash,
             // hashedSaltedValue is deprecated according to https://stackoverflow.com/a/63800566
             // However, documentation for version 22.0.0 of the Keycloak Admin REST API still
             // lists this property in CredentialRepresentation, see
             // https://www.keycloak.org/docs-api/22.0.0/rest-api/#AuthenticatorConfigRepresentation
             // [Manfred, 17jul2023]
             temporary: false,
             hashIterations: 10,
          }
       ],
    };
    const config = await this.makeConfig();
    const response = await axios.post(`${this.environment.kcUrl}/admin/realms/${realmName}/users`, payload, config);

This then set up the user with the bcrypt-hashed password. On first login, the password would then be migrated to KC's hash algorithm. Login worked for a migrated user.

Now we have upgraded to KC 22.0.1 and to keycloak-bcrypt version 1.6.0. When we execute the same code, we see the following warning in Keycloak's log output:

2023-07-22 05:17:13,608 WARN [org.keycloak.models.utils.RepresentationToModel] (executor-thread-127) Using deprecated 'credentials' format in JSON representation for user 'test68435@test.com'. It will be removed in future versions

I checked the CredentialRepresentation at https://www.keycloak.org/docs-api/22.0.0/rest-api/#CredentialRepresentation . It appears as if the credential details provided in the payload match the ClientRepresentation.

I'm wondering if someone is doing something similar and can advise how I need to change the details of the credentials that I send as part of the payload. I'd like to avoid the warning that Keycloak writes to the log. Thank you!

Hello!

Sorry for the delay. Unfortunately, I'm not sure you're at the right place for this question. You can try directly on Keycloak support.

@ManfredLange

Hi, as you already pointed out in your comment, the hashedSaltedValue is marked as deprecated in the source code.
You should use credentialData and secretData instead.

I had the same issue and, after doing some research and playing around a bit, I found both attributes in the credentials table in the database. After setting the password manually for a test user with bcrypt, I found this in the database.

credentialData -> {"hashIterations":-1,"algorithm":"bcrypt","additionalParameters":{}}
secretData -> {"value":"<HashedPassword>","salt":"","additionalParameters":{}}

You can adjust your request like this.

    const payload = {
       username: migrateUserDetails.emailAddress,
       enabled: true,
       email: migrateUserDetails.emailAddress,
       emailVerified: true,
       credentials: [
          {
             type: 'password',
             credentialData: '{"hashIterations":-1,"algorithm":"bcrypt","additionalParameters":{}}',
             secretData: `{"value":"${migrateUserDetails.passwordBcryptHash}","salt":"","additionalParameters":{}}`,
             temporary: false
          }
       ],
    };
    const config = await this.makeConfig();
    const response = await axios.post(`${this.environment.kcUrl}/admin/realms/${realmName}/users`, payload, config);

After that, the warning was gone, the user login was working as expected, and the password was automatically migrated to the KC hashing algo after the first login.

I use the latest version of Keycloak, 20.0.3.

Hope that helps anyone in the future.
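As an added example (not code from this thread or from the keycloak-bcrypt project), the following JavaScript builds the credentialData/secretData form described in the answer above, validating that the imported value really is a bcrypt hash before it is placed in secretData and serialising both fields with JSON.stringify instead of a template literal. The user record, e-mail and hash are constructed sample data, and the axios call is omitted so the snippet runs offline.

```javascript
// Added example: Keycloak admin REST user payload importing an existing
// bcrypt hash via credentialData/secretData. Sample data is constructed.

// bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then the
// 22-char salt and 31-char hash (53 chars of bcrypt base64 in total).
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// Validate a bcrypt hash and return its cost factor, throwing otherwise.
// Checking the shape stops a plaintext password or a hash of another
// algorithm from being stored as a bcrypt secret by mistake.
function bcryptCost(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error('value is not a bcrypt hash ($2x$cost$salt+hash)');
  const cost = Number(m[1]);
  if (cost < 4 || cost > 31) throw new Error(`bcrypt cost ${cost} out of range`);
  return cost;
}

// Non-deprecated CredentialRepresentation. credentialData and secretData
// are JSON-encoded strings; JSON.stringify keeps them valid for any input.
function bcryptCredential(hash) {
  bcryptCost(hash);
  return {
    type: 'password',
    temporary: false,
    credentialData: JSON.stringify({
      hashIterations: -1, // value Keycloak stores for bcrypt, per the thread
      algorithm: 'bcrypt',
      additionalParameters: {},
    }),
    secretData: JSON.stringify({ value: hash, salt: '', additionalParameters: {} }),
  };
}

// Body for POST {kcUrl}/admin/realms/{realm}/users for one migrated user.
function buildUserPayload(details) {
  return {
    username: details.emailAddress,
    email: details.emailAddress,
    enabled: true,
    emailVerified: true,
    credentials: [bcryptCredential(details.passwordBcryptHash)],
  };
}

// Constructed sample user; the hash is a cost-10 bcrypt hash of a throwaway test password.
const SAMPLE_USER = {
  emailAddress: 'migrated.user@example.com',
  passwordBcryptHash: '$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy',
};
```

`buildUserPayload(SAMPLE_USER)` is the object to pass as the request body in place of the hand-written `payload` above.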

Thanks @tiran133, it still works on KeyCloak 24.04. You saved my day!