zitadel / zitadel-tools

Apache License 2.0

Keycloak hashed password migration #84

Closed livio-a closed 11 months ago

livio-a commented 1 year ago

Admins must be able to migrate Keycloak users to ZITADEL. For that we should provide a tool which takes exported users and a credential export and creates a JSON file, which can be used to import into ZITADEL.

Acceptance criteria

Additional Information

Keycloak stores passwords in the following format:

```json
"credentials": [
  {
    "id": "f27826f7-6ec1-4283-822f-10e0c51a9089",
    "type": "password",
    "userLabel": "My password",
    "createdDate": 1690887741455,
    "secretData": "{\"value\":\"G4pkQxlaYGLOqaO4wDUgItslxTtvcg3lv+JihbYD2ccym7aDixYmCUf5L318TjrfMFZIxqwzrVjGTXUF5GGttA==\",\"salt\":\"VaXa3H3OJXXujl+cRg66HA==\",\"additionalParameters\":{}}",
    "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
  }
],
```

For a ZITADEL import, the format needs to be according to the Modular Crypt Format, e.g. $pbkdf2-sha256$12$cmFuZG9tc2FsdGlzaGFyZA$OFvEcLOIPFd/oq8egf10i.qJLI7A8nDjPLnolCWarQY
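
The conversion described in the comment above, as an added Go example that is not part of the issue or of the zitadel-tools code. It assumes the salt and hash are written in passlib-style adapted base64 (`.` in place of `+`, no padding), which matches the character set of the example string above; `Credential`, `ToMCF` and `ab64` are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Credential holds the fields of one entry in Keycloak's "credentials" array.
type Credential struct {
	Type           string `json:"type"`
	SecretData     string `json:"secretData"`     // JSON document stored as a string
	CredentialData string `json:"credentialData"` // JSON document stored as a string
}

// ab64 is the assumed MCF encoding: base64 with '.' in place of '+', unpadded.
var ab64 = base64.NewEncoding("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./").WithPadding(base64.NoPadding)

// ToMCF converts a Keycloak pbkdf2-sha256 password credential to an MCF string.
func ToMCF(c Credential) (string, error) {
	var secret struct{ Value, Salt string }
	var data struct{ HashIterations int; Algorithm string }
	if c.Type != "password" { // exports can also hold non-password credentials
		return "", fmt.Errorf("credential type %q is not a password", c.Type)
	}
	errSecret := json.Unmarshal([]byte(c.SecretData), &secret)
	errData := json.Unmarshal([]byte(c.CredentialData), &data)
	if errSecret != nil || errData != nil {
		return "", fmt.Errorf("secretData or credentialData is not valid JSON")
	}
	if data.Algorithm != "pbkdf2-sha256" || data.HashIterations < 1 {
		return "", fmt.Errorf("unsupported: %q, %d iterations", data.Algorithm, data.HashIterations)
	}
	salt, errSalt := base64.StdEncoding.DecodeString(secret.Salt)
	hash, errHash := base64.StdEncoding.DecodeString(secret.Value)
	if errSalt != nil || errHash != nil || len(salt) == 0 || len(hash) == 0 {
		return "", fmt.Errorf("salt or hash is missing or not valid base64")
	}
	return fmt.Sprintf("$%s$%d$%s$%s", data.Algorithm, data.HashIterations,
		ab64.EncodeToString(salt), ab64.EncodeToString(hash)), nil
}

func main() {
	// Sample input: the credential quoted in the issue, with the outer JSON escaping removed.
	c := Credential{Type: "password",
		SecretData:     `{"value":"G4pkQxlaYGLOqaO4wDUgItslxTtvcg3lv+JihbYD2ccym7aDixYmCUf5L318TjrfMFZIxqwzrVjGTXUF5GGttA==","salt":"VaXa3H3OJXXujl+cRg66HA==","additionalParameters":{}}`,
		CredentialData: `{"hashIterations":27500,"algorithm":"pbkdf2-sha256","additionalParameters":{}}`}
	fmt.Println(ToMCF(c))
}
```

The decoded hash here is 64 bytes, so the importing side has to accept a derived key of that length for `pbkdf2-sha256`; credentials with any other algorithm are rejected rather than silently relabelled.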

livio-a commented 1 year ago

The whole user format can also be found here: https://github.com/caos/caos-internal/issues/424#issuecomment-1706300574

github-actions[bot] commented 11 months ago

:tada: This issue has been resolved in version 0.4.1 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: