
Failing to create user with password via Keycloak Rest API


I'm trying to migrate users from an existing database. Passwords are encrypted with sha512. I use Keycloak 10 with the REST API.

I have read the CredentialRepresentation and I have tried putting JSON into the strings for the attributes secretData and credentialData.

My POST user request (with correct Authorization) returns "error": "unknown_error".

POST <someDomain>/auth/admin/realms/assure/users
{
"firstName": "test_encrypte",
"lastName":"test_encrypte", 
"email":"jeremy.rafflin@mail.fr", 
"credentials": [{
    "type":"password",
            "credentialData" : "{\"value\":\"fdVjg7Ed/dck1eSGobCHG4JtObyE3BNE3xZhCuuJ0PpmGB4d/OO+t0C5PwYhtOnUV++X2Jh0xmNdNu+sTkt4Bw==\",\"salt\":\"98cj35ZuYZR7S6N.MvZ2lA/UYfWAztXfF.nm/hFIQso\"}",
    "secretData": "{\"algorithm\":\"sha512\",\"hashIterations\":1}"
}],
"username":"encrypt",
"emailVerified": false,
"enabled": true,
"attributes": {"assureId":"10406440"}
}

I am using Keycloak standalone.

My request


Solution

  • You have some issues with your JSON. First, instead of:

    "secretData": "{\"algorithm\":\"sha512\",\"hashIterations\":1}"
    

    it is:

    "credentialData": "{\"algorithm\":\"sha512\",\"hashIterations\":1}"
    

    as you can check in the Keycloak open source repo.

    and instead of

    "credentialData" : "{\"value\":\"fdVjg7Ed/dck1eSGobCHG4JtObyE3BNE3xZhCuuJ0PpmGB4d/OO+t0C5PwYhtOnUV++X2Jh0xmNdNu+sTkt4Bw==\",\"salt\":\"98cj35ZuYZR7S6N.MvZ2lA/UYfWAztXfF.nm/hFIQso\"}",
    

    it is actually:

    "secretData" : "{\"value\":\"fdVjg7Ed/dck1eSGobCHG4JtObyE3BNE3xZhCuuJ0PpmGB4d/OO+t0C5PwYhtOnUV++X2Jh0xmNdNu+sTkt4Bw==\",\"salt\":\"98cj35ZuYZR7S6N.MvZ2lA/UYfWAztXfF.nm/hFIQso\"}",
    

    as you can check in the Keycloak open source repo.

    Finally, the salt value has to be base 64 encoded so instead of

    98cj35ZuYZR7S6N.MvZ2lA/UYfWAztXfF.nm/hFIQso
    

    it has to be:

    OThjajM1WnVZWlI3UzZOLk12WjJsQS9VWWZXQXp0WGZGLm5tL2hGSVFzbw==
    

    The JSON that you are looking for is:

    {
      "firstName": "test_encrypte",
      "lastName": "test_encrypte",
      "email": "jeremy.rafflin@ageo.fr",
      "credentials": [
        {
          "type": "password",
          "secretData": "{\"value\":\"fdVjg7Ed/dck1eSGobCHG4JtObyE3BNE3xZhCuuJ0PpmGB4d/OO+t0C5PwYhtOnUV++X2Jh0xmNdNu+sTkt4Bw==\",\"salt\":\"OThjajM1WnVZWlI3UzZOLk12WjJsQS9VWWZXQXp0WGZGLm5tL2hGSVFzbw==\"}",
          "credentialData": "{\"algorithm\":\"sha512\",\"hashIterations\":1}"
        }
      ],
      "username": "encrypt",
      "emailVerified": false,
      "enabled": true,
      "attributes": {
        "assureId": "10406440"
      }
    }
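
An added example, not part of the original answer and not Keycloak code: a Python sketch that builds the credential entry the way the answer describes (hash and base64-encoded salt in secretData, algorithm and iteration count in credentialData) and lints an existing payload for the mistakes found in the question. The function names build_credential and lint_credential are hypothetical.

```python
import base64
import binascii
import json

SECRET_KEYS = {"value", "salt"}              # answer: these go in secretData
DATA_KEYS = {"algorithm", "hashIterations"}  # answer: these go in credentialData


def build_credential(hash_b64, raw_salt, algorithm, iterations):
    """Build one "credentials" entry from a legacy hash and its raw salt string."""
    salt_b64 = base64.b64encode(raw_salt.encode("utf-8")).decode("ascii")
    return {
        "type": "password",
        # Both fields are JSON documents serialized into strings, as on the page.
        "secretData": json.dumps({"value": hash_b64, "salt": salt_b64}),
        "credentialData": json.dumps(
            {"algorithm": algorithm, "hashIterations": iterations}),
    }


def lint_credential(cred):
    """Return the problems of the kinds the answer names; empty list if none."""
    problems = []
    for field, expected in (("secretData", SECRET_KEYS),
                            ("credentialData", DATA_KEYS)):
        try:
            inner = json.loads(cred[field])
        except (KeyError, TypeError, ValueError):
            inner = None
        if not isinstance(inner, dict):
            problems.append(f"{field}: missing or not a JSON object in a string")
            continue
        if set(inner) != expected:
            problems.append(f"{field}: keys {sorted(inner)}, expected {sorted(expected)}")
        if "salt" in inner:
            try:
                base64.b64decode(inner["salt"], validate=True)
            except (TypeError, binascii.Error, ValueError):
                problems.append(f"{field}: salt is not valid base64")
    return problems


if __name__ == "__main__":
    # Hash and salt values are the ones posted in the question above.
    cred = build_credential(
        "fdVjg7Ed/dck1eSGobCHG4JtObyE3BNE3xZhCuuJ0PpmGB4d/OO+t0C5PwYhtOnUV++X2Jh0xmNdNu+sTkt4Bw==",
        "98cj35ZuYZR7S6N.MvZ2lA/UYfWAztXfF.nm/hFIQso", "sha512", 1)
    print(json.dumps({"username": "encrypt", "enabled": True, "credentials": [cred]}, indent=2))
    print(lint_credential(cred))
```

A raw salt that happens to contain only base64 characters still passes the salt check, so the lint catches obvious mistakes before the POST rather than proving the salt was encoded.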