Contrib.social

What is the correct method to allow existing users in Drupal 10 to be able to log in through keycloak?

Open on Drupal.org →
Created on 9 May 2024, 9 months ago
Updated 11 May 2024, 8 months ago

Problem/Motivation

Transitioning to Keycloak and, as I am unfamiliar with it (or Drupal really if we are being honest), I am not sure what is the correct way to let existing users use their existing credentials when logging in. I clicked the "Automatically connect existing users" in the OpenID settings tab in Configuration, but it only works if there's a user with the same email in Keycloak. I thought of duplicating users to Keycloak but this is a Drupal 7 to 10 migration, therefore I do not know how to migrate the password hashes to keycloak outside of implementing a password hashing provider. I know Drupal 10 automatically updates D7 hashes starting from 10.1 when a user logs in for the first time. Would I have to wait for majority of users to log in at least once before rolling out Keycloak?

I apologize for poor english or formatting mistakes.

💬 Support request
Status

Active

Version

1.8

Component

User interface

Created by

paz61

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @paz61
  • Comment 8 months ago
    🇧🇪Belgium BramDriesen Belgium 🇧🇪

    I don't think this way around will work. Migrating passwords is tricky anyway because you are dealing with different hashing algorithms and salts. Decoding passwords usually also isn't possible. For keycloak the password needs to exist in there, the one of Drupal is not used anymore once the user is linked to Keycloak and logs in through keycloak. I also believe you can't log in anymore through the default Drupal login UI once you're linked to keycloak.

    "Automatically connect existing users" also works the other way around. When a user logs in via keycloak, the check is done and if a user exists, they are linked together.

    I would opt for migrating users into drupal, and then set-up the users in keycloak with fresh passwords.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024