Last active December 27, 2022 03:25
Import users from OpenEdx to Keycloak with NodeJS
```js
import KcAdminClient from "@keycloak/keycloak-admin-client";

// Admin client pointed at the target realm
const kcAdminClient = new KcAdminClient({
  baseUrl: "http://localhost:8080",
  realmName: "myrealm",
});

// Account used to call the admin API
const credentials = {
  grantType: "password",
  username: "superuser",
  password: "xxxxxx",
  clientId: "myclient",
  clientSecret: "myclientsecret",
};

await kcAdminClient.auth(credentials);

// Create the user with the existing OpenEdx password hash
const user = await kcAdminClient.users.create({
  username: "openedxuser1",
  email: '',
  emailVerified: true,
  firstName: "AAAAA",
  lastName: "BBBBB",
  enabled: true,
  credentials: [
    {
      type: 'password',
      // Iteration count and algorithm taken from the OpenEdx hash string
      credentialData: "{\"hashIterations\": 150000,\"algorithm\": \"pbkdf2-sha256\"}",
      // Base64-encoded salt and the original hash value
      secretData: "{\"salt\": \"eGl5VFUzTDVHbFlI\",\"value\": \"Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=\"}",
    },
  ],
});
```

maitrungduc1410 commented Dec 27, 2022


superuser must have role manage-users in order to create users. From admin console -> select your realm -> Users -> select the superuser -> Role Mapping -> Assign Role -> Filter By Clients

Password of an account from OpenEdx is in this format pbkdf2_sha256$150000$xiyTU3L5GlYH$Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=

Breakdown of the hashed password:

  • hashing algorithm: pbkdf2_sha256
  • iteration: 150000
  • salt: xiyTU3L5GlYH
  • hash: Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=

All parts are separated by $.

When we import to Keycloak, in credentials we need to put the same information, except for the salt: we need to encode the salt to base64 and ONLY take the first 16 chars of the encoded string.

In our case, salt is xiyTU3L5GlYH ----> base64: eGl5VFUzTDVHbFlICg== --> first 16 chars: eGl5VFUzTDVHbFlI

After you have successfully created the user, you should be able to log in to Keycloak with the same credentials as in OpenEdx.

This solution works in latest version of Keycloak 20.0.0
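
The conversion described in the comment above, as an added example that is not part of the original gist: it parses an OpenEdx hash string and builds the `credentials` entry passed to `users.create()`. The function and constant names are hypothetical and it assumes Node.js (for `Buffer`); the salt is base64-encoded from its exact bytes, which for the 12-character salt above gives the 16-character value shown.

```javascript
// Added example (not the gist author's code). Names below are hypothetical.
// Maps the algorithm label in the OpenEdx hash to the one used in credentialData.
const ALGORITHM_MAP = new Map([["pbkdf2_sha256", "pbkdf2-sha256"]]);
const SHA256_DIGEST_BYTES = 32;

function djangoHashToKeycloakCredential(encoded) {
  // Trim first: a trailing newline from a file or shell pipeline would
  // otherwise become part of the last field.
  const parts = String(encoded).trim().split("$");
  if (parts.length !== 4) {
    throw new Error("expected algorithm$iterations$salt$hash");
  }
  const [algorithm, iterationText, salt, hash] = parts;

  const keycloakAlgorithm = ALGORITHM_MAP.get(algorithm);
  if (!keycloakAlgorithm) {
    throw new Error(`unsupported algorithm: ${algorithm}`);
  }
  if (!/^[1-9][0-9]*$/.test(iterationText)) {
    throw new Error("iteration count must be a positive integer");
  }
  if (salt.length === 0) {
    throw new Error("empty salt");
  }
  // The hash must be canonical base64 of a SHA-256-sized digest.
  const digest = Buffer.from(hash, "base64");
  if (digest.length !== SHA256_DIGEST_BYTES || digest.toString("base64") !== hash) {
    throw new Error("hash is not base64 of a 32-byte digest");
  }

  return {
    type: "password",
    credentialData: JSON.stringify({
      hashIterations: Number(iterationText),
      algorithm: keycloakAlgorithm,
    }),
    secretData: JSON.stringify({
      // Encode exactly the salt's bytes, nothing more.
      salt: Buffer.from(salt, "utf8").toString("base64"),
      value: hash,
    }),
  };
}

// Hash string quoted in the comment above.
const SAMPLE_HASH =
  "pbkdf2_sha256$150000$xiyTU3L5GlYH$Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=";
console.log(djangoHashToKeycloakCredential(SAMPLE_HASH));
```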
