@maitrungduc1410
Last active December 27, 2022 03:25
Import users from OpenEdx to Keycloak with NodeJS
// The top-level await calls below require running this file as an ES module.
import KcAdminClient from "@keycloak/keycloak-admin-client";

const kcAdminClient = new KcAdminClient({
  baseUrl: "http://localhost:8080",
  realmName: "myrealm",
});

// Account used for the import; it needs the manage-users role (see the notes below).
const credentials = {
  grantType: "password",
  username: "superuser",
  password: "xxxxxx",
  clientId: "myclient",
  clientSecret: "myclientsecret",
};
await kcAdminClient.auth(credentials);

// Create the user with the password hash already stored by OpenEdx,
// so the plaintext password is never needed.
const user = await kcAdminClient.users.create({
  username: "openedxuser1",
  email: "openedxuser1@gmail.com",
  emailVerified: true,
  firstName: "AAAAA",
  lastName: "BBBBB",
  enabled: true,
  credentials: [
    {
      type: "password",
      // Both fields are JSON documents passed as strings.
      credentialData: "{\"hashIterations\": 150000,\"algorithm\": \"pbkdf2-sha256\"}",
      secretData: "{\"salt\": \"eGl5VFUzTDVHbFlI\",\"value\": \"Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=\"}",
    },
  ],
});
console.log(user);
maitrungduc1410 commented Dec 27, 2022

Notes

superuser must have the manage-users role in order to create users. From the admin console -> select your realm -> Users -> select the superuser -> Role Mapping -> Assign Role -> Filter By Clients

The password of an account from OpenEdx is in this format: pbkdf2_sha256$150000$xiyTU3L5GlYH$Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=

Breakdown of the hashed password:

  • hashing algorithm: pbkdf2_sha256
  • iteration: 150000
  • salt: xiyTU3L5GlYH
  • hash: Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=

All parts are separated by $

When we import to Keycloak, we need to put the same information in credentials, except for the salt: we need to encode the salt to base64 and ONLY take the first 16 chars of the encoded string

In our case, salt is xiyTU3L5GlYH ----> base64: eGl5VFUzTDVHbFlICg== --> first 16 chars: eGl5VFUzTDVHbFlI

After you have successfully created the user, you should be able to log in to Keycloak with the same credentials as in OpenEdx

This solution works in the latest version of Keycloak, 20.0.0
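The conversion described in the notes above, as an added example that is not part of the gist: it parses a Django-format hash, validates each field, and base64-encodes the salt's bytes with no trailing newline, which for the 12-character salt above gives the 16-character string eGl5VFUzTDVHbFlI directly. The function names and the sample rows other than the first are assumptions made for illustration; the "!" prefix check relies on Django's convention for accounts without a usable password.

```javascript
// Added example, not the gist author's code; function names are hypothetical.
// Django hasher label -> Keycloak algorithm id (only the pair from the notes).
const ALGORITHMS = new Map([["pbkdf2_sha256", "pbkdf2-sha256"]]);

// Turn "algorithm$iterations$salt$hash" into a Keycloak password credential.
function djangoHashToCredential(encoded) {
  const parts = String(encoded).trim().split("$");
  if (parts.length !== 4) throw new Error("expected 4 '$'-separated parts");
  const [algorithm, iterations, salt, hash] = parts;
  if (!ALGORITHMS.has(algorithm)) throw new Error(`unsupported algorithm: ${algorithm}`);
  if (!/^[1-9]\d*$/.test(iterations)) throw new Error("bad iteration count");
  if (salt === "") throw new Error("empty salt");
  // Reject truncated or corrupted hashes: the value must be canonical base64.
  if (hash === "" || Buffer.from(hash, "base64").toString("base64") !== hash) {
    throw new Error("hash is not valid base64");
  }
  const credentialData = { hashIterations: Number(iterations), algorithm: ALGORITHMS.get(algorithm) };
  // Encode exactly the salt's bytes, with no trailing newline.
  const secretData = { salt: Buffer.from(salt, "utf8").toString("base64"), value: hash };
  return { type: "password", credentialData: JSON.stringify(credentialData),
           secretData: JSON.stringify(secretData) };
}

// Build users.create() payloads; rows that cannot be converted are reported
// instead of being imported with a credential that can never verify.
function buildImport(rows) {
  const users = [], skipped = [];
  for (const { username, email, password } of rows) {
    try {
      // Django stores a "!"-prefixed string when no usable password is set.
      if (password.startsWith("!")) throw new Error("unusable password");
      users.push({ username, email, enabled: true, credentials: [djangoHashToCredential(password)] });
    } catch (err) {
      skipped.push({ username, reason: err.message });
    }
  }
  return { users, skipped };
}

// Constructed rows; the first reuses the hash from the notes above.
const SAMPLE_ROWS = [
  { username: "openedxuser1", email: "openedxuser1@gmail.com",
    password: "pbkdf2_sha256$150000$xiyTU3L5GlYH$Y+tlU1BH10IDYMycH5+4S8J3IoeakcGKjKS51jDxcEQ=" },
  { username: "ssouser", email: "ssouser@example.com", password: "!constructedUnusableMarker" },
  { username: "legacyuser", email: "legacyuser@example.com", password: "pbkdf2_sha1$150000$abc$AAAA" },
];
console.log(JSON.stringify(buildImport(SAMPLE_ROWS), null, 2));
```

Each entry in `users` can be passed to `kcAdminClient.users.create()`; entries in `skipped` need a password reset or another migration path.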
