[keycloak-user] Recommended way to import user accounts with external identity provider information?

Federico Navarro Polo - Info.nl federico at info.nl
Thu Jun 22 09:20:53 EDT 2017 

Hello,

I’m facing currently a migration scenario where I have a group of users which need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users which authenticate via external identity providers (eg: facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all).

From the source system, I have access to the facebook user id and email address, so first I tried to include that as federated identity in the users import:

{
    "realm": "test",
    "users": [
        {
            "createdTimestamp" : 1476191007295,
            "username" : "somebody at somewhere.com",
            "enabled" : true,
            "totp" : false,
            "emailVerified" : true,
            "firstName" : "Test",
            "lastName" : "Test",
            "email" : "somebody at somewhere.com",
            "credentials" : [ ],
            "disableableCredentialTypes" : [ ],
            "requiredActions" : [ ],
            "federatedIdentities" : [ {
              "identityProvider" : "facebook",
              "userId" : "0123456789",
              "userName" : "somebody at somewhere.com",
            } ],
            "realmRoles" : [ "offline_access", "uma_authorization" ],
            "clientRoles" : {
              "account" : [ "manage-account", "view-profile" ]
            }
          }
      ]
}

, which imports fine, and I can see the link in the admin console, but when attempting to login using Facebook, Keycloak ignores that data and redirects to the “Account linking” screen (and in that case, if I follow the process, then I get a DB exception due to duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to login with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration.

I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but can’t figure out what is it. Is there any possible way to avoid the account linking step?

Met vriendelijke groet,

Federico Navarro

backend developer

federico at info.nl<mailto:federico at info.nl>  |  LinkedIn<https://www.linkedin.com/company/info-nl>  |  +31 (0)2 05 30 91 61<tel:+31205309161>

info.nl<http://www.info.nl/>

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100<tel:+31205309100>

More information about the keycloak-user mailing list