Yes, it does indeed work, and the content of the exports was correct as well. The problem
I was having was because I was using different Facebook apps to do the test. When keeping
the Facebook app the same, there is no problem, which makes sense.
Regards,
Federico
On 23/06/17 08:15, "Marek Posolda" <mposolda(a)redhat.com> wrote:
I think it should work - unless we have a bug :) The question is if
"userId" and "userName" are really filled correctly in your JSON?
I suggest that you try to set up some Keycloak environment from scratch
and do Facebook login there. Then you can double-check the content from
DB and what the federated link in Keycloak DB looks like. You can also
export Keycloak DB and re-import to clean DB and then double-check if
Facebook login still works after export/import.
If this works, you can compare the exported JSON with your own JSON file
and double-check if "userId" and "userName" match.
Marek
On 22/06/17 15:20, Federico Navarro Polo - Info.nl wrote:
Hello,
I’m currently facing a migration scenario where I have a group of users which need to be
imported from a different system into Keycloak. For regular users everything works fine,
but I wonder what would be the best approach for users which authenticate via external
identity providers (e.g. Facebook) in order to make the transition as transparent as
possible for the users (ideally, no interaction at all).
From the source system, I have access to the Facebook user ID and email address, so
first I tried to include that as federated identity in the users import:
{
  "realm": "test",
  "users": [
    {
      "createdTimestamp" : 1476191007295,
      "username" : "somebody@somewhere.com",
      "enabled" : true,
      "totp" : false,
      "emailVerified" : true,
      "firstName" : "Test",
      "lastName" : "Test",
      "email" : "somebody@somewhere.com",
      "credentials" : [ ],
      "disableableCredentialTypes" : [ ],
      "requiredActions" : [ ],
      "federatedIdentities" : [ {
        "identityProvider" : "facebook",
        "userId" : "0123456789",
        "userName" : "somebody@somewhere.com"
      } ],
      "realmRoles" : [ "offline_access",
                       "uma_authorization" ],
      "clientRoles" : {
        "account" : [ "manage-account",
                      "view-profile" ]
      }
    }
  ]
}
, which imports fine, and I can see the link in the admin console, but when attempting to
log in using Facebook, Keycloak ignores that data and redirects to the “Account linking”
screen (and in that case, if I follow the process, then I get a DB exception due to
duplicate key). So it seems the best way is to not import the Facebook details, and when
the user tries to log in with Facebook, then the standard account linking process will be
triggered, which is not ideal in a migration.
I suppose there is some extra logic which is not taking place when doing the import as
opposed to creating a new account from scratch or creating the identity provider link
manually in the admin console, but can’t figure out what it is. Is there any possible way
to avoid the account linking step?
Kind regards,
Federico Navarro
backend developer
federico@info.nl | LinkedIn <https://www.linkedin.com/company/info-nl> | +31 (0)2 05 30 91 61
info.nl <http://www.info.nl/>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
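
The comparison suggested in the reply above (exported JSON against the hand-written migration JSON), as an added example that is not part of the original thread or of Keycloak itself. It assumes both files use the "users" / "federatedIdentities" layout shown in the thread; the function names and the sample data (including the exported "userId") are constructed for illustration.

```python
import json

# Constructed sample data: an export taken from a scratch Keycloak after a
# real Facebook login, and the hand-written migration file for the same user.
EXPORTED = json.loads("""{"realm": "test", "users": [
  {"username": "somebody@somewhere.com", "federatedIdentities": [
    {"identityProvider": "facebook", "userId": "9876543210",
     "userName": "somebody@somewhere.com"}]}]}""")
MIGRATION = json.loads("""{"realm": "test", "users": [
  {"username": "somebody@somewhere.com", "federatedIdentities": [
    {"identityProvider": "facebook", "userId": "0123456789",
     "userName": "somebody@somewhere.com"}]}]}""")

def federated_links(realm):
    """Map (username, identityProvider) -> (userId, userName)."""
    links = {}
    for user in realm.get("users", []):
        for fid in user.get("federatedIdentities") or []:
            key = (user.get("username"), fid.get("identityProvider"))
            links[key] = (fid.get("userId"), fid.get("userName"))
    return links

def compare_links(exported, migration):
    """List (key, field, exported_value, migration_value) for every difference."""
    exp, mig = federated_links(exported), federated_links(migration)
    diffs = []
    for key in sorted(set(exp) | set(mig), key=str):
        if key not in mig:
            diffs.append((key, "link", "present", "missing"))
        elif key not in exp:
            diffs.append((key, "link", "missing", "present"))
        else:
            # Same user and provider on both sides: compare field by field.
            for name, e, m in zip(("userId", "userName"), exp[key], mig[key]):
                if e != m:
                    diffs.append((key, name, e, m))
    return diffs

if __name__ == "__main__":
    for key, field, e, m in compare_links(EXPORTED, MIGRATION):
        print(f"{key[0]} / {key[1]}: {field} exported={e!r} migration={m!r}")
```

A "userId" difference for the same user and provider is the kind of mismatch the first message in the thread attributes to testing against a different Facebook app.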