[keycloak-user] Migrating Users Database

Stian Thorgersen stian at redhat.com
Thu May 22 09:30:23 EDT 2014


Add a persistence-unit for it to:

* standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml

Then use Persistence.createEntityManagerFactory(name) in AuthenticationProviderFactory.init, and create a new EntityManager in AuthenticationProviderFactory.init and pass it into AuthenticationProvider.

----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> To: "Marek Posolda" <mposolda at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 22 May, 2014 2:20:39 PM
> Subject: Re: [keycloak-user] Migrating Users Database
> 
> Hmm, I see..
> 
> In that case, since I'm using JPA, what would be the best way for me to get
> access to an EntityManager on my implementation of the
> AuthenticationProvider?
> 
> 
> On Mon, May 19, 2014 at 5:20 PM, Marek Posolda < mposolda at redhat.com > wrote:
> 
> 
> 
> Hi Rodrigo,
> 
> it's not "Settings and Authentication", but the "Settings" tab and then the top
> bar called "Authentication" inside it. It will be opened if you log in to the
> admin console and then open the URL:
> http://localhost:8081/auth/admin/#/realms/keycloak-admin (replace
> 'keycloak-admin' with the name of your realm, for example 'test'). Once you open
> it, you can click the button "Add provider" and your provider should be
> available in the list of available authentication providers.
> 
> For inspiration, you can take a look at the existing implementations, for
> example this one:
> https://github.com/keycloak/keycloak/tree/master/authentication/authentication-picketlink
> and its configuration in the file:
> https://github.com/keycloak/keycloak/blob/master/authentication/authentication-picketlink/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticationProviderFactory
> . Note that it's using the standard Java ServiceLoader mechanism described here
> - http://docs.oracle.com/javase/6/docs/api/java/util/ServiceLoader.html
> 
> You don't need to implement RealmAdapter. RealmAdapter is not related to the
> authentication SPI. It's an implementation of the interface RealmModel, which is
> part of model-api. You need to implement model-api only in case you
> want to create your own storage for all Keycloak data, but implementing the
> whole model-api is much more complicated and challenging than implementing
> authentication-api.
> 
> So in short, you need to implement the AuthenticationProvider interface, which
> will be able to read data from your internal database.
> 
> Marek
> 
> 
> On 19.5.2014 18:05, Rodrigo Sasaki wrote:
> 
> 
> 
> I have done most of what you mentioned, although I didn't find the "Settings
> and Authentication" part on the Realm Settings. I couldn't add the new
> provider to it like you said, and the version I'm using is the one available
> on the github repo.
> 
> Also I saw that I should probably implement a RealmAdapter as well, to provide
> access to my table structure, is that correct? If so, how should I configure
> Keycloak to use my adapter to find users, and not its default one? Or at
> least not only its default one
> 
> 
> On Fri, May 16, 2014 at 4:50 AM, Stian Thorgersen < stian at redhat.com > wrote:
> 
> 
> 
> We will add some documentation to this soon, but you basically need to:
> 
> - Implement
> https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProviderFactory.java
> - Implement
> https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProvider.java
> - Add a
> 'META-INF/services/org.keycloak.authentication.AuthenticationProviderFactory'
> that contains the fully qualified name of your AuthenticationProviderFactory
> implementation
> 
> Build as a JAR and drop into
> keycloak/standalone/deployments/auth-server.war/WEB-INF/lib.
> 
> Start the server, open the admin console, navigate to realm settings and
> authentication. Click Add Provider and it should now have your new provider.
> Add it to the realm.
> 
> It will now use your provider to authenticate users.
> 
> ----- Original Message -----
> > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com >
> > To: "Bill Burke" < bburke at redhat.com >
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, 15 May, 2014 7:30:00 PM
> > Subject: Re: [keycloak-user] Migrating Users Database
> > 
> > By the way, do you have further information regarding that SPI you
> > mentioned?
> > 
> > I was looking at the source code but I couldn't derive much from it, I
> > don't
> > know exactly how I should implement my own provider, and how do I tell
> > keycloak to use mine instead of its own.
> > 
> > 
> > On Thu, May 15, 2014 at 11:05 AM, Rodrigo Sasaki < rodrigopsasaki at gmail.com
> > >
> > wrote:
> > 
> > 
> > 
> > That's quite alright at the moment.
> > 
> > We have seen the roadmap and if it stays around the announced dates, there
> > shouldn't be a problem for us here.
> > 
> > 
> > On Thu, May 15, 2014 at 11:03 AM, Bill Burke < bburke at redhat.com > wrote:
> > 
> > 
> > FYI, Keycloak will be very slow until we start our performance work
> > (scheduled for Beta-2). Right now, every login/logout/token action is
> > all DB hits. We don't cache anything at the moment!
> > 
> > On 5/15/2014 7:02 AM, Rodrigo Sasaki wrote:
> > > I am very interested in importing the whole database. It seems to be the
> > > cleanest way to do what we want to do here, and migrate to keycloak
> > > completely.
> > > 
> > > Are there any guidelines on how to do this? Nonetheless I will look into
> > > the SPI you mentioned, might come in handy sometime.
> > > 
> > > 
> > > On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen < stian at redhat.com
> > > <mailto: stian at redhat.com >> wrote:
> > > 
> > > At the moment we have an Authentication SPI that will let you easily
> > > authenticate users with your existing database of users. The first
> > > time a new user logs in using this approach a user will be pulled in
> > > to the Keycloak database. There's no documentation for this feature
> > > yet, but look at the SPI at
> > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api
> > > and the implementation that uses the Keycloak model itself to
> > > authenticate at
> > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model
> > > .
> > > 
> > > In the future we plan to provide a Sync SPI that will take this one
> > > step further and let you sync users (and roles) to/from an existing
> > > database.
> > > 
> > > However, if you plan to completely replace your current
> > > authentication system the cleanest solution may be to import your
> > > current user database into Keycloak once and for all. If you're
> > > interested in this approach let me know.
> > > 
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> > > <mailto: rodrigopsasaki at gmail.com >>
> > > > To: keycloak-user at lists.jboss.org
> > > <mailto: keycloak-user at lists.jboss.org >
> > > > Sent: Wednesday, 14 May, 2014 8:52:07 PM
> > > > Subject: [keycloak-user] Migrating Users Database
> > > > 
> > > > Hi,
> > > > 
> > > > I'm trying to replace my current authentication system with
> > > Keycloak, but I
> > > > have one problem. I already have a database of users, populated with
> > > > millions of records, and I wanted to make it work with Keycloak.
> > > > 
> > > > What would be the best approach on this scenario? Should I
> > > migrate everything
> > > > to the Keycloak tables, or try to make Keycloak understand my current
> > > > database?
> > > > 
> > > > Is there any recommendation on this matter? And if there is, some
> > > explanation
> > > > or documentation?
> > > > 
> > > > Thanks!
> > > > 
> > > > --
> > > > Rodrigo Sasaki
> > > > 
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org <mailto: keycloak-user at lists.jboss.org >
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > 
> > > 
> > > 
> > > 
> > > --
> > > Rodrigo Sasaki
> > > 
> > > 
> > > 
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> 
> > 
> > --
> > Rodrigo Sasaki
> > 
> > 
> > 
> > --
> > Rodrigo Sasaki
> > 
> 
> 
> 
> --
> Rodrigo Sasaki
> 
> 
> 
> 
> 
> --
> Rodrigo Sasaki
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
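
The arrangement described in the top reply (one EntityManagerFactory created at factory init, a fresh EntityManager handed to each provider), as an added example that is not code from Keycloak or from anyone in this thread. The class names, the `legacy-users` persistence-unit name, the table and column names and the PBKDF2 password storage are all assumptions; Keycloak's own interface methods are not reproduced because the thread does not show them.

```java
import java.security.MessageDigest;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.persistence.*;

// Hypothetical entity mapped onto the existing users table (names assumed).
@Entity @Table(name = "users")
class LegacyUser {
    @Id String username;
    byte[] salt;
    @Column(name = "password_hash") byte[] passwordHash;
    int iterations;
    protected LegacyUser() {}   // JPA requires a no-arg constructor
}

// Hypothetical factory: one EntityManagerFactory for the life of the deployment.
class LegacyUserStoreFactory {
    private EntityManagerFactory emf;

    void init() {   // "legacy-users" = assumed persistence-unit name in persistence.xml
        emf = Persistence.createEntityManagerFactory("legacy-users");
    }
    LegacyUserStore newStore() {   // EntityManager is not thread-safe: one per provider
        return new LegacyUserStore(emf.createEntityManager());
    }
    void close() { if (emf != null) emf.close(); }
}

// Hypothetical provider-side helper that owns the EntityManager it was given.
class LegacyUserStore {
    private final EntityManager em;
    LegacyUserStore(EntityManager em) { this.em = em; }

    boolean validatePassword(String username, char[] password) throws Exception {
        // Bound parameter, never string concatenation: the login name cannot alter the query.
        List<LegacyUser> hits = em.createQuery(
                "SELECT u FROM LegacyUser u WHERE u.username = :name", LegacyUser.class)
            .setParameter("name", username).setMaxResults(1).getResultList();
        if (hits.isEmpty()) return false;   // unknown user
        LegacyUser u = hits.get(0);
        PBEKeySpec spec = new PBEKeySpec(password, u.salt, u.iterations, u.passwordHash.length * 8);
        byte[] candidate = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
            .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return MessageDigest.isEqual(candidate, u.passwordHash);   // constant-time compare
    }
    void close() { em.close(); }
}
```

Pointing the persistence unit at a database account that can only read the users table keeps the provider from being able to modify the legacy data.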

