[keycloak-user] How to migrate users and roles from in-house storage

Paulo Pires pires at littlebits.cc
Fri Jul 22 10:19:52 EDT 2016


Got everything to work!

Cheers,
Pires

On Fri, Jul 22, 2016 at 11:25 AM Paulo Pires <pires at littlebits.cc> wrote:

> Allow me some rubber-ducking here..
>
> 1) Add user attributes (old salt, etc.) when migrating a user
> 2) Implement authenticator that:
>   2.1) Get user by username/email, if not present, fail
>   2.2) Retrieve user attributes
>   2.3) If user attributes include old salt, hence user has been migrated,
> hash input password (cleartext) and pass it to
> context.getSession().users().validCredentials(...)
>   2.4) If user attributes don't include old salt, hence user was created
> in KC, pass input password(cleartext) to
> context.getSession().users().validCredentials(...)
>
> If this is proven to work - and there's no better way to do it - one may
> verify validCredentials(...) return-value, and if it is validated
> successfully, and the user is migrated, can we replace current user model
> password with a new one?
>
> Pires
>
> On Fri, Jul 22, 2016 at 10:41 AM Paulo Pires <pires at littlebits.cc> wrote:
>
>> Updated PR!
>>
>> But now I'm hitting another wall: password migration.
>>
>> The app I'm replacing generated a random salt per user, stored it and
>> then used SHA-512(password, iterations, pepper, salt) to hash the password
>> - iterations and pepper are static. Now, I want to import this to Keycloak
>> and use bcrypt to hash the old hash. Obviously, I'll still need to be able
>> to generate the old hash when validating on KC log-in, right?
>>
>> I also want that new users to just have bcrypt and not the old hashing
>> thing.
>>
>> Now, I know that I can implement a PasswordHashProvider, but I'm not sure
>> exactly where to store and how to read information like the old salt, or
>> how to split between users that were migrated and need to use old hash +
>> brcrypt hash AND users that were created directly in KC and just need
>> bcrypt hash.
>>
>> Any help is highly appreciated,
>> Pires
>>
>> On Thu, Jul 21, 2016 at 1:46 PM Paulo Pires <pires at littlebits.cc> wrote:
>>
>>> Oh, awesome! Going to add tests, open JIRA ticket and update PR.
>>>
>>> Thanks Stian,
>>> Pires
>>>
>>> On Thu, Jul 21, 2016 at 1:13 PM Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> We like cowboy style :)
>>>>
>>>> Could you add a JIRA please?
>>>>
>>>> Also you could add tests to
>>>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
>>>>
>>>> On 21 July 2016 at 13:13, Paulo Pires <pires at littlebits.cc> wrote:
>>>>
>>>>> I went ahead, cowboy style and opened a PR for it
>>>>> https://github.com/keycloak/keycloak/pull/3056
>>>>>
>>>>> Couldn't find tests so didn't add any.
>>>>>
>>>>> Pires
>>>>>
>>>>> On Thu, Jul 21, 2016 at 12:06 PM Paulo Pires <pires at littlebits.cc>
>>>>> wrote:
>>>>>
>>>>>> Something like this should work though:
>>>>>>
>>>>>> @GET
>>>>>> @Produces({"application/json"})
>>>>>> @Path("default-roles")
>>>>>> List<RoleRepresentation> getDefaultRoles();
>>>>>>
>>>>>> @PUT
>>>>>> @Path("default-roles/{roleId}")
>>>>>> void addDefaultRole(@PathParam("roleId") String roleId);
>>>>>>
>>>>>> @DELETE
>>>>>> @Path("default-roles/{roleId}")
>>>>>> void removeDefaultRole(@PathParam("roleId") String roleId);
>>>>>>
>>>>>> On Thu, Jul 21, 2016 at 12:03 PM Paulo Pires <pires at littlebits.cc>
>>>>>> wrote:
>>>>>>
>>>>>>> It's working like a charm :)
>>>>>>>
>>>>>>> Some things I learned:
>>>>>>> * Need to import resteasy deps for keycloak-admin-cli explicitly
>>>>>>> * Methods won't return errors but will throw
>>>>>>> InvocationTargetException (must be checked)
>>>>>>>
>>>>>>> Question: is there a way to set default roles? I can't seem to find
>>>>>>> it in the Java code but it is available through REST.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Pires
>>>>>>>
>>>>>>> On Thu, Jul 21, 2016 at 8:47 AM Paulo Pires <pires at littlebits.cc>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Thank you Bruno, I haven't been able to verify your code but I
>>>>>>>> assume you're sharing it because it works.
>>>>>>>>
>>>>>>>> It seems pretty trivial, awesome!
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Pires
>>>>>>>>
>>>>>>>> On Wed, Jul 20, 2016 at 9:30 PM Bruno Oliveira <bruno at abstractj.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Note sure if it helps, but an example about how to do it
>>>>>>>>> programatically is here[1].
>>>>>>>>>
>>>>>>>>> I just adapted from the admin-client[2].
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [1] -
>>>>>>>>> https://gist.github.com/abstractj/78b127e8c9273cdcea6eb82a1cfc153c
>>>>>>>>> [2] -
>>>>>>>>> https://github.com/keycloak/keycloak/tree/master/examples/admin-client
>>>>>>>>>
>>>>>>>>> On 2016-07-20, Paulo Pires wrote:
>>>>>>>>> > I did check the admin-cli JAR but it's not clear how to add
>>>>>>>>> roles and
>>>>>>>>> > users, or if it's even implemented (I did check the REST API and
>>>>>>>>> there's
>>>>>>>>> > endpoints for that).
>>>>>>>>> >
>>>>>>>>> > Thank you very much for clarifying,
>>>>>>>>> > Pires
>>>>>>>>> >
>>>>>>>>> > On Wed, Jul 20, 2016 at 2:52 PM Stian Thorgersen <
>>>>>>>>> sthorger at redhat.com>
>>>>>>>>> > wrote:
>>>>>>>>> >
>>>>>>>>> > > Yep, take a look at
>>>>>>>>> > >
>>>>>>>>> https://keycloak.gitbooks.io/server-developer-guide/content/topics/admin-rest-api.html
>>>>>>>>> > >
>>>>>>>>> > > On 20 July 2016 at 15:33, Paulo Pires <pires at littlebits.cc>
>>>>>>>>> wrote:
>>>>>>>>> > >
>>>>>>>>> > >> More than 150k. Is there a Java library for the REST api?
>>>>>>>>> > >>
>>>>>>>>> > >> On Jul 20, 2016 13:56, "Stian Thorgersen" <
>>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>> > >>
>>>>>>>>> > >>> Depending on the amount of users I'd use either partial
>>>>>>>>> import through
>>>>>>>>> > >>> the admin console (if you don't have more than a thousand or
>>>>>>>>> so users) or
>>>>>>>>> > >>> use the admin REST endpoints if you have quite a lot of
>>>>>>>>> users.
>>>>>>>>> > >>>
>>>>>>>>> > >>> On 20 July 2016 at 11:52, Paulo Pires <pires at littlebits.cc>
>>>>>>>>> wrote:
>>>>>>>>> > >>>
>>>>>>>>> > >>>> Hi all,
>>>>>>>>> > >>>>
>>>>>>>>> > >>>> I'm in the process of migrating from an in-house user-role
>>>>>>>>> storage to
>>>>>>>>> > >>>> Keycloak and I'm looking for programmatic (Java) ways to
>>>>>>>>> migrate all
>>>>>>>>> > >>>> current users to the new storage. And I need your help to
>>>>>>>>> figure out the
>>>>>>>>> > >>>> best approach.
>>>>>>>>> > >>>>
>>>>>>>>> > >>>> At first, when reading KC documentation, I believed I could
>>>>>>>>> easily
>>>>>>>>> > >>>> achieve this by implementing a User Federation provider but
>>>>>>>>> after diving a
>>>>>>>>> > >>>> little more into it, and looking for examples, I can't see
>>>>>>>>> a way to migrate
>>>>>>>>> > >>>> all users on-demand but simply one user at a time, possible
>>>>>>>>> during log-in.
>>>>>>>>> > >>>>
>>>>>>>>> > >>>> Next, I tried and look into ways, such as admin-cli, REST,
>>>>>>>>> etc but
>>>>>>>>> > >>>> nothing strikes me as the solution to use.
>>>>>>>>> > >>>>
>>>>>>>>> > >>>> Here's what I was hoping to deliver:
>>>>>>>>> > >>>> * Get all roles and users from my soon-to-be deprecated
>>>>>>>>> storage, e.g.
>>>>>>>>> > >>>> MySQL tables
>>>>>>>>> > >>>> * Add roles to KC
>>>>>>>>> > >>>> * Iterate users and add user to KC + map roles + update
>>>>>>>>> password hashes
>>>>>>>>> > >>>> (here I know I need to implement a HashProvider)
>>>>>>>>> > >>>>
>>>>>>>>> > >>>> Any hints will be appreciated!
>>>>>>>>> > >>>>
>>>>>>>>> > >>>> Pires
>>>>>>>>> > >>>>
>>>>>>>>> > >>>> _______________________________________________
>>>>>>>>> > >>>> keycloak-user mailing list
>>>>>>>>> > >>>> keycloak-user at lists.jboss.org
>>>>>>>>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>> > >>>>
>>>>>>>>> > >>>
>>>>>>>>> > >>>
>>>>>>>>> > >
>>>>>>>>>
>>>>>>>>> > _______________________________________________
>>>>>>>>> > keycloak-user mailing list
>>>>>>>>> > keycloak-user at lists.jboss.org
>>>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> abstractj
>>>>>>>>> PGP: 0x84DC9914
>>>>>>>>>
>>>>>>>>
>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160722/c7fe10e9/attachment-0001.html 


More information about the keycloak-user mailing list