[keycloak-user] Recommended way to import user accounts with external identity provider information?

Federico Navarro Polo - Info.nl federico at info.nl
Thu Jul 13 03:57:03 EDT 2017


Yes, it does indeed work, and the content of the exports was correct as well. The problem I was having was because I was using different Facebook apps to do the test. When keeping the Facebook app the same, there is no problem, which makes sense.

Regards,
Federico

On 23/06/17 08:15, "Marek Posolda" <mposolda at redhat.com> wrote:

    I think it should work - unless we have a bug :) The question is if 
    "userId" and "userName" are really filled correctly in your JSON?
    
    I suggest that you try to set up some Keycloak environment from scratch 
    and do Facebook login there. Then you can double-check the content from 
    DB and what the federated link in Keycloak DB looks like. You can also 
    export Keycloak DB and re-import to clean DB and then double-check if 
    Facebook login still works after export/import.
    
    If this works, you can compare the exported JSON with your own JSON file 
    and double-check if "userId" and "userName" match.
    
    Marek
    
    On 22/06/17 15:20, Federico Navarro Polo - Info.nl wrote:
    > Hello,
    >
    > I’m currently facing a migration scenario where I have a group of users who need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users who authenticate via external identity providers (e.g. Facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all).
    >
    > From the source system, I have access to the Facebook user ID and email address, so first I tried to include that as federated identity in the users import:
    >
    > {
    >      "realm": "test",
    >      "users": [
    >          {
    >              "createdTimestamp" : 1476191007295,
    >              "username" : "somebody at somewhere.com",
    >              "enabled" : true,
    >              "totp" : false,
    >              "emailVerified" : true,
    >              "firstName" : "Test",
    >              "lastName" : "Test",
    >              "email" : "somebody at somewhere.com",
    >              "credentials" : [ ],
    >              "disableableCredentialTypes" : [ ],
    >              "requiredActions" : [ ],
    >              "federatedIdentities" : [ {
    >                "identityProvider" : "facebook",
    >                "userId" : "0123456789",
    >                "userName" : "somebody at somewhere.com"
    >              } ],
    >              "realmRoles" : [ "offline_access", "uma_authorization" ],
    >              "clientRoles" : {
    >                "account" : [ "manage-account", "view-profile" ]
    >              }
    >            }
    >        ]
    > }
    >
    > , which imports fine, and I can see the link in the admin console, but when attempting to log in using Facebook, Keycloak ignores that data and redirects to the “Account linking” screen (and in that case, if I follow the process, then I get a DB exception due to duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to log in with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration.
    >
    > I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but can’t figure out what it is. Is there any possible way to avoid the account linking step?
    >
    > Kind regards,
    >
    > Federico Navarro
    >
    > backend developer
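
The comparison step suggested in the thread, as an added example that is not part of the original messages or of Keycloak itself: a Python sketch that diffs the `federatedIdentities` links of a realm export against a hand-built import file and reports every `userId` or `userName` disagreement, the kind of mismatch the thread traced to testing with a different Facebook app. Both JSON documents and every value in them are constructed samples, and the function names are hypothetical.

```python
import json

# Constructed sample: export of a fresh realm after a real Facebook login.
EXPORTED = json.loads("""
{"realm": "test", "users": [
  {"username": "somebody@somewhere.example",
   "federatedIdentities": [
     {"identityProvider": "facebook", "userId": "1000000000000001",
      "userName": "somebody@somewhere.example"}]}
]}
""")
# Constructed sample: hand-built migration file carrying an ID from the old system.
MIGRATION = json.loads("""
{"realm": "test", "users": [
  {"username": "somebody@somewhere.example",
   "federatedIdentities": [
     {"identityProvider": "facebook", "userId": "0123456789",
      "userName": "somebody@somewhere.example"}]},
  {"username": "other@somewhere.example", "federatedIdentities": []}
]}
""")

def federated_links(realm):
    """Map (username, identityProvider) -> (userId, userName) for one realm document."""
    links = {}
    for user in realm.get("users", []):
        for link in user.get("federatedIdentities") or []:
            key = (user["username"], link["identityProvider"])
            links[key] = (link.get("userId"), link.get("userName"))
    return links

def diff_links(exported, migration):
    """Return (key, field, exported_value, migration_value) for every disagreement."""
    ref, cand = federated_links(exported), federated_links(migration)
    problems = []
    for key in sorted(ref.keys() | cand.keys()):
        if key not in cand:
            problems.append((key, "link", "present", "missing"))
        elif key not in ref:
            problems.append((key, "link", "missing", "present"))
        else:
            for field, a, b in zip(("userId", "userName"), ref[key], cand[key]):
                if a != b:
                    problems.append((key, field, a, b))
    return problems

if __name__ == "__main__":
    for key, field, want, got in diff_links(EXPORTED, MIGRATION):
        print(f"{key[0]} via {key[1]}: {field} exported={want!r} migration={got!r}")
```

An empty result means the links in the import file agree with what Keycloak itself stored for the same users and provider.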
    
    
    



