[keycloak-user] Recommended way to import user accounts with external identity provider information?

Marek Posolda mposolda at redhat.com
Fri Jun 23 02:15:45 EDT 2017


I think it should work - unless we have a bug :) The question is if 
"userId" and "userName" are really filled correctly in your JSON?

I suggest that you try to set up some Keycloak environment from scratch 
and do a Facebook login there. Then you can double-check the content from 
the DB and what the federated link in the Keycloak DB looks like. You can also 
export the Keycloak DB and re-import it to a clean DB and then double-check if 
Facebook login still works after export/import.

If this works, you can compare the exported JSON with your own JSON file 
and double-check if "userId" and "userName" match.

Marek

On 22/06/17 15:20, Federico Navarro Polo - Info.nl wrote:
> Hello,
>
> I’m currently facing a migration scenario where I have a group of users who need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users who authenticate via external identity providers (e.g. Facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all).
>
> From the source system, I have access to the Facebook user id and email address, so first I tried to include that as a federated identity in the users import:
>
> {
>      "realm": "test",
>      "users": [
>          {
>              "createdTimestamp" : 1476191007295,
>              "username" : "somebody at somewhere.com",
>              "enabled" : true,
>              "totp" : false,
>              "emailVerified" : true,
>              "firstName" : "Test",
>              "lastName" : "Test",
>              "email" : "somebody at somewhere.com",
>              "credentials" : [ ],
>              "disableableCredentialTypes" : [ ],
>              "requiredActions" : [ ],
>              "federatedIdentities" : [ {
>                "identityProvider" : "facebook",
>                "userId" : "0123456789",
>                "userName" : "somebody at somewhere.com"
>              } ],
>              "realmRoles" : [ "offline_access", "uma_authorization" ],
>              "clientRoles" : {
>                "account" : [ "manage-account", "view-profile" ]
>              }
>            }
>        ]
> }
>
> , which imports fine, and I can see the link in the admin console, but when attempting to log in using Facebook, Keycloak ignores that data and redirects to the “Account linking” screen (and in that case, if I follow the process, then I get a DB exception due to a duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to log in with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration.
>
> I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but I can’t figure out what it is. Is there any possible way to avoid the account linking step?
>
> Met vriendelijke groet,
>
> Federico Navarro
>
> backend developer
>
> federico at info.nl<mailto:federico at info.nl>  |  LinkedIn<https://www.linkedin.com/company/info-nl>  |  +31 (0)2 05 30 91 61<tel:+31205309161>
>
> info.nl<http://www.info.nl/>
>
> Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100<tel:+31205309100>
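The comparison suggested in the reply, as an added example that is not part of the original thread and not Keycloak's own code: it takes a reference realm export and the migration import file and reports every "federatedIdentities" entry whose "userId" or "userName" differs. The two JSON documents are constructed sample data, and the function names are hypothetical.

```python
import json

def federated_links(realm_json):
    """Map username -> {identityProvider: link entry} for one realm JSON document."""
    realm = json.loads(realm_json)  # strict parser: a trailing comma raises ValueError
    links = {}
    for user in realm.get("users", []):
        by_idp = {l.get("identityProvider"): l for l in user.get("federatedIdentities", [])}
        links[user.get("username")] = by_idp
    return links

def compare_links(exported_json, import_json):
    """Return differences between the import file and the reference export."""
    exported = federated_links(exported_json)
    problems = []
    for username, cand_links in federated_links(import_json).items():
        ref_links = exported.get(username)
        if ref_links is None:
            problems.append(f"{username}: not present in reference export")
            continue
        for idp, cand in cand_links.items():
            ref = ref_links.get(idp)
            if ref is None:
                problems.append(f"{username}: no '{idp}' link in reference export")
                continue
            for field in ("userId", "userName"):
                # != also catches a type mismatch such as number vs. string
                if cand.get(field) != ref.get(field):
                    problems.append(f"{username}/{idp}: {field} "
                                    f"import={cand.get(field)!r} export={ref.get(field)!r}")
    return problems

# Constructed sample: what a scratch Keycloak exported after a real login ...
EXPORTED = """{"realm": "test", "users": [{"username": "user@example.com",
  "federatedIdentities": [{"identityProvider": "facebook",
    "userId": "100000000000001", "userName": "user@example.com"}]}]}"""
# ... and a hand-built import entry for the same account (also constructed).
IMPORTED = """{"realm": "test", "users": [{"username": "user@example.com",
  "federatedIdentities": [{"identityProvider": "facebook",
    "userId": 100000000000001, "userName": "User@example.com"}]}]}"""

if __name__ == "__main__":
    for line in compare_links(EXPORTED, IMPORTED):
        print(line)
```
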



