Migrate users to Keycloak

Learn how to migrate users with censhare standard login into Keycloak by script.

Introduction

For censhare WP, users who authenticated with standard censhare party entries with login name and password must be migrated to Keycloak users. The password is lost in this scenario since it cannot be deduced from the hashed value stored in the database.

Prerequisites

JDK 9+ environment to run jshell
Terminal access

Migration

Step 1 - Export users

Open the censhare Admin Client. Go to Master data/Users, select the users you want to migrate and click the Export.

As a result you have a local usergroups.xml file which is an input file in step 2 below.

Step 2 - Convert data into importable JSON

Create a new JSON file named party-export-.json for each user who is exported in step 1.

From a command line prompt, run:

jshell -class-path /opt/corpus/css/app/common/lib/censhare-support.jar keycloak-user-migration.jsh -R-Dparties=/tmp/usergroups.xml -R-Djsondir=/tmp/

CODE

/tmp/ here is used as an example directory for import and export files. Replace with your respective directory.

Step 3 - Execute Keycloak import

You need access to a running Keycloak instance and acquire a valid OpenID token.

Execute a command line similar to the following:

TOKEN=$(curl -s -L -X POST http://localhost:8080/auth/realms/censhare/protocol/openid-connect/token \
             -H 'Content-Type: application/x-www-form-urlencoded' \
             --data-urlencode 'client_id=censhare5' \
             --data-urlencode 'grant_type=password' \
             --data-urlencode 'client_secret=YOUR-CENSHARE5-CLIENT-SECRET' \
             --data-urlencode 'scope=openid' \
             --data-urlencode 'username=keycloak-admin' \
             --data-urlencode 'password=secret' | jq -r .access_token)

CODE

jq is not strictly required but useful. on macOS, you can install it with brew install jq.

Otherwise just execute the curl command and save the TOKEN for the subsequent calls.

In the example above, the values keycloak-admin/secret are the credentials for the user who was added before and configured in censhare-Server Keycloak service.

Please replace the values for *username* and *password* with your actually configured ones.

Import users:

for f in party-export-*.json
do
  echo $f
  curl -X POST http://localhost:8080/auth/admin/realms/censhare/users -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" --data @$f
done

CODE

The Keycloak import rejects users if they use the e-mail of any already existing user.

Check existing users:

curl -s -X GET 'http://localhost:8080/auth/admin/realms/censhare/users' \
     -H "Accept: application/json" \
     -H "Authorization: Bearer $TOKEN" | jq .

CODE

Customizing/Options

You can change the script to your needs. Combine step 2 and 3 as well as your own additions into a single script if you feel comfortable with the mechanism.

Lowercase in usernames

Keycloak stores usernames and emails in lower case by design. Mixed-case letters are not supported in Keycloak.

This might possibly lead to username duplicates.

Script

keycloak-user-migration.jsh

Notes

Exported users keep their Standard login method configured in addition to the External authentication.