Skip to main content
Skip table of contents

Migrate users to Keycloak

Learn how to migrate users with censhare standard login into Keycloak by script.

Introduction

For censhare WP, users who authenticated with standard censhare party entries with login name and password must be migrated to Keycloak users. The password is lost in this scenario since it cannot be deduced from the hashed value stored in the database.

Prerequisites

  • JDK 9+ environment to run  jshell
  • Terminal access

Migration

Step 1 - Export users

Open the censhare Admin Client. Go to Master data/Users, select the users you want to migrate and click the Export.

As a result you have a local usergroups.xml  file which is an input file in step 2 below.

Step 2 - Convert data into importable JSON

Create a new JSON file named party-export-.json for each user who is exported in step 1.

From a command line prompt, run:

CODE
jshell -class-path /opt/corpus/css/app/common/lib/censhare-support.jar keycloak-user-migration.jsh -R-Dparties=/tmp/usergroups.xml -R-Djsondir=/tmp/

/tmp/   here is used as an example directory for import and export files. Replace with your respective directory.

Step 3 - Execute Keycloak import

You need access to a running Keycloak instance and acquire a valid OpenID token. 

Execute a command line similar to the following:

CODE
TOKEN=$(curl -s -L -X POST http://localhost:8080/auth/realms/censhare/protocol/openid-connect/token \
             -H 'Content-Type: application/x-www-form-urlencoded' \
             --data-urlencode 'client_id=censhare5' \
             --data-urlencode 'grant_type=password' \
             --data-urlencode 'client_secret=YOUR-CENSHARE5-CLIENT-SECRET' \
             --data-urlencode 'scope=openid' \
             --data-urlencode 'username=keycloak-admin' \
             --data-urlencode 'password=secret' | jq -r .access_token)

jq  is not strictly required but useful. on macOS, you can install it with  brew install jq.

Otherwise just execute the  curl  command and save the TOKEN for the subsequent calls.

In the example above, the values keycloak-admin/secret  are the credentials for the user who was added before and configured in censhare-Server Keycloak service.

Please replace the values for *username* and *password* with your actually configured ones.

Import users:

CODE
for f in party-export-*.json
do
  echo $f
  curl -X POST http://localhost:8080/auth/admin/realms/censhare/users -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" --data @$f
done

The Keycloak import rejects users if they use the e-mail of any already existing user.

Check existing users:

CODE
curl -s -X GET 'http://localhost:8080/auth/admin/realms/censhare/users' \
     -H "Accept: application/json" \
     -H "Authorization: Bearer $TOKEN" | jq .

Customizing/Options

You can change the script to your needs. Combine step 2 and 3 as well as your own additions into a single script if you feel comfortable with the mechanism.

Lowercase in usernames

Keycloak stores usernames and emails in lower case by design. Mixed-case letters are not supported in Keycloak. 

This might possibly lead to username duplicates.

Script

keycloak-user-migration.jsh


Notes

Exported users keep their Standard login method configured in addition to the External authentication.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.