Learn how to migrate users with censhare standard login into Keycloak by script.
For censhare WP, users who authenticated with standard censhare party entries with login name and password must be migrated to Keycloak users. The password is lost in this scenario since it cannot be deduced from the hashed value stored in the database.
jshell
Open the censhare Admin Client. Go to Master data/Users, select the users you want to migrate and click Export.
As a result, you have a local usergroups.xml file, which is the input file for step 2 below.
Create a new JSON file named party-export-.json for each user who is exported in step 1.
From a command line prompt, run:
    jshell -class-path /opt/corpus/css/app/common/lib/censhare-support.jar keycloak-user-migration.jsh -R-Dparties=/tmp/usergroups.xml -R-Djsondir=/tmp/
/tmp/ is used here as an example directory for import and export files. Replace it with your respective directory.
You need access to a running Keycloak instance and must acquire a valid OpenID token.
Execute a command line similar to the following:
    TOKEN=$(curl -s -L -X POST http://localhost:8080/auth/realms/censhare/protocol/openid-connect/token \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=censhare5' \
      --data-urlencode 'grant_type=password' \
      --data-urlencode 'client_secret=YOUR-CENSHARE5-CLIENT-SECRET' \
      --data-urlencode 'scope=openid' \
      --data-urlencode 'username=keycloak-admin' \
      --data-urlencode 'password=secret' | jq -r .access_token)
jq is not strictly required but useful. On macOS, you can install it with brew install jq. Otherwise just execute the curl command and save the TOKEN for the subsequent calls.
In the example above, keycloak-admin/secret are the credentials for the user who was added before and configured in the censhare-Server Keycloak service.
Import users:
    # POST each exported user file to the Keycloak admin API
    for f in party-export-*.json; do
      echo "$f"
      curl -X POST http://localhost:8080/auth/admin/realms/censhare/users \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $TOKEN" \
        --data @"$f"
    done
The Keycloak import rejects users if they use the e-mail of any already existing user.
Check existing users:
    curl -s -X GET 'http://localhost:8080/auth/admin/realms/censhare/users' \
      -H "Accept: application/json" \
      -H "Authorization: Bearer $TOKEN" | jq .
You can change the script to your needs. Combine steps 2 and 3, as well as your own additions, into a single script if you feel comfortable with the mechanism.
Keycloak stores usernames and emails in lower case by design. Mixed-case letters are not supported in Keycloak.
This might lead to username duplicates.
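A pre-import check for the two rejection causes described above: an e-mail that is already in use, and usernames that collide once Keycloak lowercases them. This is an added example, not part of the censhare migration script. It assumes the party-export files carry the Keycloak user fields username and email; load_exports and find_collisions are hypothetical helper names, and the sample data is constructed.

```python
import json
from collections import defaultdict
from pathlib import Path


def load_exports(jsondir):
    """Read every party-export-*.json file in jsondir (file name -> parsed user)."""
    return {p.name: json.loads(p.read_text(encoding="utf-8"))
            for p in sorted(Path(jsondir).glob("party-export-*.json"))}


def find_collisions(exports, existing_users=()):
    """Return {(field, lowercased value): [sources]} for values claimed more than once.

    Values are compared in lower case because Keycloak stores usernames and
    e-mails that way. existing_users is the parsed JSON list returned by the
    "Check existing users" call (GET .../admin/realms/censhare/users).
    """
    seen = defaultdict(list)
    for user in existing_users:
        for field in ("username", "email"):  # assumed field names
            if user.get(field):
                source = "keycloak:" + user.get("username", "?")
                seen[(field, user[field].lower())].append(source)
    for name, user in exports.items():
        for field in ("username", "email"):
            if user.get(field):
                seen[(field, user[field].lower())].append(name)
    return {key: srcs for key, srcs in seen.items() if len(srcs) > 1}


# Constructed sample data, not taken from a real system.
SAMPLE_EXPORTS = {
    "party-export-1.json": {"username": "JDoe", "email": "j.doe@example.com"},
    "party-export-2.json": {"username": "jdoe", "email": "john@example.com"},
    "party-export-3.json": {"username": "asmith", "email": "Admin@Example.com"},
}
SAMPLE_EXISTING = [{"username": "keycloak-admin", "email": "admin@example.com"}]

if __name__ == "__main__":
    found = find_collisions(SAMPLE_EXPORTS, SAMPLE_EXISTING)
    for (field, value), sources in sorted(found.items()):
        print(f"{field} '{value}' is claimed by: {', '.join(sources)}")
```

To run it against real data, pass load_exports("/tmp/") as the first argument and the parsed output of the "Check existing users" call as existing_users.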