search

daniel-frak / keycloak-user-migration

A Keycloak plugin for migrating users from legacy systems
MIT License
295 stars 132 forks source link

Unable to migrate users to a subgroup #45

Open cosmin-harangus opened 2 years ago

cosmin-harangus commented 2 years ago

I have a Keycloak installation which contains multiple company groups with subgroups (Owner, Admin, Member). I am trying to use the plugin to migrate users from the old auth system to the new one and assign the users to the groups for each of the company.

Since assigning to a group is based on the group name I can't find a way to assign a user to a subgroup, especially since the subgroups all have the same name for each company group.

Can you let me know if that is possible with the current implementation? Wouldn't it be better to use the id instead of the name?

daniel-frak commented 2 years ago

I wasn't even aware that Keycloak supports subgroups prior to this, so I don't think it's possible with the plugin right now.

However, it should be easy to change the code in UserModelFactory to support this, perhaps using something like this StackOverflow answer as a base: https://stackoverflow.com/a/59888309

Subgroups in the response JSON could then be recognized as being keys in a "group array", e.g.: { "groups": ["mainGroup[subGroup], someOtherGroup"] }.

Unfortunately, I don't have the time to implement this, but I encourage you to create a PR if you have the time :)

timadevelop commented 5 months ago

In case someone else will work on this in the future:

Maybe identifying groups would work better with group paths used in KC, not names.

e.g. { "groups": ["/parent/child", "/another/path", "backward-compatible-group-name-w-current-behaviour" ] }

https://www.keycloak.org/docs-api/23.0.7/javadocs/org/keycloak/models/utils/KeycloakModelUtils.html#buildGroupPath(org.keycloak.models.GroupModel)

https://www.keycloak.org/docs-api/23.0.6/javadocs/org/keycloak/representations/idm/GroupRepresentation.html#getPath()

https://github.com/keycloak/keycloak/commit/6d74e6b2895d8b0820d910a818bef8f67d0df129#diff-bbf1d9e0c38c672e6e567177adee2b53cf018d3c119419d0f47264ea0576abf2R72

Until this is implemented, there's a workaround that might work for others: prepopulate all groups in KC and use unique names for subgroups. UserModelFactory will pick a proper subgroup if its name is unique within your realm.