Export service for Keycloak
This is a proof-of-concept that's able to synchronize existing users in the OpenProject database to a Keycloak host.
It transfers:
- basic user attributes (name, email, login)
- groups and group memberships
- passwords (assuming that Keycloak can handle BCrypt hashes)
- app-based MFA authenticator codes
- Required actions:
  - Configure TOTP; if no MFA device was added
  - Setup recovery codes; if recovery codes were present before
There is no way yet to access this functionality from the UI. It can be accessed through a rake task for now that expects the ID of the OpenID Connect provider as an argument:
```
rake keycloak:export[42]
```
Limitations
- Phishing-resistant MFA devices (i.e. WebAuthn/Yubikeys) can't be transferred by design; they would not accept a domain change
- Users logging in through SSO can't get their SSO-association transferred
  - they effectively get created without a password and should be able to use "Reset Password" to gain access
Ticket
- Epic: https://community.openproject.org/wp/63768
- Task: https://community.openproject.org/wp/67596
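The mapping described in the pull request description above, sketched as an added example that is not code from this pull request or from OpenProject. The input field names, the `bcrypt` algorithm id and the TOTP parameters are assumptions; the output is modelled on Keycloak's user representation.

```ruby
require "json"

# Modular-crypt BCrypt: $2a/$2b/$2y, two-digit cost, 53 chars of salt + digest.
BCRYPT = %r{\A\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}\z}

# Constructed sample records; the field names are hypothetical.
SAMPLE_USERS = [
  { login: "alice", mail: "alice@example.com", groups: ["Developers"],
    password_hash: "$2a$12$" + "A" * 53, totp_secrets: ["CONSTRUCTEDSECRET"],
    had_recovery_codes: true },
  { login: "bob", mail: "bob@example.com" } # SSO-only: no hash, no MFA device
].freeze

# Maps one record to a Keycloak-style user representation. Hashes and TOTP
# secrets are copied as stored, never re-derived.
def keycloak_user(user)
  credentials = []
  if (pw = user[:password_hash])
    cost = pw[BCRYPT, 1] or raise ArgumentError, "#{user[:login]}: not a BCrypt hash"
    credentials << {
      type: "password",
      secretData: JSON.generate({ value: pw }),
      # Assumption: a hash provider registered as "bcrypt" exists on the server.
      credentialData: JSON.generate({ algorithm: "bcrypt", hashIterations: cost.to_i })
    }
  end # users without a hash (SSO) get no password credential at all

  totp = user.fetch(:totp_secrets, [])
  totp.each do |secret|
    credentials << {
      type: "otp",
      secretData: JSON.generate({ value: secret }),
      # Assumption: common authenticator-app parameters.
      credentialData: JSON.generate({ subType: "totp", digits: 6, period: 30,
                                      algorithm: "HmacSHA1" })
    }
  end

  actions = []
  actions << "CONFIGURE_TOTP" if totp.empty?
  actions << "CONFIGURE_RECOVERY_AUTHN_CODES" if user[:had_recovery_codes]

  { username: user[:login], email: user[:mail], enabled: true,
    firstName: user[:firstname], lastName: user[:lastname],
    groups: user.fetch(:groups, []),
    credentials: credentials, requiredActions: actions }
end
```

Rejecting anything that is not a well-formed BCrypt string keeps legacy or malformed hashes from being imported as credentials that can never verify.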
[!CAUTION] The provided work package version does not match the core version
Details:
- Work package URL: https://community.openproject.org/wp/63768
- Work package version: not set
- Core version: 16.6.0
Please make sure that:
- The work package version OR your pull request target branch is correct
Hi @NobodysNightmare, Can you please add the work package to the description?
The Epic was already linked. I also added a link to the task that this belongs to.
Sorry, didn't scroll down.