Skip to content

Commit

Permalink
216 create endpoints for import/export orgs (#222)
Browse files Browse the repository at this point in the history 
* 216 create endpoints for import/export orgs

* 216 resolve comments
  • Loading branch information
@rtufisi
rtufisi committed Apr 12, 2024
1 parent 040af1e commit 22d3e7b
Show file tree
Hide file tree
Showing 48 changed files with 2,197 additions and 1,299 deletions.
12 changes: 6 additions & 6 deletions docs/events.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,19 +22,20 @@ Description of the events associated with the management of organizations:
| `/auth/realms/:realmId/orgs/:orgId/invitations/:invitationId` | `POST` | INVITATION | CREATE |
| `/auth/realms/:realmId/orgs/:orgId/invitations/:invitationId/:invitationId` | `DELETE` | INVITATION | DELETE |
| `/auth/realms/:realmId/orgs/:orgId/domains/:domainName/verify` | `POST` | DOMAIN | UPDATE |
| `/auth/realms/:realmId/orgs/import` | `POST` | ORGANIZATION_IMPORT | CREATE |

### User events

Description of the events associated with users in the context of a organization.

Organization management

| Path | Method | Event type |
|-----------------------------------------------------|----------|-----------------|
| `/auth/realms/:realmId/users/switch-organization` | `PUT` | UPDATE_PROFILE |
| `/auth/realms/:realmId/orgs/:orgId/members/:userId` | `DELETE` | UPDATE_PROFILE |
| Path | Method | Event type |
|-----------------------------------------------------|----------|----------------|
| `/auth/realms/:realmId/users/switch-organization` | `PUT` | UPDATE_PROFILE |
| `/auth/realms/:realmId/orgs/:orgId/members/:userId` | `DELETE` | UPDATE_PROFILE |

`Invitations` - Event type: CUSTOM_REQUIRED_ACTION
`Invitations` - Event type: CUSTOM_REQUIRED_ACTION

![invitation-required-action-success](./assets/events/invitation-required-action-success-event.png)

Expand All @@ -46,7 +47,6 @@ Organization management

![remove-organization-invitation-event](./assets/events/remove-organization-invitation-event.png)


`PortalLink` - Event type: EXECUTE_ACTION_TOKEN

![portal-link-success](./assets/events/portal-link-success-event.png)
211 changes: 156 additions & 55 deletions docs/import-export.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,29 +10,142 @@
* [Import](#import)
* [Organization import/export schema](#organization-importexport-schema)
* [Organization roles import/export schema](#organization-roles-importexport-schema)
* [IDP link import/export schema](#idp-link-importexport-schema)
* [IDP link import/export schema](#identity-provider-link-importexport-schema)
* [Members import/export schema](#members-importexport-schema)
* [Invitations import/export schema](#invitations-importexport-schema)
* [Export](#export)
* [Compatibility](#compatibility)

## Overview

This documents describes the functionality for importing and exporting a realm containing organizations.

The current approach works with the import/export functionality from the Keycloak UI console (not CLI commands)
This documents describes the functionality for importing and exporting organizations from a realm.

## Import

Organizations can be imported, by adding `organizations` in the realm representation json.
Organizations can be imported, by performing a `POST` http call to `orgs/import` endpoint. <br>
The endpoint support two query parameters `skipMissingMember` and `skipMissingIdp`. <br>


The import functionality is transactional meaning that all elements in the `organizations` array must be imported in order to complete successfully.


If both `skipMissingMember` and `skipMissingIdp`are set to `false` the import will be strict, meaning that the realm should contain the all users and idps which are referred in the import json file. <br>

E.q.:
```
{
"realm": "org-realm",
"enabled": true,
.....
"organizations": [...]
}
curl --location 'https://{$fqdn}/auth/realms/{{$realm}}/orgs/import?skipMissingMember=false&skipMissingIdp=false' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{$access_token}}' \
--data-raw '{
"organizations": [
{
"organization": {
"name": "test",
"displayName": "test",
"url": "test",
"domains": [
"test.com",
"test2.com"
],
"attributes": {
"attr1": [
"attr1"
]
}
},
"roles": [
{
"name": "role1",
"description": ""
},
{
"name": "role2",
"description": "role2"
}
],
"idpLink": "keycloak-oidc",
"members": [
{
"username": "testUser",
"roles": [
"role1",
"manage-members"
]
}
],
"invitations": [
{
"email": "[email protected]",
"inviterUsername": "testUser",
"roles": ["role2"],
"redirectUri": "",
"attributes": {}
}
]
},
{
"organization": {
"name": "test2",
"displayName": "test",
"url": "",
"domains": [],
"attributes": {}
},
"roles": [
{
"name": "view-organization"
},
{
"name": "manage-organization"
},
{
"name": "view-members"
},
{
"name": "manage-members"
},
{
"name": "view-roles"
},
{
"name": "manage-roles"
},
{
"name": "view-invitations"
},
{
"name": "manage-invitations"
},
{
"name": "view-identity-providers"
},
{
"name": "manage-identity-providers"
},
{
"name": "role2_test",
"description": "gdssdg"
}
],
"members": [
{
"username": "testUser2",
"roles": [
"view-identity-providers",
"role2_test"
]
},
{
"username": "testUser3",
"roles": [
"view-organization",
"role2_test"
]
}
],
"invitations": []
}
]
}'
```

### Organization import/export schema
Expand All @@ -41,9 +154,6 @@ To import an organization use the following schema.

```
{
"realm": "org-realm",
"enabled": true,
.....
"organizations": [
{
"organization": {
Expand Down Expand Up @@ -76,9 +186,6 @@ To import an organization roles use the following schema.

```
{
"realm": "org-realm",
"enabled": true,
.......
"organizations": [
{
"organization": {
Expand Down Expand Up @@ -108,20 +215,14 @@ The default organization roles are created even if not defined in the `roles`.

### Identity provider link import/export schema

To add an identity provider to a organization use the following schema. <br>
The identity provider with the `alias` mentioned in the property `idpLink` must be defined in the realm `identityProviders`.
To add an identity provider to a organization use the following schema.

If the `skipMissingIdp` is set to `false`, the identity provider with the `alias` mentioned in the property `idpLink` must be present the realm `identityProviders`.

If the `skipMissingIdp` is set to `true`, if the identity provider with the `alias` mentioned in the property `idpLink` is not present the realm `identityProviders` the import will ignore it.

```
{
"realm": "org-realm",
"enabled": true,
"identityProviders": [
{
"alias": "keycloak-oidc",
......
}
]
.....
"organizations": [
{
"organization": {
Expand All @@ -136,9 +237,16 @@ The identity provider with the `alias` mentioned in the property `idpLink` must

### Members import/export schema

To add a member to an organization use the following schema.<br>
The users from the `members` must be defined in realm `users`.<br>
The roles associated to a `member` must be defined in organization `roles`.
To add a member to an organization use the following schema.


If the `skipMissingMember` is set to `false`:
- The users from the `members` must be defined in realm `users`.
- The roles associated to a `member` must be defined in organization `roles`.


If the `skipMissingMember` is set to `true`:
- The users from the `members` which are not found in the realm `users` will be ignored.

```
{
Expand Down Expand Up @@ -194,20 +302,17 @@ The roles associated to a `member` must be defined in organization `roles`.

### Invitations import/export schema

To add an invitations to an organization use the following schema. <br>
The invitation `email` should not belong to a member of the organization.<br>
The `inviter` must be defined in `users` import schema.
To add an invitations to an organization use the following schema.
The invitation `email` should not belong to a existing member of the organization.

If the `skipMissingMember` is set to `false`:
- The `inviter` must be defined in `users` import schema.


If the `skipMissingMember` is set to `true`:
- If the `inviter` is not found in the realm `users` the invitation import will be skipped.

```
"realm": "org-realm",
"enabled": true,
......
"users": [
{
"username": "test",
"enabled": true
}
],
"organizations": [
{
"organization": {
Expand Down Expand Up @@ -242,15 +347,11 @@ The `inviter` must be defined in `users` import schema.

## Export

Using Keycloak `/partial-export` the realm representation should include the `organizations`. Organization will not
contain `members` and `invitations`.<br>
Using Keycloak a `GET` http call to `orgs/export` the realm representation should include the `organizations`. Organization will not
contain `members` and `invitations` if the flag `exportMembersAndInvitations` is set to `false`.<br>

## Compatibility

### Standard Keycloak -> Keycloak + keycloak-orgs extension

A realm can be created using a valid realm representation json for the current Keycloak version.

### Keycloak + keycloak-orgs extension -> Standard Keycloak

To port back from PhaseTwo to standard Keycloak the `organizations` must be removed from the realm representation json.
E.q.:
```
curl --location 'https://{$fqdn}/auth/realms/{{$realm}}/orgs/export?exportMembersAndInvitations=true' \
--header 'Authorization: Bearer {{$access_token}}'
```
20 changes: 0 additions & 20 deletions src/main/java/io/phasetwo/service/datastore/KeycloakOrgsDatastoreProvider.java
View file

This file was deleted.

16 changes: 0 additions & 16 deletions src/main/java/io/phasetwo/service/datastore/KeycloakOrgsDatastoreProviderFactory.java
View file

This file was deleted.

Loading

0 comments on commit 22d3e7b

Please sign in to comment.