Jira Link : https://project-sunbird.atlassian.net/browse/SC-911
Design Doc : Encrypting data stored within keycloak
Note: Take back up of keycloak database.
Steps :
- Checkout https://github.com/project-sunbird/sunbird-auth code and make build.
- create providers folder inside keycloak
- Copy the jar to providers folder
- Run the keycloak
- Login to admin console and click User Federation tab on left panel of the screen. As shown in fig.
- Select cassandra-storage-provider from Add provider drop down on the screen , then you will be redirected to screen as shown
- Click save button , It will generate one provider id as shown
- Copy this provider id and save this as env variable sunbird_keycloak_user_federation_provider_id .
- Run the below sql on keycloak database (provide {PROVIDER_ID} and realm name {realm name} in sql) , Before running sql just check the data of FEDERATED_USER,FED_USER_CREDENTIAL & FED_USER_REQUIRED_ACTION for further validation
1. insert into public.FEDERATED_USER(ID, STORAGE_PROVIDER_ID, REALM_ID)select concat('f:{PROVIDER_ID}:', USER_ENTITY.ID), '{PROVIDER_ID}', '{realm name}' from public.USER_ENTITY;
2. insert into FED_USER_CREDENTIAL(ID, DEVICE, HASH_ITERATIONS, SALT, TYPE, VALUE, CREATED_DATE, COUNTER, DIGITS, PERIOD, ALGORITHM, USER_ID, REALM_ID,STORAGE_PROVIDER_ID) select ID, DEVICE, HASH_ITERATIONS, SALT, TYPE, VALUE, CREATED_DATE, COUNTER, DIGITS, PERIOD, ALGORITHM, concat('f:{PROVIDER_ID}:',USER_ID), '{realm name}', '{PROVIDER_ID}' from CREDENTIAL
3. insert into FED_USER_REQUIRED_ACTION(REQUIRED_ACTION, USER_ID, REALM_ID, STORAGE_PROVIDER_ID)
select REQUIRED_ACTION, concat('f:{PROVIDER_ID}:', USER_ID), '{realm name}', '{PROVIDER_ID}' from USER_REQUIRED_ACTION;
10. Run the ETL to delete the user from keycloak.