Moving To Updated OIDC Provider

[Carver Bray]

Hello Dataverse Users,

I have recently moved one of my Dataverse installations to a newer version of keycloak that is running on a different machine. It is almost exactly the same, with the same users and configuration for the client, although I believe the old version had a different realm name. However, whenever users try to login with their accounts, it prompts them to create a new account on Dataverse when the expected outcome should be just logging them into their existing accounts. Since the old users from the old auth provider still exist they cannot just use the same username and email to create this new account or log in. Is there a way to tell Dataverse that it should treat any logins from this new auth provider as logging into the already existing accounts? The new auth provider has the same id as the old provider in the list of auth providers, but I assume that since it is from a different issuer (new ip address/machine) that's what's causing the issue. 

While it would be possible to have users create a new temporary user from this and then merge the old account into the new one using the API, I only want to do that as a last-ditch effort. Primarily there are issues with merging the old user into the new. For keeping data attached to a specific user it works fine, it's primarily aesthetic concerns. You can change the display name to match the old account, but the email, which would have to have a +1 attached to it to have it treated as a new email, is unable to be changed to my knowledge, so it would permanently have that +1 on it, which I feel like may cause issues in the future. 

Thanks,

Carver Bray

[Philip Durbin]

Hi Carver,

I'm hoping someone more familiar with the OIDC code will chime in but from a quick look, the getUserByID* and related methods all take the realm into account. As an experiment, can you try restoring the original name of the realm?

I hope this helps!

Phil

* https://github.com/IQSS/dataverse/blob/v6.9/conf/keycloak/builtin-users-spi/src/main/java/edu/harvard/iq/keycloak/auth/spi/providers/DataverseUserStorageProvider.java#L41

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dataverse-community/6c41aaa6-2bd1-462b-b02c-118513d7be0fn%40googlegroups.com.

--

Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin

[Carver Bray]

Hello Philip,

Sorry for the late update, but I have tried restoring the old realm name and it still prompted users to create a new account. So I believe it must be something else causing it. 

As for other solutions, is there a way to "trick" Dataverse into treating these users as the same ones from before? Potentially some trick in the database I could use, or something similar? 

Thanks,

Carver Bray

[o.be...@fz-juelich.de]

Educated guess: the "sub" of the users in the new realm may have been changed. This is how existing users in the DB are matched to the incoming ID or Access Token.

Cheers,
Oliver