infra/docs/keycloak/delete-unverified-accounts.md

1.9 KiB

Delete accounts without verified email address

Keycloak

Required:

  • auth.pub.solar admin-cli service user credentials
  • SSH access to host nachtigall
ssh barkeeper@nachtigall.wg.pub.solar

Credentials for the following command are in keepass.

Create keycloak config/credentials file at /tmp/kcadm.config:

sudo --user keycloak kcadm.sh config credentials \
  --config /tmp/kcadm.config \
  --server https://auth.pub.solar \
  --realm pub.solar \
  --client admin-cli

Get list of accounts without a verified email address:

sudo --user keycloak kcadm.sh get \
  --config /tmp/kcadm.config \
  users \
  --realm pub.solar \
  --query emailVerified=false \
  > /tmp/keycloak-unverified-accounts

Review list of accounts, especially check createdTimestamp if any accounts were created in the past 2 days. If so, delete those from the /tmp/keycloak-unverified-accounts file.

createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )

# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done

vim /tmp/keycloak-unverified-accounts

Check how many accounts are going to be deleted:

jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids

Final check before deletion (dry-run):

for id in $(cat /tmp/keycloak-unverified-account-ids)
  do
    echo sudo --user keycloak kcadm.sh delete \
      --config /tmp/kcadm.config \
      users/$id \
      --realm pub.solar
  done

THIS WILL DELETE ACCOUNTS:

for id in $(cat /tmp/keycloak-unverified-account-ids)
  do
    sudo --user keycloak kcadm.sh delete \
      --config /tmp/kcadm.config \
      users/$id \
      --realm pub.solar
  done