[FEATURE] Integrate Petition App with BetterGov In-House SSO #21

@mzowera

Description

Summary

Now that the Petition app will integrate with BetterGov’s in-house SSO (Keycloak), we need to migrate our existing Google SSO users so they can continue signing in seamlessly through the new centralized authentication system.

This migration ensures that users don’t lose access to their existing accounts and data after the switch.


🧱 Objectives

  • Preserve all existing Petition user accounts that were originally authenticated via Google.
  • Link these accounts with their corresponding Keycloak identities (which also use Google as a federated IdP).
  • Ensure no duplicate users are created during or after the migration.

🛠️ Migration Plan

  1. Analyze Existing User Data

    • Identify all users currently authenticated through Google OAuth.
    • Confirm that email is stored and used as the unique identifier in the Petition database.
  2. Prepare Keycloak Environment

    • Ensure Google Identity Provider is enabled in the bettergov realm.
    • Confirm users who log in via Google through Keycloak have matching email addresses.
  3. Implement Linking Logic

    • On first login via BetterGov SSO:
      • Check if the user’s email already exists in the Petition DB.
      • If yes → link Keycloak user ID to the existing Petition record.
      • If no → create a new record as a standard SSO user.
  4. Database Update

    • Add a new column to store keycloak_user_id or equivalent identifier.
    • Optionally log migration status or timestamps for audit trail.
  5. Testing

    • Verify that migrated users can log in with the same Google account through Keycloak.
    • Ensure data integrity — no duplicate user rows created.
    • Test behavior for new (non-Google) Keycloak users.
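The linking logic of steps 3 and 4, with the checks a first-login handler needs to keep the "no duplicate users" objective honest. This is an added example written for this issue, not code from the Petition app or from BetterGov's Keycloak setup. It assumes an in-memory SQLite table standing in for the Petition users table, a `keycloak_user_id` column as step 4 proposes, and token claims shaped like Keycloak's OIDC ID token (`sub`, `email`, `email_verified`); the sample users and claims are constructed. Two points go beyond the bullet list: the lookup tries the Keycloak `sub` before the email, so a returning user whose email changed at the IdP still maps to one row, and an email match is only trusted when Keycloak reports it as verified, otherwise anyone who registers a legacy user's address at the IdP could be linked to that user's petitions.

```python
"""Account-linking on first login through BetterGov SSO (Keycloak).

Added example, not the Petition app's own code. Assumptions: an in-memory
SQLite users table, a `keycloak_user_id` column (step 4), and claims shaped
like a Keycloak ID token (`sub`, `email`, `email_verified`).
"""
import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,      -- existing unique identifier (step 1)
    auth_provider TEXT NOT NULL,     -- 'google' for legacy rows, 'keycloak' once linked
    keycloak_user_id TEXT UNIQUE,    -- new column (step 4); NULL until linked
    linked_at TEXT                   -- audit timestamp (step 4)
);
"""


class LinkError(Exception):
    """Raised when a login must be refused rather than linked or created."""


@dataclass
class LinkResult:
    user_id: int
    action: str  # 'already_linked', 'linked', or 'created'


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def seed_legacy_users(conn, emails):
    """Insert rows standing in for users who signed up via Google OAuth (constructed data)."""
    conn.executemany(
        "INSERT INTO users (email, auth_provider) VALUES (?, 'google')",
        [(e.strip().lower(),) for e in emails],
    )
    conn.commit()


def link_or_create(conn, claims):
    """Resolve one Keycloak login (step 3) to exactly one Petition user row.

    1. Match on the Keycloak `sub` first: the stable identifier, not the email,
       decides whether this is a returning user.
    2. Fall back to email only if Keycloak marks it verified; an unverified
       email must never bind a new identity to a legacy account.
    3. Otherwise create a new standard SSO user.
    """
    sub = claims.get("sub")
    email = (claims.get("email") or "").strip().lower()
    if not sub or not email:
        raise LinkError("token lacks sub or email")

    row = conn.execute(
        "SELECT id FROM users WHERE keycloak_user_id = ?", (sub,)
    ).fetchone()
    if row:
        return LinkResult(row[0], "already_linked")

    if not claims.get("email_verified", False):
        raise LinkError("refusing to link on an unverified email")

    row = conn.execute(
        "SELECT id, keycloak_user_id FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row:
        user_id, existing_sub = row
        if existing_sub is not None:
            # Email already bound to a different Keycloak identity (the `sub`
            # lookup above missed it): do not re-link silently, flag for review.
            raise LinkError("email already linked to another Keycloak user")
        conn.execute(
            "UPDATE users SET keycloak_user_id = ?, auth_provider = 'keycloak', "
            "linked_at = datetime('now') WHERE id = ?",
            (sub, user_id),
        )
        conn.commit()
        return LinkResult(user_id, "linked")

    cur = conn.execute(
        "INSERT INTO users (email, auth_provider, keycloak_user_id, linked_at) "
        "VALUES (?, 'keycloak', ?, datetime('now'))",
        (email, sub),
    )
    conn.commit()
    return LinkResult(cur.lastrowid, "created")


def user_count(conn):
    """Row count, used to verify the no-duplicates criterion after a run."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

The `UNIQUE` constraints on both `email` and `keycloak_user_id` are the safety net for step 5: if the handler ever races with itself, the database refuses the second row instead of producing a duplicate. Lower-casing the email on both the seed and the lookup side matters because Google and Keycloak may not agree on the casing of an address.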

🧠 Benefits

  • Users experience a smooth transition with no new registration required.
  • Maintains existing data and activity records linked to each account.
  • Consolidates authentication under one secure and centralized system.

✅ Acceptance Criteria

  • All existing Google-authenticated users successfully linked to Keycloak accounts.
  • No duplicate accounts created during migration.
  • Database migration and linking logic tested in staging.
  • Migration script or logic documented for future reference.

📎 Related
