[keycloak-dev] How would you handle an external user store?

Bill Burke bburke at redhat.com
Tue Jul 8 11:21:46 EDT 2014


It is not very clear going forward the relationship between 
AuthenticationProvider and UserProvider.  My understanding was that 
the UserProvider split was implemented to help users handle the case where 
they have an existing user store they want to use.  IMO, 
AuthenticationProvider has overlapping concerns and should be merged.

Let's say we have LDAP that stores:

username
password
address
phone

But no role mappings.  How would you handle both authentication and 
implementing the UserProvider with role mapping support?

I just think our current way/split of UserProvider, 
AuthenticationProvider, and UserModel just isn't going to cut it going 
forward.  Think of federation too where one Keycloak server might have 
to federate multiple user stores.  Each of those stores might have 
static data models which don't fully support Keycloak metadata which may 
require us to store some user information in Keycloak's storage.

I think a UserProvider needs to tell Keycloak:

* What user metadata it stores
* What credential types does the UserProvider store?
* What credential types should the store validate?
* What credential types should Keycloak validate?

Keycloak needs a reference to local storage to the UserProvider so it 
can create local UserModels if necessary.  The local UserModel needs to 
have metadata that answers all the above questions.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
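The design sketched in the message above, as an added example that is not Keycloak code and not part of the original post: a hypothetical external store declares which attributes it holds and which credential types it validates itself, while a local shadow UserModel carries what the store cannot (role mappings, an OTP secret). Names such as LdapLikeStore, LocalUserModel, Federation and build_demo are assumptions for illustration; the sample data is constructed and the password is kept in clear only to keep the demo short.

```python
import hmac
PASSWORD, OTP = "password", "otp"

class LdapLikeStore:
    """Hypothetical external store: identity attributes plus a password; no roles, no OTP."""
    stored_attributes = {"username", "address", "phone"}
    validates_credential_types = {PASSWORD}  # credential types the store checks itself
    def __init__(self, users):  # constructed sample data: username -> record
        self._users = users
    def lookup(self, username):
        rec = self._users.get(username)
        return None if rec is None else {k: rec[k] for k in self.stored_attributes if k in rec}
    def validate(self, username, cred_type, value):
        rec = self._users.get(username)
        return rec is not None and hmac.compare_digest(rec.get(cred_type, ""), value)

class LocalUserModel:  # Keycloak-side record for what the store cannot hold: roles, local credentials
    def __init__(self, username, provider):
        self.username, self.provider, self.roles, self.credentials = username, provider, set(), {}

class Federation:
    def __init__(self):
        self.providers, self.local = {}, {}
    def get_user(self, username):  # ask each federated store; create the local shadow on first sight
        for name, prov in self.providers.items():
            attrs = prov.lookup(username)
            if attrs is not None:
                return self.local.setdefault(username, LocalUserModel(username, name)), attrs
        return None, None
    def authenticate(self, username, creds):
        model, _ = self.get_user(username)
        if model is None or not creds:
            return False
        prov = self.providers[model.provider]
        for ctype, value in creds.items():
            if ctype in prov.validates_credential_types:
                ok = prov.validate(username, ctype, value)  # delegated to the external store
            else:  # every other type is validated against Keycloak's own storage
                ok = hmac.compare_digest(model.credentials.get(ctype, ""), value)
            if not ok:
                return False
        return True

def build_demo():  # constructed setup: one LDAP-like store; role mapping and OTP secret stay local
    fed = Federation()
    fed.providers["ldap"] = LdapLikeStore({"alice": {"username": "alice", "password": "s3cret",
                                                     "address": "1 Main St", "phone": "555-0100"}})
    model, _ = fed.get_user("alice")
    model.roles.add("admin"); model.credentials[OTP] = "123456"  # held by Keycloak, not by LDAP
    return fed
```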