[keycloak-dev] How would you handle an external user store?

Bill Burke bburke at redhat.com
Tue Jul 8 12:50:04 EDT 2014



On 7/8/2014 11:42 AM, Stian Thorgersen wrote:
> Cut/paste from previous email:
>

Which didn't answer anything for me.

>
> AuthProvider is trying to achieve something different than storing users, and the combination of the two is quite flexible.

They serve different purposes? And yet AuthProvider stores users:

AuthProvider.registerUser()

and retrieves them:

AuthProvider.getUser()

Then you have AuthenticationManager, which creates a UserModel and sets up 
an AuthenticationLink.  So a developer has to implement registerUser() 
as well as the create interfaces of UserProvider.

More often than not, authentication and user storage will be from the 
same place, then you have to doubly configure the LDAP connection for 
both the UserProvider and the AuthProvider.  Except one is configured in 
the Admin Console (AuthProvider) and the other within keycloak-server.json.

You really don't see how this is screwed up?

> Someone could still achieve what they can achieve with AuthProvider by creating a UserProvider impl that delegates to another UserProvider impl for storage, so maybe we could respin the AuthProvider SPI into a UserProvider that can use another UserProvider for storing users, and one or more UserProviders for authentication. That way we'd still have the capability, but with it less hard-coded into the core code.
>

Of course, which is why I asked the question, WTF do we still have 
AuthProvider?  The two need to be merged and credential validation needs 
to move down to the User interface level.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
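As an added illustration of the merged design argued for in this thread (a sketch written for this page, not Keycloak's SPI; the class and method names are assumed, and a second in-memory provider stands in for an external store such as LDAP), this shows one UserProvider interface that both stores users and validates credentials, plus a federating provider that delegates storage to one provider and authentication to others, importing and linking a user on first login without ever holding a local secret for them:

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class UserModel:
    username: str
    auth_link: str = None    # name of the provider that validates this user's credentials

class UserProvider:          # merged SPI sketch: storage and credential validation on one interface
    def get_user(self, username): raise NotImplementedError
    def register_user(self, username, password=None, auth_link=None): raise NotImplementedError
    def validate_credentials(self, username, password): raise NotImplementedError

class InMemoryUserProvider(UserProvider):
    """Local store; keeps salted PBKDF2 hashes only for users it authenticates itself."""
    def __init__(self, name="local"):
        self.name, self._users, self._creds = name, {}, {}
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def get_user(self, username):
        return self._users.get(username)
    def register_user(self, username, password=None, auth_link=None):
        self._users[username] = UserModel(username, auth_link or self.name)
        if password is not None:
            salt = os.urandom(16)
            self._creds[username] = (salt, self._hash(password, salt))
        return self._users[username]
    def validate_credentials(self, username, password):
        rec = self._creds.get(username)   # absent when unknown here or linked elsewhere: never valid locally
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))

class FederatingUserProvider(UserProvider):
    """The respin from the quoted mail: one provider stores users, one or more validate credentials."""
    def __init__(self, storage, authenticators):
        self.storage, self.authenticators = storage, authenticators   # authenticators: {name: UserProvider}
    def get_user(self, username):
        return self.storage.get_user(username)
    def register_user(self, username, password=None, auth_link=None):
        return self.storage.register_user(username, password, auth_link)
    def validate_credentials(self, username, password):
        user = self.storage.get_user(username)
        if user is not None:   # known user: only the linked provider may validate (the store itself if self-linked)
            linked = self.authenticators.get(user.auth_link, self.storage)
            return linked.validate_credentials(username, password)
        for name, auth in self.authenticators.items():   # first login: import from the backend that accepts it
            if auth.validate_credentials(username, password):
                self.storage.register_user(username, auth_link=name)   # UserModel + link, no local secret
                return True
        return False
```

The point to check in such a design is the last branch of the local provider: a user imported from an external backend has no local credential record, so a password presented against the local store alone must fail rather than fall back to anything.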