[keycloak-dev] AuthProvider refactor details

Mon Jul 21 04:34:30 EDT 2014

I am not sure I understand why "getUserCount" is an issue and for 
example "getUsers" or "searchForUser" is not? Am I understand correctly 
that implementor of FederationProvider can choose which method to 
override, so for example if he won't override "getUsers" or 
"getUserCount" then FederationManager just delegates those to "local" 
UserProvider?

If getUserCount() is an issue, I can remove it and refactor export to 
not using it and instead use approach like: "checkout users until 
current page is not full", which would mean that there are no more users 
to export (Like for example if I have 50 users and usersPerPage is 20, 
then page1 has 20 users, page2 has 20 users and page3 has just 10 users, 
so export process can recognize that it is last page).

But still getUserCount() may be useful if we later want to add 
pagination support to admin console (in this case, we may need "count" 
methods also for searchFor** - 
https://issues.jboss.org/browse/KEYCLOAK-564 )

Marek

On 20.7.2014 23:05, Bill Burke wrote:
> One thing I'm not sure what do do is getUserCount().  can't really get
> an accurate user count in a federated environment.  I see this is only
> used by export?  Probably not an issue as export would only use local
> Keycloak storage.
>
>
> On 7/18/2014 10:05 PM, Bill Burke wrote:
>> I reviewed Marek's code.  The refactor is going to be pretty much
>> Marek's code except reorganized a little bit.  Hopefully you can follow
>> what I'm saying.  I'll try and follow up with code in a few days.
>>
>> * AuthProvider is going to turn into FederationProvider which is an
>> extension of UserProvider
>>
>> public interface FederationProvider extends UserProvider {
>>        String getAdminPage();
>>        Class<? extends FederatonAdmin> getAdminClass();
>>        UserModel proxy(UserModel localUser);
>> }
>>
>> * AuthenticationProviderManager is going to turn into a concrete class
>> which implements UserProvider, FederationManager.  It will basically do
>> the same algorithm as AuthProviderManager for finding users (looping
>> through the realm's configured FederationProviders), except it will be
>> using the UserProvider interface and returning UserModels.
>> - UserModel getXXX() methods will search within "local" storage first
>> for a user.
>> - If exists, it will look at the UserModel.getProvider() attribute to
>> learn which provider to use.  Then call FederationProvider.proxy()
>> method.  This will allow the FederationProvider to proxy the UserModel
>> so it can perform on demand sync.
>>
>> * KeycloakSession will allocate a FederationManager and wrap it with a
>> CacheUserProvider instead of getting the "local" user storage provider.
>>
>> * LDAP/Picketlink code will turn into a set of abstract classes used to
>> build the LDAPFederationProvider.
>> - getXXX will try to locate in LDAP store.  If exists, it will import
>> the user into the "local" storage UserModel.  It will create a proxy to
>> this local storage.  This proxy will allow on-demand sync.
>>
>> Configuration:
>>
>> * AuthentiationProviderModel will be renamed to FederationProviderModel.
>>     RealmModel will also return a list of these
>> * LDAP code will not use Realm.getLdapConfig().  It will instead use
>> FederationProviderModel config.
>>
>> Management:
>>
>> * Federation configuration will move from the Realm Settings page, to
>> the Users page.
>> * getAdminPage and getAdminClass exist so that FederationProvider
>> plugins can plug-in their own admin console UI and REST API.
>> * FederationProvider.getAdminPage() will point to a admin console path.
>>     When adding a FederationProvider, the admin console will load this
>> page for setup/config.
>> * The FederationProvider.getAdminClass() method will return a JAX-RS
>> resource locator class that implements
>>
>> interface FederationAdmin {
>>       void setAdmin(UserModel admin);
>>       void setSession(Keycloak session);
>>       void setRealm(RealmModel realm);
>> }
>> * The admin class will be instantiated when invoking REST calls to
>> .../realms/{realm}/users/providers/{provider-name}/...
>>
>> That's it in a nutshell.  I haven't implemented any of this, its just in
>> my head and there's probably a lot of details I've overlooked that I'll
>> figure out when I code.
>>
>>
>>