[keycloak-dev] Custom federation - webservice

Vlastimil Elias velias at redhat.com
Fri Dec 11 07:15:12 EST 2015



On 11.12.2015 12:19, Marek Posolda wrote:
> I think what we can possibly do is:
>
> 1) Improve KeycloakTransactionManager to allow enlisting with "priority".
> Instead of methods:
>
> void enlist(KeycloakTransaction transaction);
> void enlistAfterCompletion(KeycloakTransaction transaction);
>
> we will have a single method:
>
> void enlist(KeycloakTransaction transaction, int priority);
>
> By default, JPA will enlist transaction with priority 10 and
> infinispan with priority 20 or something like that.
>
> This change will allow you to enlist your transaction in your
> FederationProvider with an exact priority. So you can choose whether the
> commit will happen before JPA commit, or after JPA commit or even
> after infinispan commit etc.
>

+1, this may help to resolve current problems

> 2) Make TxAwareLDAPUserModelDelegate class more generic and reusable
> for other federation providers

may also help, but point 1 with correct documentation is the main thing we
have to do

Thanks

Vlastimil

>
> Marek
>
> On 11/12/15 10:50, Vlastimil Elias wrote:
>> Hi,
>>
>> I use a similar approach and the problem is (at least I think) that the local
>> DB transaction is already committed when our code runs. It has two
>> negative effects:
>> - if the remote service call is successful you are not able to write
>> anything locally as Jorge mentioned
>> - if the remote service call fails the local DB record is committed already
>> and it is hard to implement correct error handling
>>
>> So I think the User Federation SPI should be extended by an exact method
>> which allows an atomic call of the backend during user creation or update
>> before the local transaction is committed. I already created an issue for it
>> but it is not resolved yet https://issues.jboss.org/browse/KEYCLOAK-1075
>>
>> Vlastimil
>>
>> On 10.12.2015 18:49, Jorge M. wrote:
>>>
>>> Hi,
>>>
>>> I think I'm on the right track now. I'm able to call the
>>> webservice before commit. However, when the user is successfully
>>> created by the webservice, I need to update my local user to add a
>>> property with the external user id. How can I do that in the same
>>> transaction?
>>> I'm trying to set the property on the managed delegate user model,
>>> but it has no effect.
>>>
>>> Thank you!
>>>
>>> On 9 Dec 2015 18:39, "Marek Posolda" <mposolda at redhat.com> wrote:
>>>
>>>     On 09/12/15 19:33, Jorge M. wrote:
>>>>
>>>>     I'm developing a custom federation that communicates with my
>>>>     user repository via webservices.
>>>>     Probably this is a very strange scenario for a federation but
>>>>     that's the only way that I have to communicate with the
>>>>     repository.
>>>>
>>>>     My problem is that, as the webservices only expose methods
>>>>     such as createUser and updateUser, I'm having problems with
>>>>     registrations and user profile updates because I'm not
>>>>     able to do atomic calls to the webservice methods, with all the
>>>>     information that I need.
>>>>
>>>>     As far as I know, from the properties file example and from the
>>>>     ldap federation source (probably I'm missing something) it
>>>>     seems that the federation api is intended to update and sync
>>>>     attribute by attribute (Keycloak <-> Federation).
>>>>     Am I wrong? Do you suggest another approach? Should I give up
>>>>     on having a federation that uses a webservice?
>>>>
>>>     You can use a "transaction wrapper", which will allow you to store
>>>     all the updates to the user locally, but send the UPDATE request to
>>>     your webservice later at transaction commit time. You may need
>>>     to create a custom transaction and enlist it with Keycloak
>>>     TransactionManager.
>>>
>>>     This is what we have for LDAP federation provider right now. See
>>>     TxAwareLDAPUserModelDelegate.
>>>
>>>     Marek
>>>>
>>>>     Thank you.
>>>>
>>>>
>>>>
>>>>     _______________________________________________
>>>>     keycloak-dev mailing list
>>>>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>>
>>
>> -- 
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
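
A minimal model of the priority-based enlist proposed in point 1, added here as an illustration; it is not part of the original thread and not Keycloak code. `Tx`, `TxManager`, the participant names and priority 5 for the web service are assumptions; 10 and 20 are the defaults suggested in the thread.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class PriorityEnlistDemo {
    // Simplified stand-in for a transaction participant (not Keycloak's KeycloakTransaction).
    interface Tx {
        void commit() throws Exception;
        void rollback();
    }

    // Models the proposed enlist(transaction, priority): lower priority commits first.
    static class TxManager {
        private record Entry(String name, Tx tx, int priority) {}
        private final List<Entry> enlisted = new ArrayList<>();

        void enlist(String name, Tx tx, int priority) { enlisted.add(new Entry(name, tx, priority)); }

        void commit() {
            enlisted.sort(Comparator.comparingInt(Entry::priority));
            for (int i = 0; i < enlisted.size(); i++) {
                try {
                    enlisted.get(i).tx().commit();
                    System.out.println("committed: " + enlisted.get(i).name());
                } catch (Exception e) {
                    // Participants from i onward have not committed, so they can still roll back.
                    // Anything committed before i stays committed: this is ordering, not 2PC.
                    for (Entry rest : enlisted.subList(i, enlisted.size())) {
                        rest.tx().rollback();
                        System.out.println("rolled back: " + rest.name());
                    }
                    return;
                }
            }
        }
    }

    // Constructed participant: optionally fails at commit time, like a rejected createUser call.
    static Tx tx(boolean failOnCommit) {
        return new Tx() {
            public void commit() throws Exception {
                if (failOnCommit) throw new Exception("remote createUser failed");
            }
            public void rollback() {}
        };
    }

    public static void main(String[] args) {
        TxManager manager = new TxManager();
        manager.enlist("jpa", tx(false), 10);
        manager.enlist("infinispan", tx(false), 20);
        manager.enlist("webservice", tx(true), 5); // federation provider chooses to go first
        manager.commit(); // webservice commits first; its failure rolls back jpa and infinispan
    }
}
```

Ordering alone does not cover the reverse case: if the web service call succeeds and the JPA commit then fails, the remote user exists without a local record, so the provider still needs a compensating call or reconciliation for that path.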
