[keycloak-dev] brokerid + subject for brokered username?

Bill Burke bburke at redhat.com
Tue Mar 24 20:13:01 EDT 2015


Sucks, for SAML, I'll have to find a usersession based on the SAML 
nameID and session index.  For Keycloak OIDC, I have the external 
keycloak session id.

Searching via a UserSessionModel note would be very slow and hard to 
create a "index" across all storage types.  I'm thinking of pushing up a 
"brokerId" to a top level attribute on UserSessionModel.  Then I can do 
queries and create indexes much easier across storage types.

Damn this shit is a pain in the ass...

On 3/24/2015 1:54 PM, Bill Burke wrote:
> I wanted brokerAlias + "." external_username for backchannel logout when
> the external IDP is initiating the logout in the background.  An
> external SAML IDP sends a subject name and optionally a session index.
> These external attributes must be mapped to a UserSession in Keycloak so
> the logout can be performed.  Same sort of thing would need to be done
> for chained keycloak realms.
>
> It's easier to implement if it is brokerAlias + "." + external_username.
> It could be implemented by doing a UserSessionModel query by Note
> name/value, but then this would require changes across all the
> sessionModel data stores and eventually would have to be optimized for
> each as well.
>
> On 3/24/2015 1:21 PM, Stian Thorgersen wrote:
>> A username like that is pointless IMO.
>>
>> Using username from broker actually has a pretty high chance of clash, especially for social logins. I very often can't get my preferred username when signing up to sites, and judging on how many saly9581 there are out there that's a common problem. That's why username for social logins used to be a UUID, but was for some reason changed.
>>
>> For users provisioned through idp logins we should set the username to null, or equal to the user-id. When a user has a null username or username is equal to user-id it should not be displayed in account management, instead we could add an option to allow the user to set the username.
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Tuesday, 24 March, 2015 4:58:24 PM
>>> Subject: [keycloak-dev] brokerid + subject for brokered username?
>>>
>>> Although a remote possibility, it might be possible for usernames to
>>> clash when there are multiple brokers.  Anybody have a problem with
>>> creating usernames of:
>>>
>>> brokerAlias + "." + external_username
>>>
>>> ??
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
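As an added example that is not part of this thread or of Keycloak's own code: a small Python session store illustrating the lookup Bill is describing. `UserSession` stands in for a UserSessionModel; the attribute names, the `alias.subject` key format, the `BROKER_*` note names and the sample sessions are all assumptions constructed for the illustration. It places the note-scan lookup (walk every session and compare notes) beside a secondary index keyed on a top-level broker attribute, and the backchannel logout handles the SAML case where the LogoutRequest carries a NameID but no SessionIndex, in which case every session of that subject through that broker is ended, while the same external username at a different broker is left alone.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UserSession:
    """Constructed stand-in for a UserSessionModel (not Keycloak's class)."""
    session_id: str
    user_id: str
    # Proposed top-level attributes: the broker the session came through,
    # the external subject (SAML NameID / OIDC subject) and the session
    # handle the IdP reported (SAML SessionIndex, or the external OIDC
    # session id). Names and layout are assumptions for this example.
    broker_alias: Optional[str] = None
    broker_subject: Optional[str] = None
    broker_session_index: Optional[str] = None
    notes: Dict[str, str] = field(default_factory=dict)
    active: bool = True


def broker_key(alias: str, subject: str) -> str:
    # Assumed key format. The alias prefix is what keeps "alice" at one
    # IdP distinct from "alice" at another.
    return f"{alias}.{subject}"


class SessionStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, UserSession] = {}
        self._by_broker: Dict[str, List[str]] = {}  # secondary index

    def add(self, s: UserSession) -> None:
        self._by_id[s.session_id] = s
        if s.broker_alias and s.broker_subject:
            # Maintain the index on the top-level attribute ...
            key = broker_key(s.broker_alias, s.broker_subject)
            self._by_broker.setdefault(key, []).append(s.session_id)
            # ... and mirror the same facts as notes so the slow path
            # can be compared against it.
            s.notes["BROKER_ALIAS"] = s.broker_alias
            s.notes["BROKER_SUBJECT"] = s.broker_subject
            if s.broker_session_index is not None:
                s.notes["BROKER_SESSION_INDEX"] = s.broker_session_index

    def find_by_note_scan(self, alias: str, subject: str,
                          session_index: Optional[str] = None) -> List[UserSession]:
        """The approach the thread argues against: O(n) over all sessions."""
        hits = []
        for s in self._by_id.values():
            if not s.active:
                continue
            if s.notes.get("BROKER_ALIAS") != alias or s.notes.get("BROKER_SUBJECT") != subject:
                continue
            if session_index is not None and s.notes.get("BROKER_SESSION_INDEX") != session_index:
                continue
            hits.append(s)
        return hits

    def find_by_broker_index(self, alias: str, subject: str,
                             session_index: Optional[str] = None) -> List[UserSession]:
        """Indexed lookup: one dictionary probe, then filter by session index."""
        hits = []
        for sid in self._by_broker.get(broker_key(alias, subject), []):
            s = self._by_id[sid]
            if s.active and (session_index is None or s.broker_session_index == session_index):
                hits.append(s)
        return hits

    def backchannel_logout(self, alias: str, subject: str,
                           session_index: Optional[str] = None) -> List[str]:
        """Handle an IdP-initiated logout; returns the ids of sessions ended.

        With no session index (SAML LogoutRequest without SessionIndex) all
        of that subject's sessions through that broker are ended.
        """
        hits = self.find_by_broker_index(alias, subject, session_index)
        for s in hits:
            s.active = False
        return sorted(s.session_id for s in hits)


def build_sample_store() -> SessionStore:
    """Constructed sample data: two SAML sessions for alice at 'saml-corp', an
    OIDC session for a different local user whose external username is also
    'alice' at 'google', and one local (non-brokered) login."""
    store = SessionStore()
    store.add(UserSession("s1", "u-alice", "saml-corp", "alice", "idx-1"))
    store.add(UserSession("s2", "u-alice", "saml-corp", "alice", "idx-2"))
    store.add(UserSession("s3", "u-bob", "google", "alice", "ext-123"))
    store.add(UserSession("s4", "u-carol"))
    return store


if __name__ == "__main__":
    st = build_sample_store()
    print("scan  :", [s.session_id for s in st.find_by_note_scan("saml-corp", "alice")])
    print("index :", [s.session_id for s in st.find_by_broker_index("saml-corp", "alice")])
    print("logout idx-1      :", st.backchannel_logout("saml-corp", "alice", "idx-1"))
    print("logout no index   :", st.backchannel_logout("saml-corp", "alice"))
    print("logout google     :", st.backchannel_logout("google", "alice", "ext-123"))
```

The two lookups return the same sessions; the difference is that the scan touches every session in every store type, while the index is a single probe that each storage backend can implement natively once the broker fields are top-level attributes rather than notes.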

