[keycloak-dev] usersession-based UserModels

Stian Thorgersen stian at redhat.com
Wed Mar 25 09:54:31 EDT 2015


If we don't create a user in the db for a federated or brokered user wouldn't we lose a lot of functionality like:

* Account management
* Required actions
* Linking multiple brokered/federated accounts with a single internal account

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 25 March, 2015 2:49:11 PM
> Subject: Re: [keycloak-dev] usersession-based UserModels
> 
> Not sure if this would be a rare case.  Right now our solution is a bit
> heavyweight when we have external systems (brokered or
> UserFederationProvider) as we require a lot of database writes for those
> that log in for the 1st time.  I don't think users have hit this yet
> because they haven't hit us with a lot of requests.
> 
> On 3/25/2015 1:55 AM, Stian Thorgersen wrote:
> > Sounds like it would make sense for the SAML transient use-case you
> > mentioned, but do we have other use-cases for it? Wouldn't it be a fairly
> > big change for a rare use-case?
> >
> > Unless we start supporting IdP logins without provisioning an internal
> > account, but that would be a pretty big change as well for something we
> > haven't had a request for.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 24 March, 2015 3:54:28 PM
> >> Subject: [keycloak-dev] usersession-based UserModels
> >>
> >> I'm thinking more and more we need UserSession based UserModels.  This
> >> would be the case where nothing is imported for a user with either
> >> brokering or federation, but rather stored in memory for the duration of
> >> the UserSession.
> >>
> >> If user metadata (role mappings, etc.) is all obtained from external
> >> sources, there really is no need to import the data and import is just a
> >> huge performance hit.
> >>
> >> I ran into this with "transient" nameid format and SAML brokering.  In
> >> this scenario the parent IDP generates a new userid each and every
> >> login.  This is to define an anonymous user.  So, every time a user logs
> >> in would create a brand new user in the keycloak database.
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

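The provisioning problem Bill describes (an IdP that mints a fresh transient NameID on every login, so an import-everything broker stores a brand new user each time) modelled end to end, as an added example that is not Keycloak code and not part of the thread. The NameID format URNs are the ones defined by SAML 2.0; the `UserStore`, the `SessionUser` class, the `upstream-idp` name, the stable `user-42` identifier and the attribute set are constructed assumptions for the simulation.

```python
"""Model of broker provisioning with persistent vs. transient SAML NameIDs.

Constructed example, not Keycloak code.  Two strategies are compared:
  * import: every unseen (idp, external_id) pair becomes a stored user;
  * session-scoped: a transient identity lives only in memory for the
    duration of the user session and is never written to the store.
"""
import uuid
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def make_assertion(name_id_format, name_id_value):
    """Build a minimal SAML 2.0 assertion (constructed sample, no signature)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject>"
        f'<saml:NameID Format="{name_id_format}">{name_id_value}</saml:NameID>'
        "</saml:Subject>"
        "</saml:Assertion>"
    )


def parse_name_id(assertion_xml):
    """Return (format, value) of the assertion's Subject/NameID.

    A missing Format attribute means 'unspecified' per the SAML 2.0 core spec.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    return name_id.get("Format", NAMEID_UNSPECIFIED), name_id.text.strip()


class UserStore:
    """Stand-in for the user database, keyed by (idp alias, external id)."""

    def __init__(self):
        self.users = {}
        self.writes = 0  # counts inserts, the cost the thread is worried about

    def import_user(self, idp, external_id, attributes):
        key = (idp, external_id)
        if key not in self.users:
            self.users[key] = {"id": str(uuid.uuid4()), "attributes": attributes}
            self.writes += 1
        return self.users[key]


class SessionUser:
    """In-memory user held only for the lifetime of the user session."""

    def __init__(self, idp, external_id, attributes):
        self.id = str(uuid.uuid4())
        self.idp = idp
        self.external_id = external_id
        self.attributes = attributes  # role mappings etc. come from the IdP


def broker_login(store, idp, assertion_xml, attributes, session_scoped_transient=True):
    """Complete a brokered login and return the user object the session will use."""
    fmt, value = parse_name_id(assertion_xml)
    if fmt == NAMEID_TRANSIENT and session_scoped_transient:
        return SessionUser(idp, value, attributes)
    return store.import_user(idp, value, attributes)


def simulate_logins(n, name_id_format, session_scoped_transient):
    """Log one human in n times against a fresh store; return (stored_users, db_writes)."""
    store = UserStore()
    stable_id = "user-42"  # constructed: the id a persistent-NameID IdP keeps stable
    for _ in range(n):
        # A transient IdP mints a new opaque identifier on every login.
        value = f"_{uuid.uuid4().hex}" if name_id_format == NAMEID_TRANSIENT else stable_id
        broker_login(store, "upstream-idp", make_assertion(name_id_format, value),
                     {"roles": ["user"]}, session_scoped_transient)
    return len(store.users), store.writes


if __name__ == "__main__":
    print("persistent, import     :", simulate_logins(5, NAMEID_PERSISTENT, False))
    print("transient,  import     :", simulate_logins(5, NAMEID_TRANSIENT, False))
    print("transient,  session    :", simulate_logins(5, NAMEID_TRANSIENT, True))
```

Running the module prints one row per strategy: five logins with a persistent NameID cost one insert in either mode, five transient logins under the import strategy cost five inserts and leave five orphaned users behind, and the session-scoped strategy costs none. The trade-off Stian raises still applies to the `SessionUser` object: it carries the attributes the IdP sent, but nothing in the store can be linked to it or carry a required action across sessions.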
