[keycloak-dev] rethinking credentials

Marek Posolda mposolda at redhat.com
Tue Aug 23 03:31:04 EDT 2016


On 16/08/16 22:51, Bill Burke wrote:
>
>
> On 8/16/16 10:12 AM, Bruno Oliveira wrote:
>> On 2016-08-11, Marek Posolda wrote:
>>> I wonder if we can have UserCredentialValueModel be a more generic
>>> store? Currently it has properties applicable just to password or OTP
>>> credentials, but it would be better to have something more generic based
>>> on key-value pairs though.
>> +1 that would be fantastic, if possible.
> A data model that can store any arbitrary key-value pair would require 
> a join with RDBMS storage.  Should we keep something like 
> UsercredValModel, but just add the ability for attributes?  Then model 
> the API so that it can avoid joins?  There's also the issue of data 
> migration from the old tables to the new.  Since this is users we 
> could be talking about tens of thousands of rows.
Yep, maybe we can keep the "old" attributes on the UserCredValModel, so 
there's no need to migrate and the most important credential types 
(password, OTP) don't need to change anything. Still, we can add key-value 
for other credential types? Maybe the caching of users and user 
credentials also helps with the performance, so the performance 
bottleneck of joins won't be so bad (but yes, I know that we need to 
limit the size of the userCache cache, so the same user and his credential 
may still be downloaded from the underlying DB multiple times...)

Marek
>
> Bill


