[keycloak-dev] Customizing UserEntity to encrypt personally identifiable information

Stian Thorgersen sthorger at redhat.com
Fri Jun 24 05:48:32 EDT 2016


You can use option 1. Create your own user provider; inside the provider,
look up the JPA provider and delegate to that, but create a wrapper that
encrypts/decrypts the personal details.

Just to point out that the User SPI is currently being reworked and you
would most likely have to do some refactoring once it is ready, which
should be in a month or two.

On 23 June 2016 at 20:35, Aaron Harnly <aharnly at amplify.com> wrote:

> Hi there,
>
> I'm on Day 1 of looking at Keycloak, although some colleagues have been
> using it successfully. Please forgive the naiveté of the question, but I'd
> love confirmation that I'm on the right track.
>
> I'd like to ensure that user email addresses, names, and usernames are
> encrypted by the Keycloak application before persisting to a relational
> store.
>
> org.keycloak.models.jpa.entities.UserEntity is pretty obviously the place
> to do that – the natural question is, what is the best way for me to
> provide a slightly customized UserEntity.java in which I can do my desired
> encryption/decryption?
>
> My initial scan of docs and repo suggests one of the following:
>
> 1) Create a UserProvider analogous to the JpaUserProvider, but with my own
> UserEntity subclass.
> 2) If needed, follow the approach described in this thread[1] from
> November to implement a custom Hibernate EntityManager, but I don't think
> that's necessary for my case, and don't yet fully understand that.
> 3) Something else.
>
> [1]
> http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005745.html
>
> Thoughts or advice appreciated!
> Aaron
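
The wrapper-and-delegate approach from the reply, as an added example that is not part of the original thread and does not use Keycloak's User SPI: it goes one step further than the reply to show why encrypted emails and usernames need a keyed lookup index to stay searchable. The class, its methods and the in-memory map standing in for the JPA provider are hypothetical, and the keys and the sample user are constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class EncryptingUserStore {
    private final Map<String, String> delegate = new HashMap<>(); // hypothetical stand-in for the JPA store
    private final SecureRandom rng = new SecureRandom();
    private final SecretKeySpec encKey, macKey;
    EncryptingUserStore(byte[] enc, byte[] mac) {
        encKey = new SecretKeySpec(enc, "AES");
        macKey = new SecretKeySpec(mac, "HmacSHA256");
    }
    // AES-GCM with a fresh 12-byte nonce per value; the nonce is stored in front of the ciphertext.
    String encrypt(String plain) throws Exception {
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }
    String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, encKey, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    // Randomized ciphertext cannot be matched in a query, so lookups go through an HMAC of the normalized email.
    String blindIndex(String email) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(macKey);
        byte[] norm = email.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(m.doFinal(norm));
    }
    void addUser(String email, String name) throws Exception { delegate.put(blindIndex(email), encrypt(name)); }
    String nameByEmail(String email) throws Exception {
        String stored = delegate.get(blindIndex(email));
        return stored == null ? null : decrypt(stored);
    }
    public static void main(String[] args) throws Exception {
        SecureRandom r = new SecureRandom(); // constructed demo keys; real keys would come from a key store
        EncryptingUserStore s = new EncryptingUserStore(r.generateSeed(32), r.generateSeed(32));
        s.addUser("Alice@Example.com", "Alice Example"); // constructed sample user
        System.out.println(s.nameByEmail("alice@example.com")); // found despite the random nonce
    }
}
```

The index is deterministic, so anyone who can read the table can tell which rows share an email even without the keys; the separate HMAC key keeps them from testing guesses against it.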