[keycloak-dev] User SPI cache policies
Marek Posolda
mposolda at redhat.com
Mon Oct 31 09:50:07 EDT 2016
On 31/10/16 14:08, Bill Burke wrote:
>
> On 10/31/16 8:51 AM, Stian Thorgersen wrote:
>>
>> On 31 October 2016 at 13:49, Bill Burke <bburke at redhat.com> wrote:
>>
>>
>>
>> On 10/31/16 1:48 AM, Stian Thorgersen wrote:
>>
>> What about evict on authenticate (load from store when user
>> authenticates)? I think that would be the most useful policy.
>>
>> That would need to be implemented at the authenticator level.
>>
>>
>> Implementation details aside, should we not have it? It seems like the
>> most likely time you want to fetch the user and especially credentials.
> Yeah, it's a great idea. Implementation details matter though as I'm not
> sure this can be reliably done without coding this in each top-level
> authenticator and requiring an authenticator provider developer to be
> aware of this policy.

How about having separate methods on UserProvider for looking up a user,
which would allow looking the user up from storage and invalidating him
afterwards in case the "authenticator-invalidation" policy is configured?

UserModel getUserByUsername(String username, RealmModel realm, boolean fresh);

If "fresh" is true, the user will need to be looked up from persistent
storage and invalidated from the cache afterwards.

Or even have something on KeycloakSession like:

UserFederationManager users(boolean fresh);

which will return some proxy instance of UserFederationManager, which
does this for all user lookup methods?

Marek
>
> Bill
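
The "fresh" lookup proposed in the message above, modelled as an added example that is not part of the original thread and is not Keycloak code. All type and method names here (User, UserStore, CachingUserLookup) are hypothetical stand-ins, and the in-memory map stands in for an external user store whose credentials change behind the cache.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative model only: hypothetical types, not Keycloak's UserProvider API.
public class FreshLookupDemo {
    record User(String username, String credentialHash) {}

    interface UserStore { User load(String username); }

    static class CachingUserLookup {
        private final UserStore store;
        private final Map<String, User> cache = new ConcurrentHashMap<>();

        CachingUserLookup(UserStore store) { this.store = store; }

        // fresh == false: ordinary cached read (may serve a stale credential).
        // fresh == true: read the persistent store directly, then invalidate
        // the cached entry so later cached reads reload the current record.
        User getUserByUsername(String username, boolean fresh) {
            if (!fresh) {
                return cache.computeIfAbsent(username, store::load);
            }
            User current = store.load(username);
            cache.remove(username);
            return current;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the external store.
        Map<String, User> backing = new HashMap<>();
        backing.put("alice", new User("alice", "hash-v1"));
        CachingUserLookup users = new CachingUserLookup(backing::get);

        users.getUserByUsername("alice", false);            // warm the cache
        backing.put("alice", new User("alice", "hash-v2")); // password changed in the store

        User cached = users.getUserByUsername("alice", false); // non-authentication path
        User atLogin = users.getUserByUsername("alice", true); // authentication path
        User after = users.getUserByUsername("alice", false);  // reloaded after eviction

        System.out.println("cached read:   " + cached.credentialHash());
        System.out.println("fresh read:    " + atLogin.credentialHash());
        System.out.println("after evict:   " + after.credentialHash());
    }
}
```

The first cached read is the case the thread is concerned with: a credential changed or revoked in the backing store is still honoured until the entry is evicted, which is why the fresh path is tied to authentication.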